Jimi Thompson | 1 Dec 2004 05:34

Re: IDS requirement

I realize that I'm a bit late here, but it's been a holiday.  We had a
similar discussion on the SNORT mailing list recently and I'll distill
it down for you.  The general consensus is that IPS is mostly
marketing hype.  Unless you are doing something to identify an attack
in progress in real time and actively doing something (i.e. modifying
a firewall rule or routing table) to stop that attack, you are not an
IPS, because you are not, by definition, preventing anything.

IDS = intrusion detection system

IPS = intrusion prevention system

HTH,

Jimi

On Mon, 22 Nov 2004 15:28:28 -0600 (CST), skill2die4 <at> secguru.com
<skill2die4 <at> secguru.com> wrote:
> 
> >
> > Can anyone email me a document on how IDS/IPS actually
> > works.....with the terminology well explained.
> >
> 
> IMHO, articles of your interest would be :
> 
> FAQ's
> ============
> [FAQ] Sniffing (network wiretap, sniffer)
> [FAQ] IDS

Karel Chwistek | 1 Dec 2004 09:30

Re: NIDS and HIDS

Try to look at:

    IBM Tivoli Security Compliance Manager - 
http://www-306.ibm.com/software/tivoli/products/security-compliance-mgr/

K.

> 
> I just recently started a new job as a network security analyst and one
> of my projects is to implement an intrusion detection system.  I've been
> doing some research and pursuing the listserv archives and was wondering
> if anyone had any thoughts/opinions.
> 
> 
> For NIDS's, I've been looking at SourceFire's commercialized version of
> Snort, CISCO's IDS appliances, and McAfee's IntruShield.
> 
> 
> For HIDS's, there appears to be three main categories:  monitoring the
> host's file system, the host's network connections, and the host's log
> files.
> --Host's file system:  I'm looking at Tripwire Manager, Tripwire for
> Servers, and Tripwire for Network Devices.
> 
> --Host's network connections:  I'm looking for an enterprise-wide
> solution that we can roll out to all the Windows XP machines and
> centrally manage.  Since we already use Symantec for anti-virus,
> Symantec's Client Security 2.0 seems to incorporate a centrally managed
> personal firewall, HIDS, and anti-virus capability. 
> 

Shaiful | 2 Dec 2004 03:06

RE: Foolin an IDS ?

Hi,

There is a new paper by OK for IDS evasion:

Advanced Polymorphic Worms: Evading IDS by Blending in
with Normal Traffic, by Oleg Kolesnikov, Dave Dagon,
and Wenke Lee, 2004.

http://www.cc.gatech.edu/~ok/w/ok_pw.pdf

Regards,
Shaiful
--- Eric Hines <eric.hines <at> appliedwatch.com> wrote:

> There is a pretty well known paper written by Ptacek
> and Newsham "Intrusion
> Detection System Insertion, Evasion, and Denial of
> ServicE" that outlines
> multiple techniques for eluding IDS':
> http://secinf.net/info/ids/idspaper/idspaper.html
> 
> A tool was created based on the techniques outlined
> in this paper called
> Fragroute by Dug Song which illegally fragments your
> outbound packets to a
> destination host based on how you tell it to
> fragment the traffic.
> "fragroute intercepts, modifies, and rewrites egress
> traffic destined for a
> specified host, implementing most of the attacks

Timm, Kevin | 1 Dec 2004 19:15

RE: NIDS and HIDS

For HIDS there is also kernel level process interruption which actually does
some protection somewhat like AV.

-----Original Message-----
From: Karel Chwistek [mailto:karel_chwistek <at> cz.ibm.com] 
Sent: Wednesday, December 01, 2004 2:31 AM
To: Focus IDS List
Subject: Re: NIDS and HIDS

Try to look at:

    IBM Tivoli Security Compliance Manager - http://www-306.ibm.com/software/tivoli/products/security-compliance-mgr/

K.

> 
> I just recently started a new job as a network security analyst and 
> one of my projects is to implement an intrusion detection system.  
> I've been doing some research and pursuing the listserv archives and 
> was wondering if anyone had any thoughts/opinions.
> 
> 
> For NIDS's, I've been looking at SourceFire's commercialized version 
> of Snort, CISCO's IDS appliances, and McAfee's IntruShield.
> 
> 
> For HIDS's, there appears to be three main categories:  monitoring the 
> host's file system, the host's network connections, and the host's log 
> files.
> --Host's file system:  I'm looking at Tripwire Manager, Tripwire for 

Brito, Nelson (ISS Brazil | 1 Dec 2004 21:03

RE: IDS requirement

I disagree, because the IPS concept is misunderstood by almost
everybody.

IPS, as you said, is Intrusion Prevention (some people say Protection)
System.

IMHO, IPS is something between the source of attack and the target,
blocking or stopping the attack in real time, without interaction (or
any kind of re-configuration) with other device / application.   

The IPS, by default, uses its own engine to do that, which means that
IPS needs to re-configure neither Firewalls nor Routers to block
or stop a threat, even because IPS is not just a technology to use
protecting network segments. It is a concept, as I said below, between
the source of attack and the target. It can be a HIPS, stopping the
attack before it reaches the target (OS).

So, briefly, IPS can be:  
1 - A network engine to stop attacks before they reach the target
systems, a device in other words;  
2 - An engine installed on a machine which stops the attacks before they
reach the machine, an engine working in Kernel space or even at a lower
level.

Sorry for my broken English; it is not my main language, by the way.

Cheers.

- nb


Jason Haar | 1 Dec 2004 22:03

Re: NIDS and HIDS

Karel Chwistek wrote:

>>For HIDS's, there appears to be three main categories:  monitoring the
>>host's file system, the host's network connections, and the host's log
>>files.
>>--Host's file system:  I'm looking at Tripwire Manager, Tripwire for
>>Servers, and Tripwire for Network Devices.
>>
>>    
>>

Slightly OT - but are the days of filesystem monitoring over? I mean, 
systems must move towards automated updates (e.g. Windows Update, YUM) - 
which means that "the system" can and will change OS files at will. A 
filesystem integrity checking solution will go off nearly daily in such 
an environment.

Or am I just out of touch, and the commercial ones take that into 
account somehow (it would be easy enough on RPM-based Linux systems - 
they could interrogate the RPM database to see if something was recently 
upgraded. Hmmm - but how could they tell it wasn't done by a hacker?)

I know this list is full of people who do InfoSec for a living - but the 
cold reality is that 99.9% of business isn't represented here - they 
need security solutions that work and don't require a lot of interaction 
(I am forever hearing from people about their failed NIDS rollouts 
because they didn't appreciate the amount of personnel time and effort 
was required to maintain it). HIDS - like NIDS - need lots of 
interaction (how many of our Mums can run ZoneAlarm comprehensively?)

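The "interrogate the package database" idea above, worked through as an added example (not code from the post, from Tripwire, or from any vendor): a file-integrity checker that hashes a baseline, and when a file changes, asks whether the new digest is exactly what the installed package ships. A change that matches a package manifest is consistent with an automated update; a change that matches no manifest is the one worth an alert. The package database and the files are constructed in a temporary directory so the script runs offline; real RPM metadata would come from the rpm database.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Snapshot the current digests of the monitored files."""
    return {p: sha256_file(os.path.join(root, p)) for p in rel_paths}


def classify_changes(root, baseline, package_db):
    """Compare the files against the baseline and explain each change.

    package_db maps package name -> {relative path: expected sha256}; it is a
    stand-in for the RPM database.  Verdicts:
      'unchanged'        digest equals the baseline
      'package:<name>'   new digest is what the installed package ships
                         (consistent with an automated update)
      'unexplained'      digest matches no package manifest: investigate
    """
    shipped = {}
    for pkg, files in package_db.items():
        for p, digest in files.items():
            shipped[p] = (pkg, digest)
    verdicts = {}
    for p, old in baseline.items():
        now = sha256_file(os.path.join(root, p))
        if now == old:
            verdicts[p] = "unchanged"
        elif p in shipped and shipped[p][1] == now:
            verdicts[p] = "package:" + shipped[p][0]
        else:
            verdicts[p] = "unexplained"
    return verdicts


def run_demo():
    """Constructed scenario: one file replaced by a package update, one file
    altered outside any package, one file untouched."""
    root = tempfile.mkdtemp()
    files = {
        "bin/ls": b"ls v1\n",
        "bin/login": b"login v1\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    baseline = build_baseline(root, files)

    # A legitimate update replaces bin/ls; the package DB records the new digest.
    new_ls = b"ls v2\n"
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(new_ls)
    # bin/login is changed by something that updated no package manifest.
    with open(os.path.join(root, "bin/login"), "wb") as f:
        f.write(b"login v1 + extra\n")

    package_db = {  # constructed package names and manifests
        "coreutils-2": {"bin/ls": hashlib.sha256(new_ls).hexdigest()},
        "util-linux-1": {"bin/login": hashlib.sha256(files["bin/login"]).hexdigest()},
    }
    return classify_changes(root, baseline, package_db)


if __name__ == "__main__":
    for path, verdict in sorted(run_demo().items()):
        print(f"{path:12} {verdict}")
```

This answers the "how could they tell it wasn't done by a hacker?" question only partially: the comparison is as trustworthy as the manifest it reads. Anyone with root can rewrite the local package database, so the digests should come from package signatures verified against a key the checker trusts, or from a copy of the manifests held off the monitored host.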

Daniel Hamburg | 2 Dec 2004 08:15

IDS, IPS and encrypted traffic

Hello everybody,

I’ve been looking around the net for a while, trying to find some theoretical and practical approaches to
solve the problem of analyzing encrypted traffic.

I know that there is a need to decrypt the traffic before analyzing it, but I haven’t found any concrete
solutions for either NIDS or HIDS yet. Some HIDS vendors announced that their products are capable of analyzing
encrypted traffic, but I didn’t succeed in finding any details about that.

Does anybody know some products or papers which deal with the problem of analyzing encrypted traffic?

Thanks in advance,
  Daniel Hamburg

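The problem stated above, shown in running code as an added example (not from the post or from any vendor): the same content signature is applied once by a network sensor to the bytes on the wire and once by an endpoint-side sensor that holds the session key and decrypts first. The cipher is a toy SHA-256 counter-mode keystream used only so the script runs without third-party libraries; the signature, key and request are all constructed.

```python
import hashlib
import re

# Constructed content signature: a classic path-traversal string a NIDS rule
# would look for in an HTTP request.
SIGNATURE = re.compile(rb"\.\./\.\./etc/passwd")


def keystream(key, length):
    """Toy counter-mode keystream from SHA-256.  Illustration only; not a cipher
    to use for anything real."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # an XOR stream cipher is its own inverse


def nids_inspect(wire_bytes):
    """What a network sensor can do: match on exactly the bytes it sees."""
    return SIGNATURE.search(wire_bytes) is not None


def hids_inspect(session_key, wire_bytes):
    """What an endpoint-side sensor can do: decrypt with the session key the
    endpoint already holds, then apply the same signature."""
    return SIGNATURE.search(decrypt(session_key, wire_bytes)) is not None


def run_demo():
    key = b"constructed-session-key"
    request = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
    return {
        "nids_plaintext": nids_inspect(request),
        "nids_encrypted": nids_inspect(encrypt(key, request)),
        "hids_encrypted": hids_inspect(key, encrypt(key, request)),
    }


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name:16} signature hit = {hit}")
```

Once the payload is encrypted the network sensor is left with what stays in the clear (addresses, ports, handshake metadata, sizes and timing) unless it is placed behind a point where the traffic is decrypted; content inspection otherwise has to happen on the endpoint, which is where the HIDS vendors' claims would have to be realised.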
--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

mavericks2 | 1 Dec 2004 05:10

Port Speed setting in Cisco IDS 4235

Hi all,

I am trying to set up a Cisco IDS Appliance 4235 which typically has a 10/100/1000 Mb port used for monitoring.
The switch to which this port is connected does not support 1000 Mbps, so there is continuous flapping on the
switch port where the IDS is connected. Hence I am trying to fix the port speed on the IDS box but am unable to do
so since there is no option provided in the configuration menus of the IDS or VMS.

Could someone please help me out with how to configure the port speed / mode on the sniffing interface of the
Cisco IDS appliance 4235......

Thanks in Advance,

Regards,

Sunil D.


Terry S | 2 Dec 2004 18:10

CiscoWorks - VMS - IDS Monitoring and Alerting

I was wondering if Cisco has any “Best Practices” on the best ways to use IDS Event Manager, and/or do you know
what other companies are doing to best use it. I feel that we are not getting 100% out of it. I am still having
issues with monitoring and making sure we are getting the right alerts. I feel like unless I have someone
sitting right in front of it watching every minute, we are missing things.

I have downloaded a Perl script from Cisco’s website but you are still limited on what you can assign the
script to. 

For example: When I go to assign the script to a filter the only choices I have are: 

Originating Device 
Originating Device Address 
Attacker Address 
Victim Address 
Signature Name 
Signature ID 
Severity 

From these choices not one is good because you have to know info, like Originating Device IP. If I pick
Severity = High then all High alerts trigger the script. When I tested this one I was getting e-mail after
e-mail. I did set the thresholds. 

What would be nice if there was a way to do “Grouping” Signatures, meaning that I could make a group and add
all the Virus/Worm related signatures to that group and then create a filter that would alert when a
signature from that group was matched? Grouping would allow us to focus our alerts a little better. 

Any help or suggestions would be nice on the best way to get the Event Manager to alert us to an issue.

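The grouping-plus-threshold filter described above, as an added example (not from the post and not a Cisco or VMS feature): signatures are assigned to named groups, a filter fires only for selected groups, and instead of one mail per event it emits one alert per (group, victim) once a threshold of matching events lands inside a time window. The signature IDs, group names and event records are all constructed; real Cisco signature IDs differ.

```python
from collections import defaultdict

# Constructed signature groups.  IDs are made up for the example.
GROUPS = {
    "virus_worm": {5001, 5002, 5003},
    "recon": {2001, 2002},
}


def group_of(sig_id):
    """Return the group a signature belongs to, or None if ungrouped."""
    for name, ids in GROUPS.items():
        if sig_id in ids:
            return name
    return None


def count_by_severity(events, severity):
    """The 'Severity = High' filter from the post: one hit per matching event."""
    return sum(1 for ev in events if ev["severity"] == severity)


def group_alerts(events, groups_to_alert, threshold, window_seconds):
    """Emit one alert per (group, victim) when at least `threshold` events
    from a selected group hit that victim within `window_seconds`.  The
    bucket is cleared after an alert so a later burst can alert again."""
    buckets = defaultdict(list)  # (group, victim) -> timestamps in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        g = group_of(ev["sig_id"])
        if g not in groups_to_alert:
            continue
        key = (g, ev["victim"])
        ts = buckets[key]
        ts.append(ev["ts"])
        while ts and ev["ts"] - ts[0] > window_seconds:  # expire old hits
            ts.pop(0)
        if len(ts) >= threshold:
            alerts.append({"group": g, "victim": ev["victim"],
                           "count": len(ts), "first": ts[0], "last": ev["ts"]})
            buckets[key] = []
    return alerts


def ev(ts, sig_id, severity, victim):
    """Build a constructed event record (attacker address fixed for brevity)."""
    return {"ts": ts, "sig_id": sig_id, "severity": severity,
            "attacker": "192.0.2.10", "victim": victim}


# Constructed sample feed: a worm burst against one host, one stray worm
# signature elsewhere, some recon, and an ungrouped high-severity event.
EVENTS = [
    ev(0, 5001, "High", "10.0.0.5"),
    ev(20, 5002, "High", "10.0.0.5"),
    ev(45, 5001, "High", "10.0.0.5"),
    ev(70, 5002, "High", "10.0.0.5"),
    ev(90, 5001, "High", "10.0.0.5"),
    ev(100, 5003, "High", "10.0.0.9"),
    ev(110, 2001, "Medium", "10.0.0.5"),
    ev(120, 2002, "Medium", "10.0.0.7"),
    ev(130, 9999, "High", "10.0.0.5"),
]


def run_demo():
    """Compare the severity-only filter with the grouped, thresholded one."""
    severity_hits = count_by_severity(EVENTS, "High")
    alerts = group_alerts(EVENTS, {"virus_worm"}, threshold=3, window_seconds=300)
    return severity_hits, alerts


if __name__ == "__main__":
    hits, alerts = run_demo()
    print(f"'Severity = High' would have sent {hits} mails")
    for a in alerts:
        print(f"grouped alert: {a['group']} against {a['victim']}, "
              f"{a['count']} events between t={a['first']} and t={a['last']}")
```

With the sample feed the severity filter produces seven mails, while the grouped filter produces a single alert for the worm burst against 10.0.0.5 and nothing for the lone hit on 10.0.0.9, which is the kind of focusing the post asks for.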

Gary Halleen (ghalleen | 2 Dec 2004 19:14

RE: Port Speed setting in Cisco IDS 4235

Changing the port speed/duplex settings is not currently supported on the
sensors.  You should first check and make sure the speed/duplex is not
hard-configured on the switch.  It should be set to AUTO, and in nearly all
cases, this allows the sensor to set to the best setting automatically.

That said, it is possible to change the settings manually, and this is
something TAC can assist with if the first option doesn't work.  Send me a
private e-mail if you'd like and I'll elaborate.

Gary

-----Original Message-----
From: mavericks2 <at> bigpond.com [mailto:mavericks2 <at> bigpond.com] 
Sent: Tuesday, November 30, 2004 8:11 PM
To: focus-ids <at> securityfocus.com
Subject: Port Speed setting in Cisco IDS 4235

Hi all,

I am trying to set up a Cisco IDS Appliance 4235 which typically has a
10/100/1000 Mb port used for monitoring. The switch to which this port is
connected does not support 1000 Mbps, so there is continuous flapping on the
switch port where the IDS is connected. Hence I am trying to fix the port
speed on the IDS box but am unable to do so since there is no option provided
in the configuration menus of the IDS or VMS.

Could someone please help me out with how to configure the port speed / mode
on the sniffing interface of the Cisco IDS appliance 4235......

Thanks in Advance,
