Slashdot Mirror
Future Of IDS
A reader wrote to us about a summary article regarding IDS ? . This is an interesting article in so far as it attempts to prognosticate what the future will be for detection, and that draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?
Check this out for full info on a whole range of IDS systems ... hardware & software.
Network Intrusion ran by some guy who is extremely helpfull on the Security Focus IDS mailing list.
I wonder if the author would credit things like my NetWatchman or Security Focus's Aris as large scale correlation efforts? I know it would probably be tough to get much more specific, as you could generate a huge amount of traffic trying to correlate every wierd package that hit many boxes.
That was one of the most content-free articles I've ever seen this side of USA Today. Any chance of tracking down a detailed side by side analysis of the products tested with pros and cons and maybe WHY they thought snort was so much better (not that I disagree, but vagaries don't tend to be terribly convincing when presenting to management).
this is getting old and so are you
blog
I'm about to deploy an IDS system at my work. When I met with the director and CIO about this they asked for recommendations, of course. I first suggested Snort. It's free, it works well, and I had used it before. But, since it didn't have someone standing behind it, the CIO wasn't interested. They rather spend $20K on another product. To them it is more important to be able to say "Hey, we were using product X from company Y! Don't blame us!" if something goes wrong.
In places where the budget is a bigger concern I still implement Snort. I can't possibly afford to stick a commercial product on every subnet that I'd like to.
My biggest issue with IDS's is "So, what now?"
For example, Yesterday I get hit with about 90 attempts to get cmd.exe on my webserver from one specific IP addy. So, a quick nslookup / whois later and I get the server name and contact info for the suspected malicious box.
Since it's from a major site, I decide to contact them to let them know they may have a potentially compromised box on thier network.
Three v-mails and two emails later, no word back from them.
I'm all for IDS's, but aside from possibly dishing out some Louisville Slugger style 'cease and desist' requests, what good is the info?
argent out
Anyways, I want to throw in a shill for ACID for anyone who runs Snort. It makes my job SO INCREDIBLY MUCH EASIER that, well, I bother to do it every day, maybe two or three times a day, and haven't had any major incidents to speak of. If you run Snort, you ought to log to a centralized database that can handle the traffic from all your sensors, and then grind through it with ACID for starters. Yes, you should keep a packet vault; yes, you should run Nessus; yes, you still need to use TripWire or Integrit for filesystems. But having a friendly, capable frontend to Snort sensors is a HUGE help.
If you're running a lot of sensors and they get a ton of attacks in production, you should also look into the Barnyard plugin for Snort. It's nice for keeping things from slowing down.
If I were to take a stab at what would MOST help IDS and ISS research in the near future, I'd guess at the integration of tools like Nessus and Snort with a predictive intelligent agent like Intravenous or similar. I wish I could comment intelligently on the article, but mostly I wanted people using Snort to be aware of HOW helpful the ACID frontend is, so that more people use it, and I have less subnets to blackhole ;-).
Remember that what's inside of you doesn't matter because nobody can see it.
Installing and monitoring a large-scale IDS installation is a complex and involved process which is not simple!
... it's the process and management of deployment and operational running that costs the earth!
Snort may be cheap and easy to install, but many corporations buy IDS on the strength of the management and reporting capability.
One of my clients went with Cisco Netranger IDS because it offers excellent Monitoring screens that are then staffed by a 24/7 response unit waiting for alerts on the border/dmz/back office networks. It then made it straightforward to sit semi-skilled staff in front of the consoles to monitor activity and alert a skilled technician (i.e. me in this case) if an amber or red warning occurred.
While Snort may be free, you would have to roll your own management stations (though I guess someone has done this), and thus management costs creep in.
PleasePleasePlease remember software costs are rarely in the price
DANGER: I'm not flaming snort, I just haven't had to chance to try and scale it up into an enterprise-type situation.
Once a system is compromised there is no way I would trust anything on it again until I pulled it off of the 'Net and did a complete reinstall. IDS is good to let you know your box is cracked and perhaps what may have been accessed/tampered with, but it's the last stage in security. Build yourself a good firewall, be careful with your access rights, and have a good password policy.
Phase 1: apt-get install snort
Phase 2:
Phase 3: Security!
