IDS experience's

batz batsy at vapour.net
Fri May 31 20:11:10 UTC 2002


On Fri, 31 May 2002, Brandon Knicely wrote:

:2.  Have they been useful or just generated noise and excess cycles? (1 -
:waste of time, 10 - water walker)

:3.  Any 'real-world' comparative/useful data and/or opinion on different
:approaches...ie pattern matching, anomaly detection and/or data mining
:approaches?

The only real value from IDS data is based upon your ability to mine
and interpret it. This is something that IDS vendors have utterly 
failed to provide a solution to, and something that most customers 
haven't totally wrapped their head around. 

In fact, a separate IDS data mining and interpreting industry has 
popped up with players like NetForensics, Intellitactics and I'm
sure there are others. In fact, if SilentRunner took snort logs
(I haven't checked in a while) it would be an ideal solution for
many. 

It is to the point where it really doesn't matter what brand of 
sensor you install, as none of them do data correlation effectively
enough to be used without a third party data mining solution, for 
installations of more than a single sensor. 

I have found that even having 0-day signatures for the most obscure
and dangerous exploits, doesn't add much value to an IDS. This 
is because even a skript kid with 0-day warez is going to probe, 
portscan and reach for low hanging fruit before they will risk exposing
their more valuable toys to a potential honeypot. All an IDS is, is
a policy monitoring device, which you use to make operational decisions, 
and potentially to augment your policy enforcement. 

The value of IDS data is really only uncovered through correlation. 
Anomaly based systems try to do this as part of the detection process, 
whereas signature based systems assume it will be done in post processing. 
Anomalies are ultimately just a different kind of signature anyway. :)

With things like ACID and other front ends to Snort, IMHO, the best
view of the data you can get is a listing of source ip addresses with the 
number of unique alerts they generated over a long period of time. 

The visualization tools from Intellitactics look like they were lifted
from caida.org. This doesn't undermine how useful and cool they are, 
but it suggests that someone with more skills than I will think of a 
way to parse snort logs into something like NetCDF or some other 
scientific visualization format for use with real visualization and
data mining tools. 

I spend most of my day watching IDSes that generate massive amounts of 
data, and this information is based upon that experience. 

Cheers, 
--
batz
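The two analysis steps the post describes, a per-source listing of unique alert counts over a Snort log and a flat export for outside visualization tools, as an added example (not code from the post, from Snort, or from any vendor mentioned). It assumes Snort's "fast" alert output format; the alert lines, signature IDs and IP addresses are constructed sample data, and the export is plain CSV rather than NetCDF, which is an assumption about what a downstream tool would accept.

```python
import re
import csv
import io
from collections import defaultdict

# Constructed sample of Snort "fast"-format alert lines. Signature IDs
# (gid:sid:rev) and addresses (RFC 5737 / RFC 1918 ranges) are made up;
# the last line is deliberately malformed to show that it is skipped.
SAMPLE_ALERTS = """\
05/31-20:01:10.100000  [**] [1:1000001:1] CONSTRUCTED portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40001 -> 192.0.2.10:22
05/31-20:01:11.200000  [**] [1:1000001:1] CONSTRUCTED portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40002 -> 192.0.2.10:23
05/31-20:01:12.300000  [**] [1:1000002:1] CONSTRUCTED web probe /cgi-bin/ [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40003 -> 192.0.2.10:80
05/31-20:02:01.000000  [**] [1:1000003:2] CONSTRUCTED ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
05/31-20:02:02.000000  [**] [1:1000003:2] CONSTRUCTED ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.11
05/31-20:03:00.000000  [**] [1:1000002:1] CONSTRUCTED web probe /cgi-bin/ [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40004 -> 192.0.2.11:80
05/31-20:03:05.000000  [**] [1:1000004:1] CONSTRUCTED SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.50:1025 -> 192.0.2.10:161
this line is garbage and should be skipped
"""

# One Snort fast-format alert per line: timestamp, [gid:sid:rev], message,
# optional classification, priority, protocol, and src -> dst with ports
# present only for TCP/UDP.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text):
    """Parse fast-format alert text into a list of dicts, skipping lines that don't match."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than abort the whole run
        d = m.groupdict()
        d["sig"] = f"{d['gid']}:{d['sid']}:{d['rev']}"  # stable signature identity
        alerts.append(d)
    return alerts


def unique_alerts_per_source(alerts):
    """Return rows (src_ip, unique_signature_count, total_alerts, sorted signatures).

    Sorted by unique-signature count, then total alerts, then address, so the
    sources that tripped the widest range of rules rise to the top; this is the
    per-source "number of unique alerts" view the post recommends.
    """
    sigs = defaultdict(set)
    totals = defaultdict(int)
    for a in alerts:
        sigs[a["src"]].add(a["sig"])
        totals[a["src"]] += 1
    rows = [(ip, len(sigs[ip]), totals[ip], sorted(sigs[ip])) for ip in sigs]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def to_csv(rows):
    """Flatten the per-source rows into CSV text for hand-off to visualization tools."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["src_ip", "unique_alerts", "total_alerts", "signatures"])
    for ip, uniq, total, siglist in rows:
        w.writerow([ip, uniq, total, " ".join(siglist)])
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    print(to_csv(unique_alerts_per_source(parsed)))
```

On the sample data the source that probed several services ranks first because it triggered two distinct signatures, ahead of a source with more repetitive single-signature traffic; over a real multi-week log the same ranking separates persistent, broad probing from one-off noise without needing any signature-specific tuning.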
