Slashdot Mirror
Future Of IDS
A reader wrote to us about a summary article regarding IDS ? . This is an interesting article in so far as it attempts to prognosticate what the future will be for detection, and that draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?
Check this out for full info on a whole range of IDS systems ... hardware & software.
Network Intrusion ran by some guy who is extremely helpfull on the Security Focus IDS mailing list.
I wonder if the author would credit things like my NetWatchman or Security Focus's Aris as large scale correlation efforts? I know it would probably be tough to get much more specific, as you could generate a huge amount of traffic trying to correlate every wierd package that hit many boxes.
That was one of the most content-free articles I've ever seen this side of USA Today. Any chance of tracking down a detailed side by side analysis of the products tested with pros and cons and maybe WHY they thought snort was so much better (not that I disagree, but vagaries don't tend to be terribly convincing when presenting to management).
this is getting old and so are you
blog
I'm about to deploy an IDS system at my work. When I met with the director and CIO about this they asked for recommendations, of course. I first suggested Snort. It's free, it works well, and I had used it before. But, since it didn't have someone standing behind it, the CIO wasn't interested. They rather spend $20K on another product. To them it is more important to be able to say "Hey, we were using product X from company Y! Don't blame us!" if something goes wrong.
In places where the budget is a bigger concern I still implement Snort. I can't possibly afford to stick a commercial product on every subnet that I'd like to.
My biggest issue with IDS's is "So, what now?"
For example, Yesterday I get hit with about 90 attempts to get cmd.exe on my webserver from one specific IP addy. So, a quick nslookup / whois later and I get the server name and contact info for the suspected malicious box.
Since it's from a major site, I decide to contact them to let them know they may have a potentially compromised box on thier network.
Three v-mails and two emails later, no word back from them.
I'm all for IDS's, but aside from possibly dishing out some Louisville Slugger style 'cease and desist' requests, what good is the info?
argent out
Anyways, I want to throw in a shill for ACID for anyone who runs Snort. It makes my job SO INCREDIBLY MUCH EASIER that, well, I bother to do it every day, maybe two or three times a day, and haven't had any major incidents to speak of. If you run Snort, you ought to log to a centralized database that can handle the traffic from all your sensors, and then grind through it with ACID for starters. Yes, you should keep a packet vault; yes, you should run Nessus; yes, you still need to use TripWire or Integrit for filesystems. But having a friendly, capable frontend to Snort sensors is a HUGE help.
If you're running a lot of sensors and they get a ton of attacks in production, you should also look into the Barnyard plugin for Snort. It's nice for keeping things from slowing down.
If I were to take a stab at what would MOST help IDS and ISS research in the near future, I'd guess at the integration of tools like Nessus and Snort with a predictive intelligent agent like Intravenous or similar. I wish I could comment intelligently on the article, but mostly I wanted people using Snort to be aware of HOW helpful the ACID frontend is, so that more people use it, and I have less subnets to blackhole ;-).
Remember that what's inside of you doesn't matter because nobody can see it.
Installing and monitoring a large-scale IDS installation is a complex and involved process which is not simple!
... it's the process and management of deployment and operational running that costs the earth!
Snort may be cheap and easy to install, but many corporations buy IDS on the strength of the management and reporting capability.
One of my clients went with Cisco Netranger IDS because it offers excellent Monitoring screens that are then staffed by a 24/7 response unit waiting for alerts on the border/dmz/back office networks. It then made it straightforward to sit semi-skilled staff in front of the consoles to monitor activity and alert a skilled technician (i.e. me in this case) if an amber or red warning occurred.
While Snort may be free, you would have to roll your own management stations (though I guess someone has done this), and thus management costs creep in.
PleasePleasePlease remember software costs are rarely in the price
DANGER: I'm not flaming snort, I just haven't had to chance to try and scale it up into an enterprise-type situation.
Once a system is compromised there is no way I would trust anything on it again until I pulled it off of the 'Net and did a complete reinstall. IDS is good to let you know your box is cracked and perhaps what may have been accessed/tampered with, but it's the last stage in security. Build yourself a good firewall, be careful with your access rights, and have a good password policy.
Phase 1: apt-get install snort
Phase 2:
Phase 3: Security!
The future of IDS is that he will stand down as leader of the Conservative Party after they lose the next election, at which point he'll get a big fat job with some big firm in The City and disappear into obscurity.
What?
Intrusion Detection Systems? You mean this isn't about Iain Duncan Smith?
"Information wants to be paid"
See my earlier comment about ACID. Multisensor correlation and alert grouping, emailing of packet traces to offenders or CIO's, pretty much all you could ask for.