The future of IDS obviously lies in improving overall Webcurity.
Free music from Jack Merlot.
THe point of the IDS is not so you can crack down on anyone trying some exploit against your site.. it's so you might actually detect someone actually breaking into your servers.
The point is to be aware, not to come down on them. If they knocked on the door, trying some exploit.. it's not worth your time to chase them down if it has no effect. On the other hand.. what if it turns out to be a rival company?
I think the general idea is to be aware of what's going on. If you are aware, you can be prepared.
If you look at a system like SNORT... it's not *really* and IDS. It's just something that checks for many, many common attack signatures. It tells you *nothing* about whether someone has intruded into your system. It's not really an IDS.
Now. the Linux IDS stuff... that locks certain files at the kernel level and notifies admin if anything tries to change.. THAT is an intrusion detection system. Someone has intruted, tried to modify something they shouldn't.. now you KNOW you have an intruder.
Triggers and such set up in some systems to detect when someone is where they shouldn't be is the real goal of an IDS.. not to tell you some new worm is trying to exploit your webserver.
The future of IDS is that he will stand down as leader of the Conservative Party after they lose the next election, at which point he'll get a big fat job with some big firm in The City and disappear into obscurity.
What?
Intrusion Detection Systems? You mean this isn't about Iain Duncan Smith?
"Information wants to be paid"
Both of the projects he's mentioning are brilliant. They encourage people to disclose alerts so that the numbers can be leveraged en masse to get vendors and ISPs off their asses.
:-))
This is the flipside to things like predictive agents and automated vulnerability testers. It improves security by social mechanisms. I'm going to look into using ARIS today, and if I can figure out how myNetWatchman works, I'll consider it too.
I hope other readers are forming solid opinions about where IDSes ought to be headed by reading posts to this article. It has been informative for me, at least. (and I've been around this stuff for a while... sometimes I see packet headers in my sleep
Remember that what's inside of you doesn't matter because nobody can see it.
See my earlier comment about ACID. Multisensor correlation and alert grouping, emailing of packet traces to offenders or CIO's, pretty much all you could ask for.
Try it. ACID homepage You may be pleasantly surprised at how easy Snort is to scale up. I have numerous sensors, all in production, all logging on all interfaces, all the time, and haven't had any major incidents on my subnet. I credit this partly to having early warning of when some idiot tries to attack my boxen, as well as to using Thoth for host monitoring, which makes it trivial to check that all my daemons are up-to-date, and all kernel patches are installed.
Someone pisses me off consistently, they get blackholed. This is something I'd recommend doing by hand, of course, but for people whose business I don't need or want, it's a great way to end the problem right then and there. :-)
Remember that what's inside of you doesn't matter because nobody can see it.
Not likely. This is an assertion I've seen being made by the IT media for the last two years that I've been doing IDS. IPsec & IPv6 were touted as making IDS obsolete.
The fundamental fact is that we will never get to the point where all traffic sent out over the great big I is encrypted. Its a matter of simple economics. Things like publicly available web sites, DNS, and even email don't need to be encrypted, nothing is gained by protecting that data. That's why it's a public service. Therefore, content providers (those deploying IDS) will never fork out the $$$ to buy equipment which can handle the load produced by millions of daily transactions that come down to just to encrypting index.html and decrypting GET index.html requests.
As an IDS analyst for the last two years in a Fortune 10 company, I can tell you from first-hand experience that 90%+ of the attacks we see on a daily basis are HTTP-based. DNS comes in second, because guess what? It's one of the needed public services offered by content providers on the Internet. Why encrypt data you're offering out to the whole world?
Nice article for CIOs, but I'm getting tired of hearing that encryption is going to get rid of NIDS. It's an omega point that we'll just never get to.
That made it pretty damn easy for me to push Snort where I work.
Only choads that are getting kickbacks from manufacturers are going to push for overpriced commercial solutions in shops that don't have an existing IDS installation or a compelling reason to use the packaged solutions (NetRanger, OpenView, their ilk).
A packet is a packet... NFR and Snort are both designed by well-respected engineers who are more interested in accuracy and correctness than in unit shifting. I trust them for that.
