IDS mailing list archives
Re: couple IDS development questions
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Wed, 17 Oct 2007 13:33:49 +0100
On 16 Oct 2007 12:13:56 -0000, whilter () o2 pl <whilter () o2 pl> wrote:
> Hi. Recently I'm working on a new IDS project. As a matter of fact, at the moment I'm stuck at a point where I'm supposed to decide a few very important things: 1) Which language? C/C++ with its already implemented projects (Snort, ModSecurity), or Java with its multiplatform option?
You'll probably find you have to do the low-level stuff in something like C, or using C libraries. I'd be quite sympathetic to using Java for higher level stuff like correlation, but others may disagree.
> 3) How is a network IDS analyzing network activity when almost every package nowadays is encrypted?
A lot of stuff these days is not encrypted, like attacks against web applications over plain HTTP. Even on other protocols, it's possible to detect an attack in progress which is exploiting a parsing weakness. I think the THCIISLAME (google it) attack is a detectable attack using an encrypted protocol(?). As another example, you can try to detect SSH brute-forcing attempts by the connection rate, even though SSH is an encrypted protocol.
> 4) I'm thinking about encrypting IDS messages/alert packages as well. What cipher should I use?
The 'easy' answer is something like AES128 / SHA256 / CBC - if you do it right you'll prevent eavesdropping and the insertion of fake messages. You will probably want to think about preventing replay attacks as well, which is a bit harder. 'Practical Cryptography' by Ferguson and Schneier is well worth a read if you're implementing crypto - even if you use a library such as botan to implement the crypto primitives.

cheers,
Jamie

--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
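The SSH brute-force point above (detecting an attack against an encrypted protocol from connection rate alone) is easy to illustrate with a small sliding-window detector. This is an added example, not code from the thread or from any IDS project; the flow records, the hosts, the 60-second window and the threshold of 10 connections are all constructed assumptions.

```python
# Added example: rate-based detection of SSH brute-forcing using only
# connection metadata (time, source, destination, port). Because nothing
# inside the SSH session is inspected, encryption does not get in the way.
from collections import defaultdict, deque

# Constructed flow records: (seconds since start, source IP, destination IP, dst port).
# 203.0.113.7 opens 20 SSH connections in 38 s; 10.0.0.5 opens three, minutes apart;
# 10.0.0.9 is plain HTTP traffic that the detector must ignore.
FLOWS = (
    [(float(i * 2), "203.0.113.7", "192.0.2.10", 22) for i in range(20)]
    + [(0.0, "10.0.0.5", "192.0.2.10", 22),
       (300.0, "10.0.0.5", "192.0.2.10", 22),
       (600.0, "10.0.0.5", "192.0.2.10", 22)]
    + [(float(i), "10.0.0.9", "192.0.2.20", 80) for i in range(15)]
)


def detect_ssh_bruteforce(flows, window=60.0, threshold=10, port=22):
    """Return one alert (time, src, count) per source that opens at least
    `threshold` connections to `port` within any `window` seconds.

    Flows are processed in time order; a per-source deque holds the
    timestamps still inside the window, so memory stays bounded by the
    number of connections per source in one window, not by total traffic.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent connections
    alerts = []
    alerted = set()               # alert once per source, not on every later packet
    for t, src, _dst, dport in sorted(flows):
        if dport != port:
            continue              # only SSH connection attempts count
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerts.append((t, src, len(q)))
            alerted.add(src)
    return alerts


if __name__ == "__main__":
    for t, src, n in detect_ssh_bruteforce(FLOWS):
        print(f"t={t:.0f}s  {src} opened {n} SSH connections within 60s: possible brute force")
```

The threshold and window are tuning knobs: too low and automated config-management or monitoring hosts will trip it, too high and a slow attacker stays under it, so they should be set from a baseline of normal SSH connection rates on the monitored network.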