Try it. ACID homepage You may be pleasantly surprised at how easy Snort is to scale up. I have numerous sensors, all in production, all logging on all interfaces, all the time, and haven't had any major incidents on my subnet. I credit this partly to having early warning of when some idiot tries to attack my boxen, as well as to using Thoth for host monitoring, which makes it trivial to check that all my daemons are up-to-date, and all kernel patches are installed.
Someone pisses me off consistently, they get blackholed. This is something I'd recommend doing by hand, of course, but for people whose business I don't need or want, it's a great way to end the problem right then and there. :-)
Remember that what's inside of you doesn't matter because nobody can see it.
The point is to be aware, not to come down on them. If they knocked on the door, trying some exploit.. it's not worth your time to chase them down if it has no effect. On the other hand.. what if it turns out to be a rival company?
The point is _detection_ as in the three prongs of security, Protection, Detection, and Response.
Having a firewall (protection) without IDS (detection) is betting that your firewall is blocking everything bad, and not wanting to know if it isn't. Putting sensors inside and outside of your firewall allows you to see what is being attempted and what is being blocked. The IDS will flag things as possible attacks that will pass through the firewall, what you do when you IDS alarms is as important as having it in the first place.
The Firewall is the lock on your front door, the NIDS is your motion detector, and response is the alarm company sending the police.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
That made it pretty damn easy for me to push Snort where I work.
Only choads that are getting kickbacks from manufacturers are going to push for overpriced commercial solutions in shops that don't have an existing IDS installation or a compelling reason to use the packaged solutions (NetRanger, OpenView, their ilk).
A packet is a packet... NFR and Snort are both designed by well-respected engineers who are more interested in accuracy and correctness than in unit shifting. I trust them for that.
When you get right down to it, unless you're rolling in dough, why blow $20,000 per management station plus consulting costs to implement something your network administrator can probably set up in a week for free? (I know I can) It's stupid. Save the cash for your coke dealer or a rock for the missus.
Remember that what's inside of you doesn't matter because nobody can see it.
The article says it's hard to setup snort. What's so hard about: apt-get install snort?
Nothing's hard about that, but that isn't setting up snort.
Let me know when "apt-get setup snort" is working.
So, having read both of the articles, I don't see anything in here about the "future" of IDS. Everything in the IDS world relates to pattern matching and speed.
The problem with that is that the number of alerts does not determine the efficiency and efficacy of an IDS does. As Stefan Axelsson points out in his paper "The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection, the real limiting factor in IDS performance will ALWAYS be the number of false positives generated.
Unfortunately, not many people seem to be working in the direction to deal with that problem. Most of the major IDS vendors are talking only in terms of getting faster, and having more rules.
The only company I've actually seen that is looking at any new paradigm to deal with this problem is nCircle. Their system has an IDS and a vulnerability scanner working together to accomplish the reduction in false positives.
It's not a perfect system, but it performs significantly better than any of the IDS products that I've seen. And it definitely shows some sort of vision into the future, and into dealing with the real problems with the way IDS is currently done.
Just my $0.02...
ACID looks great...but it requires PHP. :^/
Does anyone have good information on how to compile Apache with mod_perl and PHP and SSL?
Wooden armaments to battle your imaginary foes!
I was browsing the other vnunet articles and saw that according to another article on vnunet.com writing Linux viruses is easy. They claim that "It is a stable OS, but it's not a secure OS." so it will most likely be a target next year.
/. but they'll probably think we've had enough security articles for one day and it'll get rejected and no one will read it.
I could try submitting this to
Things you think are in the Constitution, but are not.
Hi, I currently work in the UC Davis sec lab (current project(s): HACQIT).
/.'d), you may not be able to check all attacks. Some methodogies start from the approach that deviating from a set of known safe operations is considered suspect. Other IDSes approach it from checking against a known-attack database. We're currently working on genetic algorithms and expert systems to correlate sensors and systems to detect and respond to attacks. The best approach I've seen is a complete kernel-level instrumentation of all system calls that's transparent and mostly undetectable. It would probably be DoS-able as well. The main prob is that you realy gotta have another comp to offload IDS checking.
The basic problem with all IDS is in the confidence level of determining if something is an attack or just random garbage. Also, IDS have to be fast. If there's too much traffic (if you've been
Right now, nearly all IDSes are extremely primitive and consist of nothing more than snort rules and Perl scripts that call ipchains or something.
Btw, I went to RAID 2001 this year (hosted at UCD), it was fairly interesting.
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
I am afraid if you do you are in for a RUDE awakening. The fact of the matter is that these $20,000 solutions cost that much for a reason, and the reason is they've spent years optimizing them for high speed links. This is something the hobbiest programmers who work on Snort cannot compete with. For instance, what open source coder has a SMARTBITS on their desk? Something like that is essential to test these things, but they cost upwards of $10,000.