When you get right down to it, unless you're rolling in dough, why blow $20,000 per management station plus consulting costs to implement something your network administrator can probably set up in a week for free? (I know I can) It's stupid. Save the cash for your coke dealer or a rock for the missus.
Remember that what's inside of you doesn't matter because nobody can see it.
The article says it's hard to setup snort. What's so hard about: apt-get install snort?
Nothing's hard about that, but that isn't setting up snort.
Let me know when "apt-get setup snort" is working.
So, having read both of the articles, I don't see anything in here about the "future" of IDS. Everything in the IDS world relates to pattern matching and speed.
The problem with that is that the number of alerts does not determine the efficiency and efficacy of an IDS does. As Stefan Axelsson points out in his paper "The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection, the real limiting factor in IDS performance will ALWAYS be the number of false positives generated.
Unfortunately, not many people seem to be working in the direction to deal with that problem. Most of the major IDS vendors are talking only in terms of getting faster, and having more rules.
The only company I've actually seen that is looking at any new paradigm to deal with this problem is nCircle. Their system has an IDS and a vulnerability scanner working together to accomplish the reduction in false positives.
It's not a perfect system, but it performs significantly better than any of the IDS products that I've seen. And it definitely shows some sort of vision into the future, and into dealing with the real problems with the way IDS is currently done.
Just my $0.02...
ACID looks great...but it requires PHP. :^/
Does anyone have good information on how to compile Apache with mod_perl and PHP and SSL?
Wooden armaments to battle your imaginary foes!
They (VNU) seem to be blocking on the HTTP_REFERER header. Copy & paste the URL into a separate browser tab (or window for the non-moz / Konq users :) and hit return. Or use wget.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
I was browsing the other vnunet articles and saw that according to another article on vnunet.com writing Linux viruses is easy. They claim that "It is a stable OS, but it's not a secure OS." so it will most likely be a target next year.
/. but they'll probably think we've had enough security articles for one day and it'll get rejected and no one will read it.
I could try submitting this to
Things you think are in the Constitution, but are not.
Here's the link, sorry. I was sure I did a preview and it showed up, oh well.
Things you think are in the Constitution, but are not.
Hi, I currently work in the UC Davis sec lab (current project(s): HACQIT).
/.'d), you may not be able to check all attacks. Some methodogies start from the approach that deviating from a set of known safe operations is considered suspect. Other IDSes approach it from checking against a known-attack database. We're currently working on genetic algorithms and expert systems to correlate sensors and systems to detect and respond to attacks. The best approach I've seen is a complete kernel-level instrumentation of all system calls that's transparent and mostly undetectable. It would probably be DoS-able as well. The main prob is that you realy gotta have another comp to offload IDS checking.
The basic problem with all IDS is in the confidence level of determining if something is an attack or just random garbage. Also, IDS have to be fast. If there's too much traffic (if you've been
Right now, nearly all IDSes are extremely primitive and consist of nothing more than snort rules and Perl scripts that call ipchains or something.
Btw, I went to RAID 2001 this year (hosted at UCD), it was fairly interesting.
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
I am afraid if you do you are in for a RUDE awakening. The fact of the matter is that these $20,000 solutions cost that much for a reason, and the reason is they've spent years optimizing them for high speed links. This is something the hobbiest programmers who work on Snort cannot compete with. For instance, what open source coder has a SMARTBITS on their desk? Something like that is essential to test these things, but they cost upwards of $10,000.
So I would say yes, if all you want to do is monitor a T1 or two, and you're willing to tinker alot, something like Snort would work. But if you have a SERIOUS network with lots of bandwidth, you're gonna have to pony up the dough.
Disclosure: I helped build one of the systems that Snort supposedly beat, and I analyzed the source code for another one that was bought by that company. Snort CANNOT beat either one in a high bandwidth situation. I've seen the code, I've run the tests, trust me.
I no longer work for that company so have little to gain by saying this.
Don't know about the SSL side (haven't done it yet), but grab the sources for:
.php
Apache, Mod-Perl, PHP, (for PHP, make sure you have the proper graphics librarys installed also so that Acid can display graphs. What you need is in the Install file in the Acid Source.
