Re: [suse-security] Intrusion detection?
At 09:25 PM 6/01/2001 +0000, you wrote:
Thomas, can you advise us of an IDS that doesn't suck? I just use Linux at home, so I'll probably keep using many things that suck, at least to try to learn how they suck, but others may need to know about other IDS apps for corporate use. http://website.lineone.net/~offthecuff/HIDS.htm (http://www.networkintrusion.co.uk)
BTW ... a lot of commercial stuff sucks too, in this case vulnerability scanners: http://www.nwc.com/1201/1201f1b1.html
IMHO IDS systems are close to worthless. At best they let you know that you have already been broken into; at worst, they breed a dangerous false sense of security. As a greater percentage of network traffic is being encrypted every day, and an IDS cannot "see" into encrypted traffic, it means that your IDS has a huge blind spot. This is only going to get worse. Test out any of the IIS exploits if you don't believe me (the Unicode exploit is a good example because it works against IIS4 and IIS5): this exploit will sail straight past your IDS without raising a murmur, allow you to execute arbitrary programs on the target machine, and even download the server's private SSL key. FUN!

Cheers
-Nix
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
On Tue, 9 Jan 2001, Nix wrote:
At 09:25 PM 6/01/2001 +0000, you wrote:
Thomas, can you advise us of an IDS that doesn't suck? I just use Linux at home, so I'll probably keep using many things that suck, at least to try to learn how they suck, but others may need to know about other IDS apps for corporate use. http://website.lineone.net/~offthecuff/HIDS.htm (http://www.networkintrusion.co.uk)
BTW ... a lot of commercial stuff sucks too, in this case vulnerability scanners: http://www.nwc.com/1201/1201f1b1.html
IMHO IDS systems are close to worthless. At best they let you know that you have already been broken into
That's what an IDS is designed for. For preventing intrusions you have to patch your system and have a good security infrastructure.

Often pattern-matching network-based IDS are not that useful, because they just detect attacks that could be avoided by a packet filter and a good administrator. NIDS that use statistical methods or strict misuse detection (mjr called it burglar-alarm detection, AFAIK) may also be able to provide information about unknown attacks, but they produce too many false alarms. Encrypted network traffic is bad for the old sensor (promiscuous interface) based NIDS approach (these IDS are nevertheless able to detect malicious packet headers), but network-node NIDS (every host has an agent that reads the unencrypted data from the stack above the encryption layer) are able to read network traffic that is encrypted by IPSec or other VPN technologies. Unfortunately application-layer encryption, like SSH, still can't be read.

Host-based IDS don't have these limitations. Most of the time they analyse log files, syscalls and access to system objects (Solaris: BSM Logging, AIX: Audit Logging, NT: Event Logging (?)). They are also able to see attacks that happen on the console or over a dial-in/serial tty.

There are some more pros and cons I don't want to discuss. But I think it's better to have an IDS than not to.

I think an IDS is just worthless if you buy one that isn't able to fit your needs and if you don't know the strong and weak parts of your product. If you have a pattern-matching ID system, then keep your rule/pattern database up to date or it will become worthless too!
at worst, they breed a dangerous false sense of security.
That's not the fault of the IDS. :-)
As a greater percentage of network traffic is being encrypted every day, and an IDS cannot "see" into encrypted traffic, it means that your IDS has a huge blind-spot.
see above.
This is only going to get worse. Test out any of the IIS exploits if you don't believe me (the Unicode exploit is a good example because it works against IIS4 and IIS5): this exploit will sail straight past your IDS without raising a murmur, allow you to execute arbitrary programs on the target machine, and even download the server's private SSL key. FUN!
Hiding attacks from an IDS reminds me of hiding virus code from virus scanners. It's the old game on another level. Pattern-matching IDS are worthless against people with a little skill, that's true. But what if you run IIS in a sandbox to analyse its sys-/libcall behaviour? You will detect it.

BTW, what about adding a new pattern to your IDS's database?

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
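The encoding point argued in the two messages above, as an added example that is not from the original thread or any of its participants: a deliberately narrow literal "../" signature, of the kind a pattern-matching NIDS rule written against the plain form of an attack looks like, beside a detector that percent-decodes, folds the overlong two-byte UTF-8 sequences that IIS 4/5 accepted, and maps backslash to slash before applying the same signature. The request lines are constructed samples, not captured traffic, and the signature, helper and constant names are the example's own.

```python
"""Literal signature vs. decode-then-match for encoded directory traversal.

Added example; the request lines below are constructed samples, not traffic
from the thread, and the function and constant names are this example's own.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (assumption: one request per line, as in an access log).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",                                              # benign
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0",             # literal traversal
    "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",         # percent-encoded '/'
    "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0",   # overlong UTF-8 '/'
    "GET /scripts/..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",   # overlong UTF-8 '\'
]

# A deliberately narrow literal signature: what a pattern-matching NIDS rule
# written against the plain form of the attack would look like.
NAIVE_SIG = re.compile(r"\.\./")


def naive_match(line: str) -> bool:
    """Apply the literal signature to the raw request line."""
    return bool(NAIVE_SIG.search(line))


def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse two-byte UTF-8 sequences that encode an ASCII code point (lead
    byte 0xC0/0xC1). A strict decoder rejects them; the decoder in IIS 4/5 did
    not, which is what the Unicode traversal relied on."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:           # overlong: the pair stands for one ASCII byte
                out.append(cp)
                i += 2
                continue
        out.append(b)               # anything else is passed through unchanged
        i += 1
    return bytes(out)


def normalize_uri(uri: str) -> str:
    """Bring the URI into the form the target server would act on before matching."""
    raw = unquote_to_bytes(uri)     # %xx -> byte, one pass
    raw = fold_overlong_utf8(raw)
    raw = raw.replace(b"\\", b"/")  # IIS accepts backslash as a path separator
    return raw.decode("latin-1")


def normalized_match(line: str) -> bool:
    """Apply the same signature, but to the normalized request-URI."""
    parts = line.split(" ")
    uri = parts[1] if len(parts) > 1 else line
    return bool(NAIVE_SIG.search(normalize_uri(uri)))


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (naive, normalized) verdicts per request; only the normalized
    detector flags the three encoded variants."""
    return [(naive_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, evaluate()):
        print(verdict, req)
```

The literal rule fires only on the plain form; the normalized detector fires on all four traversal variants. Real sensors do the same job with a decoding preprocessor in front of the rule set, and the lesson of the thread holds either way: a rule is only as good as the normalization that runs before it, so keep both current.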
Yes, an IDS will not detect everything. What it does detect should be useful and give you an idea of how many people are looking at your network. I recommend "snort" for a network IDS and "tripwire" for a local-machine IDS. Logwatch is also a good program to have installed on your local machines.

http://www.snort.org
http://www.tripwire.com
http://www.whitehats.com (IDS information and snort rule updates)
http://www.icewalk.com/softlib/app/app_00341.html (logwatch)
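The host-based side of the thread (the log/syscall/object-access HIDS Thomas describes and the tripwire recommendation above), as an added example that is neither dany's code nor Tripwire's: a minimal baseline-and-compare that records a SHA-256 digest, permission bits and size for every regular file under a root and reports what changed. The point it demonstrates is the one made above about encrypted traffic: it does not matter how the attacker got in, because the check looks at the result on disk. The temporary tree, the file names and the tampering are constructed for the example.

```python
"""Tripwire-style file-integrity baseline and compare.

Added example, not code from dany's post or from Tripwire itself. It records a
SHA-256 digest, permission bits and size for every regular file under a root,
then reports what changed; the demo tree and the tampering are constructed.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> {sha256, mode, size} for each regular file under root.
    Directories are walked in sorted order so two snapshots of the same tree
    compare deterministically."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):       # skip symlinks, devices, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
                "size": st.st_size,
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots into added / removed / modified path lists."""
    report = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path] != new[path]:
            report["modified"].append(path)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then replace a binary,
    make another setuid, drop a new file and delete one."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        files = {
            "bin/login": b"original login\n",
            "bin/ls": b"original ls\n",
            "passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        baseline = snapshot(root)

        # Tampering an attacker might do after a successful break-in.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned login\n")                  # content changed
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)  # setuid bit added
        with open(os.path.join(root, "rootkit.sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")                      # new file dropped
        os.remove(os.path.join(root, "passwd"))          # file removed

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is only worth what its storage is worth: keep it (and the checker) on read-only media or off the host, since an attacker who can rewrite /bin/login can rewrite a baseline file sitting next to it.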
Hi2all

First of all, thanks for the replies; they make me feel good, since it seems that everybody is handling old code, buggy software and outdated books well =;o) (a nice new book to buy, probably outdated too ... http://www.penguinputnam.com/catalog/nfiction/books/19281_description.html - Crypto)

About IDS being worthless, I suppose it depends on each one's answers to Thomas's questions (what we want to protect, how much we can spend, and so on ...), and on how the rest of the system is protected or not. For home use I suppose the issue is well covered, so what about IDS systems that:
- use information collected from remote IDS agents;
- apply IDS signatures to input from other security tools;
- accept input from other IDS tools;
- don't just centralize syslogs without adding any analysis.
Like ... Dragon Server or RealSecure Manager (or others like those): are they worthless?
This is only going to get worse. Test out any of the IIS exploits if you don't believe me (the Unicode exploit is a good example because it works against IIS4 and IIS5): this exploit will sail straight past your IDS without raising a murmur, allow you to execute arbitrary programs on the target machine, and even download the server's private SSL key. FUN!
Nix, I believe you, but from my point of view things are going better and better, since my money comes from tech support :> If I believed in IIS with my eyes closed, I shouldn't be on this list or using any Linux distro; on the other hand, since I run IIS servers at work, I don't need to use somebody else's exploits to know *how* IIS is weak. In fact, usually a browser is the only tool I use to test IIS servers. But since bad code and/or bad admins are all around, for some Apache servers a browser can be very useful too *g*. This is just an example of how a 'bad' query can give you some info that you didn't ask for ... (HTML output in my browser)

Tue, 9 Jan 2001 10:59:11 GMT
ORA-06550: line 7, column 2:
PLS-00306: wrong number or types of arguments in call to 'DETAILS'
ORA-06550: line 7, column 2:
PL/SQL: Statement ignored
XXXXXXX: SIGNATURE (parameter names) MISMATCH
VARIABLES IN FORM NOT IN PROCEDURE: VSITE
NON-DEFAULT VARIABLES IN PROCEDURE NOT IN FORM:
DAD name: XXXXXXX
PROCEDURE : XXXXXXX
URL : XXXXXXX
PARAMETERS :
===========
ID: 2189
V_LNG: 5
VSITE:
ENVIRONMENT:
============
PLSQL_GATEWAY=WebDb
GATEWAY_IVERSION=1
SERVER_SOFTWARE=Apache/1.3.9 (Unix) mod_perl/1.21 ApacheJServ/1.1
GATEWAY_INTERFACE=CGI/1.1
SERVER_PORT=7777
SERVER_NAME=XXXXXXX
REQUEST_METHOD=GET
QUERY_STRING=id=2189&v_lng=5&vsite=
PATH_INFO=XXXXXXX
SCRIPT_NAME=XXXXXXX
REMOTE_ADDR=XXXXXXX
SERVER_PROTOCOL=HTTP/1.0
REMOTE_USER=XXXXXXX
SCRIPT_PREFIX=XXXXXXX
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
HTTP_HOST=XXXXXXX
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_ACCEPT_LANGUAGE=XXXXXXX

Just a kid using WinME and IE5.5, so who cares? Without a single portscan or any kind of scan, I did get some info, didn't I? There is no IDS protection against this ...

[ ]'s
bacano
participants (4):
- bacano
- dany allard
- Nix
- Thomas Biege