So I would say yes, if all you want to do is monitor a T1 or two, and you're willing to tinker alot, something like Snort would work. But if you have a SERIOUS network with lots of bandwidth, you're gonna have to pony up the dough.
Disclosure: I helped build one of the systems that Snort supposedly beat, and I analyzed the source code for another one that was bought by that company. Snort CANNOT beat either one in a high bandwidth situation. I've seen the code, I've run the tests, trust me.
I no longer work for that company so have little to gain by saying this.
Don't know about the SSL side (haven't done it yet), but grab the sources for:
.php
Apache, Mod-Perl, PHP, (for PHP, make sure you have the proper graphics librarys installed also so that Acid can display graphs. What you need is in the Install file in the Acid Source.
Here's what I used.. (Subsitute what ever version is current below)
#Mod-Perl Install
perl Makefile.PL \
APACHE_SRC=../apache_1.3.20/src \
DO_HTTPD=1 \
USE_APACI=1 \
PREP_HTTPD=1 \
EVERYTHING=1 \
[...]
make
make test
make install
#PHP 4 Install
./configure \
--with-mysql \
--with-apache=../apache_1.3.20 \
--enable-track-vars \
--enable-inline-optimization \
--enable-ftp \
--enable-sockets \
--with-gd \
--with-jpeg-dir=/usr/lib \
--with-zlib-dir=/usr/include \
--with-png-dir=/usr/lib \
--with-freetype-dir=/usr/lib
make
make install
#Apache Install
./configure \
--enable-module=most \
--enable-shared=max \
--activate-module=src/modules/php4/libphp4.a \
--activate-module=src/modules/perl/libperl.a
make
make install
#add to Httpd.conf
#AddType application/x-httpd-php
Note, please decend into the top level of each source tree before executing command to configure, make and install.
I know this is off-Topic, but there are several folks out there that can't figure out how to compile these together to get Acid to work correctly.
I'm sure i'm going to get mod'd down or marked flamebait for this, but here it goes...
Has anyone ever bothered to actually READ the Snort signatures? I actually spent quite a few hours going over them and found a number of things:
1) Massive false postives. Almost all of the HTTP signatures only look for a request to a vulnerable CGI/ASP/etc, not for the actual exploit. This means perfectly normal/valid requests generate alerts.
2) Many sigs are easy to avoid. For HTTP sigs that actually try to look for the exploit it's generally a matter of putting a fake &var=value between the ? and the exploited param since Snort can only do simple string matching.
3) Many sigs are just plain stupid. I love the one that looks for the string "I love you" everywhere in all SMTP traffic. Heaven forbid someone at your company email their wife/husband/etc.
4) There's a number of sigs that have hard-coded strings for specific BROKEN exploits. Basically, they'll detect the broken exploit, which will catch the scriptkiddies, but anyone with half a brain who fixed the exploit won't be detected.
Unforunately, tuning the IDS (turning off signatures) isn't a valid means of reducing false positives since it makes you completely blind to the attack. Which means you either get deluged with alerts or miss legitimate threats to your network.
Honestly, I got so fed up with Snort and wasting my time with it, that I finally decided to get rid of it and spend the saved time being more proactive in securing my systems.
Here are some links to Intrusion Detection systems being developed at Iowa State. They are offering fellowships for those interested in doing graduate work in computer security. Here is a link to one of their papers on distributed intrusion dection.
Automated Discovery of Concise Predictive Rules for Intrusion Detection
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
From a brief initial read, it seems to be a fair review. It requires more work than the commercial offerings but is more flexible. And for their tests, they got comparable performance to the commercial products. To give a brief quote:
You are right however, the current links are mostly fluff.
I don't want knowledge. I want certainty. - Law, David Bowie
I can't speak to higher-end solutions, because as I mentioned in my response, I suspect they'll already have an architecture in place (eg. when I was at IBM Burlington, before Snort was even born, the setup they had created for monitoring ingress and egress traffic was far beyond what I've seen before or since).
But for my live production hosts, dual-homed on UUNet and Qwest, and all monitored, Snort + Barnyard + ACID have kept up without clipping traffic or interfering with operations. And yes, we DO saturate both of those links on occasion (though not always).
That's all I can speak to. When I worked at XOOM we saw traffic up to about 0.75Gbps steady and never bothered running an IDS, just were real fucking careful about what went live and keeping everything audited. An HP OpenView installation with some sort of IDS support was looking like $300K in bills. We said "fuck that" and to this day I wouldn't do any differently.
But, my situation may be very different from yours. If you need a $20K solution and its presence saves you $40K, you sure as hell don't need my blessing to buy it!
Remember that what's inside of you doesn't matter because nobody can see it.