[logs] Re: [TSG] intrusion detection and log analysis [was: book advice]

From: Bruce Potter (gdead@private)
Date: Tue Nov 04 2003 - 05:39:11 PST

  • Next message: Bennett Todd: "Re: [logs] intrusion detection and log analysis [was: book advice]"

    ...incoming...
    
    > this is true...ish.  f'r one thing, lots and lots o' exploits are based on
    > known vulnerabilities, where there's enough information disclosed prior to
    > release of exploit that reliable IDS signatures exist.  nimda's my fave
    > example of this.  especially for its server attacks, nimda exploited
    > vulnerabilities that were anywhere from 4 months to 2 years old.  all the
    > IDS vendors had signatures, which is why nimda was discovered so quickly
    > and so rampantly.  in the limited dataset i had -- counterpane customers
    > with network-based intrusion detection systems watching their web farms --
    > the message counts increased by an order of 100000 within half an hour of
    > the first "public" announcement of nimda (a posting at 9:18 east coast
    > time on 18 sept 2001, on the incidents@private mailing list)
    > (not that i was scarred or anything).
    >
    > so in that particular instance, signature based IDS was certainly highly
    > effective in letting you know that something was up.
    
    I'll bite on this.  How much money/effort (ie: more money) had an
    organization spent on IDS in order to detect nimda?  I mean, medium size
    org ($500MM in revenue a year) probably spent $120k on licencing, hardware
    and man power in a year to do Network IDS the Vendor Way... at least
    $120k.  If the same org also had machines a year out of date on patches
    (or even _4 months_, it doesn't matter) don't you think that money would
    have been better spent on patching the machines?  and I don't just mean
    tactically patching boxes, but rather coming up with an automated patching
    process, testing requirements for patching production machines, etc...
    
    Now in an _incredibly_ uncontrolled environment (ie: Tina's nightmare, a
    university), and IDS is an effective traffic cop.  You can't really
    control student and faculty workstations and your only hope is detection
    and response.  That is just a fact of life in a university.  but in a
    corporate environment, there's no excuse.  You can use the hammer of thor
    to control workstations....  patch or be owned
    
    Seriously, how many zero-day worms have there been?  <crickets chirping> 
    I'm sure there will be one some day, but the current rack of IDS's will be
    just as blind to it as your admins.  Keeping machines current on patch
    levels ensure that your standard issue network IDS will be absolutely
    useless.
    
    ...putting on the asbestos suit after that comment...
    
    In short, if you spend your IDS budget on figuring out how to do patching
    right and mabye even for some external auditing of your network, you'll
    probably not see many valid hits on your IDS.
    
    >
    > several of the signature based IDS vendors claim that they base their
    > signatures on the vulns rather than on a given exploit -- i don't really
    > know what that means, but i do know that several of them
    > detected this summer's RPC exploits, based on the info in the microsoft
    > announcement, and the behavior of the vulnerable code when tickled, as
    > opposed to waiting to write a signature after an attack had been
    > discovered.  we got attack data from ISS far faster than could have
    > been explained if they were strictly writing in response to new attacks.
    
    At the end of the day, when I've patched my servers and workstations, I've
    pretty much put the script kiddie attacks to bed.  What I really start to
    care about is directed attacks against my custom code... attacks directly
    targeted at my business.  My firewall will let port 80 through to my
    webservers.. it won't stop it.  And my IDS has NO idea how my web app
    works, so it doesn't care.
    >
    >> I suspect we'll start seeing products in a few years that are focused on
    >> 'whitelisting' traffic.  Anything that doesn't match this pattern, kill
    >> it.
    >>
    >> While this is a pain with lots-o-crappy protocols, it is possible.  Does
    >> anyone know of a product that functions this way?
    >>
    > there are a couple of IDS vendors that claim to do this -- they tend to
    > call themselves anomaly detection systems rather than intrusion detection
    > systems -- and i've yet to be convinced about any of them.  the only one i
    > can think of is lancope, but rodney probably knows better than i do.  the
    > statistical issues are huge, because you've got to be able to characterize
    > normal traffic in real time with huge numbers of packets.
    
    There are companies that make effectively whitelisting proxies for web
    apps (and some for XML-type apps).  They may be difficult to setup to
    their full extent b/c they require deep knowledge of the application...
    and sometimes getting the ops guys to play nice with the developers is not
    really an option...  and failure to whitelist everything properly means
    service will be denied to the missed items.  w00t!  that's fun.
    
    while not an IDS (application level whitelisting firewall), it is in the
    ballpark.
    
    I am a huge fan of statistical analysis of your own log data in real time.
     YOu know how your app "feels"... you may not know exactly how it works,
    but you end up with log data that you get used to.  You get used to it b/c
    there's a pattern.  .... mmm... stats.  So, do some statistical analysis
    of the data.  Monitor it in real time.  If you suddenly see big deviations
    from the norm, through a flag.  It is really not that hard to roll your
    own detection mechanism here... the math is pretty straight forward.. the
    only thing that changes it he types of data you're dealing with.  Weblogs,
    flow data from routers (my fav for this type of analysis), mail logs, even
    FW logs... take some of that leftover IDS budget you're now not spending
    b/c you have a great patch process, and spend some time figuring out the
    patterns in your log data and how to codify detection of anomolous events.
    
    Tina, I agree that many apps don't log the important stuff wrt security. 
    That is a problem that usually needs to be fixed by the developers...  but
    it's amazing what you can sometimes infer with the log data that you do
    have.
    
    It always amazes me how much money an organization will spend on IDS
    without having the slightest clue what is really running in their
    datacenters and what a targeted attack would even look like.
    
    Anyhoo, I'm ranting.  I better stop...
    
    later
    
    bruce
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Tue Nov 04 2003 - 09:08:31 PST