Snort up For Revamp, says Creator
A reader writes: "The creator of Snort, the open-source network-based Intrusion Detection System (IDS), says the software is up for an overhaul. Martin Roesch has told the AusCERT conference IDS has failed to impress the market, citing the inability of many to minimise the number of false alarms triggered by the monitoring devices. The next iteration will include "passive discovery" features."
Worked ok for me (Score:3, Informative)
Re:Worked ok for me (Score:5, Interesting)
Snort just isn't ready for serious use in the enterprise. Sounds silly, but... Too many false positives may very well lock the network.
Here is a simpler case: port scan detectors.
Why don't port scan detectors use iptables to lock out port scanners (or, even better, why isn't it suggested)?
Most port scan detectors count actual SYN, FIN and other blocked TCP packets which are marked as invalid on your firewall. Not one of them takes into account that some features are completely valid even though they are not. (Here is the case: you're running an FTP server, which means port 21 is open; does it really matter if SYN,FIN occurs on that port???) Secondly, they don't take into account some stupidity. (You don't really care if one machine has scanned your port XXX (yes, your pr0n port) 50 times; the result was always the same.) This should count as 1 and not as 50. With this relatively simple logic, port scan detectors would exclude false positives in a very simple way. And you could be sure that someone who scanned 50 ports (different and not publicly open) really is a port scanner.
Now go to the second level. The port scan detector is just one of many functions that Snort provides. And even here there are many false positives.
Actually I use Snort very differently. I redirect logs to my external processor, and this processor excludes invalid information; after that, a reaction on the firewall or server follows. That was the only possible way to get fairly restrictive measures without too many false positives.
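The scoring logic the post above proposes (ignore probes of ports you deliberately expose, and count 50 hits on one closed port as one port, not 50 events) as an added worked example. This is not Snort's port scan preprocessor and not the poster's processor; the log format ("<src_ip> <dst_port> <tcp_flags>"), the sample lines, the open-port set and the threshold are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed firewall log lines in a hypothetical "<src_ip> <dst_port> <tcp_flags>"
# format; not real traffic. Host 10.0.0.5 talks to the open FTP port and then hits
# one closed port 50 times; host 10.0.0.9 probes 50 different closed ports once each.
SAMPLE_LOG: List[str] = (
    ["10.0.0.5 21 S", "10.0.0.5 21 SF"]
    + ["10.0.0.5 1337 S"] * 50
    + [f"10.0.0.9 {port} S" for port in range(1000, 1050)]
)

# Ports this host deliberately exposes (assumed for the example).
OPEN_PORTS: Set[int] = {21, 22, 80}


def parse(line: str) -> Tuple[str, int, str]:
    """Split one log line into (source IP, destination port, TCP flags)."""
    src, port, flags = line.split()
    return src, int(port), flags


def naive_event_count(lines: Iterable[str]) -> Dict[str, int]:
    """What a simple detector does: every logged packet is one more event."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        src, _port, _flags = parse(line)
        counts[src] += 1
    return dict(counts)


def distinct_closed_ports(lines: Iterable[str], open_ports: Set[int]) -> Dict[str, Set[int]]:
    """The post's logic: skip public ports, and count each probed port once per source."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        src, port, _flags = parse(line)
        if port in open_ports:
            continue            # odd flags on a service you offer are not a scan by themselves
        seen[src].add(port)     # set membership: 50 hits on one port still count as 1
    return dict(seen)


def scanners(lines: Iterable[str], open_ports: Set[int], threshold: int = 20) -> List[str]:
    """Sources that touched at least `threshold` distinct non-public ports."""
    return sorted(src for src, ports in distinct_closed_ports(list(lines), open_ports).items()
                  if len(ports) >= threshold)


if __name__ == "__main__":
    print(naive_event_count(SAMPLE_LOG))      # both hosts look busy: {'10.0.0.5': 52, '10.0.0.9': 50}
    print(scanners(SAMPLE_LOG, OPEN_PORTS))   # only the host that spread across ports: ['10.0.0.9']
```

The contrast between the two counters is the point: the naive event count makes the host that hammered one closed port look slightly worse than the host that swept 50 ports, while the distinct-port count flags only the sweep. The threshold is a tuning knob, and the open-port set is exactly the per-network knowledge the rest of the thread says an IDS must be given to avoid crying wolf.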
Not funny (Score:4, Insightful)
Re:Not funny (Score:5, Funny)
Re:Not funny (Score:5, Insightful)
He's not saying Snort has failed to impress the market, but rather that in general, all IDS systems have, which is true.
Re:Not funny (Score:3, Funny)
And I associate the word "snort" with two things: either a sarcastic disbelieving chuckle, or an angry rhino. Umm... maybe you have something there about wanting to distance myself from...
Snort on ACID (Score:2, Funny)
Sad part is, I just got the call 5 minutes ago saying that I didn't get the job. :-(
* (Analysis Console for Intrusion Databases)
Re:Not funny (Score:1)
> called mucus-mouth no matter how good it was.
Not even if it sent naked girls to you in your apartment every day?
Everybody has a tolerance limit...
Cool, but effective? (Score:5, Interesting)
While this would be cool, the nature of TCP/IP says that it will be quickly defeated. There are already programs out there that will make your Linux box masquerade as another type of computer.
If a policy says, thou shalt not run P2P - then the P2P will be reached through a proxy. If you use snort regular expression detection (one of the coolest features) then new protocols will be written to look like an innocuous service (P2P through ICMP/Ping).
The worst part, and my buddy Zero Hex [slashdot.org] could talk about this forever, is when ISPs start using this to enforce their will on users. Thou shalt not connect without Windows.
Basically, it's not likely to enforce policies among those who actively want to get around them. Instead, it will enforce policies that push an agenda.
been done (Score:4, Informative)
Re:been done (Score:2)
The above note does speak to one of the points I made. It's difficult to make this work correctly, and effectively (I use ipf on Solaris, and the OS SYN signatures are not reliable).
Re:Cool, but effective? (Score:5, Insightful)
A GOOD firewall will be doing more than just blocking ports. It will analyze packets to determine the type of communication being used. Which is not to say such things can't be circumvented, but it is much harder than just using a proxy.
The problem, and what this article is in many ways about, is dealing with false positives when checking for specific types of network traffic.
Re:Cool, but effective? (Score:5, Interesting)
Not quite. Case in point: try blocking instant messengers on your network. Turns out that if you block specific ports, you'll find that they start using port 80.
Ok, block any IM content on port 80, and they move to port 443; that's HTTPS, encrypted.
Ok, so you block some IM server hostnames (there are many) on your DNS server and block access to outside DNS and proxies. Then you find out that there are apps such as htthost/httport [htthost.com] that will happily run on a box outside your network accepting encrypted traffic on the HTTPS port and with HTTPS headers, but that are actually proxies (similar things can be achieved on a linux box with a simple enough shellscript). This works easily enough to be downloaded by your smarter-than-average bear.
P2P programs could easily go the HTTPS route if blocking becomes enough of a nuisance. They went route 80 (HTTP port) a long while ago.
So what are your alternatives? Perhaps degrade network performance by interrupting (apparent) HTTPS sessions once in a while so that people won't be able to use certain applications? Or disallow any kind of encrypted communications?
Creative people will always find a way around it. You're better off dealing with those sorts of threats from the inside by dealing with the people rather than the technology. That's probably also true for outside hackers, script-kiddies and virus authors, but those you typically don't know.
Re:Cool, but effective? (Score:5, Informative)
Re:Cool, but effective? (Score:5, Interesting)
I can have a policy - don't install this - don't use this, but most people do anyway just to make that damned message go away. "Wouldn't you like all the benefits of adding a .NET password to XP?". Sure, I can remove it, but the service packs put it back again. I turned it off through the registry, and a security update restored it. MSN Messenger is pervasive, and annoying. No user intervention necessary.
Back to "smart detection" -- After the first blocked attempt, it talks using standard http then as https (also over the correct ports). I don't want to block any web page that 'could' actually be a web page though.
Re:Cool, but effective? (Score:1)
Re:Cool, but effective? (Score:2, Informative)
Re:Cool, but effective? (Score:2)
Re:Cool, but effective? (Score:1)
http://www.microsoft.com/windows2000/techinfo/p
http://www.active
Check it out locally by running gpedit.msc
For details on how to disable Messenger see here:
http://techrepublic.com.com/5100-6270-5029
Re:Cool, but effective? (Score:1)
Re:Cool, but effective? (Score:2)
So, yes, I could break down and pay 10 times the price for the same server power, but - really, the price doesn't justify the functionality.
Re:Cool, but effective? (Score:2)
I have initial set-up automated, but not after-the-fact. (too small a user population for price to functionality to make it fiscally plausible).
Re:Cool, but effective? (Score:3, Informative)
Hold on now, just because something is using port 443, which also happens to be the standard HTTPS port, doesn't mean that it's automatically encrypted. Both sides of the connection have to be using an agreed upon encryption method. If the IM program was going to jump to port 443 just to run encryption, it could've done it just as easily on port 80. It's probably using 443 because that's the next "most-common" available por
Re:Cool, but effective? (Score:2)
I know we don't block the firewall for these applications, however, SMS will uninstall them if detected on your PC when you logon.
That means P2P is out, and IM is out except any of the web based IM such as AIM express etc...
The application people just have to keep on top of what P2P and IM applications are out there so they can add "definitions" for SMS to look for.
Re:Cool, but effective? (Score:2)
Re:Cool, but effective? (Score:2)
But I do know that gaim was placed on our SMS remove list, along with all the other popular multi-protocol clients. :(
Re:Cool, but effective? (Score:1)
As an aspiring network security professional, I am very impressed with your skills in tracking down traffic that you don't want on your network. I have to ask though, wouldn't it be simpler to have a desktop policy that will take away the users ability to install p2p/IM apps?
Thanks!
Re:Cool, but effective? (Score:2)
Can't use SNORT to do that
Seriously though, there are some useful policies you can define for windows desktops if your workstations are hooked up to a domain/active directory.
Most useful perhaps are the Windows XP (you must use
Trip to HR (Score:2)
Why isn't IM hit by DCMA ? (Score:2)
They apply different techniques to circumvent company firewalls, and whatever else is needed to not comply with company policies. And the suppliers do all they can to make it impossible to block, i.e. placing servers on different subnets where they also place other servers that people need access to for other reasons.
I think something should be done to kill this plague.
Re:Cool, but effective? (Score:3, Interesting)
So, even if I get 'smart' detection, how will this better protect me from getting false positives for P2P by users who are hitting dotted IP addresses to find legitimate web sites?
Computers can only get so smart, before they become smarter than you are...
Gnutella? No problem... IPS is the solution. (Score:2)
Universities love these IPS products as a form of bandwidth saving measure.
The unit usually pays for its own cost in the form of bandwidth reduction (or avoidance of shelling out $$$ for additional bandwidth) in less than a year (or two).
Oh, it also blocks those pesky HTTP tunneling proxies that students use to defeat cheaper and less effective IDS vendors.
Not to mention bl
Re:Cool, but effective? (Score:2)
You can raise the marginal cost for getting around them really high, to the point where the labor and possibly diminished performance isn't worth the effort.
We've been demoing a Packeteer 2500 packet shaper, and it's a pretty amazing box. It uses content rules to identify specific protocols (as opposed to content-blind port numbers), which you can then apply bandwidth policies to, including "do not pass".
Re:Cool, but effective? (Score:2)
"No MSN Messenger" is a common policy among companies. I'd be quite interested to see if it's effective, without cutting off web access (false positives).
Re:Cool, but effective? (Score:2)
If I define my web proxy as a class and enable class discovery inside this class, I can see all the various classes it handles -- Windows Media Streams, Real Streams, MPEG, Quicktime over http.
I don't know for sure, but I k
Yep, Snort is great, but... (Score:4, Interesting)
Should be used? Yes, except some functions should be disabled
Should be remodeled? Yes
It has the same flaw as port scan attack detectors.
i don't know if i agree, but... (Score:2)
I don't think the features need to be removed. They need a system to get them to work together. That is one way to reduce false alarms: if the overall system knows how everything interacts (the monitors, that is) and it makes the determinations. Then when a problem is found it takes the information, diagnoses the problem and lets you know. It's the level and way it is done.
I think it needs a revamp. But not in the same way many have thought of.
Re:i don't know if i agree, but... (Score:2)
Read my other post to see what I meant with my comment. It's right at the top of the page: "Re: It worked for me"
the problem with IDSes (Score:5, Interesting)
if someone wants to attack your network, they can easily implement a proxy which will encrypt all the traffic they transfer, thus disabling the IDS's ability to analyze the traffic
Re:the problem with IDSes (Score:5, Insightful)
-- Tim
Re:the problem with IDSes (Score:1)
like in case of a false alarm, the IDS would shut down connections from your net to the outside world..
that would be nasty to debug in a production environment
Re:the problem with IDSes (Score:1)
Re:the problem with IDSes (Score:1)
Open Source IDS Correlation (Score:5, Informative)
http://quidscor.sourceforge.net/ [sourceforge.net]
Re:Open Source IDS Correlation (Score:2)
How do I fully take advantage of QuIDScor if I'm not a Qualys customer ? [sourceforge.net]
"To try QualysGuard with QuIDScor and Snort, visit http://qualys.com/quidscor and sign up for a free trial."
Great.
Helevius
Re:Open Source IDS Correlation (Score:2, Informative)
Or in general, this shows that there are ways to enhance both tools' efficiency by combining them.
ps: I was the lead on Quidscor, so yes, I'm biased
Re:Open Source IDS Correlation (Score:2)
You seem to be a Tcl wizard [demailly.com]. Have you looked at Sguil [sourceforge.net], another Tcl tool? If you're interested in contributing, I know the project would be glad to have your assistance.
Helevius
Re:Open Source IDS Correlation (Score:1)
a way to improve.... (Score:5, Interesting)
I know I can't spell. That's why I am an engineer.
Re:a way to improve.... (Score:2)
You wouldn't have a link or two? Maybe I'm dense, but: diagnostics of what exactly? Medical diagnostics? Computer networks? Car problems?
Will they disable some attack triggers? (Score:5, Insightful)
This has 2 serious drawbacks:
1. If someone is trying to brute-force attack your servers sending probes for every known exploit (aka Nessus), disabling alarms for software/services you don't run will not show the real size of the attack.
2. In case of an infection similar to Code Red you won't be able to know which infected servers are "attacking" you, so there is no way to block them in the router or firewall, or to report the virus-generated traffic to their ISP.
Akamai Mirror (Score:2, Informative)
Mirror Here [t28.net].
Snort Internals (Score:5, Interesting)
Re:Snort Internals (Score:1, Informative)
Now people are mailing me directly for patch updates.. I'm not generating anymore since I don't want to keep up with the snort code on their schedule...
oh well.
I don't know how the current code is, but the old database code was kinda ugly; sacrificing code clarity for size.. for example yo
a new DOS tool in the making (Score:2)
If this comes to pass, all someone will have to do is fire up snort on your network (custom knoppix cd anyone?) with a policy to not allow any MS products on the network, and *poof*! Instant, internally-generated DOS!
Re:a new DOS tool in the making (Score:3, Insightful)
"But what if he _installs_ a firewall?" If he has access to the cabling, all he has to do is cut it. Perfect internal DoS.
Besides, if you really want to do that, go grab a copy of FIRE (no, I won't find the URL for you). Give ettercap a go. A couple of ARP packets, and you can take any windows machine off the local network (provided
Re:a new DOS tool in the making (Score:2)
I'll have to go check out FIRE, sounds fun^H^H^H interesting as well.
Re:a new DOS tool in the making (Score:2)
You don't really think that the firewall will be configured to accept alerts from any old IDS now do you? Likely if some one were to set this up, it would communicate between the IDS and the firewall (if they aren't the same machine) with encrypted TCP/IP packets using pre-shared keys. Unless you could crack the traffic and thus get the key, what shot do you realistically have to just
Intrusion Prevention System is the key (Score:5, Informative)
For the uninitiated, IPS stands for Intrusion Prevention System. What's the main difference?
#1) IDS doesn't block bad traffic. IPS does.
#2) IPS handles anomaly variants, IDS doesn't.
IPS is a new technological way of filtering traffic over the simple brain-dead IDS method.
You need to visit many of Tippingpoint's white papers [tippingpoint.com] to get the gist. (registration req. Just fake your email... I know, this is not an official endorsement, but I used to write IPS filters for them and my working real world experience shows that this IPS filter is more effective than any of Snort's filters.)
I would love to write more IPS variant-resistant filters for SNORT but I'm afraid to tread on TPTI's handiwork (much less if I step on the same filter). Nonetheless, the defense industry picked me up. Go figure.
IDS is truly dead. Stop beating a dead horse. Get over it, bud. IPS is your savior.
Re:Sore reader modded me down... (Score:2)
Cheap shot to modding me down.
Lack of functional cohesion to industry-wide IDS (Score:5, Interesting)
But the key issue confronting the IDS industry today is the lack of functional cohesion (or double-speak for functional capabilities working together).
Some of the basic building blocks of network-based inline IPS feature set that is needed to work together perfectly are:
1. Host-OS-based anomaly decision. Both passive and active scan are recommended to be default on.
2. Deep high-speed REGEX support. The REGEX chip market didn't materialize as robustly as it should have (SafeNet/Raqia).
3. Large-scale TCP connection tracking. This has to work at high-speed as well. Goes to protect against DoS, unwarranted connections and terminations of a pattern-hits' connection.
4. Anchored, unanchored and floating pattern match hardware-assist are needed to work together to cover the variety of algorithms set forth today. This would be a current "1000-watt" hardware issue.
5. Basic issue of quick sub-millisecond table update of content-search memory remains undauntedly elusive. Most H/W content-search engine requires intensive compilation of fancy tr[e|i]e algorithms floating around.
How about weaning yourself off SNORT and starting to coalesce these incoherent IDS functional cohesions into an IPS?
Re:Intrusion Prevention System is the key (Score:2)
Think about this logically: According to Gartner, the critical flaw with Intrusion Detection Systems was false positives. The sheer number of false positives generated by IDS systems was overwhelming the ability of network administrators to react.
Gartner's "solution"??? Intrusion Prevention Systems that would automatically act to block inappropriate behaviour.
In what way, shape, or form does automatically locking down
Re:Intrusion Prevention System is the key (Score:2)
How come TPTI doesn't generate false positives? (Never once did I see one during my Petabit testing tenure there, and that is a fact; but the real mask behind the truth is that I was testing for solid lead filters, not the shaky, vacuous filters that TPTI customers still want; these shaky filters are not of real value and predominately plague SNORT.)
Locking down Network Resources with a sledgehammer is not the answer, controlling them with a surgeon's knife is.
Apparently, they have somet
Re:Intrusion Prevention System is the key (Score:2)
To me the biggest problem with Snort right now is the lack of a good client. You can install ACID or any other number of log analyzers of course, but why wouldn't the Snort people themselves want to offer a nice client interface of some kind? Not a trivial task
Re:Intrusion Prevention System is the key (Score:2)
Disowned? Sure, that's why the Gartner group will no longer be publishing an IDS Magic Quadrant (they're replacing it with an IPS one). Publicity stunt? That's why enterprise customers are flocking to IPS in droves, and former IDS vendors everywhere are frantically trying to play catch-up with those that have been doing prevention from day one (ie the previously referenced TippingPoint).
It only took a quick walk through thi
CISSP certification toward ISP isn't worth squat. (Score:2)
Even the SANS GIAC [giac.org] GCIA (Intrusion Analyst) certification is trying to evolve to meet this new IPS technology, but until TPTI releases the ability to let end users customize filters, the certification would be essentially worthless. Just too many IPS technological curves for the ordinary IA guys to keep up with. Really!
It is tantamount to handing the wheel to a Formula 500 car over to a 15 1/2 year old t
Re:Intrusion Prevention System is the key (Score:2, Insightful)
My personal opinion is IPS's have been mislabeled since the beginning (aren't marketers wonderful). Take this definition I found in some Usenet archives [google.com] (circa 1992):
"a combination of a security policy with some of the components
above. Specifically, an implementation of the given policy that
is enforced by a combination of screening and/or routing." [1]
Geeze, seems like IPS would fit right in there. Now the
Darwinism at its best for FW/IDS (Score:2)
IDS and FW have already tied for the 2004 Darwin Award for not applying Moore's Law consistently to themselves. They simply fell off the chart and have not been able to hold a candle to IPS.
TPTI cooked and delivered IPS in 2001-2002. (You say IDS vendors gathered in just in 2003, sheesh... no wonder, it's a response to the surprise evolutionary newcomer, IPS)
IDS and Layer 4-7 Firewall deftly merged together along with many more HW-based analysis algorithms to become a true inli
False Positive isn't. (Score:2)
One CTO at a well-known Maryland-based HIDS company stated to me personally that it is impossible to attain 0% false-positives. I agreed totally on this point BUT...
Would the customer settle for something like one minus dot 9 nines (0.0000001%)?
Bammkkkk said:
Re:False Positive isn't. (Score:1)
Protection, Monitoring, and Response
FWs/IPS/etc fall into Protection
NIDS/HIDS/etc are in the Monitoring category
I don't believe any protection (including IPS) will ever be 100% and therefore you better be implementing monitoring and response at some level. When I think IDS, I th
Eliminate large security network centers with IPS (Score:2)
Blocking a would-be successful attack is the paramount goal of a basic first-generation IPS. An admin won't even get paged for these events (nor for a whole lot of other false-alarm and, much less, false-positive events, but in the rare case that they are feeling idle, they can even turn that pager feature on). Why bother? IPS did its job.
TPTI does capture
Re:Eliminate large security network centers with I (Score:1)
Re:Eliminate large security network centers with I (Score:2)
Ok, ok... I'll suck it up. I, personally, wouldn't go without monitoring myself either.
So, I do agree with you wholly on all your points.
Could you at least agree that prevention is the forefront cornerstone of all defense mechanisms?
After all, prevention is a frequent dictum in the "Arts of War."
I haven't found this to be true (Score:3, Interesting)
It is already in the works - I've seen it (Score:4, Interesting)
If Sourcefire's engineering puts out something like this and not their sales reps, then this is really close to being reality. Take a look at Sourcefire's website, you'll see something called RNA. RNA can do passive monitoring of a network and find what machines do what, and what they are running. I've worked with RNA on a production network - it does as advertised very well and even determines patch levels of some machines just by sniffing network traffic. It doesn't take a rocket scientist to put 2-and-2 together that Snort and RNA are on a collision course to work together considering they are from the same company. I would expect something before the end of the year.
RNA though isn't open source, so I'm curious to this announcement if the underlying engine to that product will eventually be opened up.
Re:It is already in the works - I've seen it (Score:1)
These kinds of products seem a good way of finding out what software is really on your network. They can look at banners as well as p0f-style [coredump.cx] operating system versions. And hence deduce whether you have applied all the patches.
Smaller organisations with good control on software versions might find them overkill and just use arpwatch or DHCP logs instead.
I don't think they will eliminate the need for acti
Hank: the response to snort (Score:5, Informative)
It supports XML based network rules, and has really advanced things like an ACBM implementation [silicondefense.com]
Sunny Dubey
False positives are not the primary IDS problem (Score:5, Insightful)
Most IDS vendors focus on ever more accurate alerts, but once they trigger they wash their hands of the problem. The end user must decide if the alert is truly significant to their situation and priorities. It's like having an anti-virus product cry wolf but never give any reasons for its identification of malware or background on its findings.
An alternative to the "alert-centric" point of view is "Network Security Monitoring," which concentrates on giving analysts information to conduct at least rudimentary network-based investigation. Where most IDS care only about alerts, NSM-centric operations combine alert, session, full-content, and statistical data to give analysts a chance to identify and escalate incidents.
A tool which uses Snort to generate alert data, combined with session and full content data from other sources, is Sguil [sourceforge.net].
The April 2004 Sys Admin [samag.com] magazine features Sguil and a few other NSM tools.
A book due in July, The Tao of Network Security Monitoring [taosecurity.com] (also at Amazon.com [amazon.com]) is all about NSM.
Anything vendors can do, like Sourcefire's work with Snort, helps with more accurate identification. Just remember creating alerts is only the first step.
All of the IPS fans out there should remember that their "prevention" depends on correctly identifying intrusions. All IDS and IPS products can be bypassed, which drives the need for audit-centric tools (especially using session data) which are content neutral and don't care about triggers, encryption, and so on.
Helevius
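The NSM idea in the post above, that an alert on its own says only what was attempted while session data says what happened around it, as an added worked example. This is not Sguil's code; the alert and flow records, the signature label and the "10x response" rule of thumb are constructed for the example, and a real deployment would read flows from its own session sensor.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    """One IDS alert: when it fired, on which 5-tuple, and which signature."""
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    signature: str


@dataclass(frozen=True)
class Session:
    """One flow record as a session-data sensor would emit it."""
    start: int
    end: int
    src: str
    sport: int
    dst: str
    dport: int
    bytes_to_server: int
    bytes_to_client: int


# Constructed records, not captured traffic. The signature name is an illustrative label.
SESSIONS: List[Session] = [
    Session(1000, 1001, "203.0.113.4", 40001, "192.0.2.20", 80, 412, 0),        # nothing came back
    Session(1100, 1160, "203.0.113.5", 40002, "192.0.2.20", 80, 380, 250_000),  # server answered at length
    Session(1200, 1203, "203.0.113.6", 40003, "192.0.2.20", 80, 600, 900),      # ordinary exchange
]

ALERTS: List[Alert] = [
    Alert(1000, "203.0.113.4", 40001, "192.0.2.20", 80, "WEB cmd.exe request"),
    Alert(1101, "203.0.113.5", 40002, "192.0.2.20", 80, "WEB cmd.exe request"),
    Alert(1201, "203.0.113.6", 40003, "192.0.2.20", 80, "WEB cmd.exe request"),
    Alert(1300, "203.0.113.7", 40004, "192.0.2.20", 80, "WEB cmd.exe request"),  # no flow at all
]


def find_session(alert: Alert, sessions: List[Session]) -> Optional[Session]:
    """Match an alert to the flow it fired inside: same 5-tuple, timestamp within the flow."""
    for s in sessions:
        same_tuple = (s.src, s.sport, s.dst, s.dport) == (alert.src, alert.sport, alert.dst, alert.dport)
        if same_tuple and s.start <= alert.ts <= s.end:
            return s
    return None


def assess(alert: Alert, sessions: List[Session]) -> str:
    """Classify an alert by what the session data says happened around it."""
    s = find_session(alert, sessions)
    if s is None:
        return "no-session"        # no flow record: lone packet, spoofed source, or sensor gap
    if s.bytes_to_client == 0:
        return "unanswered"        # server never replied: attempt against nothing listening
    if s.bytes_to_client > 10 * s.bytes_to_server:
        return "large-response"    # server sent far more than it received: pull full content
    return "answered"


def escalation_queue(alerts: List[Alert], sessions: List[Session]) -> List[Alert]:
    """Alerts an analyst should open first: the server actually engaged with the sender."""
    return [a for a in alerts if assess(a, sessions) in ("answered", "large-response")]


if __name__ == "__main__":
    for a in ALERTS:
        print(a.src, assess(a, SESSIONS))
```

The four alerts are identical as far as the signature is concerned; only the session data separates the probe that bounced off a closed service, the one that got an unusually large reply, the routine exchange and the one with no flow at all. That separation is what the post means by giving analysts enough to investigate rather than a bare trigger.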
Re:NSM is just another stab at the venerable IPS (Score:2)
There is Prevention, Monitoring and Response, in that order. Each stage incurs a tremendous cost-fold as an event progresses through each stage. Nip this in the bud where it should be, and that is Prevention.
NIPS products are not easily bypassed compared to their heathen brethren (IDS, NSM, FW) due to their in-line "bump-in-the
New Sourcefire Tshirt (Score:1)
"From the Guys that brought you snort now bring you speed"
Distributors (Score:3, Insightful)
Log Monitoring/Notification tools have same issue (Score:3, Insightful)
If you are interested, read more about how Swatch and syslog [komar.org] are used in a large production environment.
Network Nazis!!! (Score:1, Interesting)
general IDS probs (Score:4, Interesting)
I fear that when attackers learn to make heavy use of triggering massive false positives, crypto & steganography, protocol tunneling and start to build exploit engines producing polymorphic code, the days of pattern matching IDS are numbered. Maybe anomaly detection (using statistics or neural networks) will help.
Just my 2ct. /graf0z
Re:general IDS probs (Score:2)
Try www.TippingPoint.com.
sneeze? (Score:2, Informative)
http://www.phrack.org/unoffical/p62/p62-0x0d.txt [phrack.org]
I want the alerts for pointless attacks (Score:2)
But I want the other alerts - the cmd.exe attempts on Apache servers, etc. - as correlation for the other alerts. I agree there's a huge value in separating the stuff that's merely for correlating with the serious alerts.
You can set an alert level = harmless just to get th
Just need the right config (Score:4, Insightful)
We ended up putting together a little Access db that we could generate rules for snort from based on criteria like port, os, etc. Eventually we turned this into the first Snort rules site snort.rapidnet.com which is now down. I would imagine that any problems someone might have with Snort (or other IDS) is the correct config for a given scenario or situation.
You have to give props to guys like Marty who make a really great, free product that the little guys can use to conduct homegrown (not homeland) security.
The real problem is not false alerts... (Score:5, Insightful)
This is the true failing of Snort and other IDS systems as well. They require labor to tune the ruleset and configuration to a network. They require constant updates and someone that can create signatures on the fly. They require someone that has a knowledge of TCP/IP protocols, routing, networking and the ability to analyze data and follow leads.
Working with Snort is kind of like being a detective. The alerts are clues and you have to dig through a lot of other logs, traceroutes, whois, calling people on the phone and find out what they are doing, etc. It's all labor intensive and no one in management wants to dedicate the resources necessary to make it really work.
I could spend all day working on Snort, but I have to monitor firewalls, email, viruses, go to meetings, train people and type on slashdot once in a while. And IPS is no different, it is not something you can just put in and leave forever and feel safe.
Management needs to realize they need people on site to deal with the New World Order of constant hacking attempts. IDS admins are jobs needing to be filled, that's why Snort is not living up to the "promise". Management somehow twisted the promise of Intrusion Detection into some automatically, always upgraded intrusion prevention system that requires no labor, no upkeep and you never have to spend any more on it. They continue to live in a fantasy world and one day will end up hacked even though they got a raise for cutting their security budgets by 25% for the year.
Re:The real problem is not false alerts... (Score:1)
Exactly.
This perhaps could also be expressed by the old adage (possibly from Bruce Schneier?) that security is neither a product nor a state but a process.
Open letter to management (Score:1)
weird? (Score:2, Insightful)
* too many false positives, then tune your sensors - but then again _YOU_ will have to know and understand your network and its traffic.
* requires too much time/labor/knowledge to use/setup/maintain - since when did the security industry stay static, or more likely since when did the other side put their feet up and say, "enough is enough, we have created enough virii/worms/ddos apps/exploits"...
LOL, 'greyfeld' had it right in the last paragraph. Spend some money on Security you tight-fist
What a letdown! (Score:1)
Nice! (Score:1)
Well shit. If GOD is telling us to do it, how can we possibly condone laws against it?
Snort up for revamp? Hell, I snort up for breakfast.
Ok then... (Score:1)
Setting the record straight (Score:4, Informative)
First off, my presentation was about making the case for Passive Network Discovery Systems (PNDS), a "new" technology that I created over at Sourcefire [sourcefire.com]. The basic idea of a PNDS is to discover the composition and topology of your network via a mix of passive OS fingerprinting and passive application layer protocol discovery and the other information that you can infer from that data, such as network topology and asset vulnerabilities. I sought to show how that technology could improve a variety of network security technologies by using the example of how Snort (and other IDS) works today and how it could be improved by integrating the information that comes from a PNDS.
Sourcefire has developed a product called RNA [sourcefire.com] that performs the PNDS functions that I outlined during my talk. Note that it is a proprietary technology that we developed commercially and it is a completely separate product from Snort or the Sourcefire IDS sensors. We are not going to be integrating the functionality of RNA into Snort; we're going to be modifying Snort to take advantage of the information that a system like RNA can generate. In the best case scenario, RNA has a very different deployment profile than an IDS.
I said that IDS has had trouble in the market because of its complexity and the requirement that users perform extensive tuning of IDSes in general in order to get maximum benefit from them. There are a lot of things that factor into this problem, but the root cause of almost all IDS problems today is that we don't have automated methods for provisioning them nor do we have effective methods of data reduction available that are automated, persistent and real-time. PNDS addresses that problem head on in a way that is appropriate for real-time processes like IDS in ways that traditional scanning technologies have a very tough time providing.
I then went on to say that we're planning on making changes to Snort to enable it to leverage the information that a system like RNA provides and make it into a true target-based IDS [theaimsgroup.com], redefining how IDS operates and hopefully revitalizing it as a technology. Snort will still be available for free and will still operate in "classic" mode where it doesn't leverage this info for people who don't have passive discovery technologies (or even active ones) so that they can still continue to use it.
Snort is not going to be doing the configuration policy enforcement (i.e. the "block OS X on my network" function), RNA is. RNA is capable of seeing devices on the network and discovering their attributes in real-time and communicating that data to our management console where it can be analyzed for policy compliance and where appropriate remediation responses can be executed. Not to get too deep into the marketing, but there are good engineering reasons for wanting to do this that include worm/virus containment, real-time IDS policy updates and some other really useful mechanisms for performing policy enforcement.
We're making mods to Snort because we believe that we can make a truly next-generation IDS capability that is easier to deploy, manage and get valuable information out of due to the effect of RNA. This approach directly addresses all the arguments of the "IDS is dead" crowd while at the same time making IDS a much more impactful technology while greatly reducing the overhead requirements on users.
I hope this clears things up for people!
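To make the PNDS and target-based IDS idea above concrete, here is an added illustration in Python. It is not Sourcefire RNA or Snort code; the fingerprint table, the banner list, the observed packets and the alerts are all constructed sample data. It passively folds packet metadata into an asset table (OS guess per host, application per listening port) and then ranks IDS alerts by whether the discovered target could actually be affected, which is the data-reduction step the post describes.

```python
"""Toy passive network discovery feeding target-based alert triage.

Added illustration (not Sourcefire RNA or Snort code). All tables and
sample records below are constructed for the example.
"""
from collections import defaultdict

# Illustrative passive OS fingerprint table keyed on (initial TTL, TCP window).
# Real tools use many more fields; these pairings are assumed sample values.
OS_FINGERPRINTS = {
    (64, 5840): "linux",
    (128, 65535): "windows",
    (255, 4128): "network-device",
}

# Application banner prefixes seen in server responses -> application name.
BANNER_PREFIXES = [
    ("SSH-2.0-OpenSSH", "openssh"),
    ("220 (vsFTPd", "vsftpd"),
    ("Server: Microsoft-IIS", "iis"),
    ("Server: Apache", "apache"),
]


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for base in (64, 128, 255):
        if observed_ttl <= base:
            return base
    return observed_ttl


def fingerprint_os(ttl, window):
    """Guess the sender OS from TTL and window size; 'unknown' when no match."""
    return OS_FINGERPRINTS.get((initial_ttl(ttl), window), "unknown")


def classify_banner(banner):
    """Map a captured application banner to an application name."""
    for prefix, app in BANNER_PREFIXES:
        if banner.startswith(prefix):
            return app
    return "unknown"


def discover_assets(observations):
    """Fold passively seen packets into an asset table: ip -> {os, services}."""
    assets = defaultdict(lambda: {"os": "unknown", "services": {}})
    for obs in observations:
        asset = assets[obs["src"]]
        if "ttl" in obs and "window" in obs:
            guess = fingerprint_os(obs["ttl"], obs["window"])
            if guess != "unknown":
                asset["os"] = guess
        if "banner" in obs:
            # A banner sent from src:sport tells us what listens on that port.
            asset["services"][obs["sport"]] = classify_banner(obs["banner"])
    return dict(assets)


def triage_alert(alert, assets):
    """Return 'relevant', 'irrelevant' or 'unknown' for one alert.

    Irrelevant: the rule targets an OS or application the discovered asset
    demonstrably does not run.  Unknown: the asset or port has not been seen
    yet, so the alert still deserves review.  Irrelevant outranks unknown.
    """
    asset = assets.get(alert["dst"])
    if asset is None:
        return "unknown"
    verdicts = []
    if alert.get("os") is not None:
        if asset["os"] == "unknown":
            verdicts.append("unknown")
        elif asset["os"] != alert["os"]:
            verdicts.append("irrelevant")
    if alert.get("app") is not None:
        service = asset["services"].get(alert["dport"], "unseen")
        if service in ("unseen", "unknown"):
            verdicts.append("unknown")
        elif service != alert["app"]:
            verdicts.append("irrelevant")
    if "irrelevant" in verdicts:
        return "irrelevant"
    if "unknown" in verdicts:
        return "unknown"
    return "relevant"


def triage_all(alerts, assets):
    """Map each alert's sid to its verdict."""
    return {a["sid"]: triage_alert(a, assets) for a in alerts}


# Constructed passive observations (packet metadata and server banners).
OBSERVATIONS = [
    {"src": "10.0.0.5", "ttl": 63, "window": 5840},
    {"src": "10.0.0.5", "sport": 22, "banner": "SSH-2.0-OpenSSH_3.9p1"},
    {"src": "10.0.0.7", "ttl": 127, "window": 65535},
    {"src": "10.0.0.7", "sport": 80, "banner": "Server: Microsoft-IIS/5.0"},
    {"src": "10.0.0.9", "ttl": 62, "window": 5840},
    {"src": "10.0.0.9", "sport": 21, "banner": "220 (vsFTPd 2.0.1)"},
]

# Constructed IDS alerts; 'os'/'app' state what the rule's attack applies to.
ALERTS = [
    {"sid": 1, "msg": "IIS exploit attempt", "dst": "10.0.0.7", "dport": 80,
     "os": "windows", "app": "iis"},
    {"sid": 2, "msg": "IIS exploit attempt", "dst": "10.0.0.5", "dport": 80,
     "os": "windows", "app": "iis"},
    {"sid": 3, "msg": "OpenSSH exploit attempt", "dst": "10.0.0.5", "dport": 22,
     "app": "openssh"},
    {"sid": 4, "msg": "vsftpd probe", "dst": "10.0.0.42", "dport": 21,
     "app": "vsftpd"},
]

if __name__ == "__main__":
    table = discover_assets(OBSERVATIONS)
    for sid, verdict in triage_all(ALERTS, table).items():
        print(sid, verdict)
```

Alert 2 is the classic false positive the post is about: a Windows/IIS rule firing against a host the passive data shows to be Linux with nothing seen on port 80. The asset table is built continuously from traffic, so the same triage keeps working as hosts come and go, which a periodic active scan cannot guarantee.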
One more thing (Score:4, Informative)
Once again, with feeling:
IDS is a network monitoring technology
IPS is an access control technology
We use IDS to let us know what's happening on our networks, how our policy is being enforced by our access control mechanisms and when there are security failures.
We use IPS to "shoot down" attacks that are in flight before they can complete and affect the target.
Confusing the two is the name of the game for IPS vendors because the FW vendors have deep pockets and the IPS guys didn't want to rock the boat at first. In-line network IPS is only useful as long as you have time to provision new detection signatures before attacks/worms come out, they are deterministic and therefore have a very tough time dealing with the unknown (and yes, I know they have the ability to do rate-based blocking in some cases, that's deterministic too). The natural progression for IPS technology is as a feature on a firewall, not as a stand alone independent product, it's just an enhancement to access control technology after all. The natural progression of IDS will remain as a stand alone product or perhaps it will disappear into the infrastructure of the network itself (e.g. switches), but it is going to be a necessity as long as people need to have visibility into what's happening outside the purview of their access control technologies. In-line network IPS only watches/defends your peering points, NIDS monitors everything if deployed properly.
To claim that IDS is "dead" is to basically say that people should put on blinders and only watch the peering points, not a very realistic proposition in my opinion. IPS is not a replacement for IDS, those who say so either don't understand the role of IDS or they're selling something.
Re:Fatherland (Score:1, Offtopic)
Re:Fatherland (Score:2)
Clearly, he was on coke when he posted it.
Re:Man bites dog. (Score:2, Informative)
Then again, maybe the government doesn't have enough money for the better-quality commercial IDS.