Future Of IDS
A reader wrote to us about a summary article regarding IDS. This is an interesting article in so far as it attempts to prognosticate what the future will be for detection, and it draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?
Check this out for full info on a whole range of IDS systems ... hardware & software.
Network Intrusion, run by some guy who is extremely helpful on the Security Focus IDS mailing list.
I wonder if the author would credit things like my NetWatchman or Security Focus's Aris as large scale correlation efforts? I know it would probably be tough to get much more specific, as you could generate a huge amount of traffic trying to correlate every weird packet that hit many boxes.
That was one of the most content-free articles I've ever seen this side of USA Today. Any chance of tracking down a detailed side by side analysis of the products tested with pros and cons and maybe WHY they thought snort was so much better (not that I disagree, but vagaries don't tend to be terribly convincing when presenting to management).
this is getting old and so are you
I'm about to deploy an IDS system at my work. When I met with the director and CIO about this they asked for recommendations, of course. I first suggested Snort. It's free, it works well, and I had used it before. But, since it didn't have someone standing behind it, the CIO wasn't interested. They'd rather spend $20K on another product. To them it is more important to be able to say "Hey, we were using product X from company Y! Don't blame us!" if something goes wrong.
In places where the budget is a bigger concern I still implement Snort. I can't possibly afford to stick a commercial product on every subnet that I'd like to.
Anyways, I want to throw in a shill for ACID for anyone who runs Snort. It makes my job SO INCREDIBLY MUCH EASIER that, well, I bother to do it every day, maybe two or three times a day, and haven't had any major incidents to speak of. If you run Snort, you ought to log to a centralized database that can handle the traffic from all your sensors, and then grind through it with ACID for starters. Yes, you should keep a packet vault; yes, you should run Nessus; yes, you still need to use TripWire or Integrit for filesystems. But having a friendly, capable frontend to Snort sensors is a HUGE help.
If you're running a lot of sensors and they get a ton of attacks in production, you should also look into the Barnyard plugin for Snort. It's nice for keeping things from slowing down.
If I were to take a stab at what would MOST help IDS and ISS research in the near future, I'd guess at the integration of tools like Nessus and Snort with a predictive intelligent agent like Intravenous or similar. I wish I could comment intelligently on the article, but mostly I wanted people using Snort to be aware of HOW helpful the ACID frontend is, so that more people use it, and I have fewer subnets to blackhole ;-).
Remember that what's inside of you doesn't matter because nobody can see it.
Installing and monitoring a large-scale IDS installation is a complex and involved process which is not simple!
... it's the process and management of deployment and operational running that costs the earth!
Snort may be cheap and easy to install, but many corporations buy IDS on the strength of the management and reporting capability.
One of my clients went with Cisco Netranger IDS because it offers excellent Monitoring screens that are then staffed by a 24/7 response unit waiting for alerts on the border/dmz/back office networks. It then made it straightforward to sit semi-skilled staff in front of the consoles to monitor activity and alert a skilled technician (i.e. me in this case) if an amber or red warning occurred.
While Snort may be free, you would have to roll your own management stations (though I guess someone has done this), and thus management costs creep in.
PleasePleasePlease remember software costs are rarely in the price.
DANGER: I'm not flaming snort, I just haven't had the chance to try and scale it up into an enterprise-type situation.
Once a system is compromised there is no way I would trust anything on it again until I pulled it off of the 'Net and did a complete reinstall. IDS is good to let you know your box is cracked and perhaps what may have been accessed/tampered with, but it's the last stage in security. Build yourself a good firewall, be careful with your access rights, and have a good password policy.
Phase 1: apt-get install snort
Phase 2:
Phase 3: Security!
The point is to be aware, not to come down on them. If they knocked on the door, trying some exploit.. it's not worth your time to chase them down if it has no effect. On the other hand.. what if it turns out to be a rival company?
The point is _detection_ as in the three prongs of security, Protection, Detection, and Response.
Having a firewall (protection) without IDS (detection) is betting that your firewall is blocking everything bad, and not wanting to know if it isn't. Putting sensors inside and outside of your firewall allows you to see what is being attempted and what is being blocked. The IDS will flag things as possible attacks that will pass through the firewall; what you do when your IDS alarms is as important as having it in the first place.
The Firewall is the lock on your front door, the NIDS is your motion detector, and response is the alarm company sending the police.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
That made it pretty damn easy for me to push Snort where I work.
Only choads that are getting kickbacks from manufacturers are going to push for overpriced commercial solutions in shops that don't have an existing IDS installation or a compelling reason to use the packaged solutions (NetRanger, OpenView, their ilk).
A packet is a packet... NFR and Snort are both designed by well-respected engineers who are more interested in accuracy and correctness than in unit shifting. I trust them for that.
When you get right down to it, unless you're rolling in dough, why blow $20,000 per management station plus consulting costs to implement something your network administrator can probably set up in a week for free? (I know I can) It's stupid. Save the cash for your coke dealer or a rock for the missus.
So, having read both of the articles, I don't see anything in here about the "future" of IDS. Everything in the IDS world relates to pattern matching and speed.
The problem with that is that the number of alerts does not determine the efficiency and efficacy of an IDS. As Stefan Axelsson points out in his paper "The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection", the real limiting factor in IDS performance will ALWAYS be the number of false positives generated.
Unfortunately, not many people seem to be working in the direction to deal with that problem. Most of the major IDS vendors are talking only in terms of getting faster, and having more rules.
The only company I've actually seen that is looking at any new paradigm to deal with this problem is nCircle. Their system has an IDS and a vulnerability scanner working together to accomplish the reduction in false positives.
It's not a perfect system, but it performs significantly better than any of the IDS products that I've seen. And it definitely shows some sort of vision into the future, and into dealing with the real problems with the way IDS is currently done.
Just my $0.02...
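To make the base-rate argument referenced above concrete, here is an added worked example (not from the thread or from Axelsson's paper) computing the Bayesian detection rate, P(intrusion | alarm), from a base rate, a detection rate and a false-alarm rate. The audit-record volumes and rates are constructed inputs chosen in the spirit of the paper's illustration.

```python
# Added example: why the false-alarm rate, not the raw alert count, bounds how
# useful an IDS is. All figures below are constructed illustrative inputs.

def bayesian_detection_rate(p_intrusion: float, detection_rate: float,
                            false_alarm_rate: float) -> float:
    """P(I | A) = P(A|I) P(I) / (P(A|I) P(I) + P(A|not I) P(not I)).

    p_intrusion      : fraction of audit records that belong to an intrusion (base rate)
    detection_rate   : P(alarm | intrusion record)
    false_alarm_rate : P(alarm | benign record)
    """
    p_benign = 1.0 - p_intrusion
    true_alarms = detection_rate * p_intrusion
    false_alarms = false_alarm_rate * p_benign
    if true_alarms + false_alarms == 0.0:
        return 0.0
    return true_alarms / (true_alarms + false_alarms)

def base_rate(records_per_day: int, intrusions_per_day: int,
              records_per_intrusion: int) -> float:
    """Fraction of daily audit records that are intrusion records."""
    return intrusions_per_day * records_per_intrusion / records_per_day

def daily_alarms(records_per_day: int, p_intrusion: float,
                 detection_rate: float, false_alarm_rate: float) -> tuple[float, float]:
    """(true alarms per day, false alarms per day) an analyst will actually see."""
    true = records_per_day * p_intrusion * detection_rate
    false = records_per_day * (1.0 - p_intrusion) * false_alarm_rate
    return true, false

if __name__ == "__main__":
    # Constructed scenario: 1,000,000 records/day, 2 intrusions/day, 10 records each.
    p_i = base_rate(1_000_000, 2, 10)              # 2e-5
    # Even a perfect detector with a 1-in-100,000 false-alarm rate: only ~2/3 of
    # alarms are real. At 1-in-1,000 the analyst is chasing ~98% noise.
    for fa in (1e-5, 1e-4, 1e-3):
        bdr = bayesian_detection_rate(p_i, 1.0, fa)
        tp, fp = daily_alarms(1_000_000, p_i, 1.0, fa)
        print(f"false-alarm rate {fa:g}: P(intrusion|alarm)={bdr:.3f}, "
              f"{tp:.0f} true / {fp:.0f} false alarms per day")
```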
I am afraid if you do you are in for a RUDE awakening. The fact of the matter is that these $20,000 solutions cost that much for a reason, and the reason is they've spent years optimizing them for high speed links. This is something the hobbyist programmers who work on Snort cannot compete with. For instance, what open source coder has a SMARTBITS on their desk? Something like that is essential to test these things, but they cost upwards of $10,000.
So I would say yes, if all you want to do is monitor a T1 or two, and you're willing to tinker a lot, something like Snort would work. But if you have a SERIOUS network with lots of bandwidth, you're gonna have to pony up the dough.
Disclosure: I helped build one of the systems that Snort supposedly beat, and I analyzed the source code for another one that was bought by that company. Snort CANNOT beat either one in a high bandwidth situation. I've seen the code, I've run the tests, trust me.
I no longer work for that company so have little to gain by saying this.
I'm sure I'm going to get mod'd down or marked flamebait for this, but here it goes...
Has anyone ever bothered to actually READ the Snort signatures? I actually spent quite a few hours going over them and found a number of things:
1) Massive false positives. Almost all of the HTTP signatures only look for a request to a vulnerable CGI/ASP/etc, not for the actual exploit. This means perfectly normal/valid requests generate alerts.
2) Many sigs are easy to avoid. For HTTP sigs that actually try to look for the exploit it's generally a matter of putting a fake &var=value between the ? and the exploited param since Snort can only do simple string matching.
3) Many sigs are just plain stupid. I love the one that looks for the string "I love you" everywhere in all SMTP traffic. Heaven forbid someone at your company email their wife/husband/etc.
4) There's a number of sigs that have hard-coded strings for specific BROKEN exploits. Basically, they'll detect the broken exploit, which will catch the scriptkiddies, but anyone with half a brain who fixed the exploit won't be detected.
Unfortunately, tuning the IDS (turning off signatures) isn't a valid means of reducing false positives since it makes you completely blind to the attack. Which means you either get deluged with alerts or miss legitimate threats to your network.
Honestly, I got so fed up with Snort and wasting my time with it, that I finally decided to get rid of it and spend the saved time being more proactive in securing my systems.
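The two signature weaknesses listed in points 1 and 2 above (alerting on the mere presence of a script path, and fixed-substring matching that a reordered query string slips past) can be shown side by side with a parsing detector. This is an added example, not Snort rule code and not the poster's; the script path, parameter name, exploit marker and request lines are all constructed.

```python
# Added example: naive content-match "signatures" versus a detector that parses
# the request target. Everything named here is hypothetical/constructed.
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/cgi-bin/example.cgi"   # hypothetical vulnerable script
VULN_PARAM = "file"                  # parameter the imagined exploit abuses
EXPLOIT_MARKER = "../"               # constructed indicator of abuse of that parameter

def path_only_sig(request_line: str) -> bool:
    """Point 1: fires on any request for the script, exploit or not."""
    return VULN_PATH in request_line

def fixed_string_sig(request_line: str) -> bool:
    """Point 2: script + exploit as one fixed substring; parameter order defeats it."""
    return f"{VULN_PATH}?{VULN_PARAM}={EXPLOIT_MARKER}" in request_line

def parsed_sig(request_line: str) -> bool:
    """Parse the target; alert only when the abused parameter carries the marker,
    whatever the parameter order or padding."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False                      # not a well-formed request line
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(EXPLOIT_MARKER in value for value in params.get(VULN_PARAM, []))

# Constructed request lines labelled with ground truth (True = should alert).
REQUESTS = [
    ("GET /cgi-bin/example.cgi?file=readme.txt HTTP/1.0", False),
    ("GET /cgi-bin/example.cgi?file=../../private/data HTTP/1.0", True),
    ("GET /cgi-bin/example.cgi?x=1&file=../../private/data HTTP/1.0", True),
    ("GET /index.html HTTP/1.0", False),
]

def evaluate(sig) -> tuple[int, int]:
    """Return (false positives, false negatives) of a signature over REQUESTS."""
    fp = sum(1 for line, bad in REQUESTS if sig(line) and not bad)
    fn = sum(1 for line, bad in REQUESTS if bad and not sig(line))
    return fp, fn

if __name__ == "__main__":
    for sig in (path_only_sig, fixed_string_sig, parsed_sig):
        fp, fn = evaluate(sig)
        print(f"{sig.__name__:17s} false positives={fp} false negatives={fn}")
```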
I can't speak to higher-end solutions, because as I mentioned in my response, I suspect they'll already have an architecture in place (e.g., when I was at IBM Burlington, before Snort was even born, the setup they had created for monitoring ingress and egress traffic was far beyond what I've seen before or since).
But for my live production hosts, dual-homed on UUNet and Qwest, and all monitored, Snort + Barnyard + ACID have kept up without clipping traffic or interfering with operations. And yes, we DO saturate both of those links on occasion (though not always).
That's all I can speak to. When I worked at XOOM we saw traffic up to about 0.75Gbps steady and never bothered running an IDS, just were real fucking careful about what went live and keeping everything audited. An HP OpenView installation with some sort of IDS support was looking like $300K in bills. We said "fuck that" and to this day I wouldn't do any differently.
But, my situation may be very different from yours. If you need a $20K solution and its presence saves you $40K, you sure as hell don't need my blessing to buy it!