IDS mailing list archives

Re: on TASL correlation rules


From: Augusto Paes de Barros <augusto () paesdebarros com br>
Date: Wed, 28 Dec 2005 08:46:30 -0300

"I think it's a dirty little secret that much fewer customers customize
NIDS rules than the NIDS vendors think..."

Totally true.

I believe that's because they sell their products as something that
doesn't need to be customized. I like to say that IDSes are more like
ERP systems than Antivirus. A lot of customization is required to make
it work.

Regards,

Augusto.


On 12/23/05, Anton Chuvakin <anton () chuvakin org> wrote:
> Ron and all,
>
> > In general though, the issue we've found while writing these types of rules
> > is that whatever the algorithm, there is always a trade-off between being
> > exact and being general.
>
> That is *exactly* the discussion I wanted to start! Thanks for picking
> it up. When one provides canned correlation rules (such as your TASL
> scripts), this question comes up in full force. And, unlike NIDS
> rules, where people expect them to work pretty much out of the box (I
> think it's a dirty little secret that much fewer customers customize
> NIDS rules than the NIDS vendors think...), this one gets real
> subjective real quick.  And this is where the site-specific rules or
> scripts come in.
>
> > Site-specific rules can get much more interesting. For example, writing
> > a rule that can alert on any "SSH login failure" not coming from the
> > SOC is very simple, but you have to know about the DNS server, the SOC
> > and the trust relationship between them beforehand.
>
> This is one of my favorite examples: it's an extremely simple and just
> as useful custom rule ("if SSH not from SOC, alert") but an impossible
> default vendor-provided rule.  The main question is: how many people
> will go and create it? Will the "NIDS disease" (mentioned above) hit
> it as well and thus devalue the correlation software?
>
> Best,
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
>      http://www.chuvakin.org
>  http://www.securitywarrior.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------




--
Augusto Paes de Barros, CISSP-ISSAP(r)
http://www.paesdebarros.com.br/indexpb.html
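The "if SSH failure not from SOC, alert" rule discussed in the thread, as an added example (not TASL and not code from either poster): a Python version run over a few constructed sshd syslog lines. The SOC networks and the sample log are assumed values standing in for the site knowledge the rule cannot ship without.

```python
import ipaddress
import re

# Site-specific knowledge a vendor cannot ship with the rule (assumed values):
# the networks the SOC connects from. Any other source failing SSH is alerted on.
SOC_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.0.2.0/28"),
]

# Matches OpenSSH failure lines such as
#   "Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2"
#   "Invalid user bob from 203.0.113.5 port 4422"
SSH_FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<iuser>\S+)) from (?P<src>[\d.:a-fA-F]+)"
)

def is_from_soc(src: str) -> bool:
    """True when src lies inside a SOC network; an unparsable address is not trusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in SOC_NETWORKS)

def parse_failure(line: str):
    """Return {'user', 'src'} for an SSH failure line, or None for anything else."""
    m = SSH_FAILURE.search(line)
    if m is None:
        return None
    return {"user": m.group("user") or m.group("iuser"), "src": m.group("src")}

def ssh_failures_not_from_soc(lines):
    """The site-specific rule: every SSH failure whose source is outside the SOC."""
    alerts = []
    for line in lines:
        event = parse_failure(line)
        if event is not None and not is_from_soc(event["src"]):
            alerts.append(event)
    return alerts

# Constructed sample log: one SOC failure, two outside failures, one success, one SOC key failure.
SAMPLE_LOG = [
    "Dec 28 08:40:01 bastion sshd[2231]: Failed password for root from 10.20.0.15 port 50122 ssh2",
    "Dec 28 08:41:12 bastion sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2",
    "Dec 28 08:41:30 bastion sshd[2240]: Invalid user bob from 203.0.113.5 port 4422",
    "Dec 28 08:42:00 bastion sshd[2250]: Accepted publickey for deploy from 198.51.100.7 port 51300 ssh2",
    "Dec 28 08:42:10 bastion sshd[2255]: Failed publickey for deploy from 192.0.2.9 port 51301 ssh2",
]

if __name__ == "__main__":
    for alert in ssh_failures_not_from_soc(SAMPLE_LOG):
        print(f"ALERT: SSH failure for {alert['user']} from non-SOC source {alert['src']}")
```

The generality trade-off from the thread sits entirely in SOC_NETWORKS: widen it and the rule stops firing on real problems, narrow it and the SOC's own activity becomes noise.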

