Snort mailing list archives
Re: How do you know...
From: Brian Caswell <bmc () mitre org>
Date: Fri, 08 Jun 2001 19:03:48 -0400
Colin Wu wrote:
Over the past few days we have received a number of scans and each time Snort picks it up just fine. My question is: Other than going over the log line-by-line, how can I tell if a system on my network answered the probe and is now a candidate for compromise? My network is a /16 so it's not a small problem. I'm thinking it may mean writing my own log scanner but just wanted to check with you folks in case someone's already invented the wheel.
Well, there are a number of ways, and it also depends on your network, your environment, your time, and your response level. Below is a basic outline on how to see if a machine is a candidate for compromise.

- If the signature is for something the target is running (IIS alerts targeting a QNX box)
- If the alert is a SYN scan and you see no return traffic. (SUBSEVEN scans are about 4 billion a day.)
- If the system is mission critical. (www.mcmaster.ca is probably really important to you)
- If the system has any other 'weird' traffic to it (system starts using IRC when it never did that before)
- If the system gets any other traffic from the attacker that would not be normal
- Do you trust that the administrator of that machine has kept it up to date? (For example, I trust that I am not running vulnerable stuff on MY workstation, so I don't hit the panic button when a SUBSEVEN scan goes off)
- What OS is that machine? (NT = GO LOOK AT IT RIGHT NOW!)

There are a number of things that are really important to keep in mind, most of them are common sense. If the attack looks really bad, then YES. Look into the attack even more. But if you know your mail server is running the latest and greatest version, and someone tries to be the WIZ then you should just ignore it. [0]

You will probably want to have access to your router/firewall/host logs all at one place. That's one of the main things that Snort does not have. ACID & all the other log browsers don't really have good integration with logs from other sources than snort. CERIAS is working on a new IDS database/interface from what I have heard, and there are a few billion vendors that are doing the same thing. You also might want to include security scanning logs into this mythical database as well. Since you have a fairly big netblock to watch after, it's important to know what is out there, and what it is running. HiverWorld had a decent idea incorporating nmap and nessus into their IDS.
Knowing before the incident happens what the server might be vulnerable to allows the analysts to be able to say "Yeap. Stupid attacker. Nastygram sent, Beer here I come" without hitting the panic button as hard first. This isn't to say that you should completely trust tools that do that, but it's something to think about.

IDS analysis is a very difficult and time consuming task, even when all the stuff you are watching is yours. How managed security companies succeed, I have no idea.

[0] Cause nobody does it like the Wiz.

--
Brian Caswell
The MITRE Corporation
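The checklist above (does the target run what the signature is for, did it answer the probe, is it mission critical, is the admin trusted to patch, is it NT) is the kind of thing the original question's "own log scanner" would have to encode. The script below is an added example, not code from the post, from Snort or from MITRE: it parses Snort's alert_fast lines, looks each target up in a hand-built asset inventory, checks a firewall flow list for return traffic from the probed port, and scores the alert. The rule-to-product table, the inventory, the alert lines, the flow records and the scoring weights are all constructed for the example; the SIDs are in Snort's local-rule range and refer to no real rule.

```python
"""Triage Snort alerts against an asset inventory and firewall flow records.

Added example, not code from the original post or from Snort: it turns the
checklist in Brian Caswell's reply into a small correlator. The rule table,
inventory, alert lines and flow records below are constructed sample data;
the SIDs sit in Snort's local-rule range (>= 1000000) and are not real rules.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# One line of Snort's alert_fast output (timestamps carry no year).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TS_FMT = "%m/%d-%H:%M:%S.%f"
Alert = namedtuple("Alert", "ts sid msg src dst dport")
# os: "nt", "qnx", ...; services: port -> product really listening there;
# critical: the post's "mission critical"; maintained: do you trust the admin?
Asset = namedtuple("Asset", "os services critical maintained")

def parse_ts(s):
    return datetime.strptime(s, TS_FMT)

def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not an alert_fast line: %r" % line)
    return Alert(parse_ts(m["ts"]), int(m["sid"]), m["msg"],
                 m["src"], m["dst"], int(m["dport"]))

def answered(alert, flows, window=timedelta(seconds=60)):
    """True if the target sent anything back to the attacker from the probed
    port shortly after the alert; a SYN scan nobody answered gives False."""
    return any((src, sport, dst) == (alert.dst, alert.dport, alert.src)
               and alert.ts <= ts <= alert.ts + window
               for ts, src, sport, dst, _ in flows)

def triage(alert, rule_products, inventory, flows):
    """Score one alert with the post's checklist; returns (score, level, reasons)."""
    score, reasons = 0, []
    asset = inventory.get(alert.dst)
    product = rule_products.get(alert.sid)
    if asset is None:
        reasons.append("target not in inventory")
    else:
        listening = asset.services.get(alert.dport)
        if product and listening == product:
            # Signature is for what really listens there. Count it less when the
            # admin is trusted to patch (the post's WIZ-against-a-current-MTA case).
            score += 1 if asset.maintained else 3
            reasons.append("target runs %s on port %d" % (product, alert.dport))
        elif product:
            reasons.append("signature is for %s, port has %s" % (product, listening or "nothing"))
        if asset.critical:
            score += 2
            reasons.append("mission critical host")
        if asset.os == "nt":
            score += 1
            reasons.append("NT host: go look at it")
    if answered(alert, flows):
        score += 2
        reasons.append("target replied to the attacker")
    else:
        reasons.append("no return traffic seen")
    level = "investigate now" if score >= 6 else "review" if score >= 3 else "low"
    return score, level, reasons

# --- constructed sample data ----------------------------------------------
RULE_PRODUCTS = {1000001: "iis", 1000002: "subseven", 1000003: "sendmail"}
INVENTORY = {
    "192.0.2.10": Asset("nt", {80: "iis", 443: "iis"}, critical=True, maintained=False),
    "192.0.2.20": Asset("qnx", {80: "apache"}, critical=False, maintained=True),
    "192.0.2.30": Asset("linux", {25: "sendmail"}, critical=True, maintained=True),
}
ALERT_LINES = [
    "06/08-10:00:00.000001  [**] [1:1000001:1] WEB-IIS unicode directory probe [**] [Priority: 2] {TCP} 198.51.100.5:4000 -> 192.0.2.10:80",
    "06/08-10:00:05.000001  [**] [1:1000001:1] WEB-IIS unicode directory probe [**] [Priority: 2] {TCP} 198.51.100.5:4001 -> 192.0.2.20:80",
    "06/08-10:01:00.000001  [**] [1:1000002:1] SCAN SubSeven probe [**] [Priority: 3] {TCP} 198.51.100.5:4002 -> 192.0.2.30:27374",
    "06/08-10:02:00.000001  [**] [1:1000003:1] SMTP WIZ attempt [**] [Priority: 2] {TCP} 198.51.100.5:4003 -> 192.0.2.30:25",
]
# Firewall flows (ts, src, sport, dst, dport): nobody answered the SubSeven probe.
FLOWS = [
    (parse_ts("06/08-10:00:00.200000"), "192.0.2.10", 80, "198.51.100.5", 4000),
    (parse_ts("06/08-10:00:05.300000"), "192.0.2.20", 80, "198.51.100.5", 4001),
    (parse_ts("06/08-10:02:00.100000"), "192.0.2.30", 25, "198.51.100.5", 4003),
]

def run_sample():
    """Triage every sample alert; returns [(sid, dst, level), ...]."""
    out = []
    for a in map(parse_alert, ALERT_LINES):
        score, level, reasons = triage(a, RULE_PRODUCTS, INVENTORY, FLOWS)
        print("%s sid %d -> %s (%d): %s" % (a.dst, a.sid, level, score, "; ".join(reasons)))
        out.append((a.sid, a.dst, level))
    return out
```

On the sample data the IIS probe against the unpatched NT web server that answered comes out "investigate now", the same probe against the QNX box running Apache is "low" even though Apache replied, the unanswered SubSeven scan is "low", and the WIZ attempt against a well-maintained but critical mail server lands in "review". The weights are a starting point to tune, but the structure (inventory lookup, return-traffic check, trust in the admin) is what lets the /16 be triaged without reading the log line by line.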
Current thread:
- How do you know... Colin Wu (Jun 08)
- Re: How do you know... Brian Caswell (Jun 08)
- Re: How do you know... Andreas Östling (Jun 09)
