Thread: Re: IDS detection approaches

Re: IDS detection approaches
2007-10-04 21:29:52
Hola,

I would completely go with a signature based IDS. Anomaly based IDS will not give you the greatest results.

For signature based I highly recommend SNORT. It is probably one of the best IDS out there. Now I'm not just saying this as a "ooh open source is the best". I truly believe this. I actually used to be a huge Cisco buff and just dealt with Cisco IDS. However, at my current job I am a security analyst and have to analyze events from Cisco, ISS, Juniper, etc, and SNORT beats them all. Mainly for the fact that you are able to see the packet payload and are able to make the decision if something is malicious based on the actual payload and not just the signature that is triggered (like some IDS). Also, when a new threat emerges usually SNORT users will create a signature to combat the threat. The other vendors create the signatures for you and it usually ends up to be like 3 months after the threat was actually a realistic threat. And on top of it the vendor signatures usually give out a huge amount of false positives. Then again, an IDS is only as good as who tunes it. If you take ANY IDS and turn it on in a production network you will have so many false positives I guarantee you will miss actual threats. Every IDS (including SNORT) has to be tuned for the production network it is on.

Finally, make sure to place the IDS behind the firewall. If you place it in front of the firewall you will receive so much traffic that it is just not valuable data. You have a firewall, so let the firewall do its job and block the already known bad activity, and catch what gets through the firewall with an IDS.

-FF
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Re: IDS detection approaches
2007-10-05 18:51:08
Frank,

This is an unfair, and inaccurate, generalization on Cisco IPS. I can't speak for ISS or Juniper, but assume the same there.

Since Cisco IDS 4.1, verbose alert information has been available, and is part of the alert (when enabled). In 4.1, this was referred to as TriggerPacket data, and now is called Verbose Alert. A Cisco verbose alert contains all information normally existing in an IDS/IPS alert, as well as a PCAP of the packet that triggered the alert. You can analyze this packet in whichever tool you prefer, just as if you'd captured it with tcpdump.

Over the last several years, Cisco has had a great track record of releasing new signatures in a very short time period when new threats are discovered. Since January 1, 2006, there have been 92 signature updates. When new threats (especially dangerous threats) emerge, a new signature update is released in a very short time -- sometimes hours.

Additionally, all Cisco IPS signatures are open. You are able to view all or most fields of signatures, create your own, and modify existing signatures. You do not need to wait for Cisco to release new signatures if you have sufficient IDS/IPS skills to write a new signature. If you can write a snort rule, you can write a Cisco IPS signature.

Gary
On 10/4/07 7:29 PM, "frankfrydrych gmail.com" <frankfrydrych gmail.com> wrote:

> Hola,
>
> I would completely go with a signature based IDS. Anomaly based IDS will not
> give you the greatest results.
The Hacker only has to be right once...
Stay Secure!
Gary Halleen, CISSP ISSAP, CHP
Consulting Security Engineer
Western Area Security Team
Cisco Systems
5300 SW Meadows Road, Suite 300
Lake Oswego OR 97035
(503) 598-7134
Author, Security Monitoring with CS-MARS, ISBN: 1587052709

Re: IDS detection approaches
2007-10-06 08:43:19
Hello Frank,

On 5 Oct 2007 02:29:52 -0000
frankfrydrych gmail.com wrote:

> Hola,
>
> I would completely go with a signature based IDS. Anomaly based IDS
> will not give you the greatest results.

As for signature based IDS...

Let's imagine a so-called "0-day": how could you get a signature for a thing that nobody has seen?

I don't say anomaly based IDS are best; they're complementary, for precisely trying to find what the signature based ones do not see.

Best regards,
Jean-philippe.

Re: IDS detection approaches
2007-10-06 15:54:47
> I would completely go with a signature based IDS. Anomaly based IDS will not
> give you the greatest results.

Seems like this conversation just comes up over and over on this list. It's like a broken record.

Anyway, defend the above statement. What experience do you have with anomaly/behavior systems? I suspect not much. At least not with any of the modern ones such as that from Mazu or Lancope.

Nowadays when you talk about "anomaly IDS" you're talking about NetFlow-based systems that absolutely smoke sig-based systems on cost vs. value. If you have 500 sites on an MPLS cloud, you need 500 SPAN/tap/mirror based probes. Not so with NetFlow-based systems. You need only a flow collector appliance and a management console. The routers at each of the sites provide a "virtual probe" of sorts that sends traffic accounting telemetry back to the centrally located collector. Far cheaper than anything you'll get out of a sig-based platform.

I recommend sig-based systems at critical areas in the network (datacenter switch fabrics, Internet ingress/egress points, etc.) and NetFlow technology everywhere else. Together they make a powerful combination. But simply saying "Anomaly based IDS will not give you the greatest results" is an uninformed, dated, and inaccurate view of the way things really are.
On 10/4/07 10:29 PM, "frankfrydrych gmail.com" <frankfrydrych gmail.com> wrote:

> Hola,
>
> I would completely go with a signature based IDS. Anomaly based IDS will not
> give you the greatest results.
--
Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam lancope.com
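The complementary pair argued for above, Jean-philippe's point that a 0-day has no signature to match and Adam's point that router flow telemetry carries no payload but sees every site, can be run side by side on one data set. This is an added example, not code from the thread or from Snort, Lancope or Mazu; the hosts, byte counts, baseline figures and the EXAMPLE-KNOWN-BAD content string are all constructed.

```python
"""Signature matching versus NetFlow-style anomaly detection.

Added example, not code from the list thread or from any product named in
it. All hosts, byte counts, baseline figures and the signature are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-host baseline: five prior days of (distinct destinations
# contacted, total bytes sent), as a flow collector would summarise them.
BASELINE = {
    "10.0.1.5": [(12, 4_200_000), (14, 3_900_000), (11, 4_500_000),
                 (13, 4_100_000), (12, 4_000_000)],
    "10.0.1.9": [(30, 9_000_000), (28, 8_800_000), (33, 9_400_000),
                 (29, 9_100_000), (31, 8_900_000)],
}

# Hypothetical content signature (stand-in for a Snort "content:" match).
RULES = {"EXAMPLE-KNOWN-BAD": b"EXAMPLE-KNOWN-BAD"}

# Constructed flows for "today": (src, dst, dport, bytes, payload). Real
# NetFlow records carry no payload; the field is what a packet sensor on the
# same link would see, so both detectors can be run over one data set.
TODAY = (
    # 10.0.1.5 touches 40 hosts with tiny flows carrying bytes no rule knows.
    [("10.0.1.5", f"10.0.2.{i}", 445, 600, b"novel-bytes") for i in range(1, 41)]
    # 10.0.1.9 looks normal in volume, but one flow carries the known-bad bytes.
    + [("10.0.1.9", f"10.0.3.{i}", 443, 300_000, b"") for i in range(1, 30)]
    + [("10.0.1.9", "10.0.3.30", 443, 300_000, b"GET /x EXAMPLE-KNOWN-BAD")]
)


def signature_hits(flows, rules=RULES):
    """Return (src, dst, rule) for every flow whose payload matches a rule."""
    return [(src, dst, name) for src, dst, _, _, payload in flows
            for name, needle in rules.items() if needle in payload]


def flow_anomalies(flows, baseline=BASELINE, k=3.0):
    """Flag sources whose distinct-destination count or byte volume exceeds
    the baseline mean by more than k standard deviations (upper side only;
    a collapse in volume is also worth an alert but is omitted here).
    Sources with no baseline history are skipped."""
    dsts, total = defaultdict(set), defaultdict(int)
    for src, dst, _, nbytes, _ in flows:
        dsts[src].add(dst)
        total[src] += nbytes
    reasons = defaultdict(list)
    for src, history in baseline.items():
        for label, observed, series in (
            ("distinct_dsts", len(dsts[src]), [h[0] for h in history]),
            ("bytes", total[src], [h[1] for h in history]),
        ):
            limit = mean(series) + k * pstdev(series)
            if observed > limit:
                reasons[src].append(f"{label}={observed} > {limit:.0f}")
    return dict(reasons)


if __name__ == "__main__":
    print("signature:", signature_hits(TODAY))   # catches 10.0.1.9 only
    print("anomaly:  ", flow_anomalies(TODAY))   # catches 10.0.1.5 only
```

Neither detector alone sees both hosts: the scan-like host never matches a rule, and the host sending a known-bad string never leaves its volume baseline.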

RE: IDS detection approaches
2007-10-06 03:38:01
FF, I believe IDS placement should depend upon its purpose. The purpose of the IDS should determine where the IDS is placed. For example, an IDS whose purpose is to identify all possible inbound threats for firewall tweaking (or returning traffic back to the community ;]) should be placed outside the firewall. A production protection IDS would probably be better placed inside the firewall. Defense-in-depth and architecture design are two key points to remember.

As far as answering the initial question, one new trend is "vector-based" modeling. Take a look at http://www.trustedsource.org/, and the trustedsource query. Plug in a few IP addresses and see. (NOTE: I do not work for Secure Computing.) The simplistic idea is a network space, 192.168.1.x (for example), is given a "credit card" score (or trust-worthiness score). This "trust-worthiness" score is a determination of the network space to be secure and remain secure at a given point in time. If the IP address or network space is flagged as malicious, a firewall admin may wish to block all traffic to/from that IP space. Remember that saying about blocking email based upon country codes/location/email language due to the likelihood of spam? This takes that idea and makes it a little more useful, in my opinion. This is possible because it is an aggregation of flow data, signature based and heuristic/anomaly detection IDS capabilities.

Partially referring back to the initial paragraph and what others have mentioned, a company needs a blended IDS system. Signature-based systems require dedicated analysts to maintain, and can quickly absorb storage space on large links. Flow data, usually coming from routers, can provide important information. However, it usually requires an outside trigger (like a trustworthiness score or an IDS event) to research. One of the key benefits of flow data is the amount of traffic passed for an event. An IDS system may not capture the full stream or storage may be an issue. Flow data can record the total bytes passed, which can be in the 10s of megs of data, in the space of a few hundred bytes. So the conversation turns back into defense-in-depth and architecture design.

I think application layer / "deep packet analysis" is also starting to take off, as well.

Hopefully this helps, Snort user.
-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of frankfrydrych gmail.com
Sent: Thursday, October 04, 2007 4:30 PM
To: focus-ids securityfocus.com
Subject: Re: IDS detection approaches

Hola,

I would completely go with a signature based IDS. Anomaly based IDS will not give you the greatest results.
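Merigoth's two points about flow data, that a transfer of tens of megabytes fits in a record of a few dozen bytes and that flows are researched on an outside trigger such as an IDS event, as an added example (not the poster's code and not a real NetFlow export format; the packets, the fixed record layout and the IDS event are constructed):

```python
"""Packet-to-flow aggregation and the "outside trigger" pivot on flow data.

Added example, not code from the list post. Packets, the IDS event and the
fixed record layout are constructed; the layout is NetFlow-like but is not
a real export format.
"""
import socket
import struct
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first: float
    last: float
    packets: int = 0
    nbytes: int = 0


def aggregate(packets, timeout=120.0):
    """Collapse (ts, src, dst, proto, sport, dport, length) packets into
    unidirectional flows keyed on the 5-tuple. A silence longer than
    `timeout` closes the flow and starts a new one, like a router's
    inactive timer."""
    active, finished = {}, []
    for ts, src, dst, proto, sport, dport, length in sorted(packets):
        key = (src, dst, proto, sport, dport)
        flow = active.get(key)
        if flow is None or ts - flow.last > timeout:
            if flow is not None:
                finished.append(flow)
            flow = active[key] = Flow(src, dst, proto, sport, dport, ts, ts)
        flow.last = ts
        flow.packets += 1
        flow.nbytes += length
    return finished + list(active.values())


def encode_record(flow):
    """Serialise one flow as a fixed 37-byte record (constructed layout:
    two IPv4 addresses, proto, two ports, two timestamps, two counters)."""
    return struct.pack("!4s4sBHHddII", socket.inet_aton(flow.src),
                       socket.inet_aton(flow.dst), flow.proto, flow.sport,
                       flow.dport, flow.first, flow.last, flow.packets,
                       flow.nbytes)


def pivot(flows, host, t0, t1):
    """The research step a collector runs when an outside trigger (an IDS
    event naming `host` around time t0..t1) arrives: every flow touching
    the host in that window, plus the total bytes they carried."""
    hits = [f for f in flows
            if host in (f.src, f.dst) and f.last >= t0 and f.first <= t1]
    return hits, sum(f.nbytes for f in hits)


# Constructed traffic: a ~20 MB upload of 14,000 full-size segments from
# 10.0.1.5, plus five DNS queries from the same host.
PACKETS = [(100.0 + i * 0.01, "10.0.1.5", "203.0.113.7", 6, 51000, 443, 1460)
           for i in range(14000)]
PACKETS += [(100.0 + i, "10.0.1.5", "10.0.0.53", 17, 40000 + i, 53, 70)
            for i in range(5)]

if __name__ == "__main__":
    flows = aggregate(PACKETS)
    # Constructed IDS event: something fired on 10.0.1.5 around t=150.
    related, total_bytes = pivot(flows, "10.0.1.5", 140.0, 160.0)
    print(len(flows), "flows;", total_bytes, "bytes summarised in",
          len(encode_record(related[0])), "bytes")
```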

Re: IDS detection approaches
2007-10-14 10:30:31
I think blocking packets based on scoring of the source is a very bad way to go; just like spam, it will result in a lot of false positives, and actually lead to a "selective" internet which I am sure many don't want. The thing is, by scoring you cannot just decide a subnet is likely to have attacks originating from it and thus block that subnet (like people do with e-mails). I happened to see a lot of e-mail servers which were blocked due to CBLs and such and were in fact clean servers, but removing such an entry from the CBLs is a very long, tiring process, resulting in servers such as Hotmail which many don't use because it blocks many subnets. I would hate to see the same happen with IDS, i.e. trying to surf the internet and getting a "your page has been blocked due to IP blacklisting from your subnet" because someone decided to perform an attack from my subnet.

My 2 cents.... ;)
'Merigoth' wrote:
> FF, I believe IDS placement should depend upon its purpose. The
> purpose of the IDS should determine where the IDS is placed. For
> example, an IDS whose purpose is to identify all possible inbound
> threats for firewall tweaking (or returning traffic back to the
> community ;]) should be placed outside the firewall. A production
> protection IDS would probably be better placed inside the firewall.
> Defense-in-depth and architecture design are two key points to
> remember.
--
Liran Cohen
http://www.rct.co.il
http://www.dir.rct.co.il