Intrusion Detection Systems mailing list archives
Re: IDS & SNMP
From: Talisker () technologist com (Talisker)
Date: Fri, 19 May 2000 19:20:13 +0100
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Nuno

Be wary of using SNMP between the sensors and manager. IMHO the "Simple" in Simple Network Management Protocol refers to the security. E.g. you can ask a router to reset itself; the only authentication required to do this would be the SNMP Community Name, and depending on the MIB this may also be possible with your IDS. The community name is passed in clear!!

SNMP version 2 was fairly secure. However, it didn't catch on, so they released SNMP version 2c, you guessed it, without the security improvements. Funny old thing, this caught on and is probably what most of us are using. (I don't get a say.) SNMP version 3 is allegedly due for release; this will have improved security features, unless it doesn't catch on, so they'll release version 3c without the security (maybe that's a little cynical of me).

As a compromise might I suggest a secure connection between the IDS agent and the IDS console, and an SNMP connection to your enterprise management suite, thereby reducing the risk of compromise. Moreover, if there is a compromise at the enterprise management suite, the vital IDS data will still be on the console, though without the enterprise management suite you might not know :o)

Take care
Andy

PS I'm biased: whilst I think SNMP is a very useful Sys Admin tool, and feel there is a need for some processed security info to be output to it, I don't like to use SNMP as a means of primary security transport prior to processing. Am I being overly paranoid? Your information is only as secure as your weakest link.

The opinions contained within this transmission are entirely my own, and do not necessarily reflect those of my employer.
----- Original Message -----
From: "Sanchez-Cherry, Kevin" <Kevin.Sanchez-Cherry () nasd com>
To: "'Nuno Miguel Neves'" <nneves () di fc ul pt>
Cc: "Intrusion Detection List" <ids () uow edu au>
Sent: Friday, May 19, 2000 4:56 PM
Subject: RE: IDS: IDS & SNMP
Try the Axent website www.axent.com and go to the products section for NetProwler and ITA. You can also request an eval copy to try out, as well as the relevant documentation. The NetProwler docs should have all the SNMP information; I know the ITA docs have some in it.

-----Original Message-----
From: Nuno Miguel Neves [mailto:nneves () di fc ul pt]
Sent: Friday, May 19, 2000 11:50 AM
To: Sanchez-Cherry, Kevin
Cc: 'Greg Shipley'; Intrusion Detection List
Subject: Re: IDS: IDS & SNMP

Is there any documentation about it? More specifically, did they develop a MIB for that?

"Sanchez-Cherry, Kevin" wrote:

They are still using it to integrate NetProwler and ITA

-----Original Message-----
From: Greg Shipley [mailto:gshipley () neohapsis com]
Sent: Thursday, May 18, 2000 6:30 PM
To: Nuno Miguel Neves
Cc: Intrusion Detection List
Subject: Re: IDS: IDS & SNMP

On Wed, 17 May 2000, Nuno Miguel Neves wrote:

Does anyone know of an IDS that uses SNMP to communicate between the sensors and the manager?

Axent was using SNMP to integrate NetProwler (their NIDS) into their IntruderAlert (host-based IDS) management framework. This was back in late 1999 - not sure if they've moved away from it yet or not. Axent? :)

-G

--
nneves () di fc ul pt            Dept. Informatica, Fac. Ciencias,
  |\ |      |\ |               Tel: +351 21 7500058    Univ. Lisboa, Bloco C5, Campo Grande
  | \|uno   | \|eves           Fax: +351 21 7500084    1700 Lisboa, Portugal
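Talisker's point above, that the SNMP community name travels in the clear and is the only "authentication" on v1/v2c requests, is easy to see at the byte level. The following is an added example written for this archive page, not code from any poster or from Axent: it BER-encodes constructed SNMPv1/v2c GetRequest and SetRequest messages and SNMPv3 headers, parses the security-relevant fields back out of the raw UDP payload, and runs the audit a defender would apply to a capture of sensor-to-manager traffic. All packets, the engine ID, the user name and the helper names (`build_community_get`, `build_v3_header`, `inspect_snmp`, `audit`) are constructed for the example; nothing is sent on the wire.

```python
"""Added example: why SNMP v1/v2c 'authentication' is a cleartext community
string, and an audit over captured UDP/161 payloads. All packets are
constructed inline (not real captures); nothing is sent on the wire."""

# ---- minimal BER helpers (SNMP uses a small subset of ASN.1 BER) ----
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")       # long-form length
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v: int) -> bytes:
    # non-negative INTEGER; the extra leading zero byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

SYSDESCR_0 = bytes.fromhex("2b06010201010100")   # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA7: "InformRequest"}

def build_community_get(version: int, community: str, oid: bytes = SYSDESCR_0,
                        pdu_tag: int = 0xA0, value: bytes = tlv(0x05, b""),
                        request_id: int = 42) -> bytes:
    """SNMPv1 (version=0) / SNMPv2c (version=1) request. The community string is a
    plain OCTET STRING right after the version field: no hashing, no encryption."""
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + value))   # { { oid, value } }
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

def build_v3_header(msg_flags: int, user: str = "ids-sensor") -> bytes:
    """SNMPv3 message: msgGlobalData + USM security parameters + scoped PDU.
    msgFlags bit0 = auth, bit1 = priv, bit2 = reportable. Engine ID, user and the
    auth/priv parameter bytes are constructed placeholders, not a real exchange."""
    global_data = tlv(0x30, ber_int(7) + ber_int(65507)
                      + tlv(0x04, bytes([msg_flags])) + ber_int(3))   # securityModel 3 = USM
    usm = tlv(0x30, tlv(0x04, bytes.fromhex("8000000001020304"))      # constructed engine ID
              + ber_int(1) + ber_int(100)                            # engineBoots, engineTime
              + tlv(0x04, user.encode())
              + tlv(0x04, b"\x00" * 12 if msg_flags & 1 else b"")    # auth params
              + tlv(0x04, b"\x00" * 8 if msg_flags & 2 else b""))    # priv params
    if msg_flags & 2:
        scoped = tlv(0x04, b"\x00" * 16)                             # placeholder ciphertext
    else:
        scoped = tlv(0x30, tlv(0x04, b"") + tlv(0x04, b"")
                     + tlv(0xA0, ber_int(7) + ber_int(0) + ber_int(0) + tlv(0x30, b"")))
    return tlv(0x30, ber_int(3) + global_data + tlv(0x04, usm) + scoped)

def inspect_snmp(payload: bytes) -> dict:
    """Extract the security-relevant header fields from one UDP/161 payload."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version in (0, 1):
        _, community, pos = read_tlv(msg, pos)
        pdu_tag, _, _ = read_tlv(msg, pos)
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("ascii", "replace"),
                "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "auth": False, "priv": False}
    if version == 3:
        _, gdata, _ = read_tlv(msg, pos)
        _, _, p = read_tlv(gdata, 0)                                  # msgID
        _, _, p = read_tlv(gdata, p)                                  # msgMaxSize
        _, flags, _ = read_tlv(gdata, p)                              # msgFlags
        return {"version": "v3", "community": None, "pdu": None,
                "auth": bool(flags[0] & 1), "priv": bool(flags[0] & 2)}
    raise ValueError(f"unknown SNMP version {version}")

def community_on_the_wire(payload: bytes, community: str) -> bool:
    """True when the community string is literally present in the packet bytes."""
    return community.encode() in payload

def audit(payloads) -> list:
    """Defender's check: flag messages whose credential is exposed (v1/v2c
    community, v3 noAuthNoPriv) or whose payload is readable (v3 authNoPriv)."""
    findings = []
    for i, pkt in enumerate(payloads):
        info = inspect_snmp(pkt)
        if info["community"] is not None:
            findings.append(f"#{i}: SNMP{info['version']} {info['pdu']} "
                            f"with cleartext community {info['community']!r}")
        elif not info["auth"]:
            findings.append(f"#{i}: SNMPv3 noAuthNoPriv (unauthenticated)")
        elif not info["priv"]:
            findings.append(f"#{i}: SNMPv3 authNoPriv (authenticated, payload readable)")
    return findings

# constructed sample capture: v2c Get, v1 Set, and three v3 flag combinations
SAMPLE = [build_community_get(1, "public"),
          build_community_get(0, "private", pdu_tag=0xA3, value=ber_int(1)),
          build_v3_header(0x04), build_v3_header(0x05), build_v3_header(0x07)]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Only the last sample (authPriv) produces no finding; the v1 SetRequest is the case Talisker describes, a write whose only credential is the community name in the packet. In a real deployment the same `inspect_snmp` logic would be fed UDP/161 and UDP/162 payloads from a capture or a sensor tap, and any v1/v2c or noAuthNoPriv hit between IDS components is the signal to move that link onto a separately secured channel, as the post suggests.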
Current thread:
- RE: IDS & SNMP Sanchez-Cherry, Kevin (May 19)
- Re: IDS & SNMP Nuno Miguel Neves (May 19)
- <Possible follow-ups>
- RE: IDS & SNMP Sanchez-Cherry, Kevin (May 19)
- Re: IDS & SNMP Talisker (May 19)
- Know Your Enemy: A Forensic Analysis Lance Spitzner (May 21)
- Gnutella/Napster thomas sjogren (May 22)
- Date: Tue, 23 May 2000 10:36:35 +0800 tongcd (May 22)
- Re: Date: Tue, 23 May 2000 10:36:35 +0800 Inno Eroraha (May 23)
- Intrusion Detection and Incident Handling Authors Needed Jensenne Roculan (May 23)
- Please excuse me, this is a test mail. Akshay Kumar Sreeramoju (May 23)
- TESTING: Please disregard this Akshay Kumar Sreeramoju (May 23)
- TESTING: Please disregard this message Akshay Kumar Sreeramoju (May 23)
- RE: Intrusion Detection and Incident Handling Authors Needed Lubbers, Louis (May 23)
- core dump SHAIFUL HASHIM (May 26)
(Thread continues...)
