IPS? General Discussion

  • tepster
    replied
    I've only been using SNORT for a few weeks, as I get about ten people a week trying to hack into my CS server. McAfee seemed to be useless to me, as all it did was restrict internet access and potential virus d/'s (which were actually just normal programs). SNORT automatically looks into the potential malicious strings and sorts them out without me having to worry.

    IT'S SEXY.


  • d.fi
    replied
    Some past presentations and thoughts on IPS

    I wrote a full-blown, anomaly-detection HIPS for Linux with automated response and also have done a lot of work both developing and deploying NIDS in the past. I have a strong bias AGAINST NIPS. The network is just not the place to detect most kinds of attacks. That being said, certain aspects of network behavior are easy to monitor and detect abnormal traffic that is highly indicative of worm activity etc., and there are systems like Arbor's Peakflow X that do that and implement semi-automated responses to limit the spread of the worm. Understand that such detection of worm activity does not require deep inspection of the network packets.

    Implementing any kind of "deep inspection" and "protocol verification/anomaly detection" requires a large amount of error-prone code to implement (how many vulnerabilities have been found in Snort, tcpdump and BlackICE/RealSecure?). More code means more bugs, which highly correlates to the presence of vulnerabilities. I will ask this question: why greatly increase your attack surface to detect known vulnerabilities? Some additional attack surface may be worthwhile to detect unknown attacks, assuming that a suitable automated response can stop the attack before it delivers its payload. The following link is to the archive of my presentation on the need for automated response from Black Hat 2004:
    http://www.blackhat.com/presentation...-brezinski.zip
    This link is a great talk from Eugene about circumventing some ill-conceived HIPS technology:
    http://www.blackhat.com/presentation...syrklevich.pdf

    I think certain forms of HIPS are very valuable as a layer of defense against unknown attacks, but there are only a few technological approaches that make sense and are not easily defeatable. Few of the commercial products meet that bar currently. Some of the products will get better.

    One thing that you should be clear on is that with IPS you are often trading sacrificed availability for protection against a compromise of integrity. A real world example was a worm that exploited a vulnerability in the RPC server service in Windows, and a certain commercial HIPS product detected the exploitation and killed the RPC server process. Windows automatically reboots a short while after it detects the RPC server process has died, which means the HIPS' response caused most of the Windows machines in an organization to do rolling reboots as long as the worm was active in the network. The HIPS did keep the worm from infecting the protected hosts, but the hosts were totally unusable until the worm was entirely eradicated from the network.
    Last edited by AlxRogan; October 28, 2005, 15:57. Reason: fixed URLs


  • maddhatter
    replied
    Originally posted by skroo
    No worries. BTW, make sure to pay attention to the bindip directive in snortsam.conf - if you don't, it'll listen on all interfaces by default, and you probably don't want to expose that to the outside world.
    hi!

    i will, but i have my hands full with Fedora Directory Services.
    Thanks for your valuable input.

    God bless.


  • skroo
    replied
    Originally posted by maddhatter
    maddhatter: Thanks for your valuable input.
    out with snort-inline, and in with SnortSAM.
    No worries. BTW, make sure to pay attention to the bindip directive in snortsam.conf - if you don't, it'll listen on all interfaces by default, and you probably don't want to expose that to the outside world.
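Added here to illustrate skroo's bindip point; this is not code from the thread or from SnortSAM. It parses two constructed snortsam.conf fragments, one with bindip left unset (listener on every interface) and one bound to a management address with a single sensor allowed, and assumes the `bindip <ip>` and `accept <host>[/mask], <key>` directive forms from the SnortSAM documentation.

```python
"""Audit a snortsam.conf for an exposed block-request listener (constructed example)."""
import ipaddress

# Constructed sample: bindip is absent, and any host may send block requests.
WEAK_CONF = """\
# snortsam.conf (constructed, weak)
port 898
accept 0.0.0.0/0, sharedkey
logfile /var/log/snortsam.log
"""

# Constructed sample: bound to the management address, only the sensor accepted.
HARDENED_CONF = """\
# snortsam.conf (constructed, hardened)
port 898
bindip 10.0.0.5
accept 10.0.0.10, sharedkey
logfile /var/log/snortsam.log
"""


def parse_directives(text):
    """Return (directive, argument) pairs, skipping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, arg = line.partition(" ")
        pairs.append((key.lower(), arg.strip()))
    return pairs


def audit(text):
    """Return a list of findings; an empty list means the listener is scoped."""
    findings = []
    directives = parse_directives(text)
    binds = [arg for key, arg in directives if key == "bindip"]
    if not binds:
        findings.append("bindip missing: snortsam listens on all interfaces")
    elif any(ipaddress.ip_address(b).is_unspecified for b in binds):
        findings.append("bindip is unspecified (0.0.0.0): listens on all interfaces")
    for key, arg in directives:
        if key != "accept":
            continue
        host = arg.split(",")[0].strip()          # strip the optional ", key" part
        net = ipaddress.ip_network(host, strict=False)
        if net.prefixlen == 0:                    # 0.0.0.0/0 accepts anyone
            findings.append("accept %s: any host may send block requests" % host)
    return findings
```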


  • maddhatter
    replied
    Originally posted by skroo
    Interesting that they chose two worms sufficiently old enough that every AV package on the face of the planet picks them up, never mind IPS (and even some IDSes).

    Woohoo!

    You might want to check out either Snortsam or snort-2.4.x - both support dynamic blocking, and snort-inline was rolled into snort proper in (IIRC) the 2.3 series.

    1) Tailor the detection set to your specific environment.
    2) Run it live, see what breaks.
    3) Based on 2) above, disable known-false-positive signatures as necessary.
    4) Repeat 2) and 3) above.
    5) Profit.

    http://www.iptables.org/

    And any IPS is only as good as what it knows how to detect. And what kind of IPS are we talking about, signature-based, heuristic, something else?

    maddhatter: it is currently sig based, using unfortunately bleeding edge, and some of my own rules, since sourcefire started charging for rules.

    Anything that has to run on a host machine used by people that aren't you (i.e., every PC in, say, the typical networked enterprise environment) is open to tampering, deliberate or otherwise. Deploy IPS to every desktop and watch how fast the users break it - and the one thing that can be worse than having no tools to work with is having only *broken* tools to work with. Summary: keep watching the network.

    maddhatter: understood

    Yeah, but you wouldn't want to base it on Windows. Sourcefire already does what you're talking about, btw. And fuck GNU and their happy-clappy 'licensing' bullshit.

    maddhatter: sad to hear you feel that way!

    God, if I had a nickel for every time I'd heard this I'd have a shitload of nickels on my desk, so: emphatically, NO. Think, don't buy into marketing hype.

    maddhatter: Thanks for your valuable input.
    out with snort-inline, and in with SnortSAM.

    God bless.


  • skroo
    replied
    Originally posted by maddhatter
    We ran some live attacks using My.Doom and Blaster.
    Interesting that they chose two worms sufficiently old enough that every AV package on the face of the planet picks them up, never mind IPS (and even some IDSes).

    Entercept was able to pick this up, literally in a matter of seconds, and began to launch preventative measures.
    Woohoo!

    Being a devout Snort user, I decided to find out how I can configure snort to do something like this, and came across snort-inline. Seems pretty good, but still needs some tweaking.
    You might want to check out either Snortsam or snort-2.4.x - both support dynamic blocking, and snort-inline was rolled into snort proper in (IIRC) the 2.3 series.

    I still need to figure out a way to make sure that false intrusions, do not cause problems with trusted traffic.
    1) Tailor the detection set to your specific environment.
    2) Run it live, see what breaks.
    3) Based on 2) above, disable known-false-positive signatures as necessary.
    4) Repeat 2) and 3) above.
    5) Profit.

    Also, need to be able to use iptables well (a bit lazy, I use firestarter to setup firewalls!)
    http://www.iptables.org/

    I also agree that IPS should be focused on the hosts, rather than the perimeter gateway, as threats not only appear from the wild, but internally as well.
    And any IPS is only as good as what it knows how to detect. And what kind of IPS are we talking about, signature-based, heuristic, something else?

    Anything that has to run on a host machine used by people that aren't you (i.e., every PC in, say, the typical networked enterprise environment) is open to tampering, deliberate or otherwise. Deploy IPS to every desktop and watch how fast the users break it - and the one thing that can be worse than having no tools to work with is having only *broken* tools to work with. Summary: keep watching the network.

    There is a snort win32 binary available....
    With the right packaging, and configuration (Central DB, rules, etc) it would be possible to implement/design a completely GNU IPS?
    Yeah, but you wouldn't want to base it on Windows. Sourcefire already does what you're talking about, btw. And fuck GNU and their happy-clappy 'licensing' bullshit.

    I still have many IDSs in various networks based on snort, and was wondering:
    Is it the end for IDS?
    God, if I had a nickel for every time I'd heard this I'd have a shitload of nickels on my desk, so: emphatically, NO. Think, don't buy into marketing hype.


  • maddhatter
    replied
    re: IPS

    perhaps, a bit of both:

    Hosts, and Perimeter - with a central DB?


  • aphax
    replied
    I agree with it being on the perimeter gateway rather than running it on the hosts


  • maddhatter
    replied
    Ips

    Hi!

    Just came back from a McAfee Live Attack Roadshow, and I must say that it was quite impressive.

    We ran some live attacks using My.Doom and Blaster.

    Entercept was able to pick this up, literally in a matter of seconds, and began to launch preventative measures.

    Being a devout Snort user, I decided to find out how I can configure snort to do something like this, and came across snort-inline. Seems pretty good, but still needs some tweaking.
    I still need to figure out a way to make sure that false intrusions do not cause problems with trusted traffic.
    Also, need to be able to use iptables well (a bit lazy, I use firestarter to set up firewalls!)

    I also agree that IPS should be focused on the hosts, rather than the perimeter gateway, as threats not only appear from the wild, but internally as well.

    There is a snort win32 binary available....
    With the right packaging, and configuration (Central DB, rules, etc) it would be possible to implement/design a completely GNU IPS?

    I still have many IDSs in various networks based on snort, and was wondering:
    Is it the end for IDS?


  • IcEbLAze
    replied
    Originally posted by highwizard
    As soon as you say you're sorry to noid.
    Haha, yea I apologize for that. However for the record I direct quoted him in the first post before he added netscreen. Then again I did not know intrusion had IPS capabilities.


  • highwizard
    Guest replied
    Originally posted by IcEbLAze

    keep 'em coming!

    As soon as you say you're sorry to noid.


  • IcEbLAze
    replied
    Originally posted by AlxRogan
    You are talking about two different beasts, host IDS (hIDS) and network (nIDS), just for the record.

    I've used Snort as an IDS, and also with Hogwash to make Snort an IPS. Hogwash was a very early effort, but Snort-Inline has taken its place. http://snort-inline.sourceforge.net/ Note you can use Snort as a nIDS or hIDS depending on how robust your workstation is.

    As far as other hIDS, hIPS my experience has been with Enterasys Dragon, not favorably, but I can't impress enough the impact of *tuning* your device.

    Of course keeping patched boxes and "tuning" are musts, however I just wanted to kinda give a larger sight here to how very handy IPS can be. Having a front line network IDS coupled with IPS services can prove to be very effective. If some small company cannot afford 1u antivirus defense systems, so you have everything going through a linux box, I especially believe these technologies can prove to be a *very* nice complement on top of mainstream AV programs. I also suppose I am more interested in how they can kill processes on the host box that prove to have poor code and result in buffer overflow.

    keep 'em coming!


  • AlxRogan
    replied
    Originally posted by IcEbLAze
    Also these things are meant to be implemented on the host machines, rather than a front lines deal like IDS. Just wanted to point that out as well
    You are talking about two different beasts, host IDS (hIDS) and network (nIDS), just for the record.

    I've used Snort as an IDS, and also with Hogwash to make Snort an IPS. Hogwash was a very early effort, but Snort-Inline has taken its place. http://snort-inline.sourceforge.net/ Note you can use Snort as a nIDS or hIDS depending on how robust your workstation is.

    As far as other hIDS, hIPS my experience has been with Enterasys Dragon, not favorably, but I can't impress enough the impact of *tuning* your device.


  • noid
    replied
    I'd suggest reading up on those packages before making blanket generalizations on them. Both the Intrusion and Netscreen products are NIDS packages with IPS functionality.


  • IcEbLAze
    replied
    Originally posted by IcEbLAze
    Heh, I believe those are a little bit different buds. Intrusion Detection, yea, it detects, however it doesn't really do anything, which gives major overhead to the admin. Intrusion Prevention creates a set of rules and acts accordingly, which is one of the major benefits of IPS :)

    Also these things are meant to be implemented on the host machines, rather than a front lines deal like IDS. Just wanted to point that out as well
