OSEC

Subject: Re: Symantec IDS Experts????????????????????
From: Swen Schisler (sschislerVIRBUS.DE)
Date: Wed Oct 18 2000 - 07:03:41 CDT


Dear Elliot,

What we are speaking about is a basic problem of NIDS: they have to capture packets and
look at their content. I repeat, every NIDS has to do that, even
commercial ones do that. If the NIDS has captured the packet,
the NIDS engine wants to know what the packet will do. How will they do that?
They have to look inside; if it (the NIDS) is state based, it has to know where
the packet belongs to. How will it figure out this information? Snort only
builds a chain with rules and the first matching rule will be taken; every
incoming packet will be compared to the rule base. This is not very
sophisticated, but there are efforts to improve this. A state based (analysis)
engine is like a tree; it (implicitly) knows what was before and what can
happen next. This is the difference between many commercial (not all)
products and Snort. But every NIDS captures packets from the wire and looks
inside. If we use encryption, no NIDS, not even a commercial one, will know
anything about the packet. A NIDS will never reliably predict the impact on
the targeted system. That's the reason why NIDS are an out-dated technology. It
is only a small part of modern Intrusion Detection Systems. This statement will
cause trouble on this list, but in my opinion it is the truth.

For this you should really use a HIDS, because the behaviour of your system
is the only reliable source to gather information about what happens.

-- writing new protocol decoding modules

If you start to do that, then you have to employ a team of specialists that will
do that job. They also want to earn money. I think if you use a commercial NIDS
then you won't do that, because the vendor has to supply the module.

-- writing new signatures

Have a look at www.whitehats.com; there is an hourly updated
signature file. I think even commercial vendors don't supply such a service.

-- preventing new evasion tactics

Every NIDS will be vulnerable to such tactics, as I stated above.

At last I want to say: if implementing a state based NIDS, you have to implement
every known protocol so that every packet can be inspected. Maybe the vendor
will sell you these additionally to the NIDS. That's a horrible effort, and for
what do you do that? A NIDS will inspect the packets and see that there is
something wrong (maybe a DoS), but what now? At the same time the target is
dead. You can't prevent such attacks with NIDS, and a lot of others too.

Ok, this may be enough at first; please excuse my poor English.

I look forward to the following discussion.

Yours

--------------------------------------------------------------------------------
Swen Schisler Germany
VIRBUS AG Tel.: +49-341/9797407
Leipzig E-mail: sschislervirbus.de
--------------------------------------------------------------------------------
The difference between 'involvement' and 'commitment' is like an
eggs-and-ham breakfast: the chicken was 'involved' -- the pig was
'committed'.
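The contrast the post draws between Snort's first-match rule chain and a state-based engine, as an added example (not code from the post, Snort, or VIRBUS): a toy ordered rule chain where the first match wins, beside a minimal per-flow tracker that knows whether a handshake happened before data arrived. Packets, flow ids and rules are constructed sample data; an opaque byte string stands in for an encrypted payload that neither approach can inspect.

```python
# Added example: stateless first-match rule chain vs. a minimal stateful check.
# All packets, flow ids and rules below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Packet:
    flow: str          # constructed connection id (stand-in for a 5-tuple)
    flags: str         # "S" (SYN), "SA" (SYN/ACK), "PA" (data); direction ignored
    payload: bytes = b""


# Ordered rule chain: (rule name, byte pattern). Like the chain the post
# describes, the FIRST matching rule is taken, so a broad rule placed before a
# more specific one shadows it.
RULES = [
    ("generic-get", b"GET "),
    ("cgi-bin-probe", b"GET /cgi-bin/"),
]


def stateless_match(pkt: Packet):
    """Return the first rule name whose pattern appears in the payload, else None."""
    for name, pattern in RULES:
        if pattern in pkt.payload:
            return name
    return None


class StatefulEngine:
    """Tracks each flow's handshake so data can be judged against what came before."""

    def __init__(self):
        self.state = {}  # flow id -> "SYN" or "ESTABLISHED"

    def inspect(self, pkt: Packet):
        st = self.state.get(pkt.flow)
        if pkt.flags == "S":
            self.state[pkt.flow] = "SYN"
            return None
        if pkt.flags == "SA" and st == "SYN":
            self.state[pkt.flow] = "ESTABLISHED"
            return None
        if pkt.payload and st != "ESTABLISHED":
            # Data on a flow with no completed handshake: the stateless chain
            # cannot notice this because it never remembers earlier packets.
            return "data-without-handshake"
        return stateless_match(pkt) if pkt.payload else None
```

Reordering RULES so the specific pattern comes first changes what the chain reports for the same packet, which is the operational cost of first-match semantics.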