IPS? General Discussion

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • IPS? General Discussion

    Long time no post, all.

    Anyways, I just wanted to start a general discussion on IPS, and your guys' thoughts and views on it.

    Since I recently started working for an antivirus company, this roughly new technology has fallen into my lap. For those who don't know what IPS is: basically, Intrusion Prevention Systems do pattern matching, look for "suspicious" strings, and kill the processes they believe could potentially be viruses, trojans, etc. IPS can be fully customizable, and with Panda Software, they even boast killing processes of programs that show signs of buffer overflows, with their TruPrevent Technologies.

    http://www.pandasoftware.com/products/truprevent_tec/

    McAfee has a similar technology called Entercept, however like always with McAfee, they are way more picky about what they add to their signature file, based on cost, effectiveness of the virus, etc.

    http://www.networkassociates.com/us/...rd_edition.htm

    [EDIT]These things can also act as a midwife before a suitable definition for a virus fix can be written to the signature file, which also helps with viruses that have not yet been known to the AV companies.[/EDIT]

    Anyways, I just wanted to get this out there and let me know what you guys think about these programs, if you can see any possible exploits, etc.
    Last edited by IcEbLAze; October 26, 2004, 22:35.
    When you draw first blood you can't stop this fight
    For my own piece of mind - I'm going to
    Tear your fucking eyes out
    Rip your fucking flesh off
    Beat you till you're just a fucking lifeless carcass
    Fuck you and your progress
    Watch me fucking regress
    You were meant to take the fall - now you're nothing
    Payback's a bitch motherfucker!

    Slayer - Payback

  • #2
    You can also check out Intrusion

    www.intrusion.com

    Netscreen also has an IDS/IPS project too

    And there's always SNORT

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



    • #3
      Originally posted by noid
      You can also check out Intrusion

      www.intrusion.com

      And there's always SNORT
      Heh, I believe those are a little bit different, buds. Intrusion Detection, yea, it detects, however it doesn't really do anything, which gives major overhead to the admin. Intrusion Prevention creates a set of rules and acts accordingly, which is one of the major benefits of IPS :)


      • #4
        Originally posted by IcEbLAze
        Heh, I believe those are a little bit different, buds. Intrusion Detection, yea, it detects, however it doesn't really do anything, which gives major overhead to the admin. Intrusion Prevention creates a set of rules and acts accordingly, which is one of the major benefits of IPS :)

        Also these things are meant to be implemented on the host machines, rather than a front lines deal like IDS. Just wanted to point that out as well


        • #5
          I'd suggest reading up on those packages before making blanket generalizations on them. Both the Intrusion and Netscreen products are NIDS packages with IPS functionality.



          • #6
            Originally posted by IcEbLAze
            Also these things are meant to be implemented on the host machines, rather than a front lines deal like IDS. Just wanted to point that out as well
            You are talking about two different beasts, host IDS (hIDS) and network (nIDS), just for the record.

            I've used Snort as an IDS, and also with Hogwash to make Snort an IPS. Hogwash was a very early effort, but Snort-Inline has taken its place. http://snort-inline.sourceforge.net/ Note you can use Snort as a nIDS or hIDS depending on how robust your workstation is.

            As far as other hIDS, hIPS my experience has been with Enterasys Dragon, not favorably, but I can't impress enough the impact of *tuning* your device.
            Aut disce aut discede



            • #7
              Originally posted by AlxRogan
              You are talking about two different beasts, host IDS (hIDS) and network (nIDS), just for the record.

              I've used Snort as an IDS, and also with Hogwash to make Snort an IPS. Hogwash was a very early effort, but Snort-Inline has taken its place. http://snort-inline.sourceforge.net/ Note you can use Snort as a nIDS or hIDS depending on how robust your workstation is.

              As far as other hIDS, hIPS my experience has been with Enterasys Dragon, not favorably, but I can't impress enough the impact of *tuning* your device.

              Of course keeping patched boxes and "tuning" are musts, however I just wanted to kinda give a larger sight here to how very handy IPS can be. Having a front line network IDS coupled with IPS services can prove to be very effective. If some small company cannot afford 1U antivirus defense systems, so you have everything going through a Linux box, I especially believe these technologies can prove to be a *very* nice complement on top of mainstream AV programs. I also suppose I am more interested in how they can kill processes on the host box that prove to have poor code and result in buffer overflow.

              keep 'em coming!


              • #8
                Originally posted by IcEbLAze

                keep 'em coming!

                As soon as you say you're sorry to noid.



                • #9
                  Originally posted by highwizard
                  As soon as you say you're sorry to noid.
                  Haha, yea I apologize for that. However for the record I direct quoted him in the first post before he added Netscreen. Then again I did not know Intrusion had IPS capabilities.


                  • #10
                    IPS

                    Hi!

                    Just came back from a McAfee Live Attack Roadshow, and I must say that it was quite impressive.

                    We ran some live attacks using My.Doom and Blaster.

                    Entercept was able to pick this up, literally in a matter of seconds, and began to launch preventative measures.

                    Being a devout Snort user, I decided to find out how I can configure Snort to do something like this, and came across snort-inline. Seems pretty good, but still needs some tweaking.
                    I still need to figure out a way to make sure that false intrusions do not cause problems with trusted traffic.
                    Also, need to be able to use iptables well (a bit lazy, I use Firestarter to set up firewalls!)

                    I also agree that IPS should be focused on the hosts, rather than the perimeter gateway, as threats not only appear from the wild, but internally as well.

                    There is a Snort win32 binary available....
                    With the right packaging and configuration (central DB, rules, etc.) it would be possible to implement/design a completely GNU IPS?

                    I still have many IDSs in various networks based on Snort, and was wondering:
                    Is it the end for IDS?
                    in the begining, there was the command line....



                    • #11
                      I agree for it to be on the perimeter gateway rather than running it on hosts


                      • #12
                        re: IPS

                        perhaps, a bit of both:

                        Hosts, and Perimeter - with a central DB?


                        • #13
                          Originally posted by maddhatter
                          We ran some live attacks using My.Doom and Blaster.
                          Interesting that they chose two worms sufficiently old that every AV package on the face of the planet picks them up, never mind IPS (and even some IDSes).

                          Entercept was able to pick this up, literally in a matter of seconds, and began to launch preventative measures.
                          Woohoo!

                          Being a devout Snort user, I decided to find out how I can configure Snort to do something like this, and came across snort-inline. Seems pretty good, but still needs some tweaking.
                          You might want to check out either Snortsam or snort-2.4.x - both support dynamic blocking, and snort-inline was rolled into snort proper in (IIRC) the 2.3 series.

                          I still need to figure out a way to make sure that false intrusions do not cause problems with trusted traffic.
                          1) Tailor the detection set to your specific environment.
                          2) Run it live, see what breaks.
                          3) Based on 2) above, disable known-false-positive signatures as necessary.
                          4) Repeat 2) and 3) above.
                          5) Profit.

                          Also, need to be able to use iptables well (a bit lazy, I use Firestarter to set up firewalls!)
                          http://www.iptables.org/

                          I also agree that IPS should be focused on the hosts, rather than the perimeter gateway, as threats not only appear from the wild, but internally as well.
                          And any IPS is only as good as what it knows how to detect. And what kind of IPS are we talking about, signature-based, heuristic, something else?

                          Anything that has to run on a host machine used by people that aren't you (i.e., every PC in, say, the typical networked enterprise environment) is open to tampering, deliberate or otherwise. Deploy IPS to every desktop and watch how fast the users break it - and the one thing that can be worse than having no tools to work with is having only *broken* tools to work with. Summary: keep watching the network.

                          There is a Snort win32 binary available....
                          With the right packaging and configuration (central DB, rules, etc.) it would be possible to implement/design a completely GNU IPS?
                          Yeah, but you wouldn't want to base it on Windows. Sourcefire already does what you're talking about, btw. And fuck GNU and their happy-clappy 'licensing' bullshit.

                          I still have many IDSs in various networks based on Snort, and was wondering:
                          Is it the end for IDS?
                          God, if I had a nickel for every time I'd heard this I'd have a shitload of nickels on my desk, so: emphatically, NO. Think, don't buy into marketing hype.


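A worked instance of steps 2 and 3 of skroo's tuning loop, added here as an example and not part of the thread: it parses constructed Snort fast-alert lines, finds signatures that keep firing from a single source (the usual shape of a trusted application tripping a rule), and emits Snort threshold.conf `suppress` entries scoped to that source rather than disabling the signature for everyone. The SIDs, hosts and messages are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort's "fast" alert format (not from the thread).
# SID 1000010 fires four times, always from the same internal host: the usual
# shape of a legitimate application tripping a rule. The other two fire once.
SAMPLE_ALERTS = """\
10/26-22:35:01.104512  [**] [1:1000010:1] LOCAL WEB app heartbeat [**] [Priority: 3] {TCP} 10.0.0.5:4567 -> 10.0.0.1:80
10/26-22:35:02.221003  [**] [1:1000010:1] LOCAL WEB app heartbeat [**] [Priority: 3] {TCP} 10.0.0.5:4568 -> 10.0.0.1:80
10/26-22:35:03.330044  [**] [1:1000010:1] LOCAL WEB app heartbeat [**] [Priority: 3] {TCP} 10.0.0.5:4569 -> 10.0.0.1:80
10/26-22:35:04.441200  [**] [1:1000010:1] LOCAL WEB app heartbeat [**] [Priority: 3] {TCP} 10.0.0.5:4570 -> 10.0.0.1:80
10/26-22:35:05.002301  [**] [1:1000020:1] LOCAL DCERPC bind attempt [**] [Priority: 1] {TCP} 192.168.9.77:1034 -> 10.0.0.20:135
10/26-22:35:06.510900  [**] [1:1000030:1] LOCAL SSH scan [**] [Priority: 2] {TCP} 172.16.3.3:55001 -> 10.0.0.7:22
"""

# Captures gid:sid:rev, the message, and the source IP; port and protocol are skipped.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> "
)

def parse_alerts(text):
    """Yield (gid, sid, msg, src_ip) for each well-formed alert line; skip the rest."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"]

def tuning_candidates(text, min_hits=3, max_sources=1):
    """Signatures that fired >= min_hits times from <= max_sources hosts, as
    (gid, sid, msg, hits, [src_ips]). Volume from one host is the step-2/3
    signal: review that source before switching anything off globally."""
    hits, sources, msgs = defaultdict(int), defaultdict(set), {}
    for gid, sid, msg, src in parse_alerts(text):
        hits[(gid, sid)] += 1
        sources[(gid, sid)].add(src)
        msgs[(gid, sid)] = msg
    return [(g, s, msgs[(g, s)], hits[(g, s)], sorted(sources[(g, s)]))
            for (g, s) in sorted(hits)
            if hits[(g, s)] >= min_hits and len(sources[(g, s)]) <= max_sources]

def suppress_lines(candidates):
    """threshold.conf 'suppress' entries scoped to the noisy source, so the rule
    keeps firing for every other host instead of being disabled outright."""
    return [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {ip}  # {msg}"
            for g, s, msg, _hits, ips in candidates for ip in ips]
```

Raise `min_hits` or `max_sources` to match the alert volume of a real sensor; a signature firing from many different sources is not a tuning candidate and stays on the review list.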

                          • #14
                            Originally posted by skroo
                            Interesting that they chose two worms sufficiently old that every AV package on the face of the planet picks them up, never mind IPS (and even some IDSes).

                            Woohoo!

                            You might want to check out either Snortsam or snort-2.4.x - both support dynamic blocking, and snort-inline was rolled into snort proper in (IIRC) the 2.3 series.

                            1) Tailor the detection set to your specific environment.
                            2) Run it live, see what breaks.
                            3) Based on 2) above, disable known-false-positive signatures as necessary.
                            4) Repeat 2) and 3) above.
                            5) Profit.

                            http://www.iptables.org/

                            And any IPS is only as good as what it knows how to detect. And what kind of IPS are we talking about, signature-based, heuristic, something else?

                            maddhatter: it is currently sig based, using unfortunately Bleeding Edge, and some of my own rules, since Sourcefire started charging for rules.

                            Anything that has to run on a host machine used by people that aren't you (i.e., every PC in, say, the typical networked enterprise environment) is open to tampering, deliberate or otherwise. Deploy IPS to every desktop and watch how fast the users break it - and the one thing that can be worse than having no tools to work with is having only *broken* tools to work with. Summary: keep watching the network.

                            maddhatter: understood

                            Yeah, but you wouldn't want to base it on Windows. Sourcefire already does what you're talking about, btw. And fuck GNU and their happy-clappy 'licensing' bullshit.

                            maddhatter: sad to hear you feel that way!

                            God, if I had a nickel for every time I'd heard this I'd have a shitload of nickels on my desk, so: emphatically, NO. Think, don't buy into marketing hype.
                            maddhatter: Thanks for your valuable input.
                            out with snort-inline, and in with SnortSAM.

                            God bless.


                            • #15
                              Originally posted by maddhatter
                              maddhatter: Thanks for your valuable input.
                              out with snort-inline, and in with SnortSAM.
                              No worries. BTW, make sure to pay attention to the bindip directive in snortsam.conf - if you don't, it'll listen on all interfaces by default, and you probably don't want to expose that to the outside world.