Here's what I used.. (Subsitute what ever version is current below)
#Mod-Perl Install
perl Makefile.PL \
APACHE_SRC=../apache_1.3.20/src \
DO_HTTPD=1 \
USE_APACI=1 \
PREP_HTTPD=1 \
EVERYTHING=1 \
[...]
make
make test
make install
#PHP 4 Install
./configure \
--with-mysql \
--with-apache=../apache_1.3.20 \
--enable-track-vars \
--enable-inline-optimization \
--enable-ftp \
--enable-sockets \
--with-gd \
--with-jpeg-dir=/usr/lib \
--with-zlib-dir=/usr/include \
--with-png-dir=/usr/lib \
--with-freetype-dir=/usr/lib
make
make install
#Apache Install
./configure \
--enable-module=most \
--enable-shared=max \
--activate-module=src/modules/php4/libphp4.a \
--activate-module=src/modules/perl/libperl.a
make
make install
#add to Httpd.conf
#AddType application/x-httpd-php
Note, please decend into the top level of each source tree before executing command to configure, make and install.
I know this is off-Topic, but there are several folks out there that can't figure out how to compile these together to get Acid to work correctly.
Why encrypt data you're offering out to the whole world?
Just because it goes over the internet doesn't mean it's no private. Financial, insurance, and login information, among many others. All of these things go through "public" web sites. I work for a bank. Most of our web traffic travels under the covers of SSL.
Right now, we're implementing an SSL terminator near the front door. SSL doesn't have to terminate on the web server. If it doesn't, you have the ability to let your SSL move across the web farm, not being server-bound anymore, never mind the overhead SSL imposes on a web server. Does moving SSL traffic unencrypted across the network between firewall and server squick me? You betcha. Does it squick me as much as not seeing IDS on the majority of our traffic? No way.
Even with IPv6 and IPsec, IDS isn't going away anytime soon, for exactly the reason outlined above.
The truth about Scientology, Xenu, and you: Operation Clambake
I'm sure i'm going to get mod'd down or marked flamebait for this, but here it goes...
Has anyone ever bothered to actually READ the Snort signatures? I actually spent quite a few hours going over them and found a number of things:
1) Massive false postives. Almost all of the HTTP signatures only look for a request to a vulnerable CGI/ASP/etc, not for the actual exploit. This means perfectly normal/valid requests generate alerts.
2) Many sigs are easy to avoid. For HTTP sigs that actually try to look for the exploit it's generally a matter of putting a fake &var=value between the ? and the exploited param since Snort can only do simple string matching.
3) Many sigs are just plain stupid. I love the one that looks for the string "I love you" everywhere in all SMTP traffic. Heaven forbid someone at your company email their wife/husband/etc.
4) There's a number of sigs that have hard-coded strings for specific BROKEN exploits. Basically, they'll detect the broken exploit, which will catch the scriptkiddies, but anyone with half a brain who fixed the exploit won't be detected.
Unforunately, tuning the IDS (turning off signatures) isn't a valid means of reducing false positives since it makes you completely blind to the attack. Which means you either get deluged with alerts or miss legitimate threats to your network.
Honestly, I got so fed up with Snort and wasting my time with it, that I finally decided to get rid of it and spend the saved time being more proactive in securing my systems.
Off topic or not, it's definately a great help! Thanks!
Wooden armaments to battle your imaginary foes!
Here are some links to Intrusion Detection systems being developed at Iowa State. They are offering fellowships for those interested in doing graduate work in computer security. Here is a link to one of their papers on distributed intrusion dection.
Automated Discovery of Concise Predictive Rules for Intrusion Detection
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
From a brief initial read, it seems to be a fair review. It requires more work than the commercial offerings but is more flexible. And for their tests, they got comparable performance to the commercial products. To give a brief quote:
You are right however, the current links are mostly fluff.
I don't want knowledge. I want certainty. - Law, David Bowie
Snort combined with the equally free BigBrother gives every admin exactly what he wants. Secure net with an easy to monitor interface. If I'm not mistaken there was an article in SysAdmin not long ago about hooking Tripwire into BigBrother. The same should be able to do with Snort, shouldn't it?
/Haeger
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
First, most IDS users focus on eliminating "false positives." This mindset, and especially ISS' goal of "zero false positives," is misguided.
