Slashdot Mirror
Attack Registry And Intelligence Service
thelaw writes: "SecurityFocus just announced the start of their new service, ARIS (Attack Registry and Intelligence Service) Analyzer. The service allows you to submit logs from several different intrusion detection systems automatically and quasi-anonymously. Looking at the front page, they seem to have over 700,000 incidents already reported since starting."
And I'll bet they can clear 1,000,000 attacks before the day is out.
Slashdot: Proof that a million monkeys at a million typewriters can create a masterpiece
This centralized service for reporting will lead to some falsified logs being submitted to get somebody in trouble. I hope people use this service, but I also hope they take it with a grain of salt.
Of course, all too soon, they will have a whole category for "slashdotted"...
--Blair
And my bit of paranoia for the day:
Why do they keep saying how 'secure and private' the log files you send them are? Can't they just trace the IP that sent the log right back to the company and/or individual who owns the IP (unless of course it's a dynamic IP being assigned)? Not that they would want to do so, but let's just stop advertising privacy. There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.
Although some interesting information could pop out of the service, I don't see any real benefit for ME to submit MY logs. In fact, I only see potential harm... after all, what if their security is breached?
If I'm shown to be wrong, then I must reconsider. But for now, I'll stay on the sidelines.
I must have missed something.
I'm not trying to troll or anything but other than the "Cool" factor what does this service do? How is knowing the most common attack types going to help me? The common ones are already patched by clued-in admins. I mean did you see the common attack list? If you're open to SNMP GET you have problems.
Are they going to try and find new attacks with the data or something?
G.H.
Just wait till some crappy band steals your nic.
This service has two sides:
The bright side is that it will bring stats of intrussion attempts. This is particularly interesting, because you can learn wha't going around and take measures before it's too late.
The dark side is that I see a forthcomming IASD (Intrussion Attempt source database) available online, so many ppl will start banning IP's "Just in case".
I do not like ORBS, I feel it's not usefull because of the tendence of give false positives.
As an example, we use a very strict mail relay policy, and every week I get the ORBS tester machines sending mails that end up in postmaster because of their lack of valid rcpt addressess.
Every time is because some ignorant saw SPAM w/bogus reply addresses in some of our domains and thinks that the spam was actually sent from one of our SMTP servers (false, all tend to came from yah00 or h0tmail or some server in korea, who cares).
Imagine a script kiddie who, instead of deleting it's path in the victim's logfile, now replaces it's IP w/someone else's IP address.
Who audits the victim's security policy? Who gives for grant that the supposed victim is honest?
This is very, very difficult to prove.
What can there possibly be left for old-skool h4x0rz like myself? Those 455hol3z have taken all the phun out of it.
A g4ll3ry of my h4x0r1ng k0nqu3sts
After looking over the ARIS site, I'm left with a bunch of questions.
First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means. If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."
Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus? What does this service do for us?
Incidents.org is run by the Global Incidents Analysis Center which is associated with the SANS institute. It's be operating for a while and the "current detects" section is very valueable for those of us who have to address day-to-day security issues.
GIAC assigns a "handler" to be on-duty at any given time. All the reported incidents are filtered through the handler.
We're happy to have all users, whether corporate security professionals, college kids, or home users. if you have an IDS in place, please feel free to participate.
Absolutely. Users who create an account and submit their logs have access to the following:
- A service designed to assist users in reporting incidents. We look up the appropriate contacts for the offending organization and their upstream provider, allow you to select which incidents you wish to report, and draft a report fo you with all the pertinant information.
- Access to descriptions about what the attack was that your IDS spotted. This includes links into the Bugtraq database where approrpiate, articles, exploit code (so you can see if the compromise was successful or not), etc...
- The ability to see how many other ARIS users your attacker has attacked, in case that factors into your decision on whether to report or not.
- We track which incidents have been reported (thorugh our system) for you.
- We cross-correlate reports from different IDS brands, for those users who have more than one type.
GMac, your plan is (adopts Sean Connory accent) "Sherioushly Flawed".
;-)
If you automatically shut down a system which looked like it was being hacked, you risk turning off the front door on your 24/7 international business!
It's very difficult to detect a real alert from a false alarm. Case in point:
Last client I was working in had a pair (!) of Sun E10Ks in a failover cluster forming the engine of their website. The Cisco Netranger IDS in the network segment occassionally thought one E10K was launching "ping smurf" attacks on the other E10K, and no amount of IDS tuning would get round it. It turned out it was part of normal Sun cluster network chatter, and it's extremely difficult to harden a clusterised E10K: that's why you deploy an extremely tight firewall in front of it.
Hilarious I grant you, but not at 3am when your mobile goes off and someone is screaming "Help!!" down it
How secure a particular NT installation is is dependant on the skill of the administrator securing it, and how carefully the administrator watches for new holes, and aggressively patches them away. We have those functions adequately covered.
Briefly, we provide a way to automate your incident reporting, correlation with other users who have been attacked by the same IP, and essentially a way to cast one more "vote" against an attacker. The latter two items can't be done in isolation. Plus, we provide links to what your IDS description actually means, in case you want to look it up.
The value of this data could theoretically extend far beyond prevention of current attacks. A large body of data on the types and frequency of attacks could potentially lead to statistical analyses allowing predictions of the most common origins of attacks. One could then use this data to inform the development of internet routers and filters to minimize international attacks.
Further, one could do post-hoc correlations of attacks to salient events, yearly cycles, etc. Such data could lead to more accurate predictions of the impacts of same on a company.
In other words, this will be useful for helping to figure out the big picture of how the internet creates and deals with attacks.
Am I the only one who likes to watch script kiddies try and infultrate my machine. I mean I love to watch them try tired old attacks and fail. If this service would let me watch the activities on other servers as well I can double my fun. Actually I'd like the ability to see if the same h4x0r is trying to attack my neighbors as well.
had to, it just sounded great