Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: Re: Announcement: Alert Verification for Snort

Re: Announcement: Alert Verification for Snort

From: Martin Roesch <roesch_at_sourcefire.com>
Date: Thu, 23 Oct 2003 21:57:01 -0400

On Oct 23, 2003, at 6:53 AM, Sam f. Stover wrote:

>
> On Wednesday, October 22, 2003, at 11:22 PM, Martin Roesch wrote:
>
>> In case 2 the "nontextual" isn't a false positive but I think that
>> most people are calling it an FP these days. I *personally* think
>> that's a misconception. What we have in that case is a *real attack*
>> that your IDS is detecting exactly as it was asked to. Just because
>> it doesn't have the additional information about the context or
>> relevance of the event isn't a problem with the IDS, it's a side
>> effect of the way that NIDS have been built for the past 10 years.
>
> In the not too distant past I would have agreed with this - but I
> think as IDS implementations grew, the way people describe FPs has
> changed. I think today's IDS *needs* to know "the additional
> information about the context and relevance" - because the event you
> are referring to is what I'll call an "effective FP". Effective
> because any time I spend trying to track down an IIS attack on an
> apache box is wasted effort. I completely understand your point
> Marty, because an attack did occur, and the IDS did log it. However,
> if it is going to log it, then I want it to tell me that the severity
> of the attack is lessened because it didn't succeed. Even better, I
> want to see the 404 or 403 error, so I can show my boss why I didn't
> even bother to look into it.

I agree and we're building new technology at Sourcefire to address it,
and I know other companies are either building new stuff or adapting
old stuff (e.g. vuln scanners) to get the same sort of data. I was
just pointing out that systems like Snort as it currently exists don't
have this notion built into them so saying that alert verification
reduces false positives when it's actually addressing nontextuals is
something that I want to discuss, especially since it's my code that's
producing the "false postives". :)

> I want my IDS to differentiate between an IIS attack on my apache box
> and an IIS attack on an IIS box. I don't really care how it does it.
> The two main methods, as I see it, are passive fingerprinting or
> integration with another tool like a vuln scanner. Both have their
> drawbacks w/ relation to different environments - which could probably
> fuel a complete thread.

Yup.

> The IDS landscape has changed. Ten years ago, the type of event
> mentioned was probably not considered a FP. But at that time, IDS was
> an infant and people weren't dealing with events on the scale of
> millions per day like they are today. Current-day NIDS need to evolve
> to solve the problems that current-day users are facing. IMHO 10
> years ago, NIDS administrators could afford to be a bit more
> interested in all kinds of attacks. IDS was a new and exciting
> technology. I think it's lost some of it's glamour since then and
> people have to use it as just another tool. And the people I talk to
> don't have the time nor resources to run down half of the "real"
> attacks, much less look into attacks that will never succeed.

Yes. Separating the wheat from the chaff is becoming increasingly
important in IDS as we all know, I'll be interested to see how the
different techniques and approaches people are using to address this
problem actually work in production.

     -Marty 

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------
Received on Oct 24 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos