Re: on TASL correlation rules
From: Augusto Paes de Barros (augusto paesdebarros.com.br)
Date: Wed Dec 28 2005 - 05:46:30 CST
"I think it's a dirty little secret that much fewer customers customize
NIDS rules than the NIDS vendors think..."
Totally true.
I believe that's because they sell their products as something that
doesn't need to be customized. I like to say that IDSes are more like
ERP systems than Antivirus. A lot of customization is required to make
it work.
Regards,
Augusto.
On 12/23/05, Anton Chuvakin <anton chuvakin.org> wrote:
> Ron and all,
>
> > In general though, the issue we've found while writing these types of rules
> > is that whatever the algorithm, there is always a trade-off between being
> > exact and being general.
> That is *exactly* the discussion I wanted to start! Thanks for picking
> it up. When one provides canned correlation rules (such as your TASL
> scripts), this question comes up in full force. And, unlike NIDS
> rules, where people expect them to work pretty much out of the box (I
> think it's a dirty little secret that much fewer customers customize
> NIDS rules than the NIDS vendors think...), this one gets real
> subjective real quick. And this is where the site-specific rules or
> scripts come in.
>
> > Site-specific rules can get much more interesting. For example, writing
> > a rule that can alert on any "SSH login failure" not coming from the
> > SOC is very simple, but you have to know about the DNS server, the SOC
> > and the trust relationship between them before hand.
> This is one of my favorite examples: it's an extremely simple and just
> as useful custom rule ("if SSH not from SOC, alert") but an impossible
> default vendor-provided rule. The main question is: how many people
> will go and create it? Will the "NIDS disease" (mentioned above) hit
> it as well and thus devalue the correlation software?
>
> Best,
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.chuvakin.org
> http://www.securitywarrior.com
>
--
Augusto Paes de Barros, CISSP-ISSAP(r)
http://www.paesdebarros.com.br/indexpb.html
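The "if SSH login failure not from SOC, alert" rule that Ron and Anton discuss above, written out as an added example (not code from the thread, TASL, or any vendor product). The SOC networks and the sshd log lines are constructed values; the only site-specific knowledge the rule needs is the list of SOC source networks, which is exactly why no vendor can ship it by default.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Site-specific knowledge the rule depends on (constructed values; a real
# deployment would load these from the SIEM's asset/zone configuration).
SOC_NETWORKS = [ipaddress.ip_network(n) for n in ("10.9.0.0/24", "192.0.2.0/24")]

# Matches OpenSSH sshd failure lines such as:
# "Jan  5 10:11:12 bastion sshd[1234]: Failed password for root from 203.0.113.5 port 4444 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def is_soc_address(addr: str) -> bool:
    """True if the source address falls inside one of the trusted SOC networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SOC_NETWORKS)


def ssh_failure_not_from_soc(lines: Iterable[str]) -> List[Dict[str, str]]:
    """The site-specific rule: alert on every SSH login failure whose source is not the SOC."""
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not an SSH failure event; out of scope for this rule
        if is_soc_address(m["src"]):
            continue  # expected noise: SOC analysts mistyping passwords
        alerts.append({"ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["src"]})
    return alerts


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "Jan  5 10:11:12 bastion sshd[1234]: Failed password for root from 203.0.113.5 port 4444 ssh2",
    "Jan  5 10:11:20 bastion sshd[1240]: Failed password for alice from 10.9.0.17 port 50122 ssh2",
    "Jan  5 10:11:25 bastion sshd[1244]: Accepted publickey for alice from 10.9.0.17 port 50122 ssh2",
    "Jan  5 10:12:01 dbhost sshd[777]: Failed password for invalid user admin from 198.51.100.9 port 2222 ssh2",
]

if __name__ == "__main__":
    for a in ssh_failure_not_from_soc(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['host']}: SSH failure for {a['user']} from non-SOC {a['src']}")
```

The trade-off Ron mentions is visible in the second sample line: the rule deliberately stays silent on failures from SOC addresses, so it is only as good as the site's list of SOC networks.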