I treat every IDS event as an "indicator," in the military intel idea of "indications and warnings." If I tell my IDS to find "X", and it reports "X", is that a false positive if "X" doesn't mean compromise? No, it's my responsibility to evaluate that indication by performing correlation and looking at the bigger picture.
Second, most IDS developers seem to focus on the detection aspect, i.e., can we detect at gigabit speeds? Can we detect Unicode-encoded attacks? This is necessary but not sufficient to perform network security monitoring.
IDS vendors need to understand that ESCALATION is the goal, not just detection. If the IDS doesn't provide enough supporting data to help me make a judgement without physically inspecting the target, why bother alerting at all? Why flash the red alert light if I must call the customer or do computer forensics to find out if the box is hacked?
Expect more rants in the form of a book (hopefully) late next year or sometime in '03.
Helevius
Page 165: The Tests
all available signatures enabled
This is not a level playing field. The product that I helped build (ISS RealSecure) contains a number of signatures that are not intended to be turned on in normal usage. For instance, RealSecure can generate an even for every single HTTP GET request on your network, no matter how inane.
This feature is intended to be used as a special purpose tool, for instance to analyze web usage over the short term. It is not intended to be turned on during normal IDS usage. If you do turn it on, it often overwhelms your console with tons of incidental data and rapidly fills your logs.
Page 166-167: Performance Under Load
Another RealSecure specific problem here is that RealSecure deliberately drops redundant reports and does not count them, so that you do not get inundated with a million messages that tell you the exact same thing. Therefore I would expect it to fare very poorly in the boping count test.
Others in this thread have pointed out the danger of using tools like SMARTBITS to generate background traffic. The problem is that unless you really know what you are doing, SMARTBITS is likely to generate traffic that is entirely unrealistic. (For instance, TCP data packets that don't correspond to an actual open session that the IDS would have been tracking). This can cause both unrealistically good and unrealistically bad performance, depending on what the background traffic actually is and how the IDS is built.
The assertion early in this section that "if a sensor detects 100 per cent of attacks at 100 per cent load in this test" (of minimum length packets) that it "can handle anything that islikely to be thrown at it" is patent BS. Yes this is the worst case scenario of "packets per second", but packets per second is not the most important metric here.
I also note on page 177 and 178 in a footnote that neither RealSecure nor BlackICE were "re-tested for Edition 2", yet they are not reluctant to conclude that SNORT is better than the commercial products. I think we've got an apples and oranges problem here.
I also question whether their assertion that all products were tested with their latest signature updates can possibly true, if they didn't retest all the products. Most of the commercial vendors release new signatures on a regular basis.
(This is also true for the Cisco, CA, Symantec, Enterasys and other products in the comparison, if you read the footnotes carefully).
You can get the real IDS report from the NSS group at http://www.nss.co.uk. at no charge.
- David A. Wheeler (see my Secure Programming HOWTO)
I can't speak to higher-end solutions, because as I mentioned in my response, I suspect they'll already have an architecture in place (eg. when I was at IBM Burlington, before Snort was even born, the setup they had created for monitoring ingress and egress traffic was far beyond what I've seen before or since).
But for my live production hosts, dual-homed on UUNet and Qwest, and all monitored, Snort + Barnyard + ACID have kept up without clipping traffic or interfering with operations. And yes, we DO saturate both of those links on occasion (though not always).
That's all I can speak to. When I worked at XOOM we saw traffic up to about 0.75Gbps steady and never bothered running an IDS, just were real fucking careful about what went live and keeping everything audited. An HP OpenView installation with some sort of IDS support was looking like $300K in bills. We said "fuck that" and to this day I wouldn't do any differently.
But, my situation may be very different from yours. If you need a $20K solution and its presence saves you $40K, you sure as hell don't need my blessing to buy it!
Remember that what's inside of you doesn't matter because nobody can see it.
I found this to be underdocumented when recently configuring snort.
in snort.conf:
change
var EXTERNAL_NET any
to
var EXTERNAL_NET !$HOME_NET
Otherwise, you'll see all your local hosts matching rules meant for external traffic. That's a little confusing.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It's "apt-get install snort". And if you had actually tried it before (which we all know you haven't due to your syntax slip) you would realize that it is in fact that easy.
