On Tue, Nov 04, 2003 at 11:48:52AM -0600, Williams Jon wrote:
> One thing that continually surprises me in reading the mailing lists,
> particularly the IDS and snort-* lists, is how much people _who really
> should understand their environment_ rely on signatures that either don't
> apply at all or have very little chance of triggering.

Yes. When we rolled out IDS over our WAN infrastructure as well as our DMZes -
we gained something else besides IDS. Due to the way they must operate, we
ended up with FREE WAN sniffers in our major sites! (wow! what a BARGAIN! ;-)

That means our network engineers now have boxes they can go to when there are
WAN performance problems, and they can sniff to their hearts' content. We now
know more about our own networks than we possibly could before.

> blaster sig in, and it never fires. On the other hand, we've got a sensor
> that watches the default route and alerts on any TCP 135/139/445 connection
> attempt that's following it. We've got thresholds set up that generate a
> bunch of emails/pages if a single source tries connecting to X number of
> unique destinations in Y period of time. This has caught not only
> blaster-like attempts but also people with Randex, which wasn't even out
> when we set the system up.

Ditto. I rolled up centralized logging with the IDS project, and now we have
formal places for our routers/firewalls to log to, AND HAVE SOMETHING TO
TRIGGER ALERTS OFF THE DATA CONTAINED THEREIN. That being the definitive point
of course: a LOT of people put in firewalls/IDS/whatever and then don't ever
monitor them afterwards.

Oh yeah - thresholding is the other key. Alerting gets turned off without it :-)
You can't underestimate the power of annoyance. If the quality of the alerts is
low, or the amount of alerts during real events is too high, then people start
disabling alerting systems...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
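The two ideas in the exchange above (a fan-out threshold on TCP 135/139/445, and suppressing repeat alerts so the pages do not get turned off) can be shown together in a small detector. The following is an added example, not code from the original post or from any product the posters used; the syslog-style line format, the threshold values (5 unique destinations in 60 seconds, re-alert after 10 minutes) and the sample log lines are all constructed assumptions.

```python
"""Fan-out threshold detector over constructed firewall log lines.

Alerts when one source attempts TCP 135/139/445 connections to more than a
set number of unique destinations inside a sliding time window, and holds
back repeat alerts for the same source so one noisy host sends one page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PORTS = {135, 139, 445}   # ports named in the thread

# Assumed line shape (constructed, not a real product format):
#   "<iso-timestamp> deny tcp <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) deny tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


class FanOutDetector:
    def __init__(self, threshold=5, window_s=60, realert_s=600):
        self.threshold = threshold                   # "X" unique destinations
        self.window = timedelta(seconds=window_s)    # "Y" period of time
        self.realert = timedelta(seconds=realert_s)  # quiet time per source
        self.events = defaultdict(deque)             # src -> [(ts, dst), ...]
        self.last_alert = {}                         # src -> ts of last page

    def feed(self, ts, src, dst, dport):
        """Return an alert dict when src crosses the threshold, else None."""
        if dport not in WATCHED_PORTS:
            return None
        q = self.events[src]
        q.append((ts, dst))
        # slide the window: drop attempts older than window_s seconds
        while q and ts - q[0][0] > self.window:
            q.popleft()
        uniq = {d for _, d in q}
        if len(uniq) < self.threshold:
            return None
        last = self.last_alert.get(src)
        if last is not None and ts - last < self.realert:
            return None   # already paged about this source; stay quiet
        self.last_alert[src] = ts
        return {"src": src, "unique_dsts": len(uniq), "at": ts}


def run(lines, **kw):
    """Feed log lines through a fresh detector and collect the alerts."""
    det = FanOutDetector(**kw)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alert = det.feed(*rec)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample: one workstation retrying a single file server (benign),
# one host sweeping six different addresses on 135/139/445, one host
# touching many addresses on a port we do not watch.
SAMPLE_LOG = [
    "2003-11-04T10:00:00 deny tcp 10.1.1.7:3001 -> 10.1.2.10:445",
    "2003-11-04T10:00:01 deny tcp 10.1.1.7:3002 -> 10.1.2.10:445",
    "2003-11-04T10:00:02 deny tcp 10.1.1.7:3003 -> 10.1.2.10:445",
    "2003-11-04T10:00:03 deny tcp 10.1.1.7:3004 -> 10.1.2.10:445",
    "2003-11-04T10:00:04 deny tcp 10.1.1.7:3005 -> 10.1.2.10:445",
    "2003-11-04T10:00:10 deny tcp 10.1.1.50:1025 -> 10.9.0.1:135",
    "2003-11-04T10:00:11 deny tcp 10.1.1.50:1026 -> 10.9.0.2:445",
    "2003-11-04T10:00:12 deny tcp 10.1.1.50:1027 -> 10.9.0.3:139",
    "2003-11-04T10:00:13 deny tcp 10.1.1.50:1028 -> 10.9.0.4:445",
    "2003-11-04T10:00:14 deny tcp 10.1.1.50:1029 -> 10.9.0.5:445",
    "2003-11-04T10:00:15 deny tcp 10.1.1.50:1030 -> 10.9.0.6:445",
    "2003-11-04T10:00:20 deny tcp 10.1.1.9:4000 -> 10.9.1.1:80",
    "2003-11-04T10:00:21 deny tcp 10.1.1.9:4001 -> 10.9.1.2:80",
    "2003-11-04T10:00:22 deny tcp 10.1.1.9:4002 -> 10.9.1.3:80",
    "2003-11-04T10:00:23 deny tcp 10.1.1.9:4003 -> 10.9.1.4:80",
    "2003-11-04T10:00:24 deny tcp 10.1.1.9:4004 -> 10.9.1.5:80",
    "this line is garbage and is skipped",
]

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"{a['at'].isoformat()} fan-out from {a['src']}: "
              f"{a['unique_dsts']} unique destinations on 135/139/445")
```

On the sample above only 10.1.1.50 pages, once, at the fifth distinct destination; the sixth attempt one second later is held back by the re-alert timer. Setting `realert_s=0` shows the difference: the same sweep then produces a page per additional destination, which is the volume of noise the second half of the post warns will get alerting switched off.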
This archive was generated by hypermail 2b30 : Tue Nov 04 2003 - 19:43:03 PST