Intrusion Detection Systems mailing list archives

Re: Assessment tools/Scanners


From: roesch () clark net (Martin Roesch)
Date: Mon, 11 Oct 1999 11:25:57 -0400



Greg Shipley wrote:

> Not sure what you are asking here - almost all of the commercial ID
> products are looking for knowns, and knowns only.  They are
> signature-based.....

Allow me to interject for a second.  I wouldn't say that all commercial
IDSs are necessarily straitjacketed into signature detection only;
almost all of them have some sort of facility to perform anomaly
detection as well.  Even Snort can do primitive anomaly detection, such
as alerts on bad TCP flag combinations or looking for tiny fragments.  I
think that the ability to develop anomaly detection schemes with a tool
is pretty important, and you can do that with both NFR and Dragon (and
to a lesser extent, Snort).  Sure, they provide the capability to look
for set "patterns" in packets, but they can also be tuned to look for
things you should *never* see.

> The advantage of the NFRs and Dragons of the world is that you can, fairly
> easily, code up your own "sig" for an attack.  I know ISS RealSecure v3.2
> has some of this flexibility, but not as flexible as, say, NFR's N-Code.
> Are there any products that do network-level statistical profiling, to
> look for "unknown" attacks?  Not that I know of, but that's just me....

This requires codifying the statistical "signature" of a new attack,
which can be a fairly daunting task.  Questions like "what header fields
do I keep track of?", "what are the characteristics of a
post-buffer-overflow root shell session?", "how much traffic represents
a valid statistical sample?", etc. need to be answered before you can
define a method of statistical analysis for intrusion/anomaly
detection.  Doesn't CMDS try to do some sort of statistical analysis?

> I'm working on some of this data now, but I'll put this question to the
> list: what would you guys LIKE to see?  IMHO, the only way to thoroughly
> validate a vendor's set of signatures is to run each and every attack past
> them.  And to do so, you either have to possess or write exploit code for
> every check.  And even then, make no mistake, you CAN mutate attacks to
> the point that network-based ID will fail.

Definitely, but the vast majority of script kiddies don't do this either
because they're lazy or because they don't have the "skillz".  Whether
or not you are concerned about the set of people outside the script
kiddie domain is a function of your site's security posture and the
threat model that you used to develop your site's security
architecture.  If you're concerned with script kids, then you need one
level of protection, if you're worried about nation-state level attacks
you should probably unplug from the internet.  Somewhere in between
those two is a happy medium of functionality versus cost versus risk of
undetected compromise.

> And hell, as Dug pointed out, if you pipe stuff through fragrouter you'll
> get past almost everything but NFR and Dragon.

Hey, Snort will detect that someone is running their packets thru
fragrouter! ;) (Of course, that's *all* it tells you....)

     -Marty


-- 
Martin Roesch
roesch () clark net
http://www.clark.net/~roesch
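As an added illustration (not code from the original post, and not Snort's own implementation), here are the two primitive anomaly checks Marty mentions, alerts on bad TCP flag combinations and on tiny fragments, run over constructed IPv4/TCP packets. The list of "impossible" flag combinations and the 24-byte fragment threshold are assumptions chosen for this example.

```python
import struct

# TCP flag bits from the 13th byte of the TCP header (CWR/ECE are masked off below).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations a conforming TCP stack never emits. Assumed list for this example;
# a real sensor would carry its own table.
BAD_TCP_FLAG_SETS = {
    0: "no flags set (NULL)",
    SYN | FIN: "SYN+FIN",
    SYN | RST: "SYN+RST",
    FIN | PSH | URG: "FIN+PSH+URG (XMAS)",
}
# Assumed threshold: a non-final fragment carrying fewer bytes than this is "tiny".
MIN_FRAG_BYTES = 24


def inspect_ipv4(pkt: bytes) -> list:
    """Return anomaly descriptions for one raw IPv4 packet (no link-layer header)."""
    alerts = []
    if len(pkt) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    more_frags = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    payload = pkt[ihl:total_len]
    # Tiny fragment: "more fragments" is set but the piece is too small to hold a TCP header,
    # the classic way to split header fields across fragments and slip past a naive matcher.
    if more_frags and len(payload) < MIN_FRAG_BYTES:
        alerts.append(f"tiny fragment ({len(payload)} bytes, offset {frag_offset})")
    # Only the first fragment (offset 0) carries the TCP header we can inspect.
    if proto == 6 and frag_offset == 0 and len(payload) >= 20:
        tcp_flags = payload[13] & 0x3F
        if tcp_flags in BAD_TCP_FLAG_SETS:
            alerts.append(f"bad TCP flags: {BAD_TCP_FLAG_SETS[tcp_flags]}")
    return alerts


def build_packet(tcp_flags: int, more_frags: bool = False, payload_len: int = 20) -> bytes:
    """Construct a minimal IPv4+TCP packet for the demo (checksums left zero, 10.0.0.1 -> 10.0.0.2)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)[:payload_len]
    flags_frag = 0x2000 if more_frags else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_frag, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


if __name__ == "__main__":
    for flags, mf, plen in [(SYN, False, 20), (SYN | FIN, False, 20), (SYN, True, 8)]:
        print(flags, mf, plen, inspect_ipv4(build_packet(flags, mf, plen)))
```

A normal SYN produces no alert; SYN+FIN and an 8-byte first fragment each produce one.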