It wasn't a syntax slip, cretin. It was a sarcastic comment on the fact that an installation is very different from a setup, and the fact that as any security professional can tell you (and pay attention, boy, because one is) Snort requires some setup if one wants it to actually help protect one's network, not just produce a nice warm fuzzy feeling that bears little relationship to reality.
And for the record, if I actually try "apt-get" anything I'll get a "command not found" error because I don't do Debian. Not due to any deficiency in Debian, just because the Fortune 500 company for which I administrate a couple hundred UNIX servers uses RedHat.
Lately I've been compiling Apache with just PHP, mod_ssl, and mod_auth_pgsql (no mod_perl anymore). Last time I did it was not TOO hard, though. You need to apply the SSL patches FIRST, THEN apply the mod_perl patches, and LAST add PHP.
At least, that worked for Apache 1.3.12 on FreeBSD 2.2. Like I said, it's been a while since I needed to prototype an Apache module (sooner or later it's best to move them all to C, IMHO).
Remember that what's inside of you doesn't matter because nobody can see it.
As I said, this was the Network ICE business plan from three years ago. We built a product to address these issues, we shipped it, we were successful, and this product is being mixed with the rest of ISS's technologies to become RealSecure 7.
I hate to come out with a "vendor" message, it is just that the author is most familiar with Snort, where these things are issues. He makes the assumption that other products are just commercialized versions of Snort. This isn't true -- at least in the case of our commercial product, it isn't related to Snort at all. He is maybe describing "The Future of Snort", but this is three years old for BlackICE.
I just got in from a busy day and what do I find but a little Snort action on ole Slashdot...
So, I've got a few comments about the comments:
Snort signatures and the quality thereof. Anyone who complains about the quality of Snort signatures is a lazy bastard, they're open source and easy to modify, if you find that much wrong with them make the appropriate changes and mail them back to me or Brian Caswell, our own official Snort Rules Nazi. Just because we write Snort sigs doesn't mean you have to use them, the original concept behind Snort and the rules files that came with the distro was that the users could look at examples of how to write them and develop their own set for the site they were protecting. This has gotten way out of hand over the past three years and has blossomed into the approximately 1300 rules we have now. The quality isn't always the best, but we're working on it (and if you've been tracking them over the past 6 months they've gotten much better.
Performance. People from ISS talking about the superior performance of their solution is laughable, it's been shown repeatedly in third party IDS roundups that Snort performs on par with or better than almost all of the other commercially available NIDS solutions out there. In fact, I know of one large entertainment company that sank a decent chunk of money into hardware that's running Snort at OC-12 speeds on their network successfully with no packet loss at all. Moral of the story? IDS performance is tied directly to the configuration and horsepower of the sensor hardware. No big revelations there. The fact of the matter is that's Snort's capabilities and performance keep increasing as we continue to develop it. We're also about to revisit some major architectural components of the system as we begin development on Snort 2.0 this month, but that's a different topic...
Love Snort but need a commercial company to back it? Check out Sourcefire, a company that I founded this year precisely to do that. We are selling network IDS appliances complete with a web-based GUI, data analysis console, and full blown configuration management system built in. We're also working on a Management Console appliance that will allow you to deploy and manage a distributed Snort NIDS infrastructure and manage all the data that comes out of the system and perform multi-sensor correlation.
Rapid response. When the shit hits the fan on the Internet, Snort is usually the leader in getting out new sigs to the user community. Case in point, the W32/Voyager MS SQL worm that recently came out, we were the first with sigs to pick it up.
So in the end, Snort gives you speed and accuracy (in that I mean you can identify specific exploits very precisely), has an active development and user community and is flexible to meet users needs. I think that this is a really good combo for most people's needs. Now that Sourcefire is out there, I think that the needs of "pro" users can be satisfied as well as those of the open source world.
On the other hand I might be biased, as I did write the thing... ;)
-Marty
It just occured to me that are you using RedHat because it offers superior something compared to others or what is the reason...
:-)
The decision came from the adminisphere. Way over my pay grade.
Disclaimer: I'm the author and v1.1 needs to be released soon :)
Top Most Bizarre/Disturbing Error Messages