Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: RE: Firewall Activity analysis

RE: Firewall Activity analysis

From: Anton Chuvakin <anton_at_chuvakin.org>
Date: Thu, 12 Dec 2002 14:21:33 -0500 (EST)

Matt,

>analyst aka a REAL ROI - Time (money) X Incident. For example if you see
>the multitude of attack signatures that indicate Nimda from an IDS, and
Well, I doubt that one needs a rule to ignore Nimda, surely you can just
filter it out especially if you know you are patched against it. Or you
can deploy one of those fancy "anti-CodeRed/Nimda" devices (aka IPS)...

>measured (rate of false positives/actual events) and thusly can have
>impact to system that does Risk or Threat Modeling.
Yes, indeed, but knowing the rate will likely not help the response
procedures, since even knowing that e.g. you have 20% FP rate does not
mean that you know which 20% of incidents you can ignore...

>correct (for the top 20% of uberhackers) IF you're only using a NIDS
This is one curious number! I am wondering how people come up with those.
The author of the article I forwarded thought it was actaully 90% and not
20%, but I do not understand how *either* is justified...

>(and maybe HIDS). My point is that the correlation/anomaly detection
>system would catch most of the 20% if the logs that the system was
>receiving where adequate. For example, any new attacks that the attacker
This is a very interesting point. The evidences might be there, but
piecing together the picture from some diverse logs to catch the attack
that IDS missed (i.e. new or modified attack) - wow, that sounds like a
challenge.

>I'm going to try to address the issue Matt Harris was talking about as
>well. What you need to do is create rules for the known not unknown.
Well, this is the tricky part - at what level of detail do you *know* the
known part? It looks like there is a trade off here (similar to NIDS
case, but potentially worse) - you can either make the system create false
positives (like in the case of firewall connection attempts presented by
the previous poster) or false negatives (like, I suspect, systems that
send "marked" data and then respond if an attacker uses it). It is really
interesting how you would create those rules to be in the middle?

Best, 

-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org
Received on Dec 12 2002
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos