From: Vincent.Tan@mail.state.ky.us
Date: Fri Sep 14 2001 - 11:53:07 CDT
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomo@iss.net. Contact issforum-owner@iss.net for help with any problems!
----------------------------------------------------------------------------
IIS attacks against apache servers? IIS signatures are only for IIS
servers. There is no correlation between IIS signatures and apache
signatures. Most hackers use script kiddies that specifically target IIS
servers, which triggers those signatures. A better early detection warning
would be port scans or service scans as detected by IDS. I would pay more
attention to these scans rather than having IIS signatures on my network as
an indication that someone is trying to break into my apache servers.
Vincent Tan [MCSE, CNE, CIP]
Security Consultant
101 Cold Harbor Dr.
Frankfort, KY 40601
502-564-1093
vtan@mail.state.ky.us
-----Original Message-----
From: ktimm@server1.stingrey.com [mailto:ktimm@server1.stingrey.com]
Sent: Tuesday, September 11, 2001 6:03 PM
To: Scott C. Kennedy
Cc: Fitch, Brian (ISS Atlanta); Semerjian, Ohanes; 'issforum@iss.net';
'focus-ids@securityfocus.com'
Subject: Re: Truth about False Positives
I am saying if you are running apache it still makes sense to look at IIS
decodes (you may not need to react as quickly) and here is the reasoning.
An attacker may try several different attacks before a successful one.
The first few attacks may be looking for IIS attacks against apache
servers. If you know someone is attacking you at that point you can remove
the threat. If you do not look for IIS attacks you will not be able to
remove the threat as quickly. This leaves you more vulnerable. An attacker
has a greater chance of success.
K
On Tue, 11 Sep 2001, Scott C. Kennedy wrote:
> In this case, I would have to argue, that unless you are 101% sure there
> are no IIS servers on your network. For instance, at one site they were
> sure there was no IIS server, all they had was a PBX, and a few laptops.
> But, their PBX ran IIS, and got hacked. Other sites have just installed a
> 3rd party application that bundled an IIS server in it, but neglected to
> mention it. (It ran on a high number port so "no-one" could find it.)
>
> So, the point is unless you are the only person at your site to install
> all computers and can verify all the computers' OS and packages then you
> can label this a false positive for in-bound traffic only.
>
> However it is always a true-positive for out-bound traffic.
>
> Scott
>
> "Fitch, Brian (ISS Atlanta)" wrote:
>
> > So you're saying if someone is running all Apache Web Servers that they
> > should still include checking decodes for IIS vulnerabilities? Wouldn't
> > it make sense to not check for IIS vulnerabilities (ie, Code Red) if
> > there are no IIS servers on one's network?
> >
> > -Brian
> >
> > -----Original Message-----
> > From: ktimm@server1.stingrey.com [mailto:ktimm@server1.stingrey.com]
> > Sent: Tuesday, September 11, 2001 11:54 AM
> > To: Semerjian, Ohanes
> > Cc: Klaus, Chris (ISSAtlanta); 'issforum@iss.net';
> > 'focus-ids@securityfocus.com'
> > Subject: RE: Truth about False Positives
> >
> > Totally incorrect. You are increasing your threat that way. An attacker
> > has more chances to find something vulnerable in your network before you
> > are notified. The only way to do it is through network analysis and
> > exclusionary rules.
> > Kevin
> >
> > On Tue, 11 Sep 2001, Semerjian, Ohanes wrote:
> >
> > > When using any kind of IDS, whether it is host or network based, the
> > > first thing to do before deploying it is to go through the signatures
> > > and disable the ones that are not required. How you do that depends on
> > > your environment and your network infrastructure and also the
> > > applications used.
> > >
> > > Best Regards
> > >
> > > Ohanes Semerjian
> > > Security Administrator, AsiaPac
> > > International Security Group (Central Services)
> > > WorldCom International
> > >
> > > Ph:(02) 9434 5636
> > > Mob: 0410 657 249
> > >
> > > PGP kEY
> > > 6604 2A46 E64F BEBF A4B7 9D01 9E08 399C 9D45 3254
> > >
> > >
> > > -----Original Message-----
> > > From: Klaus, Chris (ISSAtlanta) [mailto:CKlaus@iss.net]
> > > Sent: Friday, 7 September 2001 3:46
> > > To: 'issforum@iss.net'; 'focus-ids@securityfocus.com'
> > > Subject: Truth about False Positives
> > >
> > >
> > >
> > > One of the biggest problems facing IDS is the number of false positives
> > > and false alarms. Each alert from IDS that gets researched costs in time
> > > and money, and keeps the security operator from being able to focus on
> > > the really important alarms, because they get swamped with unimportant
> > > alarms as well and it's not always easy to tell the difference.
> > >
> > > This message includes the following: info on upcoming RealSecure 7.0,
> > > defining false positives & false alarms, and what steps we are taking
> > > to reduce and remove them.
> > >
> > > Quicknote: Making a lot of progress integrating BlackIce technology and
> > > RealSecure technology together. We just released an updated RealSecure
> > > Server Sensor 6.0.1, which combined both the blackice engine code and
> > > our log analysis and management console system together. The result is
> > > a very stable and robust host IDS with log analysis and the most
> > > comprehensive protocol analysis and signatures combined together.
> > >
> > > RealSecure 7.0 is coming along very nicely. We are integrating the
> > > BlackIce engine with the RealSecure network engine together. A big part
> > > of this process is going through and combining all signatures and
> > > protocol analysis algorithms into having the most comprehensive set of
> > > IDS attack algorithms. Any redundant checks where we had the same
> > > signature or protocol analysis in both engines, we are evaluating those
> > > checks for which ones had the best performance and reduced false
> > > positives. By going through this process, we will have a big reduction
> > > in false positives and be left with the best algorithms.
> > >
> > > One of our major goals in RS 7.0 is to remove any and all false
> > > positives. We've been collecting all reported false positives from our
> > > techsupport, consultants, product managers, directly from customers.
> > > We've put together a list of false positives that we are stomping out
> > > for RS 7.0. If you know of any false positives, feel free to email me
> > > with what the false positive is, what was triggering it, and any
> > > additional information you can supply, and we'll work to improve the
> > > algorithm to remove the false positive.
> > >
> > > Truth about False Positives
> > >
> > > "BEEP! BEEP! RED Alert - Intruder scanning Firewall." This message pops
> > > up on the administrator's computer monitor. With new computer security
> > > burglar alarm technology called IDS (Intrusion Detection System), it is
> > > now easier to identify when intruders are attacking and take action.
> > > Once the administrator sees the alert, they can investigate and
> > > determine if the attack was real or not. In many cases, the alert turns
> > > out to be nothing serious and may get classified as a false positive.
> > >
> > > In the security industry, IDS is often said to be plagued with too many
> > > false positives. While many people blame the IDS technology itself,
> > > there are two separate, distinct issues that are confusing the problem.
> > > Being lumped under the false positive issue, there is a separate issue
> > > called false alarms.
> > >
> > > Both false positives and false alarms are serious issues, but they
> > > require different methods to resolve each. In this paper, false
> > > positives and false alarms are defined. The current strategies and
> > > future plans are outlined for reducing both false positives and false
> > > alarms.
> > >
> > > Defining False Positives and False Alarms.
> > > A false positive is where an attack detection algorithm misidentifies
> > > normal traffic as an attack. This is usually where network traffic may
> > > contain similar patterns to an attack, and the IDS algorithm recognizes
> > > these patterns and triggers on it. To reduce these false positives, the
> > > algorithm needs to be further modified or tweaked to be more accurate
> > > and not trigger on normal traffic. The IDS vendor is responsible for
> > > improving these algorithms.
> > >
> > > A false alarm is where an attack detection algorithm properly
> > > identifies the pattern as what it is, but it does not signify a real
> > > problem for the security administrator. The IDS technology may be
> > > configured for alerting on any Web traffic and any HTTP GETs. This will
> > > get triggered on anyone web surfing. These alerts are useful to detect
> > > someone violating the web surfing policy against viewing gambling,
> > > pornographic, and hacking content. With this configuration, even normal
> > > web surfing traffic would cause alerts within the IDS as well. Most of
> > > the web alerts are not serious attacks nor critical, therefore most of
> > > them end up in the false alarm category. Today, the user is responsible
> > > for improving the configuration for reducing false alarms.
> > >
> > > For a false alarm example, we put a motion sensor inside a busy mall,
> > > and it alerted every time someone walked by. The security person would
> > > be flooded with alerts and the end result after awhile would be to
> > > ignore these false alarms. The motion sensor algorithm needs to be
> > > further enhanced and configured with a magnetic strip identifier to
> > > alert only when someone walks out of the mall with products not
> > > purchased.
> > >
> > > While many people complain about false positives in IDS, the majority
> > > of these issues are false alarms. RealSecure network sensor has fewer
> > > than 5% false positives within all the attack detection algorithms. Our
> > > goal is to eliminate all false positives and help end-users properly
> > > configure IDS to significantly reduce false alarms.
> > >
> > > Reducing False Positives and False Alarms.
> > > At Internet Security Systems, false positives are taken very seriously.
> > > Any false positives reported to support@iss.net are sent to the ISS
> > > X-Force team to analyze and refine the attack detection algorithm to
> > > improve on accuracy and not trigger on normal traffic.
> > >
> > > The security quality assurance process has added something unique in
> > > the security industry. Before releasing the ISS X-Press Updates with the
> > > latest security intelligence and algorithms to the customer base, these
> > > updates now go through a beta process with our 24 x 7 IDS monitoring
> > > service within Managed Security Services (ISS MSS). By putting these new
> > > attack detection algorithms into real world environments with vastly
> > > varied traffic, many false positives get immediately identified and
> > > with further refinement, these false positives are eliminated.
> > >
> > > For false alarms, Internet Security Systems offers a full solution to
> > > resolve this issue in several ways:
> > >
> > > * ISS SecureU offers educational classes on how to configure and tweak
> > > the IDS. By going through a class on IDS, users can take advantage of
> > > all the features and avoid the pitfalls of false alarms.
> > > * ISS Consulting has an offering for doing a security assessment and
> > > configuring IDS deployments for optimal settings. With ISS consultants
> > > performing a security assessment and understanding the network layout,
> > > the IDS can be properly configured to only alert on what the
> > > organization considers serious and minimize false alarms.
> > > * ISS Managed Security Services offers a 24 x 7 monitoring capability
> > > around IDS. Very few customers can afford to set up a round-the-clock
> > > 24 x 7 security operation center (SOC). Our SOC operators can monitor
> > > and analyze continuously. With their security expertise, they separate
> > > false alarms from real attacks and inform the customer of any serious
> > > issues.
> > > * ISS Global Threat Operation Center (GTOC) has global fusion and
> > > correlation capabilities for reducing false alarms and escalating
> > > serious attack patterns.
> > >
> > > In the IDS technology, there are some new innovative methods to further
> > > reduce false alarms and false positives.
> > > Attack and Response Fusion. Instead of just detecting an attack
> > > pattern, the detection algorithm is enhanced beyond only looking for
> > > attacks, but analyzing returning network traffic for the vulnerability
> > > response patterns. If an operating system or service is attacked and is
> > > vulnerable, the response packets can have a pattern that indicates
> > > whether the attack was successful or not.
> > > Vulnerability and Threat Fusion. By combining attack events and
> > > vulnerability events together, this determines that the system was
> > > vulnerable and was attacked. This helps raise the priority and
> > > criticality of the alert.
> > > Network and Host Based Fusion. Combining events from both a network
> > > and host-based IDS can produce a fused event that has enhanced accuracy
> > > as to whether the attack was successful from multiple viewpoints.
> > >
> > > Manually, the end-user can reduce false positives by going through
> > > several methods.
> > >
> > > Iterative tweaking. Many end-users apply this method where they turn on
> > > all detection algorithms and through an iterative process, turn off
> > > each algorithm that may be producing false alarms until only serious
> > > issues are triggered.
> > > Identify Known Risks. Through a security assessment, identify known
> > > weaknesses and configure the IDS to only alert on attacks against those
> > > weaknesses.
> > > Identify Known Exceptions. Through a security assessment, identify
> > > known services that are secure and can be ignored for alerting
> > > purposes. For example, after a security assessment and penetration test
> > > has identified that the firewall is indeed configured properly and is
> > > blocking all the appropriate dangerous traffic, the IDS may be
> > > configured to only log and record port scan events, but not alert on
> > > them. Port scanning on the Internet is very common and the organization
> > > may determine that these attacks are worthwhile to keep on record for
> > > evidence purposes, but with a properly installed and configured
> > > firewall, alerting and taking action on these attacks is not
> > > worthwhile.
> > > Another known exception is where certain vulnerabilities no longer
> > > apply to the network being monitored. A security operator can check to
> > > see if their network is vulnerable to various types of attacks and if
> > > not vulnerable, the IDS can be configured not to alert on those
> > > attacks. For example, the Sendmail WIZ vulnerability, which only exists
> > > in very old operating systems and to which most networks are not
> > > typically vulnerable, can be configured off within the IDS policy.
> > >
> > > Future Plans for False Positive and False Alarm Reduction.
> > > Internet Security Systems continues to innovate with new technologies
> > > to provide the best managed security.
> > >
> > > RealSecure Site Protector. In the near future, the vulnerability
> > > assessment sensors and the intrusion detection sensors will be managed
> > > from one security console and management platform. As part of the
> > > security alert console, rather than showing the same repeated event
> > > twice as separate events, additional repeated events would just
> > > increment the count field in the current event. This capability reduces
> > > the overall number of events displayed to the operator.
> > >
> > > Network Protection System. As vulnerability assessment technology
> > > identifies vulnerabilities within the network, it can automatically
> > > produce an IDS policy based on those known security weaknesses. Today,
> > > this is done manually by the end-user.
> > >
> > > Uber-Fusion Throughout the Security Management Platform. Vulnerability
> > > and threat fusion is happening at the host-based level today. The
> > > fusion can be extended with having one security management platform,
> > > and it will simplify correlating vulnerabilities and attacks together
> > > at the network based level and across the application, host, and
> > > network spectrum from a single viewpoint. This technology will be
> > > applicable within the Managed Security Service and GTOC for automated
> > > analysis of various correlated risk patterns. Based on fusion, these
> > > risk patterns could be escalated or placed into a false alarm category
> > > depending on the correlated pattern.
> > >
> > > Criticality and Confidence Level. Extending the high, medium, and low
> > > risk categories into finer degrees of criticality and risk could help
> > > focus on real serious alarms against the false alarms. There might be
> > > two high-risk attacks, but one is against a vulnerable server, and in
> > > theory, the attacked vulnerable event should get an even higher
> > > priority than the high-risk attack against the secured server.
> > >
> > > As ISS X-Force develops the detection algorithms, some of them are
> > > looking for very specific patterns that could only exist as attack
> > > traffic, while some detection algorithms are looking for more generic
> > > patterns that could signify an attack, but also may be legitimate
> > > traffic. A specific pattern based algorithm would get a high confidence
> > > level, while a generic pattern algorithm would get a lower confidence
> > > level. A generic SNMP scanning algorithm would get a low confidence
> > > level, since it might be an intruder, but it could likely be an HP
> > > OpenView manager trying to find devices. By providing a confidence
> > > level for the security management platform, this would help target the
> > > more serious security alarms over possible false alarms.
> > >
> > > Asset Definitions. In RealSecure Site Protector, an organization can
> > > define their assets into various groups. One group may be HR and
> > > another is Sales. Each group may have its own policy as to what it is
> > > most sensitive to and therefore reduce false alarms depending on what
> > > is critical for that department.
> > >
> > > In Summary For False Positives and False Alarms.
> > >
> > > Many IDS technologies started with various methods of detecting attacks
> > > and generating alerts and responses. Future IDS begins to evolve into a
> > > Protection System by piecing together multiple alerts from both an
> > > attack and vulnerability perspective to reduce the workload and allow
> > > security operators to focus on the core security issues, and ignore
> > > false alarms.
> > >
> > > IDS is evolving beyond just intrusion detection, becoming comprehensive
> > > burglar alarm systems that monitor at various levels of applications,
> > > operating systems, and networks. Part of this evolution is that IDS
> > > technology is watching not only for intruders, but denial of service
> > > attacks, viruses, worms, Trojans, and backdoors.
> > >
> > > For commercial IDS, false positives and false alarms are quickly being
> > > reduced with dedicated research staff and can be addressed with many of
> > > Internet Security Systems' offerings.
> > >
> > > With the need for 24 x 7 monitoring for security attacks, many
> > > organizations are evaluating having a Managed Security Service provide
> > > this service as a cost effective method. Companies can focus on their
> > > core business, and let a trusted security company deal with the false
> > > positives and alarms.
> > >
> > >
> > >
> > > ***********************************************************************
> > > Christopher W. Klaus
> > > Founder and CTO
> > > Internet Security Systems (ISS)
> > > 6303 Barfield Road
> > > Atlanta, GA 30328
> > > Phone: 404-236-4051 Fax: 404-236-2637
> > > web http://www.iss.net
> > > NASDAQ: ISSX
> > >
> > > Internet Security Systems ~ The Power To Protect
> > >
>
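The triage logic this thread argues over, written out as an added example. It is not code from the thread, from ISS RealSecure, or from any other product named here. It fuses each alert with a constructed asset and vulnerability inventory (the "vulnerability and threat fusion" and asset groups in Klaus's paper), checks the server's reply to the probe (his "attack and response fusion"), applies the high/low confidence split to generic scans, treats attack traffic sourced by an internal host as a true positive regardless of its target (Scott's point), and keeps IIS checks against Apache hosts as low-priority evidence that is promoted once one source has made several attempts (Kevin's point). The hosts, signature names, alerts and the `Alert`, `triage`, `correlate` and `summarize` names are all assumptions made up for the example.

```python
"""Alert triage that fuses IDS alerts with an asset/vulnerability inventory.

Constructed example for this thread, not RealSecure or any other ISS code.
Every host, signature name and alert below is made up.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory. The "PBX" on 10.0.2.5 quietly runs IIS, as in
# Scott Kennedy's anecdote: the inventory, not the box's label, decides.
ASSETS = {
    "10.0.1.10": {"group": "web", "services": {"apache"}, "vulns": set()},
    "10.0.1.20": {"group": "web", "services": {"iis"}, "vulns": {"http_iis_ida_overflow"}},
    "10.0.2.5": {"group": "hr", "services": {"iis", "pbx"}, "vulns": {"http_iis_ida_overflow"}},
}
INTERNAL_PREFIXES = ("10.0.",)

# Constructed signature catalogue. "target" is the platform a check is
# specific to (None for generic recon); "confidence" follows the high/low
# split in the paper.
SIGNATURES = {
    "http_iis_ida_overflow": {"target": "iis", "confidence": "high"},
    "http_iis_unicode_traversal": {"target": "iis", "confidence": "high"},
    "snmp_scan": {"target": None, "confidence": "low"},
    "portscan": {"target": None, "confidence": "low"},
}


@dataclass(frozen=True)
class Alert:
    sig: str
    src: str
    dst: str
    response_status: Optional[int] = None  # HTTP status in the reply, if seen


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def triage(alert: Alert) -> Tuple[str, str]:
    """Classify one alert: escalate, investigate, or log-only, with a reason."""
    sig = SIGNATURES[alert.sig]
    # Outbound first: an internal host sourcing platform-specific exploit
    # traffic is compromised whatever it is aimed at (always a true positive).
    if sig["target"] and is_internal(alert.src):
        return "escalate", "internal host is sourcing attack traffic"
    asset = ASSETS.get(alert.dst)
    if asset is None:
        return "investigate", "destination not in asset inventory"
    if sig["target"] is None:
        # Generic recon: low confidence, keep for evidence only (known exception).
        return "log-only", f"low-confidence {alert.sig} against group {asset['group']}"
    if sig["target"] not in asset["services"]:
        # IIS check against an Apache box: cannot succeed, but it is still
        # evidence that someone is working the site, so keep rather than drop.
        return "log-only", f"target does not run {sig['target']}; kept as recon evidence"
    if alert.sig in asset["vulns"]:
        # Vulnerability and threat fusion: attacked AND known vulnerable.
        if alert.response_status == 200:
            # Attack and response fusion: the server answered the probe.
            return "escalate", "vulnerable host answered the exploit request"
        return "escalate", "known-vulnerable host attacked"
    return "investigate", "platform matches but no known vulnerability"


def correlate(alerts: List[Alert], threshold: int = 2) -> Dict[str, str]:
    """Promote an external source once it has made `threshold` log-only
    attempts: an attacker usually tries several things before one works."""
    attempts = Counter(
        a.src for a in alerts
        if not is_internal(a.src) and triage(a)[0] == "log-only"
    )
    return {src: "investigate" for src, n in attempts.items() if n >= threshold}


def summarize(alerts: List[Alert]) -> List[Tuple[str, str, str]]:
    return [(a.src, a.dst, triage(a)[0]) for a in alerts]


# Constructed alerts: one source probes the Apache box with two IIS checks,
# then hits the PBX; a scanner touches the IIS box; the IIS box then starts
# attacking an outside address.
SAMPLE_ALERTS = [
    Alert("http_iis_ida_overflow", "203.0.113.7", "10.0.1.10", 404),
    Alert("http_iis_unicode_traversal", "203.0.113.7", "10.0.1.10", 404),
    Alert("http_iis_ida_overflow", "203.0.113.7", "10.0.2.5", 200),
    Alert("portscan", "198.51.100.9", "10.0.1.20"),
    Alert("http_iis_ida_overflow", "10.0.1.20", "192.0.2.44"),
]

if __name__ == "__main__":
    for src, dst, verdict in summarize(SAMPLE_ALERTS):
        print(f"{src:>14} -> {dst:<12} {verdict}")
    print("promoted sources:", correlate(SAMPLE_ALERTS))
```

The two IIS probes against the Apache box are neither dropped nor escalated: they stay as evidence, and the third alert from the same source, against the PBX that really does run IIS and answers with a 200, is what escalates. In a real deployment ASSETS would be populated from a vulnerability scanner rather than by hand, which is the "Network Protection System" step the paper describes as still manual.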