Justin.Ross | 1 Jun 2005 01:08

Re: New to Snort !!!

There are really two schools of thought on where to place an IDS, one is 
external, the other is internal; in a perfect world you'll want to cover 
both and diff the logs (to see what made it through and what didn't).

I agree that for testing (performance and functionality) and fun you should 
place your IDS on the "outer-most network device"; however, if you are 
constrained by budget/time and can only place one IDS, my advice would be 
to place it inside your edge device, or behind your firewall. You won't 
see external attacks to your firewall, but you will see how/what attacks 
are coming through your edge and into your "trusted" network, and really 
your firewall should be dropping all packets that have the firewall IP 
address as a destination. That's just my opinion but I think you will get 
the most bang for your buck if you see what makes it through to your 
network not just what exists on the Internet. 

By the way, let me tell you how annoying it is to go to the network 
support staff and show them logs of fruitless/mis-targeted/blocked 
attacks and have them say "yeah yeah..  our firewall blocked that... now 
tell us something we don't know." I'd rather show them what their firewall 
is letting through and leverage that to fix the issues/vulnerabilities 
that affect your network. 

There are tons of online references to find out more about Snort and 
Intrusion Detection in general. I really have to recommend the following: 
Snort 2.0 Intrusion Detection or Snort 2.1 Intrusion detection Second 
Edition from Syngress. It's written by Snort developers and it gives a 
great overview of IDS (in my opinion) as well as takes you into the nuts 
and bolts of Snort, pre-processing, optimizing, and it covers reporting 
too. I would have to rate it as a "must have" for you, in your situation. 
I would also recommend Network Intrusion Detection, An Analyst Handbook by 
(Continue reading)

Wilmar SULAIMAN | 1 Jun 2005 04:42

Testing IDS?

Dear all,

I am new to IDS. How do you normally test your IDS? Currently I am 
working with the MIT DARPA 1999 dataset. I believe it is really hard to get 
100% accuracy. One of the issues I found is that because this is post-
attack analysis, we know the victim IP; therefore, do we need to include 
the non-victim IPs in the testing? Including non-victim IPs in the 
testing phase could improve the false positive rate.

I also found this link very useful: http://www.cs.fit.edu/~mmahoney/dist/, 
but the evaluation program doesn't consider the port. So what this 
means is that it could be the case that the attack was intended for port 80, 
but our IDS detected a port 25 packet as a port 80 attack.

Any idea how people normally test their IDS? Especially for the 1999 DARPA 
dataset.

Wilmar Sulaiman

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

(Continue reading)
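Wilmar's question about scoring alerts against a known attack list, with and without matching on the victim port, as an added example that is not part of the thread or of the MIT/DARPA scoring tools; the attack list, alerts and matching rules below are constructed for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attack:            # ground-truth entry: one labelled attack
    name: str
    start: int           # constructed epoch-second window
    end: int
    victim_ip: str
    port: int

@dataclass(frozen=True)
class Alert:             # one IDS alert, reduced to the matched fields
    ts: int
    victim_ip: str
    port: int

# Constructed truth: a web attack on one host, an SMTP probe on another.
TRUTH = [
    Attack("web_exploit", 1000, 1060, "172.16.112.50", 80),
    Attack("smtp_probe", 2000, 2030, "172.16.114.50", 25),
]

# Constructed alerts: a true hit; an alert on the right host in the right
# window but on port 25, not 80 (Wilmar's case); an alert on a host never attacked.
ALERTS = [
    Alert(1010, "172.16.112.50", 80),
    Alert(1020, "172.16.112.50", 25),
    Alert(3000, "172.16.113.50", 21),
]

def matches(alert, attack, use_port):
    """True if the alert falls in the attack's window on the victim host and,
    when use_port is set, also names the attacked port."""
    in_window = attack.start <= alert.ts <= attack.end
    same_host = alert.victim_ip == attack.victim_ip
    same_port = (not use_port) or alert.port == attack.port
    return in_window and same_host and same_port

def score(alerts, truth, use_port):
    """Detected/missed attack names and the false-positive count.  An alert
    that explains no attack is a false positive, including ones on non-victims."""
    detected, false_positives = set(), 0
    for alert in alerts:
        hits = [a.name for a in truth if matches(alert, a, use_port)]
        if hits:
            detected.update(hits)
        else:
            false_positives += 1
    missed = {a.name for a in truth} - detected
    return {"detected": sorted(detected), "missed": sorted(missed),
            "false_positives": false_positives}
```

With `use_port=False` the port-25 alert is silently credited to the port-80 attack, which is the over-counting described in the post; matching on port turns it back into a false positive.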

Fergus Brooks | 1 Jun 2005 06:15

Re: Value of IDS, ROI

We looked at this some time ago and one of my colleagues came across this:

Google ALE (Annual Loss Expectancy) - a way of quantifying risk and calculating
ROI in the operational risk arena.

ALE: calculate the cost of a threat being realized (e.g. house
burning down, US$500,000). Estimate the probability of this event
happening in a 12-month period (e.g. 1 in 1,000). Multiply cost by
probability (in this example, US$500). This provides you with the
maximum amount you should put aside to mitigate the risk each year
(to pay for insurance, sprinklers, whatever).  ALE allows you to
calculate the ROI precisely, to the cent.

There are some very interesting sites dealing with this, specifically
for IS, out there.

Rgds.

On 5/30/05, Jonathan Glass <jonathan.glass <at> gmail.com> wrote:
> One of my colleagues has come up with another strategy for answering the
> ROI question:  Security investments should be lumped into the insurance
> category.  The first year you purchase a piece of equipment, you outlay
> a large amount of cash, and receive some benefit, so there's some sort
> of ROI, but after that, it's all maintenance, and you have to shift the
> focus.  The new formula has to include the cost of NOT having this
> protection in place, and how much it would cost to have a major
> incident, which the Security solution would prevent.
> 
> Right now we're still haggling over this repositioning of security
> investments, so we don't have any good formulas, but I'm sure they could
(Continue reading)

Prashant Khandelwal | 1 Jun 2005 08:26

RE: IDS\IPS that can handle one Gig


Hi Tim,

I totally agree and value your thoughts, and IMHO no compromises
should be made on security. I had pointed out earlier in my e.g. that
turning off fragmentation, or any vital feature for that matter, doesn't
make "any sense in real world security policy".

To be more specific, the intention or bottom line is that a lot of
stuff can be done to tune an IDS/IPS for optimal performance, no
matter whether it's Intel based or ASIC based. A prior acquaintance with the network on
which the IDS/IPS is supposed to be implemented would help tune
performance a lot and reduce false +ves too. For instance (just an
e.g.), if no Apaches are running on your network, then enabling sigs for
them in your policies can hit performance and would not make any
sense as well; likewise there are lots of things and tweaks that can
be done to help any IDS/IPS perform better. 

IMHO one should also look into how much flexibility a
particular vendor gives in their products to the end users so that this
tweaking can be done, as any IDS/IPS can give its best only when it's
tuned for that particular network environment. With this flexibility and
cautious planning, proper security policies should be framed and pushed
to the IDS/IPS to get the best performance and max security. 

Best Regards,
Prashant

-----Original Message-----
From: THolman <at> toplayer.com [mailto:THolman <at> toplayer.com] 
Sent: Wednesday, June 01, 2005 4:24 AM
(Continue reading)

Ramon Kagan | 1 Jun 2005 15:11

Re: Snort on Gigabit [was Re: IDS\IPS that can handle one Gig]

Hi,

My first suggestion is don't use the pre-packaged snort.  In general
compromises for the general case are used during compilation; download the
source and build it yourself.  Secondly, blindly using all of snort's
pre-processors, filters and the like is off-the-bat doomed to fail.  You
need to analyze your traffic, figure out what you don't even allow on your
network and remove the components you don't need.  Thirdly, use the
unified log output format, it's designed for high performance.  As part of
this you should also probably install barnyard to generate a single
unified log but this will be done by another process that doesn't need to
be in real-time (although it will be close).  The idea is to off-load as
much as possible from the snort process to ensure you don't drop packets.

These are some off-the-top-of-my-head suggestions and should be a good
place to start.  You really need to read through all of snort's
documentation though.

Ramon Kagan, GCIA
York University, Computing and Network Services
Information Security  -  Senior Information Security Analyst
(416)736-2100 #20263
rkagan <at> yorku.ca

-----------------------------------------------------------------------------
"I have not failed.  I have just found 10,000 ways that don't work."
	- Thomas Edison
"I don't know the secret to success, but the secret to failure is
trying to please everybody."
	- Bill Cosby
-----------------------------------------------------------------------------
(Continue reading)

Dave Hawkins | 1 Jun 2005 17:31

RE: IDS\IPS that can handle one Gig


I would tend to disagree with the notion that all 'industry' tests are
bought-and-paid-for. NSS for example is a pretty rigorous test that
includes many methods of mixing legit traffic with the attacks, and
they're nice and thorough about testing for stability at gigabit speeds
(at least in the case of their gigabit-IDS, their latest testing edition
comes out soon).  To my knowledge they're very well respected, and don't
simply pass a vendor because they've been paid.  Check out
http://www.nss.co.uk/default.htm for more details on them.

I do agree with Barrett though, be sure that the IPS you're paying for
is going to address your primary needs.  DDoS mitigation can be
difficult, and not all vendors out there can provide protection against
the myriad of attacks (i.e., some can block SYN flooding, but not
partially-completed handshakes).  Some IPS devices that claim gigabit
speeds have been shown to crumble in the face of relatively
insignificant floods (like 20 Mbps), causing huge latency for the
remaining legitimate traffic.  If you're less concerned about DDoS and
need more specific protocol support, make sure you fully understand the
depth to which the IPS analyzes the protocol, or how broad their
signature base is.

If speed/lack of latency is your primary concern when adding a security
device, make sure you find something that's ASIC-based, since most of
the PC-style IPS devices tend to choke when you even attempt to approach
1-gig even on a single segment (not to mention devices that handle
multiple segments in a single appliance).  It wouldn't be a bad idea to
mirror/span the traffic from your switch to the IPS first to see how
many alerts your setup is currently triggering, and investigate for
false-positives, before you put any device in-line.  Mirroring a gig of
(Continue reading)

Andrew Plato | 1 Jun 2005 18:11

RE: IDS\IPS that can handle one Gig


> Another option, and one that many organizations are beginning to
> favor, is to forget the current, "fashionable" notions of IPS and return 
> to basics -- to focus more closely on vulnerability and information 
> management.  I believe that if you have a comprehensive, continuous 
> and meaningful flow of information about the environment and an 
> effective vulnerability remediation program, the need for IPS 
> appliances and agents (band-aids) can be reduced dramatically.  

I hear this every now and then from security people, and I think this is
an attitude born out of a lack of experience with IPS. 

I have yet to see an environment (and I am a consultant so I see
hundreds per year) where there is an effective patch and vulnerability
management that can keep pace with the exploits in the wild. Quite
simply, it is impossible to think you can keep a large enterprise
continuously patched and therefore resistant to the latest
vulnerabilities. 

On average, it can take 20 to 30 days for an organization to roll out a
single Microsoft Windows patch. That includes testing, troubleshooting,
and deployment. In 30 days, your environment could be crawling with all
sorts of filth thanks to unpatched machines.

Furthermore, if you look at the timeline of when a vulnerability is
"discovered", then when an exploit hits the streets - that time can be
days, even hours. In that case, it's still weeks before MS or anybody
releases a patch, and then even more time before you could patch all
your machines. In this case, even under reasonable, well controlled
(Continue reading)

Doug.Janelle | 1 Jun 2005 18:12

Re: New to Snort !!!


Justin.Ross wrote:

> my advice would be to place [the IDS] inside your
> edge device, or behind your firewall. You won't see
> external attacks to your firewall, but you will see
> how/what attacks are coming through your edge and
> into your "trusted" network,

I couldn't agree more, Justin. There's really not a whole
lot one can do about all the miscreants banging on the
door, so inundating your analysts with huge amounts of
data on attacks they can't do anything about only dulls
their senses and dilutes the value of the data. Moving the
sensor inside improves the signal-to-noise dramatically.
You get the most value from knowing who got past your first
line of defence, and who's trying to get back out.

dcj2

(Continue reading)

Palmer, Paul (ISSAtlanta | 1 Jun 2005 18:20

RE: IDS\IPS that can handle one Gig

Tim Holman states:

> Agreed - with a system based around PCI / Intel architecture
> (eg Netscreen IDP, Check Point Interspect/Smart Defense, Cisco
> 4200, ISS Proventia to name but a few), then it makes sense to
> turn off various checks to improve performance, but at what
> cost to security?

This is not a valid conclusion. Whether or not you see performance gains
by disabling checks does not correlate with the chipsets used. Some of
the products you mentioned show consistent performance regardless of
which checks have been enabled. In contrast, some of the "ASIC"
technology products DO show significant performance differences
depending on which checks are enabled.

Anyone making a decision based solely upon the perceived advantages of
the advertised technology of the product is likely to be disappointed.

Paul

-----Original Message-----
From: THolman <at> toplayer.com [mailto:THolman <at> toplayer.com] 
Sent: Tuesday, May 31, 2005 6:54 PM
To: prashant <at> juniper.net; focus-ids <at> securityfocus.com
Subject: RE: IDS\IPS that can handle one Gig

Hi Prashant,

Agreed - with a system based around PCI / Intel architecture (eg
Netscreen IDP, Check Point Interspect/Smart Defense, Cisco 4200, ISS
(Continue reading)

Peter Schawacker | 1 Jun 2005 19:41

RE: IDS\IPS that can handle one Gig

Hiya Andrew,

I always enjoy reading your posts.  Thanks for replying to mine.  I've
answered some of your comments inline below.

I would be remiss if I were not to warn readers that (here comes the
"full-disclosure" statement...) I used to pimp IPS and VM for a certain
company and that I now pimp VM, SIM and related technologies for a different
one.

This is a really important conversation, the IPS/VM balance problem.  Let's
keep it going.  Having worked with both, I for one would like to get more
thoughts about the relationship between IPS and VM out on the table.  

Cheers,

P

-----Original Message-----
From: Andrew Plato [mailto:andrew.plato <at> anitian.com] 
Sent: Wednesday, June 01, 2005 9:12 AM
To: ps <at> tenablesecurity.com; focus-ids <at> securityfocus.com
Subject: RE: IDS\IPS that can handle one Gig

> Another option, and one that many organizations are beginning to
> favor, is to forget the current, "fashionable" notions of IPS and return 
> to basics -- to focus more closely on vulnerability and information 
> management.  I believe that if you have a comprehensive, continuous 
(Continue reading)


Gmane