IDS vs. IPS deployment feedback


Re: IDS vs. IPS deployment feedback

by jean-philippe luiggi-4

On Mon, Apr 03, 2006 at 11:22:01PM -0500, Will Metcalf wrote:
> Yeah Ummm an IPS is nothing more than a layer7 "application layer" firewall

  Hello,

  Even if I agree with you on some points, this last assertion is (IMHO)
  false.
  As far as I know, IPS/IDS run mainly on rules; a layer 7 firewall
  knows the protocol it is watching and uses different
  solutions to check the traffic, not only pattern matching. One I know
  of uses a neural network, for example.

  Best regards.
 
 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------


RE: IDS vs. IPS deployment feedback

by Andrew Plato

Number of rules does not equal quality of IDS/IPS technology.

Or in other words, just because an IDS/IPS has a zillion rules doesn't
mean those rules are any good. Or that implementing or using that
technology is good.

Your 500 number is wrong. When you get into the leading commercial IPSs
(TippingPoint, ISS, Juniper, McAfee) these products on average have
2000-3000 signatures. However, in some technologies, one signature
handles an entire class of vulnerabilities. Where Snort needs multiple
signatures for the same vulnerability, ISS can protect against the
vulnerability with 1 signature. TP is the same. I don't know Juniper and
McAfee as well, but I suspect they are similar.

Snort also has a lot of unique signatures that people have designed for
highly specialized purposes. That is definitely a benefit to some
organizations. But, those signatures are only useful in those unique
situations. And all the commercial products support custom signatures -
so you can do the same thing for your TP or ISS box.

Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
such, SNORT is usually behind the curve on new signatures. ISS, for
example, does their own independent security research and has signatures
to protect against things that Snort people don't even know about. Other
vendors buy exploits from the hacker market - again giving them access
to vulnerabilities long before it hits the public and subsequently the
people who develop SNORT signatures.

The 90% thing you're coming up with is just false. You're assuming that
all those signatures represent a serious attack. And you're also
assuming that quantity of signatures is the measure of effectiveness.

A poorly maintained, tuned or implemented Snort sensor is just as
useless as a poorly maintained, tuned, or implemented ISS sensor.

Now, I realize I sound like an ISS or TippingPoint sales person. And yes,
I have a vested interest in such products because my company sells them.
But, I also know that I've seen more than a few organizations throw away
Snort-based protections because the administration and management of
them was too resource intensive. And merely having 5000 signatures
available does not translate to effective security.

-----------------------------------------------
Andrew Plato, CISSP, CISM
President/Principal Consultant
Anitian Enterprise Security

-----------------------------------------------


 

-----Original Message-----
From: Basgen, Brian [mailto:bbasgen@...]
Sent: Thursday, April 06, 2006 10:44 AM
To: focus-ids@...
Subject: RE: IDS vs. IPS deployment feedback

 
 I'm new to the list, but this flame war is a bit odd. This is an IDS
list, yet the usefulness of IDS is being dismissed?

 This debate could generate some interesting data. In snort, for
example, there are around 5,759 rules (3/31/2006, non-subscription rule
base). I don't have the metrics on hand of how many rules commercial
IPS's deploy on by default (and how many total can be turned on), but
I'd guess it is around 500. I'd be interested to know those numbers, if
someone has them. A vendor comparison of rules could also be
interesting.

 What I draw from this ratio is that some 90% of attacks can get through
an IPS solution. That doesn't invalidate the IPS anymore than the IPS
invalidates a firewall, but it does indicate to me that IDS plays an
essential role.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College
_________________________________________________
NOTICE:
This email may contain confidential information,
and is for the sole use of the intended recipient.  
If you are not the intended recipient, please reply
to the message and inform the sender of the error
and delete the email and any attachments from
your computer.
_________________________________________________




RE: IDS vs. IPS deployment feedback

by Andrew Plato

> I'm not saying that an IPS does not have value, I'm saying
> it should be part of an overall security strategy, not your
> end all solution for detecting and preventing intrusions,
> as  the view that it gives even the most novice analyst is
> far too narrow.

Okay Will, here we agree. An IPS must be part of a larger security
strategy. It cannot stand alone. I completely agree with that.

However, I maintain my position that most businesses lack the analytical
capabilities to deploy resource intensive technologies (like SNORT).
Hence, commercial IPS that can filter off a set of known vulnerabilities
reduces the overall workload and offers a layer of protection. Also, the
majority of attacks in the wild are well-known and easily detected and
blocked.

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm 




RE: IDS vs. IPS deployment feedback

by Basgen, Brian

Andrew,

> some technologies, one signature handles an entire class of
> vulnerabilities. Where Snort needs multiple signatures for the same
> vulnerability, ISS can protect against the vulnerability with 1
> signature. TP is the same.

 Interesting. Can you show me an example of this? I'd like to understand the
design differences that lead the snort signature base to be as inefficient
as you describe.

> ISS, for example, does their own independent security research and has
> signatures to protect against things that Snort people don't even know
> about.

 I don't understand how this differs from the Sourcefire Vulnerability
Research Team. Can you provide some details, specific examples, of where the
Sourcefire VRT has failed and the ISS research has succeeded?

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College



Re: IDS vs. IPS deployment feedback

by Richard Bejtlich

On 4/7/06, Andrew Plato <andrew.plato@...> wrote:
> Where Snort needs multiple
> signatures for the same vulnerability, ISS can protect against the
> vulnerability with 1 signature...

You are not familiar with modern Snort signatures.

> Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
> such, SNORT is usually behind the curve on new signatures. ISS, for
> example, does their own independent security research an has signatures
> to protect against things that Snort people don't even know about.

You are not familiar with modern Snort signature development by the
Sourcefire Vulnerability Research Team. See:

http://www.sourcefire.com/services/sf_vrt.html

For one example:

http://www.sourcefire.com/news/press_releases/pr121504.html

> Now, I realize I sound like a ISS or TippingPoint sales person.

Now that's an accurate statement!  :)

Richard



RE: IDS vs. IPS deployment feedback

by Alan Shimel

Andrew

While I can appreciate what you are saying, your own commercial position
makes it difficult to put much weight behind what you are saying.  The sheer
number of people using snort sensors would seem to indicate other than what
you are saying.  Also, the many products that give pure, vanilla snort a
polished commercial feel, are a fine match for many of the products you
mention.  Our own freeware IPS, strata guard free
(http://www.stillsecure.org), which is snort based, is a perfect example of
this.  It probably does as good a job on the false positives as any of the
"commercial" products you mention.

It is a wide market out there!

alan


 
StillSecure
Alan Shimel
Chief Strategy Officer

O 303.381.3815
C 516.857.7409
F 303.381.3881
email ashimel@...
blog http://ashimmy.typepad.com

www.stillsecure.com
The information transmitted is intended only for the person
to whom it is addressed and may contain confidential material.
Review or other use of this information by persons other than
the intended recipient is prohibited. If you've received
this in error, please contact the sender and delete
from any computer.

RE: IDS vs. IPS deployment feedback

by Andrew Plato

Yes...SOURCEFIRE customers get those signatures early. They get handed
out to the Snort world well after the fact. SourceFire is a commercial
company and you must PAY to get their product.

In other words - Sourcefire is no different than TP, ISS or any other
commercial vendor in this regard. As such, we're all just selling what
we know.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security







Re: IDS vs. IPS deployment feedback

by Paul Schmehl

Andrew Plato wrote:
> Number of rules does not equal quality of IDS/IPS technology.
>
> Or in other words, just because an IDS/IPS has a zillion rules doesn't
> mean those rules are any good. Or that implementing or using that
> technology is good.
>
> Your 500 number is wrong. When you get into the leading commercial IPSs
> (TippingPoint, ISS, Juniper, McAfee) these products on average have
> 2000-3000 signatures.

I'd be very interested to know how you would know this, since their
"signatures" are proprietary.  Does TP have a list of their "signatures"
somewhere that I can look at?  (Trust me, I've asked.)

> However, in some technologies, one signature
> handles an entire class of vulnerabilities. Where Snort needs multiple
> signatures for the same vulnerability, ISS can protect against the
> vulnerability with 1 signature. TP is the same.

Interesting.  I use both snort and TP daily.  Please explain how you
know this.  Please provide one single example of proof of a single TP
signature that equals multiple snort signatures yet both cover only the
exact same vulnerability.

> I don't know Juniper and
> McAfee as well, but I suspect they are similar.
>
> Snort also has a lot of unique signatures that people have designed for
> highly specialized purposes. That is definitely a benefit to some
> organizations. But, those signatures are only useful in those unique
> situations. And all the commercial products support custom signatures -
> so you can do the same thing for your TP or ISS box.
>
Interesting.  Please provide the documentation for custom signatures on
TP.  I could definitely use them.  (I'm hoping you don't mean the
fill-in-a-box GUI they provide.  I'm looking for the type of
customization I can only get with snort.)

> Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
> such, SNORT is usually behind the curve on new signatures. ISS, for
> example, does their own independent security research and has signatures
> to protect against things that Snort people don't even know about.

Interesting.  Please provide an example of where ISS was detecting a
vulnerability before snort was.

I suspect the folks at VRT would be highly offended by the implication
that they're not professional enough to recognize vulnerabilities, but
I'll let them defend themselves.  They're certainly an "independent
security research" team.

> Other
> vendors buy exploits from the hacker market - again giving them access
> to vulnerabilities long before it hits the public and subsequently the
> people who develop SNORT signatures.

Ignoring the ethics of funding the hacker market,  please provide proof
that Sourcefire never knows about vulnerabilities until they hit the public.

> Now, I realize I sound like an ISS or TippingPoint sales person. And yes,
> I have a vested interest in such products because my company sells them.

Have you ever installed snort?  Used it?  Run it side by side with TP?
Or ISS?  Or both?  Done any comparison tests?

> But, I also know that I've seen more than a few organizations throw away
> Snort-based protections because the administration and management of
> them was too resource intensive. And merely having 5000 signatures
> available does not translate to effective security.
>
Really?  I find my snort install much more useful than the TP install
for tracking down things that don't fit the cookie cutter scenarios that
most IDSes work with.  One-size-fits-all exploits are a dime a dozen.
It's the oddballs that should get your attention, but TP doesn't "see"
those (nor would I want it to.  That's not its purpose.)

Your analysis doesn't strike me as fact-based.  Perhaps you can convince
me otherwise?
--
Paul Schmehl (pauls@...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: IDS vs. IPS deployment feedback

by Richard Bejtlich

On 4/10/06, Andrew Plato <andrew.plato@...> wrote:
> Yes...SOURCEFIRE customers get those signatures early. They get handed
> out to the Snort world well after the fact. SourceFire is a commercial
> company and you must PAY to get their product.
>
> In other words - Sourcefire is no different than TP, ISS or any other
> commercial vendor in this regard. As such, we're all just selling what
> we know.

Andrew,

You call five days "well after the fact"?  Snort rules are free for
registered users, by the way.

Here's another difference between ISS and Snort -- I can read Snort
rules, even those developed by Sourcefire.  Can you point me to the
place where I can download and review ISS rules, even assuming I am a
registered owner?  Cisco?  Other?

One of the ways to build trust in a product is to see how it works.  I
trust Snort more than similar products because I can understand its
decision-making process.

Richard



RE: IDS vs. IPS deployment feedback

by Palmer, Paul (ISSAtlanta)

Brian,

I work in ISS' research department. This puts me in a somewhat unique
position to answer your question.

One example is the signature coverage for MS05-039/CVE-2005-1983. When
the vulnerability was initially announced, the SNORT community (I do not
know which exact group created these signatures) added approximately 300
different signatures to provide vulnerability-based coverage for the
vulnerability. That is to say, these were not 300 different overlapping
signatures from a variety of sources all designed to solve the same
problem. These were a single group of 300 signatures designed to work in
concert to provide protection against unknown exploits (no known
exploits existed at the time that these signatures were added.)

The fact that 300 signatures were necessary was due to weaknesses of the
SNORT engine itself (it doesn't have a proper MSRPC parser), not the
research community. Even so, judging from what is lacking in the 300
signatures, it seems extremely likely that the SNORT research community
is unaware of all of the different vectors through which the
vulnerability can be exploited since they could have easily added
coverage for these had they been aware of them. It also seems likely
that the research community is unaware of all of the evasion techniques
available via MSRPC and SMB as there are evasions for which I have never
seen SNORT signature coverage.

It is interesting to note that once a proof of concept exploit became
available, the 300 signatures disappeared and were replaced by a small
number of signatures to just provide coverage for the known proof of
concept exploits.

ISS, which has proper SMB and MSRPC parsers, needed to add only one
signature to provide vulnerability-based coverage for the buffer
overflow attack (there is another signature for a related, but different
DoS-only vector). Other vendors vary in the number of distinct
signatures they require for coverage. However, I have seen none that
come close to the ~300 fielded by SNORT.

Paul



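Paul's point above, that vulnerability-based coverage for the same bug took roughly 300 Snort signatures but a single ISS signature because one engine pattern-matches raw packets while the other parses MSRPC and SMB, is illustrated below with an added example. It is not code from this thread, from Snort, or from any ISS product. The wire format, opnum 7 and the 64-byte buffer bound are hypothetical and deliberately simplified (not real MSRPC or SMB); what the block shows is why a detector that inspects fixed byte offsets of single packets needs one signature per encoding variant and misses the variant nobody wrote a signature for, while a detector that reassembles fragments and decodes the length field needs one check on the decoded value.

```python
"""
Exploit-pattern signatures versus a protocol parser plus one vulnerability
check.  Added illustration, not code from the thread or from any product.
The request format is hypothetical (constructed for this example):

  header: flags (bit0 = stub data little-endian, bit1 = more fragments),
          opnum, big-endian uint16 fragment length
  stub:   uint32 string length (endianness per flags) followed by the bytes
"""
import struct

VULN_OPNUM = 7      # hypothetical vulnerable operation number
MAX_SAFE_LEN = 64   # assumed size of the hypothetical fixed buffer


def build_request(opnum, name, little_endian=True, frag_size=None):
    """Encode one request as a list of packets, optionally fragmented."""
    fmt = "<I" if little_endian else ">I"
    stub = struct.pack(fmt, len(name)) + name
    frag_size = frag_size or len(stub)
    frags = [stub[i:i + frag_size] for i in range(0, len(stub), frag_size)]
    pkts = []
    for i, frag in enumerate(frags):
        flags = (1 if little_endian else 0) | (2 if i < len(frags) - 1 else 0)
        pkts.append(bytes([flags, opnum]) + struct.pack(">H", len(frag)) + frag)
    return pkts


# --- Approach 1: per-packet signatures at fixed offsets, one per variant ----
# Each signature reads raw bytes of a single packet, the way a content/byte_test
# style rule does.  Every new encoding the attacker can choose needs a new one.

def sig_le_unfragmented(pkt):
    return (pkt[0] == 0x01 and pkt[1] == VULN_OPNUM and len(pkt) >= 8
            and struct.unpack_from("<I", pkt, 4)[0] > MAX_SAFE_LEN)


def sig_be_unfragmented(pkt):
    return (pkt[0] == 0x00 and pkt[1] == VULN_OPNUM and len(pkt) >= 8
            and struct.unpack_from(">I", pkt, 4)[0] > MAX_SAFE_LEN)


PATTERN_SIGNATURES = [sig_le_unfragmented, sig_be_unfragmented]


def pattern_detect(pkts):
    """Alert if any single packet matches any signature."""
    return any(sig(p) for p in pkts for sig in PATTERN_SIGNATURES)


# --- Approach 2: parse the protocol, then apply one semantic check ----------

def parse_request(pkts):
    """Reassemble fragments and decode the stub; returns (opnum, length, data)."""
    stub, opnum, little = b"", None, None
    for pkt in pkts:
        flags, op, frag_len = pkt[0], pkt[1], struct.unpack_from(">H", pkt, 2)[0]
        body = pkt[4:4 + frag_len]
        if len(body) != frag_len:
            raise ValueError("truncated fragment")
        if opnum is None:
            opnum, little = op, bool(flags & 1)
        elif op != opnum:
            raise ValueError("opnum changed mid-request")
        stub += body
        if not flags & 2:          # last fragment of this request
            break
    if len(stub) < 4:
        raise ValueError("stub too short")
    length = struct.unpack_from("<I" if little else ">I", stub)[0]
    return opnum, length, stub[4:4 + length]


def parser_detect(pkts):
    """One check on the decoded value, independent of endianness or fragmentation."""
    opnum, length, _ = parse_request(pkts)
    return opnum == VULN_OPNUM and length > MAX_SAFE_LEN


if __name__ == "__main__":
    long_name = b"A" * 200       # constructed oversize argument
    variants = {
        "little-endian, one fragment": build_request(VULN_OPNUM, long_name),
        "big-endian, one fragment": build_request(VULN_OPNUM, long_name, little_endian=False),
        "little-endian, 3-byte fragments": build_request(VULN_OPNUM, long_name, frag_size=3),
        "benign short name": build_request(VULN_OPNUM, b"printer1"),
    }
    for label, pkts in variants.items():
        print(f"{label:35s} pattern={pattern_detect(pkts)!s:5s} parser={parser_detect(pkts)}")
```

Running the block prints one line per variant: both fixed-offset signatures fire on the unfragmented encodings, but the 3-byte fragmentation, whose length field straddles packet boundaries, evades both while the parser still flags it. Writing a third signature for 3-byte fragments would not cover 2-byte or 5-byte fragments, which is the kind of per-variant growth Paul describes.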

RE: IDS vs. IPS deployment feedback

by Basgen, Brian

Paul,

 Thanks for your response. I'd love to hear you qualify differences a bit
more.

 Every IPS ships in "silver bullet" mode with a certain set of recommended
protections activated -- the understanding being that these signatures have
extremely low false positives. Yet, these IPS have a larger signature base
that, if enabled, can stop both threats and normal traffic. Naturally, they
aren't enabled because the product is, after all, a silver bullet; like your
ISS Proventia claims. ;)

 I think metrics would be interesting here -- whether numeric or
qualitative. You explained poor SMB and MSRPC parsers in snort, and that is
interesting data. While I'm interested in getting the details as to where
Snort is imperfect, I'm also interested in getting better qualitative data
on the IPS/IDS divide. How much can the IPS drop without false positives,
versus how much can an IDS detect (with, of course, false positives). Put in
another way, how many false negatives can get through a default IPS?

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College


Re: IDS vs. IPS deployment feedback

by Eric Hines

I agree with Alan here.

Andrew, I've watched several of your posts now over the past months and
on several occasions bit my tongue, but I do have to step up here. You
represent several COTS (Commercial off-the-shelf) IPS vendors and have
admitted to it, so please be careful when posturing them against open
source tools such as Snort -- know what you're talking about when it
comes to Snort's capabilities if you are going to make claims as to what
it's unable to do when compared to COTS solutions.

I agree that tailing snort alert files in an Enterprise is not exactly
the pretty GUI you get with ISS or Tipping Point. But that's after a
vanilla untar and compile. There do exist commercial Snort management
solutions that offer polished GUIs for managing Snort rules and events,
such as ours, and Alan's as he noted.

Your point about Snort not having those commercial IPS capabilities is
plain wrong and shows that you know very little about the market and
commercial landscape and its adoption of Snort in the enterprise. Snort
is used by organizations with analysts that can translate HEX on the fly
and those who have no idea what HEX is. It's not just for packet monkeys,
my friend. Large Fortune 5 organizations and a lot of large military and
defense networks will take a Snort sensor over a $30,000 COTS IDS/IPS
any day, and I have even seen some organizations throw out commercial
solutions for open source Nessus or Snort. It's clear you just don't know
enough about open source adoption in the enterprise to make the
statement you made.

We have over 600 installations of our Snort management suite and a lot
of those organizations lack the "analytical capabilities" as you put it,
and still use Snort. Also, I beg to ask how it is you think a commercial
IPS capable of "filtering out known vulnerabilities offering a layer of
protection" is something Snort is unable to do. Your contrast  between
the two doesn't make sense.

If you are going to boast commercial IDS/IPS solutions on mailing lists
because you sell them, great, but be careful when choosing to say they
are better than Tom, Dick, or Harry when you have no idea if the reasons
you are citing are even true.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC


- ---------------------------------------------

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines@...

- --------------------------------------------

"Enterprise Open Source Security Management"


> blocked.
>
> _____________________________________
> Andrew Plato, CISSP, CISM
> President/Principal Consultant
> ANITIAN ENTERPRISE SECURITY
>
> Your Expert Partner for Security & Networking
>
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
>
> GPG public key available at: http://www.anitian.com/corp/keys.htm 
> _________________________________________________
> NOTICE:
> This email may contain confidential information,
> and is for the sole use of the intended recipient.  
> If you are not the intended recipient, please reply
> to the message and inform the sender of the error
> and delete the email and any attachments from
> your computer.
> _________________________________________________
>



Re: IDS vs. IPS deployment feedback

by Aaron-25

To add to (or take away) from this thread, I would further
mention that IDS/IPS regardless of make or implementation,
will only see the past, not the future.  I personally do
not care what people use to detect, even though I have
been able to get snort to match performance of commercial
products.  Some exploits are too late to stop by the time
your devices see them.

My focus has always been instead to see into the future,
such as running continuous network and host based audits
and staying on top of the latest 0 day exploits, latest
patches and so on.  It is not foolproof, but reduces the
probability that a malicious packet will do its job. :)

I only consider IDS/IPS to be documenting devices so that
I may later have evidence, in the rare and highly
improbable circumstance that someone is actually caught.
 The people we should be concerned with will not show up
in an IDS however.

--Aarön



On Fri, 7 Apr 2006 08:54:49 -0700
  "Andrew Plato" <andrew.plato@...> wrote:

> Number of rules does not equal quality of IDS/IPS technology.
>
> Or in other words, just because an IDS/IPS has a zillion rules doesn't
> mean those rules are any good. Or that implementing or using that
> technology is good.
>
> Your 500 number is wrong. When you get into the leading commercial IPSs
> (TippingPoint, ISS, Juniper, McAfee) these products on average have
> 2000-3000 signatures. However, in some technologies, one signature
> handles an entire class of vulnerabilities. Where Snort needs multiple
> signatures for the same vulnerability, ISS can protect against the
> vulnerability with 1 signature. TP is the same. I don't know Juniper and
> McAfee as well, but I suspect they are similar.
>
> Snort also has a lot of unique signatures that people have designed for
> highly specialized purposes. That is definitely a benefit to some
> organizations. But, those signatures are only useful in those unique
> situations. And all the commercial products support custom signatures -
> so you can do the same thing for your TP or ISS box.
>
> Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
> such, SNORT is usually behind the curve on new signatures. ISS, for
> example, does their own independent security research and has signatures
> to protect against things that Snort people don't even know about. Other
> vendors buy exploits from the hacker market - again giving them access
> to vulnerabilities long before it hits the public and subsequently the
> people who develop SNORT signatures.
>
> The 90% thing you're coming up with is just false. You're assuming that
> all those signatures represent a serious attack. And you're also
> assuming that quantity of signatures is the measure of effectiveness.
>
> A poorly maintained, tuned or implemented Snort sensor is just as
> useless as a poorly maintained, tuned, or implemented ISS sensor.
>
> Now, I realize I sound like an ISS or TippingPoint sales person. And yes,
> I have a vested interest in such products because my company sells them.
> But, I also know that I've seen more than a few organizations throw away
> Snort-based protections because the administration and management of
> them was too resource intensive. And merely having 5000 signatures
> available does not translate to effective security.
>
> -----------------------------------------------
> Andrew Plato, CISSP, CISM
> President/Principal Consultant
> Anitian Enterprise Security
>
> -----------------------------------------------
>
> -----Original Message-----
> From: Basgen, Brian [mailto:bbasgen@...]
> Sent: Thursday, April 06, 2006 10:44 AM
> To: focus-ids@...
> Subject: RE: IDS vs. IPS deployment feedback
>
> I'm new to the list, but this flame war is a bit odd. This is an IDS
> list, yet the usefulness of IDS is being dismissed?
>
> This debate could generate some interesting data. In snort, for
> example, there are around 5,759 rules (3/31/2006, non-subscription rule
> base). I don't have the metrics on hand of how many rules commercial
> IPS's deploy on by default (and how many total can be turned on), but
> I'd guess it is around 500. I'd be interested to know those numbers, if
> someone has them. A vendor comparison of rules could also be
> interesting.
>
> What I draw from this ratio is that some 90% of attacks can get through
> an IPS solution. That doesn't invalidate the IPS any more than the IPS
> invalidates a firewall, but it does indicate to me that IDS plays an
> essential role.
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> IT Security Architect
> Pima Community College




RE: IDS vs. IPS deployment feedback

by Andrew Plato

As I said to Alan: we all sell what we know.

I sell what I know. You sell what you know. Commercial, open source,
closed, open, lost, found, black, white - whatever. Organizations should
pick the best solution for their environment.

That much said, I realize it is pretty much high treason to speak badly
of an open source product on the Internet. I have angered the Gods of
Open Source before. This time is no different.

An unanalyzed IDS/IPS isn't very useful. That is the core problem.
Without analytical capability, the value and effectiveness of any
security product is reduced.

Many organizations have scant IT resources. As such, any technology that
has significant resource requirements is usually passed over for those
that can simplify security while extending the capability of a small IT
staff. Nobody is arguing the technical merits of Snort, but it's an
established fact that it tends to be more resource intensive than its
commercial partners. This is true of all open source products. They tend
to be more "raw."

That is why there are COMMERCIAL companies, like yours Eric and like
SourceFire that have made Snort more palatable to enterprises. In this
sense, you are no different than 3com, McAfee, ISS, etc. You're simply
making a technology easier to use.  

Eric, you and Alan are no different than me. You're just hawking a
different product. Doesn't matter if the sensor is Snort or Proventia.
You sell what you know, I sell what I know.

Furthermore, the "I can see a signature so it's better" argument just
doesn't fly at a lot of businesses. Again, most IT people do not have
the time to analyze and write signatures. Just as companies outsource
their PC manufacturing, phone centers, and Internet connection - they
outsource their security protections. They trust a commercial vendor to
handle this problem. I can't see the jet fuel Delta puts in a
plane, but I trust Delta to use real jet fuel. So, I can trust Delta
with my life, but I can't trust ISS or McAfee to write an IPS signature?

Yeah. Whatever.

If you feel better seeing the signatures and their content, then by all
means - get thee to a Snort box. But, for many IT groups, this just
isn't a significant selling point. Ease of use, timeliness of new
signatures and reliability are typically more important factors.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security



-----Original Message-----
From: Eric Hines [mailto:eric.hines@...]
Sent: Monday, April 10, 2006 3:13 PM
To: Alan Shimel
Cc: Andrew Plato; 'Will Metcalf'; focus-ids@...; Applied
Watch Development; sales@...
Subject: Re: IDS vs. IPS deployment feedback

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree with Alan here.

Andrew, I've watched several of your posts now over the past months and
on several occasions bit my tongue, but I do have to step up here. You
represent several COTS (Commercial off-the-shelf) IPS vendors and have
admitted to, so please be careful when posturing them against open
source tools such as Snort -- know what you're talking about when it
comes to Snort's capabilities if you are going to make claims as to what
it's unable to do when compared to COTS solutions.


RE: IDS vs. IPS deployment feedback

by Kyle Quest


>> Where Snort needs multiple
>> signatures for the same vulnerability, ISS can protect against the
>> vulnerability with 1 signature...
>
>You are not familiar with modern Snort signatures.

Modern Snort signatures are definitely an improvement over
what it used to be, but it's still "not there" yet
in some cases... because of the limited protocol decoding
capabilities, etc

>You are not familiar with modern Snort signature development by the
>Sourcefire Vulnerability Research Team. See:
>
>http://www.sourcefire.com/services/sf_vrt.html
>
>For one example:
>
>http://www.sourcefire.com/news/press_releases/pr121504.html

This is mostly "marketology"... Especially the zero-day
protection press release.

The VRT team indeed does a great job developing signatures, but they
still have to work with Snort limitations... which affects the final
result.

What makes ISS X-Force different from SourceFire VRT is the amount
of research being done... and not only on publicly known vulnerabilities.
They can afford to do a lot of new vulnerability research, which is
one way of staying ahead of competition :-)

Note:
I'm not associated with ISS in any way and I don't sell anything...
I'm just trying to be objective...

K
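The contrast argued in this exchange (one vulnerability-based signature versus several exploit-specific ones, and the dependence of the former on protocol decoding) as an added illustration; this is not code from the thread or from any product named in it. The command syntax, the verb X-VERB, the 64-byte limit and the payload bytes are all constructed placeholders, not the real Exchange X-LINK2STATE flaw or any vendor's actual rules.

```python
"""Added illustration, not code from the thread or from any vendor it names.

Two detection styles over the same constructed traffic:
  * exploit-pattern rules, one per known payload (pure content matching);
  * one protocol-aware rule that decodes the command and flags the
    vulnerability condition, whatever bytes the payload carries.
The verb X-VERB, the 64-byte limit and the byte patterns are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the argument length the (imaginary) vulnerable parser trusts.
MAX_ARG_LEN = 64


@dataclass(frozen=True)
class PatternRule:
    sid: int
    msg: str
    content: bytes  # fixed byte sequence, the way a content-match rule works


# Exploit-pattern rules: each one recognises a single known payload.
EXPLOIT_RULES = [
    PatternRule(1000001, "toy exploit A: NOP sled", b"\x90\x90\x90\x90"),
    PatternRule(1000002, "toy exploit B: fixed return address", b"\xef\xbe\xad\xde"),
]

# Vulnerability rule: the one condition every exploit of this flaw must create.
VULN_SID = 2000001

# Constructed line-oriented command syntax: VERB [SP argument]
_CMD_RE = re.compile(rb"^([A-Za-z][A-Za-z0-9_-]*)(?: (.*))?$", re.DOTALL)


def match_exploit_rules(line: bytes) -> List[int]:
    """Pure content matching: fires on the payload bytes wherever they occur."""
    return [r.sid for r in EXPLOIT_RULES if r.content in line]


def decode_command(line: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Minimal protocol decoder: split 'VERB argument' and normalise the verb."""
    m = _CMD_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        return None
    verb, arg = m.group(1), m.group(2) or b""
    return verb.upper(), arg


def match_vuln_rule(line: bytes) -> Optional[int]:
    """Fires when the decoded command meets the vulnerability condition
    (over-long argument to the vulnerable verb), independent of payload bytes."""
    decoded = decode_command(line)
    if decoded is None:
        return None
    verb, arg = decoded
    if verb == b"X-VERB" and len(arg) > MAX_ARG_LEN:
        return VULN_SID
    return None


def evaluate(lines: List[bytes]) -> List[Tuple[List[int], Optional[int]]]:
    """Run both rule styles over each line; returns (exploit_sids, vuln_sid)."""
    return [(match_exploit_rules(ln), match_vuln_rule(ln)) for ln in lines]


# Constructed traffic, one command per line.
SAMPLE_LINES = [
    b"X-VERB " + b"\x90" * 4 + b"A" * 100,           # known exploit A
    b"X-VERB " + b"\xef\xbe\xad\xde" + b"B" * 100,   # known exploit B
    b"x-verb " + b"C" * 200,                         # novel variant, no known bytes
    b"X-VERB " + b"short",                           # benign use of the verb
    b"HELO " + b"\x90" * 4 + b"host.example",        # NOP bytes in a harmless field
]

if __name__ == "__main__":
    # Line 3 is missed by every exploit rule but caught by the vulnerability
    # rule; line 5 is a false positive for the exploit rule only.
    for line, (exploit_hits, vuln_hit) in zip(SAMPLE_LINES, evaluate(SAMPLE_LINES)):
        print(f"{line[:24]!r:32} exploit={exploit_hits} vuln={vuln_hit}")
```

The trade-off the thread argues is visible in the third and fifth lines: the vulnerability rule only works because the decoder understood the command, so its coverage is bounded by how much of the protocol the engine actually decodes.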


RE: IDS vs. IPS deployment feedback

by Gary Halleen (ghalleen)

With the exception of a select few, all Cisco IPS signatures are open,
and can be cloned, edited, or added to.  Signatures are stored
in an XML format inside the .pkg file which is applied to a Cisco IPS
sensor.

Gary




-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity@...]
Sent: Monday, April 10, 2006 1:31 PM
To: Andrew Plato
Cc: focus-ids@...
Subject: Re: IDS vs. IPS deployment feedback

On 4/10/06, Andrew Plato <andrew.plato@...> wrote:
> Yes...SOURCEFIRE customers get those signatures early. They get handed
> out to the Snort world well after the fact. SourceFire is a commercial
> company and you must PAY to get their product.
>
> In other words - Sourcefire is no different than TP, ISS or any other
> commercial vendor in this regard. As such, we're all just selling what
> we know.

Andrew,

You call five days "well after the fact"?  Snort rules are free for
registered users, by the way.

Here's another difference between ISS and Snort -- I can read Snort
rules, even those developed by Sourcefire.  Can you point me to the
place where I can download and review ISS rules, even assuming I am a
registered owner?  Cisco?  Other?

One of the ways to build trust in a product is to see how it works.  I
trust Snort more than similar products because I can understand its
decision-making process.

Richard



RE: IDS vs. IPS deployment feedback

by Palmer, Paul (ISSAtlanta)

Paul Schmehl wrote:

> Interesting.  Please provide an example of where ISS was detecting a
> vulnerability before snort was.

I can give you several off the top of my head:

MS05-039/CVE-2005-1983 (Stack overflow in UPNP BO)
MS05-021/CVE-2005-0560 (Heap overflow in the Microsoft Exchange
X-LINK2STATE verb)
CVE-2006-0058 (the recent race condition in the Sendmail signal handler)

Granted, ISS discovered all three of these and that is why it had
protection in its products before SNORT (in some cases a long time
before SNORT or any other vendor). But, then I believe this is the point
that Andrew was trying to make.

Paul

-----Original Message-----
From: Paul Schmehl [mailto:pauls@...]
Sent: Monday, April 10, 2006 4:28 PM
To: focus-ids@...
Subject: Re: IDS vs. IPS deployment feedback


Andrew Plato wrote:
> Number of rules does not equal quality of IDS/IPS technology.
>
> Or in other words, just because an IDS/IPS has a zillion rules doesn't
> mean those rules are any good. Or that implementing or using that
> technology is good.
>
> Your 500 number is wrong. When you get into the leading commercial
> IPSs (TippingPoint, ISS, Juniper, McAfee) these products on average
> have 2000-3000 signatures.

I'd be very interested to know how you would know this, since their
"signatures" are proprietary.  Does TP have a list of their "signatures"
somewhere that I can look at?  (Trust me, I've asked.)

> However, in some technologies, one signature
> handles an entire class of vulnerabilities. Where Snort needs multiple
> signatures for the same vulnerability, ISS can protect against the
> vulnerability with 1 signature. TP is the same.

Interesting.  I use both snort and TP daily.  Please explain how you
know this.  Please provide one single example of proof of a single TP
signature that equals multiple snort signatures yet both cover only the
exact same vulnerability.

> I don't know Juniper and
> McAfee as well, but I suspect they are similar.
>
> Snort also has a lot of unique signatures that people have designed
> for highly specialized purposes. That is definitely a benefit to some
> organizations. But, those signatures are only useful in those unique
> situations. And all the commercial products support custom signatures
> - so you can do the same thing for your TP or ISS box.
>
Interesting.  Please provide the documentation for custom signatures on
TP.  I could definitely use them.  (I'm hoping you don't mean the
fill-in-a-box GUI they provide.  I'm looking for the type of
customization I can only get with snort.)

> Furthermore, Snort rules are developed by volunteers (or Sourcefire).
> As such, SNORT is usually behind the curve on new signatures. ISS, for
> example, does their own independent security research and has
> signatures to protect against things that Snort people don't even know
> about.

Interesting.  Please provide an example of where ISS was detecting a
vulnerability before snort was.

I suspect the folks at VRT would be highly offended by the implication
that they're not professional enough to recognize vulnerabilities, but
I'll let them defend themselves.  They're certainly an "independent
security research" team.

> Other
> vendors buy exploits from the hacker market - again giving them access
> to vulnerabilities long before it hits the public and subsequently the
> people who develop SNORT signatures.

Ignoring the ethics of funding the hacker market,  please provide proof
that Sourcefire never knows about vulnerabilities until they hit the
public.

> Now, I realize I sound like an ISS or TippingPoint sales person. And
> yes, I have a vested interest in such products because my company
> sells them.

Have you ever installed snort?  Used it?  Run it side by side with TP?
Or ISS?  Or both?  Done any comparison tests?

> But, I also know that I've seen more than a few organizations throw
> away Snort-based protections because the administration and management
> of them was too resource intensive. And merely having 5000 signatures
> available does not translate to effective security.
>
Really?  I find my snort install much more useful than the TP install
for tracking down things that don't fit the cookie cutter scenarios that
most IDSes work with.  One-size-fits-all exploits are a dime a dozen.
It's the oddballs that should get your attention, but TP doesn't "see"
those (nor would I want it to.  That's not its purpose.)

Your analysis doesn't strike me as fact-based.  Perhaps you can convince
me otherwise?
--
Paul Schmehl (pauls@...)
Adjunct Information Security Officer
The University of Texas at Dallas http://www.utdallas.edu/ir/security/



Re: IDS vs. IPS deployment feedback

by Paul Schmehl

Palmer, Paul (ISSAtlanta) wrote:

> Paul Schmehl wrote:
>
>> Interesting.  Please provide an example of where ISS was detecting a
>> vulnerability before snort was.
>
> I can give you several off the top of my head:
>
> MS05-039/CVE-2005-1983 (Stack overflow in UPNP BO)
> MS05-021/CVE-2005-0560 (Heap overflow in the Microsoft Exchange
> X-LINK2STATE verb)
> CVE-2006-0058 (the recent race condition in the Sendmail signal handler)
>
> Granted, ISS discovered all three of these and that is why it had
> protection in its products before SNORT (in some cases a long time
> before SNORT or any other vendor). But, then I believe this is the point
> that Andrew was trying to make.
>
Of course Andrew's point was that this is the norm, not the exception.
If snort has ever detected a vulnerability before ISS, then his point is
rather moot, wouldn't you say?

--
Paul Schmehl (pauls@...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



RE: IDS vs. IPS deployment feedback

by Mike Barkett

> -----Original Message-----
> From: Richard Bejtlich [mailto:taosecurity@...]
> Sent: Monday, April 10, 2006 4:31 PM
> To: Andrew Plato
> Cc: focus-ids@...
> Subject: Re: IDS vs. IPS deployment feedback
>
> On 4/10/06, Andrew Plato <andrew.plato@...> wrote:
> > Yes...SOURCEFIRE customers get those signatures early. They get handed
> > out to the Snort world well after the fact. SourceFire is a commercial
> > company and you must PAY to get their product.
> >
> > In other words - Sourcefire is no different than TP, ISS or any other
> > commercial vendor in this regard. As such, we're all just selling what
> > we know.
>
> Andrew,
>
> You call five days "well after the fact"?  Snort rules are free for
> registered users, by the way.
>
> Here's another difference between ISS and Snort -- I can read Snort
> rules, even those developed by Sourcefire.  Can you point me to the
> place where I can download and review ISS rules, even assuming I am a
> registered owner?  Cisco?  Other?
>
> One of the ways to build trust in a product is to see how it works.  I
> trust Snort more than similar products because I can understand its
> decision-making process.
>
> Richard


NFR was doing this 3 years before Snort existed.  (I guess that makes us
"Other")

:)

-MAB




RE: IDS vs. IPS deployment feedback

by Cojocea, Mike (IST)

Juniper, CISCO, McAfee have open or semi-open signatures. And if you
have a big problem with a signature I think that if you call the tech
support of the other two big players (ISS and TippingPoint) they will
help you out with some confidential information about a specific
signature.

Also, AFAIK, in ISS you can use Snort syntax or similar to create your
own signatures (I guess they call it TRONS ;) ) Free to recreate all the
Snort sigs.

BTW, why is Snort called a lightweight IDS on the SNORT.ORG page?

Thanks,
Mike


-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity@...]
Sent: April 10, 2006 4:31 PM
To: Andrew Plato
Cc: focus-ids@...
Subject: Re: IDS vs. IPS deployment feedback


On 4/10/06, Andrew Plato <andrew.plato@...> wrote:
> Yes...SOURCEFIRE customers get those signatures early. They get handed
> out to the Snort world well after the fact. SourceFire is a commercial
> company and you must PAY to get their product.
>
> In other words - Sourcefire is no different than TP, ISS or any other
> commercial vendor in this regard. As such, we're all just selling what
> we know.

Andrew,

You call five days "well after the fact"?  Snort rules are free for
registered users, by the way.

Here's another difference between ISS and Snort -- I can read Snort
rules, even those developed by Sourcefire.  Can you point me to the
place where I can download and review ISS rules, even assuming I am a
registered owner?  Cisco?  Other?

One of the ways to build trust in a product is to see how it works.  I
trust Snort more than similar products because I can understand its
decision-making process.

Richard
