Slashdot Mirror
Future Of IDS
A reader wrote to us about a summary article regarding IDS ? . This is an interesting article in so far as it attempts to prognosticate what the future will be for detection, and that draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?
My biggest issue with IDS's is "So, what now?"
For example, Yesterday I get hit with about 90 attempts to get cmd.exe on my webserver from one specific IP addy. So, a quick nslookup / whois later and I get the server name and contact info for the suspected malicious box.
Since it's from a major site, I decide to contact them to let them know they may have a potentially compromised box on thier network.
Three v-mails and two emails later, no word back from them.
I'm all for IDS's, but aside from possibly dishing out some Louisville Slugger style 'cease and desist' requests, what good is the info?
argent out
Installing and monitoring a large-scale IDS installation is a complex and involved process which is not simple!
... it's the process and management of deployment and operational running that costs the earth!
Snort may be cheap and easy to install, but many corporations buy IDS on the strength of the management and reporting capability.
One of my clients went with Cisco Netranger IDS because it offers excellent Monitoring screens that are then staffed by a 24/7 response unit waiting for alerts on the border/dmz/back office networks. It then made it straightforward to sit semi-skilled staff in front of the consoles to monitor activity and alert a skilled technician (i.e. me in this case) if an amber or red warning occurred.
While Snort may be free, you would have to roll your own management stations (though I guess someone has done this), and thus management costs creep in.
PleasePleasePlease remember software costs are rarely in the price
DANGER: I'm not flaming snort, I just haven't had to chance to try and scale it up into an enterprise-type situation.
Once a system is compromised there is no way I would trust anything on it again until I pulled it off of the 'Net and did a complete reinstall. IDS is good to let you know your box is cracked and perhaps what may have been accessed/tampered with, but it's the last stage in security. Build yourself a good firewall, be careful with your access rights, and have a good password policy.
If budget isn't a concern, why not install Snort in addition to something else? That way you'll know when to blame company Y and what to blame them for missing. An IDS isn't like a fileserver where you can only really use one or another.
The article says it's hard to setup snort. What's so hard about: apt-get install snort?
Nothing's hard about that, but that isn't setting up snort.
Let me know when "apt-get setup snort" is working.
So, having read both of the articles, I don't see anything in here about the "future" of IDS. Everything in the IDS world relates to pattern matching and speed.
The problem with that is that the number of alerts does not determine the efficiency and efficacy of an IDS does. As Stefan Axelsson points out in his paper "The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection, the real limiting factor in IDS performance will ALWAYS be the number of false positives generated.
Unfortunately, not many people seem to be working in the direction to deal with that problem. Most of the major IDS vendors are talking only in terms of getting faster, and having more rules.
The only company I've actually seen that is looking at any new paradigm to deal with this problem is nCircle. Their system has an IDS and a vulnerability scanner working together to accomplish the reduction in false positives.
It's not a perfect system, but it performs significantly better than any of the IDS products that I've seen. And it definitely shows some sort of vision into the future, and into dealing with the real problems with the way IDS is currently done.
Just my $0.02...
I'm sure i'm going to get mod'd down or marked flamebait for this, but here it goes...
Has anyone ever bothered to actually READ the Snort signatures? I actually spent quite a few hours going over them and found a number of things:
1) Massive false postives. Almost all of the HTTP signatures only look for a request to a vulnerable CGI/ASP/etc, not for the actual exploit. This means perfectly normal/valid requests generate alerts.
2) Many sigs are easy to avoid. For HTTP sigs that actually try to look for the exploit it's generally a matter of putting a fake &var=value between the ? and the exploited param since Snort can only do simple string matching.
3) Many sigs are just plain stupid. I love the one that looks for the string "I love you" everywhere in all SMTP traffic. Heaven forbid someone at your company email their wife/husband/etc.
4) There's a number of sigs that have hard-coded strings for specific BROKEN exploits. Basically, they'll detect the broken exploit, which will catch the scriptkiddies, but anyone with half a brain who fixed the exploit won't be detected.
Unforunately, tuning the IDS (turning off signatures) isn't a valid means of reducing false positives since it makes you completely blind to the attack. Which means you either get deluged with alerts or miss legitimate threats to your network.
Honestly, I got so fed up with Snort and wasting my time with it, that I finally decided to get rid of it and spend the saved time being more proactive in securing my systems.