From: Vitaly Osipov (vosipov@WOLFEGROUP.COM)
Date: Mon Mar 12 2001 - 04:03:39 CST

    you say "some NIDS vendors" - ok, which vendor has a NIDS which is capable
    of doing those things? You? :) i.e. deal with highly fragmented traffic,
    reassemble it in different ways depending on its destination (simulating
    different OS behaviour) and not die under, say, some thousands of packets a
    second? (I've already tried eTrust, Cisco IDS and RealSecure - no luck). And
    tell me please what do you do with that old problem of CPU usage and
    internal bus bandwidth? I doubt if a 700MHz CPU can correctly reassemble
    50mbps Ethernet traffic...

    regards,
    W.

    P.S. I'd be happy to hear from new IDS vendors - like Network Wizards,
    Intrusion.com etc privately.

    ----- Original Message -----
    From: "Aaron Bawcom" <aaron_bawcom@intrusion.com>
    To: "'Vitaly Osipov'" <vosipov@wolfegroup.ie>; <FOCUS-IDS@SECURITYFOCUS.COM>
    Sent: Sunday, March 11, 2001 6:15 AM
    Subject: RE: Statefull inspection on IDS

    > > No NIDS can tell you for sure what your host is going to do with this
    > > specific packet, it can only guess, but the more clever it becomes, the
    > > more resources it consumes - so it becomes more and more vulnerable to
    > > some stupid denial of service attack. Just give it some really weird
    > > traffic, and it will lock up or crash trying to simulate the behaviour
    > > of your 100-hosts network in real time :)))
    >
    > I disagree. It is possible to efficiently catch attacks
    > that use really weird traffic using different types of
    > Intrusion Detection algorithms. Just because some NIDS
    > vendors have not been able to provide solutions for
    > this class of problems does not indicate that these
    > problems are unsolvable. This is equivalent to someone
    > (in the 1930's) claiming that because no one had built
    > a jet engine that it was impossible to build a jet
    > engine. Someday, an engineer will questioningly ask
    > "that's funny?" and innovation will occur.
    >
    > -----Original Message-----
    > From: Vitaly Osipov [mailto:vosipov@WOLFEGROUP.IE]
    > Sent: Thursday, March 08, 2001 12:40 AM
    > To: FOCUS-IDS@SECURITYFOCUS.COM
    > Subject: Re: Statefull inspection on IDS
    >
    >
    > Sorry people, but why do you try to make the NIDS do things it cannot do?
    > If you need to detect what _really_ happens to your hosts, why not use
    > _host_ based IDS, and not network based? I know, NIDS is much easier to
    > set up and maybe to deploy, but it's maybe the only advantage... put an
    > agent on each host (khe, could be a terrible job :) ) - something from the
    > RealSecure line, or just hand-made log checkers; if you want secure
    > reporting - make your hosts dual-homed and make those agents report only
    > on a secure interface, etc...
    >
    > No NIDS can tell you for sure what your host is going to do with this
    > specific packet, it can only guess, but the more clever it becomes, the
    > more resources it consumes - so it becomes more and more vulnerable to
    > some stupid denial of service attack. Just give it some really weird
    > traffic, and it will lock up or crash trying to simulate the behaviour of
    > your 100-hosts network in real time :)))
    >
    > regards,
    > W.
    >
    > P.S. I wonder why HIDS are so unpopular? Hard to deploy or just no good
    > marketing? :)
    > P.P.S. I saw somewhere an analogy between IDS and a burglar alarm... I'm
    > afraid that NIDS is some kind of alarm which is installed once per block
    > of houses and has a sensor somewhere on a road near that block :)... HIDS
    > is much more of a real alarm for a house, but if you have to watch a whole
    > town, it's a bit difficult then...
    >
    >
    > ----- Original Message -----
    > From: "Robert Graham" <robert_david_graham@YAHOO.COM>
    > To: <FOCUS-IDS@SECURITYFOCUS.COM>
    > Sent: Wednesday, March 07, 2001 9:29 PM
    > Subject: Re: [FOCUS-IDS] Statefull inspection on IDS
    >
    >
    > > This is incorrect. Most network IDS have some sort of stateful
    > > component.
    > >
    > > This is one of the reasons I've hated the "IDS test suite" in CyberCop
    > > Scanner. One of their features would test the statefulness of the IDS.
    > > Network ICE would "fail" to detect a certain attack, which indicated
    > > that it was stateful.
    > >
    > > The reason I hated this is because "test" in this case meant "reverse
    > > engineering" not "validation". The correct behavior would be to fail to
    > > detect that specific attack. I spent a lot of time talking to people
    > > trying to explain how we "passed" the test rather than "failed" the test
    > > by not detecting the non-attack.
    > >
    > > This is also why my little sidestep.exe utility
    > > (http://www.robertgraham.com/tmp/sidestep.html) contains full clients
    > > and not simulated clients. The better the IDS is, the worse it is at
    > > detecting attack "simulations", and the more it requires a real attack
    > > in order to trigger.
    > >
    > > Robert Graham
    > > CTO/Network ICE
    > >
    > > Marketing blurb: Network ICE is dramatically MORE stateful than any
    > > firewall. Even other IDSs like RealSecure, NFR, etc. contain a lot of
    > > state. One of the frustrating things as a vendor is that people learn
    > > Snort, then assume every IDS works like Snort. Network ICE works
    > > completely differently than Snort.
    > >
    > > -----Original Message-----
    > > From: Focus on Intrusion Detection Systems
    > > [mailto:FOCUS-IDS@SECURITYFOCUS.COM]On Behalf Of Waltman, Vern
    > > Sent: Wednesday, March 07, 2001 4:51 AM
    > > To: FOCUS-IDS@SECURITYFOCUS.COM
    > > Subject: Statefull inspection on IDS
    > >
    > >
    > > To All,
    > >
    > >
    > > It is my understanding that no current IDS (including ISS's RealSecure)
    > > does stateful inspection of the connections on the network segment being
    > > monitored. Therefore, it is not necessary to establish a legitimate TCP
    > > connection in order for the IDS to register an attempted attack. Since
    > > no TCP connection is necessary, could someone with malicious intent
    > > spoof their source IP address to be any address on the Internet,
    > > presuming that the site that they are launching from has not implemented
    > > egress filtering as described in RFC 2267? The target of the attack (or
    > > perhaps an intervening firewall or packet filter) will disregard these
    > > fake attack packets because they are not part of a legitimate,
    > > established TCP connection. With that said, the IDS will log all the
    > > fake attacks. The IDS will continue to run as normal, registering a
    > > large number of attacks. If the attacker simultaneously runs a real
    > > attack during this time, it will be difficult to tell from the IDS
    > > system alone which attack is real and therefore where the real attack
    > > originated.
    > > Solution?
    > > Could you put a firewall in front of the IDS that is only configured for
    > > stateful inspection (a simple LINUX box firewall)? (Will this cause the
    > > IDS to miss other attempted attacks as well?)
    > >
    > >
    > >
    > >
    > > Vern Waltman
    > > JTF-CND Sr. Technical Analysts
    > > Litton TASC
    > > E-mail: waltmanv@jtfcnd.ia.mil
    > > (703) 607-4050 ext. 4481
    > > FAX: (703) 607- 4009
    > >
    > >
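Added example, not written by any of the posters above: a minimal stateful TCP tracker of the kind Vern asks about and Robert says most NIDS already contain, in Python. The hosts, ports, probe string and the single content signature are constructed for the demo and stand in for nothing real. It plays out the three cases the thread turns on: a forged-source packet with no handshake produces a stateless pattern match but no stateful alert; a forged source that sends a SYN never sees the server's ISN, so its guessed third ACK fails the sequence check and the connection never reaches ESTABLISHED; a real client that completes the handshake trips the alert. It also bounds the connection table so the SYN flood Vitaly worries about evicts half-open entries rather than exhausting memory or pushing out the established connection.

```python
"""
Stateful TCP tracking for a toy NIDS: signatures are matched only against
payload carried inside a connection whose three-way handshake the sensor saw
(with the ACK numbers checked against the observed ISNs), so spoofed one-way
packets cannot generate alerts. All packets and hosts below are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed content signature (illustrative; not a real ruleset entry).
SIGNATURES = {"cgi-phf-probe": b"/cgi-bin/phf"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0
    payload: bytes = b""


@dataclass
class Conn:
    state: str                      # SYN_SENT -> SYN_RECV -> ESTABLISHED
    client_isn: int
    server_isn: Optional[int] = None


class StatefulIDS:
    """Tracks handshakes and alerts only on payload of ESTABLISHED connections.
    `max_conns` bounds the table so a SYN flood cannot grow it without limit."""

    def __init__(self, max_conns: int = 1000):
        self.conns: "OrderedDict[tuple, Conn]" = OrderedDict()
        self.max_conns = max_conns
        self.alerts = []             # what this stateful engine raises
        self.stateless_alerts = []   # what a pure pattern matcher would raise

    @staticmethod
    def _match(p: Packet):
        return [name for name, sig in SIGNATURES.items() if sig in p.payload]

    def _remember(self, key: tuple, conn: Conn) -> None:
        # Under pressure, evict the oldest half-open entry before touching
        # anything ESTABLISHED. (The linear scan is fine for a demo.)
        if len(self.conns) >= self.max_conns:
            victim = next((k for k, c in self.conns.items()
                           if c.state != "ESTABLISHED"), next(iter(self.conns)))
            del self.conns[victim]
        self.conns[key] = conn

    def process(self, p: Packet) -> None:
        # A stateless matcher fires on any packet carrying the pattern.
        for name in self._match(p):
            self.stateless_alerts.append((name, p.src))

        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server key
        rev = (p.dst, p.dport, p.src, p.sport)

        if p.flags & RST:
            self.conns.pop(fwd, None)
            self.conns.pop(rev, None)
            return
        if p.flags & SYN and not p.flags & ACK:   # client SYN
            self._remember(fwd, Conn("SYN_SENT", p.seq))
            return
        if p.flags & SYN and p.flags & ACK:       # server SYN/ACK
            c = self.conns.get(rev)
            if c and c.state == "SYN_SENT" and p.ack == c.client_isn + 1:
                c.state, c.server_isn = "SYN_RECV", p.seq
            return

        c = self.conns.get(fwd)
        if c is None:
            return   # no tracked connection: the target host would drop it too
        if (c.state == "SYN_RECV" and p.flags & ACK
                and p.seq == c.client_isn + 1 and p.ack == c.server_isn + 1):
            c.state = "ESTABLISHED"   # handshake done; this packet may carry data
        if c.state == "ESTABLISHED":
            for name in self._match(p):
                self.alerts.append((name, p.src))
            if p.flags & FIN:
                self.conns.pop(fwd, None)


SERVER, PORT = "192.0.2.10", 80                       # constructed target
PROBE = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"           # constructed probe


def spoofed_one_way_attack(ids: StatefulIDS, fake_src: str) -> None:
    """Forged source, no view of replies: a bare data packet, then a SYN
    whose SYN/ACK goes to the forged host, then a third ACK with a guessed
    acknowledgement number."""
    ids.process(Packet(fake_src, 40000, SERVER, PORT, PSH | ACK, seq=1, ack=1, payload=PROBE))
    ids.process(Packet(fake_src, 40001, SERVER, PORT, SYN, seq=1000))
    ids.process(Packet(SERVER, PORT, fake_src, 40001, SYN | ACK, seq=777777, ack=1001))
    ids.process(Packet(fake_src, 40001, SERVER, PORT, PSH | ACK, seq=1001, ack=1, payload=PROBE))


def real_attack(ids: StatefulIDS, src: str) -> None:
    """Genuine client completes the handshake, so its payload is inspected."""
    ids.process(Packet(src, 50000, SERVER, PORT, SYN, seq=5000))
    ids.process(Packet(SERVER, PORT, src, 50000, SYN | ACK, seq=9000, ack=5001))
    ids.process(Packet(src, 50000, SERVER, PORT, ACK, seq=5001, ack=9001))
    ids.process(Packet(src, 50000, SERVER, PORT, PSH | ACK, seq=5001, ack=9001, payload=PROBE))


def run_demo() -> dict:
    ids = StatefulIDS(max_conns=1000)
    for i in range(50):                      # 50 forged sources: Vern's noise
        spoofed_one_way_attack(ids, f"203.0.113.{i}")
    real_attack(ids, "198.51.100.7")         # the one real attacker
    for i in range(5000):                    # SYN flood aimed at the tracker
        ids.process(Packet(f"10.{i // 256}.{i % 256}.1", 1024 + i % 100, SERVER, PORT, SYN, seq=i))
    return {
        "stateless_alerts": len(ids.stateless_alerts),
        "stateful_alerts": len(ids.alerts),
        "stateful_sources": sorted({src for _, src in ids.alerts}),
        "tracked_conns": len(ids.conns),
        "real_conn_survived": any(c.state == "ESTABLISHED" for c in ids.conns.values()),
    }


if __name__ == "__main__":
    print(run_demo())
```

The stateless count is the flood of fake alerts Vern describes and the stateful count is the single real attacker, exactly the "passing by not detecting the non-attack" that Robert defends. Two caveats the tracker does not remove: the sensor must see both directions of the handshake (asymmetric routing breaks it), and none of this addresses fragment reassembly or per-OS ambiguity, which is Vitaly's other objection.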