Subject: Re: More: combination of IDS and scanner
From: David Masten (dmasten at PIRATELABS.ORG)
Date: Fri Dec 08 2000 - 22:46:07 CST
- Next message: Bennett Todd: "Re: network based IDS"
- Previous message: Robert Graham: "Re: FW: network based IDS"
- In reply to: Thomas Singer: "More: combination of IDS and scanner"
- Reply: David Masten: "Re: More: combination of IDS and scanner"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Thomas Singer wrote:
> Thanks to all who responded for the valuable input.
>
> Of course scanning after the incident is a problem, because the incident
> could have changed the way the attacked host is behaving. Therefore we
> are trying to classify attacks based on their impact on the host
> behaviour. That is, we try to distinguish between attacks which after
> completion could fool our scanner, and attacks which do not change the
> way a system behaves (or rather change the way the system behaves only
> in a way not affecting the results of the scanner).
>
> Our IDS extension would then - after having caught an alert from the IDS
> - do sort of something like this:
<snip>
> What do you think? Does implementing something like this sound feasible?
While your approach starts to address the problem I brought up
previously, I don't think it catches the real problem of a very limited
time frame set by the attacker. What you are describing requires a
single application to understand and deal with most if not all of the
nuances to the many protocols and the many different implementations of
those protocols that may be in a network along with all of the commands,
library routines, and op codes that might exist on hosts and gateways on
that network. Many (if not all) IDSes have problems keeping up with
large amounts of traffic already.
If I were an attacker looking to bypass your IDS, I would launch
multiple, almost simultaneous attacks (from multiple unrelated hosts and
networks). All but one of those attacks will be designed to DOS the IDS,
by giving them the hardest-to-determine signatures (a combination that
requires the most CPU cycles, memory read/writes, and disk I/O). By the
time my attack is done, your IDS will have launched many scans of the
network (possible DOS of the network?), not given any alerts (or the
opposite, too many alerts), and very likely missed the actual attack, or
at least reacted in the wrong way to it. It is an extremely noisy
attack, but aren't all diversion tactics loud and flashy? And if my
intent is DOS then the IDS has aided me quite well.
On the other hand, if the IDS has a good "picture" of the network state
prior to the attack, we can take a look at the packet headers and
discard all of the noise and concentrate on the packets that may be an
actual attack, by which time any additional vulnerability scanning is
superfluous. Also, the IDS only has to evaluate enough of the packet to
determine that it is an attack, it does not need to check any further.
I really think the approach you are suggesting is strategically flawed.
Information warfare is the same as traditional warfare, you must know
yourself BEFORE the battle. Discovering your strengths and weaknesses
during the engagement is much too late.
> Regards,
> Thomas
>
> PS: Is there more information available about John Flowers' talk you
> have mentioned?
There is a white paper on the Hiverworld web site that advertises their
approach to combining IDS and Scanning. My notes are extremely sketchy
owing to the fact that I was not feeling well that day, and I am
terrible at taking notes anyway.
Hope this helps.
--
David Masten
Information Security Guru, System and Network Administrator,
Rocket Engineer, and Opinionated Freedom Fighter
------------------------------------------------------------
They that can give up Liberty to obtain a little temporary
security, deserve neither. - B. Franklin
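The "good picture of the network state" argued for above, as an added example that is not code from the original message, from Hiverworld, or from any other product discussed in the thread. It assumes a hypothetical inventory built by a scan taken before any attack (hosts, OS, open ports and the service on each) plus hypothetical per-signature metadata saying what a target must expose for the rule to matter; host addresses, signature names and the alert flood are all constructed. Triage then consults the stored picture only and never launches a scan on the attacker's timetable, so a flood of decoy alerts against hosts that cannot be affected is discarded cheaply.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed data, assumed for this example (not from the message) -----

@dataclass
class Host:
    ip: str
    os: str
    services: Dict[int, str]   # open port -> service fingerprint from the last scan

@dataclass(frozen=True)
class Signature:
    name: str
    port: int
    service: str               # service the rule's exploit targets
    os: Optional[str] = None   # None: any OS

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dst_port: int
    signature: str

# Picture of the network taken BEFORE the attack (hypothetical hosts).
INVENTORY: Dict[str, Host] = {
    "10.0.0.10": Host("10.0.0.10", "linux", {22: "openssh", 80: "apache"}),
    "10.0.0.11": Host("10.0.0.11", "windows", {80: "iis", 139: "netbios"}),
    "10.0.0.12": Host("10.0.0.12", "linux", {21: "wu-ftpd", 22: "openssh"}),
}

# Hypothetical signature metadata: what the target must expose for the rule to apply.
SIGNATURES: Dict[str, Signature] = {
    "http-iis-exploit": Signature("http-iis-exploit", 80, "iis", "windows"),
    "ftp-wuftpd-exploit": Signature("ftp-wuftpd-exploit", 21, "wu-ftpd", "linux"),
    "ssh-openssh-exploit": Signature("ssh-openssh-exploit", 22, "openssh"),
}

def triage(alert: Alert, inventory: Dict[str, Host] = INVENTORY,
           signatures: Dict[str, Signature] = SIGNATURES) -> Tuple[str, str]:
    """Decide from the stored picture alone whether an alert can apply.

    Returns (verdict, reason). Nothing is scanned here: a host or signature
    missing from the picture is flagged for review instead of being probed.
    """
    sig = signatures.get(alert.signature)
    if sig is None:
        return "review", "no metadata for signature %s" % alert.signature
    host = inventory.get(alert.dst)
    if host is None:
        return "review", "host %s not in inventory" % alert.dst
    if sig.os is not None and host.os != sig.os:
        return "discard", "target runs %s, signature needs %s" % (host.os, sig.os)
    running = host.services.get(alert.dst_port)
    if running is None:
        return "discard", "port %d not open on target" % alert.dst_port
    if running != sig.service:
        return "discard", "port %d runs %s, signature needs %s" % (
            alert.dst_port, running, sig.service)
    return "investigate", "target exposes %s on port %d" % (sig.service, alert.dst_port)

def triage_batch(alerts: List[Alert]) -> Dict[str, List[Tuple[Alert, str]]]:
    """Bucket a burst of alerts by verdict, keeping the reason for each."""
    out: Dict[str, List[Tuple[Alert, str]]] = {"investigate": [], "discard": [], "review": []}
    for a in alerts:
        verdict, reason = triage(a)
        out[verdict].append((a, reason))
    return out

# Constructed flood: decoys from many sources aimed at hosts that cannot be
# affected, one attempt that matches the inventory, one host never scanned.
DECOY_SOURCES = ["192.0.2.%d" % i for i in range(1, 21)]
SAMPLE_ALERTS: List[Alert] = (
    [Alert(s, "10.0.0.10", 80, "http-iis-exploit") for s in DECOY_SOURCES]      # IIS rule at Apache/Linux
    + [Alert(s, "10.0.0.11", 21, "ftp-wuftpd-exploit") for s in DECOY_SOURCES]  # FTP rule at Windows box
    + [Alert("198.51.100.7", "10.0.0.12", 21, "ftp-wuftpd-exploit")]            # matches the picture
    + [Alert("198.51.100.8", "10.0.0.99", 22, "ssh-openssh-exploit")]           # host not in the picture
)

if __name__ == "__main__":
    result = triage_batch(SAMPLE_ALERTS)
    print("%d alerts; a scan-on-alert design would have launched %d scans"
          % (len(SAMPLE_ALERTS), len(SAMPLE_ALERTS)))
    for verdict in ("investigate", "review", "discard"):
        print("%-11s %d" % (verdict, len(result[verdict])))
    for a, why in result["investigate"] + result["review"]:
        print("  %s -> %s:%d %s (%s)" % (a.src, a.dst, a.dst_port, a.signature, why))
```

The only expensive work left is deciding, per alert, whether the target is in the picture and exposes what the rule needs; the decoys cost one dictionary lookup each, and the one host missing from the inventory is surfaced as a gap in the picture rather than turned into a scan the attacker gets to trigger.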