Future Of IDS

Posted by Hemos on Wed Dec 05, 2001 12:12 PM
from the where-will-development-go dept.
A reader wrote to us about a summary article regarding IDS. This is an interesting article insofar as it attempts to prognosticate what the future will be for detection, and that draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?
This discussion has been archived. No new comments can be posted.
  • Hard to install and setup? (Score:1, Troll)

    by Agthorr (135998) on Wednesday December 05 2001, @12:20PM (#2660314) Homepage
    The article says it's hard to setup snort. What's so hard about: apt-get install snort?
  • Excellent IDS-related site (Score:4, Informative)

    by doctor_oktagon (157579) on Wednesday December 05 2001, @12:21PM (#2660318) Homepage
    Check this out for full info on a whole range of IDS systems ... hardware & software.

    Network Intrusion [networkintrusion.co.uk], run by some guy who is extremely helpful on the Security Focus IDS mailing list.
  • Large scale correlation (Score:4, Interesting)

    by pdqlamb (10952) on Wednesday December 05 2001, @12:21PM (#2660327)
    I wonder if the author would credit things like my NetWatchman [mynetwatchman.com] or Security Focus's Aris [securityfocus.com] as large scale correlation efforts? I know it would probably be tough to get much more specific, as you could generate a huge amount of traffic trying to correlate every weird package that hit many boxes.
  • Um, details? (Score:4, Informative)

    by the_rev_matt (239420) <slashbot@th[ ]ymous.com ['eon' in gap]> on Wednesday December 05 2001, @12:22PM (#2660330) Homepage
    That was one of the most content-free articles I've ever seen this side of USA Today. Any chance of tracking down a detailed side by side analysis of the products tested with pros and cons and maybe WHY they thought snort was so much better (not that I disagree, but vagaries don't tend to be terribly convincing when presenting to management).
    • Re:Um, details? (Score:4, Informative)

      by Flower (31351) on Wednesday December 05 2001, @02:19PM (#2661021) Homepage
      Go to Snort's website. Note article "One Pig to Rule Them All." Find link directing you to here. [nss.co.uk] Fill in the required info and download 4MB pdf. It's going to take me awhile to digest the nearly 250 pages of this report.
    • Some methodology flaws by Krelnik (Score:2) Wednesday December 05 2001, @05:34PM
  • Managers Like Names... (Score:4, Interesting)

    by NetJunkie (56134) <jason...nash@@@gmail...com> on Wednesday December 05 2001, @12:23PM (#2660337)
    I'm about to deploy an IDS system at my work. When I met with the director and CIO about this they asked for recommendations, of course. I first suggested Snort. It's free, it works well, and I had used it before. But, since it didn't have someone standing behind it, the CIO wasn't interested. They'd rather spend $20K on another product. To them it is more important to be able to say "Hey, we were using product X from company Y! Don't blame us!" if something goes wrong.

    In places where the budget is a bigger concern I still implement Snort. I can't possibly afford to stick a commercial product on every subnet that I'd like to.
    • Re:Managers Like Names... by cmg (Score:2) Wednesday December 05 2001, @12:30PM
    • Re:Managers Like Names... (Score:4, Insightful)

      by iabervon (1971) on Wednesday December 05 2001, @12:45PM (#2660495) Homepage Journal
      If budget isn't a concern, why not install Snort in addition to something else? That way you'll know when to blame company Y and what to blame them for missing. An IDS isn't like a fileserver where you can only really use one or another.
    • CEO's like $$$ (Score:4, Interesting)

      by jabbo (860) <jabbo.yahoo@com> on Wednesday December 05 2001, @01:13PM (#2660663) Homepage
      That made it pretty damn easy for me to push Snort where I work.

      Only choads that are getting kickbacks from manufacturers are going to push for overpriced commercial solutions in shops that don't have an existing IDS installation or a compelling reason to use the packaged solutions (NetRanger, OpenView, their ilk).

      A packet is a packet... NFR and Snort are both designed by well-respected engineers who are more interested in accuracy and correctness than in unit shifting. I trust them for that.

      When you get right down to it, unless you're rolling in dough, why blow $20,000 per management station plus consulting costs to implement something your network administrator can probably set up in a week for free? (I know I can) It's stupid. Save the cash for your coke dealer or a rock for the missus.
      • You pay for performance (Score:5, Informative)

        by Krelnik (69751) <(moc.gnirpsdnim) (ta) (yelrafmit)> on Wednesday December 05 2001, @01:47PM (#2660866) Homepage Journal
        That's all well and good, but have you ever tried to put SNORT with a large number of signatures enabled on a really high speed link that is well utilized?

        I am afraid if you do you are in for a RUDE awakening. The fact of the matter is that these $20,000 solutions cost that much for a reason, and the reason is they've spent years optimizing them for high speed links. This is something the hobbyist programmers who work on Snort cannot compete with. For instance, what open source coder has a SMARTBITS [spirentcom.com] on their desk? Something like that is essential to test these things, but they cost upwards of $10,000.

        So I would say yes, if all you want to do is monitor a T1 or two, and you're willing to tinker a lot, something like Snort would work. But if you have a SERIOUS network with lots of bandwidth, you're gonna have to pony up the dough.

        Disclosure: I helped build one of the systems [iss.net] that Snort supposedly beat, and I analyzed the source code for another one [networkice.com] that was bought by that company. Snort CANNOT beat either one in a high bandwidth situation. I've seen the code, I've run the tests, trust me.

        I no longer work for that company so have little to gain by saying this.

        • Re:You pay for performance by hal200 (Score:1) Wednesday December 05 2001, @04:21PM
        • Re:You pay for performance by adturner (Score:1) Wednesday December 05 2001, @04:37PM
        • by jabbo (860) <jabbo.yahoo@com> on Wednesday December 05 2001, @06:35PM (#2662452) Homepage
          I can't speak to higher-end solutions, because as I mentioned in my response, I suspect they'll already have an architecture in place (e.g. when I was at IBM Burlington, before Snort was even born, the setup they had created for monitoring ingress and egress traffic was far beyond what I've seen before or since).

          But for my live production hosts, dual-homed on UUNet and Qwest, and all monitored, Snort + Barnyard + ACID have kept up without clipping traffic or interfering with operations. And yes, we DO saturate both of those links on occasion (though not always).

          That's all I can speak to. When I worked at XOOM we saw traffic up to about 0.75Gbps steady and never bothered running an IDS, just were real fucking careful about what went live and keeping everything audited. An HP OpenView installation with some sort of IDS support was looking like $300K in bills. We said "fuck that" and to this day I wouldn't do any differently.

          But, my situation may be very different from yours. If you need a $20K solution and its presence saves you $40K, you sure as hell don't need my blessing to buy it!
    • Enterprise Grade IDS by arglesnaf (Score:1) Wednesday December 05 2001, @04:55PM
    • Re:Managers Like Names... by 3263827 (Score:1) Wednesday December 05 2001, @09:20PM
  • ya know.... (Score:3, Insightful)

    by the_argent (28326) on Wednesday December 05 2001, @12:25PM (#2660346) Homepage
    My biggest issue with IDS's is "So, what now?"
    For example, Yesterday I get hit with about 90 attempts to get cmd.exe on my webserver from one specific IP addy. So, a quick nslookup / whois later and I get the server name and contact info for the suspected malicious box.
    Since it's from a major site, I decide to contact them to let them know they may have a potentially compromised box on their network.
    Three v-mails and two emails later, no word back from them.

    I'm all for IDS's, but aside from possibly dishing out some Louisville Slugger style 'cease and desist' requests, what good is the info?

    argent out
    • Re:ya know.... by shepd (Score:1) Wednesday December 05 2001, @12:34PM
    • Re:ya know.... by Deagol (Score:1) Wednesday December 05 2001, @12:37PM
    • You misunderstand. by mindstrm (Score:2) Wednesday December 05 2001, @12:40PM
      • Re:You misunderstand. (Score:5, Informative)

        by monkeydo (173558) on Wednesday December 05 2001, @01:00PM (#2660583) Homepage
        SNORT is a Network IDS. What you are describing is Host IDS. Two different things. SNORT tells you what is going on in your network. HIDS tells you what is going on on and to your host.

        The point is to be aware, not to come down on them. If they knocked on the door, trying some exploit.. it's not worth your time to chase them down if it has no effect. On the other hand.. what if it turns out to be a rival company?

        The point is _detection_ as in the three prongs of security, Protection, Detection, and Response.

        Having a firewall (protection) without IDS (detection) is betting that your firewall is blocking everything bad, and not wanting to know if it isn't. Putting sensors inside and outside of your firewall allows you to see what is being attempted and what is being blocked. The IDS will flag things as possible attacks that will pass through the firewall; what you do when your IDS alarms is as important as having it in the first place.

        The Firewall is the lock on your front door, the NIDS is your motion detector, and response is the alarm company sending the police.

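The "sensors inside and outside of your firewall" idea in the post above, as an added example that is not part of the thread: alerts from a hypothetical pair of sensors are paired on (source, destination, signature id) within a time window, so each outside alert can be labelled as passed through or blocked by the firewall, and inside-only alerts (internal origin, or something the outside sensor missed) are surfaced separately. Sensor names, timestamps, addresses and signature ids are all constructed.

```python
"""Added example (not from the thread): correlate outside/inside IDS sensors."""
from collections import defaultdict

# Constructed alert records from two hypothetical sensors: "outside" sits on the
# untrusted side of the firewall, "inside" on the protected side.
ALERTS = [
    {"sensor": "outside", "ts": 100, "src": "198.51.100.7", "dst": "10.0.0.5", "sid": 1002},
    {"sensor": "inside",  "ts": 101, "src": "198.51.100.7", "dst": "10.0.0.5", "sid": 1002},
    {"sensor": "outside", "ts": 200, "src": "203.0.113.9",  "dst": "10.0.0.5", "sid": 1003},
    {"sensor": "inside",  "ts": 300, "src": "10.0.0.8",     "dst": "10.0.0.5", "sid": 1002},
    {"sensor": "outside", "ts": 400, "src": "203.0.113.9",  "dst": "10.0.0.6", "sid": 1004},
    {"sensor": "inside",  "ts": 460, "src": "203.0.113.9",  "dst": "10.0.0.6", "sid": 1004},
]


def flow_key(alert):
    """Correlation key: same attacker, same target, same signature."""
    return (alert["src"], alert["dst"], alert["sid"])


def correlate(alerts, window=30):
    """Label every alert by what the two sensors together reveal.

    passed_firewall    - outside sensor saw it, inside sensor saw it within `window` seconds
    blocked_or_dropped - only the outside sensor saw it
    inside_only        - only the inside sensor saw it (internal origin or outside sensor miss)
    """
    pending = defaultdict(list)  # inside alerts not yet paired, keyed by flow
    for a in alerts:
        if a["sensor"] == "inside":
            pending[flow_key(a)].append(a["ts"])

    out = {"passed_firewall": [], "blocked_or_dropped": [], "inside_only": []}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["sensor"] != "outside":
            continue
        k = flow_key(a)
        hits = [t for t in pending[k] if 0 <= t - a["ts"] <= window]
        if hits:
            pending[k].remove(hits[0])  # consume the paired inside alert
            out["passed_firewall"].append(k)
        else:
            out["blocked_or_dropped"].append(k)

    # Whatever the inside sensor saw that was never paired with an outside alert
    for k, times in pending.items():
        out["inside_only"].extend([k] * len(times))
    return out


if __name__ == "__main__":
    for verdict, flows in correlate(ALERTS).items():
        print(verdict, flows)
```

The window matters: in the constructed data the last pair is 60 seconds apart, so with the default 30-second window it is reported as blocked plus an unexplained inside-only alert, while a 120-second window pairs it. Tune the window to the real delay between sensor clocks and log shipping before trusting the "blocked" label.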
      • Re:You misunderstand. by ToeDruid (Score:1) Thursday December 06 2001, @08:45AM
    • Re:ya know.... by Zeshan (Score:2) Wednesday December 05 2001, @12:57PM
    • Re:ya know.... by MadMorf (Score:2) Wednesday December 05 2001, @02:07PM
    • Re:ya know.... by saint10 (Score:1) Wednesday December 05 2001, @02:28PM
  • New IDS model (Score:1)

    by FauxPasIII (75900) on Wednesday December 05 2001, @12:27PM (#2660365)
    Cool... the distributed IDS model (lots of listeners spread throughout the network reporting back home for analysis) is what we [trellisinc.com] engineered our product for. It's the only effective way to keep an eye on the whole network so you can see a distributed attack or an internal-to-internal attack.
  • by jabbo (860) <jabbo.yahoo@com> on Wednesday December 05 2001, @12:29PM (#2660375) Homepage
    I would have thought SecurityFocus could handle a /.'ing, but I guess not. It's a shame since they are one of the good, unbiased sources for security info out there.

    Anyways, I want to throw in a shill for ACID [sourceforge.net] for anyone who runs Snort. It makes my job SO INCREDIBLY MUCH EASIER that, well, I bother to do it every day, maybe two or three times a day, and haven't had any major incidents to speak of. If you run Snort, you ought to log to a centralized database that can handle the traffic from all your sensors, and then grind through it with ACID for starters. Yes, you should keep a packet vault; yes, you should run Nessus; yes, you still need to use TripWire or Integrit for filesystems. But having a friendly, capable frontend to Snort sensors is a HUGE help.

    If you're running a lot of sensors and they get a ton of attacks in production, you should also look into the Barnyard plugin for Snort. It's nice for keeping things from slowing down.

    If I were to take a stab at what would MOST help IDS and ISS research in the near future, I'd guess at the integration of tools like Nessus and Snort with a predictive intelligent agent like Intravenous [packetninja.net] or similar. I wish I could comment intelligently on the article, but mostly I wanted people using Snort to be aware of HOW helpful the ACID frontend is, so that more people use it, and I have less subnets to blackhole ;-).

  • It's in the process, stoopid (Score:4, Insightful)

    by doctor_oktagon (157579) on Wednesday December 05 2001, @12:30PM (#2660384) Homepage
    Installing and monitoring a large-scale IDS installation is a complex and involved process which is not simple!

    Snort may be cheap and easy to install, but many corporations buy IDS on the strength of the management and reporting capability.

    One of my clients went with Cisco Netranger IDS because it offers excellent Monitoring screens that are then staffed by a 24/7 response unit waiting for alerts on the border/dmz/back office networks. It then made it straightforward to sit semi-skilled staff in front of the consoles to monitor activity and alert a skilled technician (i.e. me in this case) if an amber or red warning occurred.

    While Snort may be free, you would have to roll your own management stations (though I guess someone has done this), and thus management costs creep in.

    PleasePleasePlease remember software costs are rarely in the price ... it's the process and management of deployment and operational running that costs the earth!

    DANGER: I'm not flaming snort, I just haven't had the chance to try and scale it up into an enterprise-type situation.
  • Firewall Firewall Firewall (Score:4, Insightful)

    by IgnorantKnucklehead (324494) on Wednesday December 05 2001, @12:31PM (#2660389) Homepage Journal
    Once a system is compromised there is no way I would trust anything on it again until I pulled it off of the 'Net and did a complete reinstall. IDS is good to let you know your box is cracked and perhaps what may have been accessed/tampered with, but it's the last stage in security. Build yourself a good firewall, be careful with your access rights, and have a good password policy.
  • The Future of IDS (Score:2, Funny)

    by dragonfly_blue (101697) on Wednesday December 05 2001, @12:39PM (#2660450) Homepage
    The future of IDS obviously lies in improving overall Webcurity.
  • Future of IDS (Score:3, Funny)

    by JimPooley (150814) on Wednesday December 05 2001, @12:42PM (#2660476) Homepage
    The future of IDS is that he will stand down as leader of the Conservative Party after they lose the next election, at which point he'll get a big fat job with some big firm in The City and disappear into obscurity.

    What?

    Intrusion Detection Systems? You mean this isn't about Iain Duncan Smith?
    • Re:Future of IDS by Marcus Brody (Score:2) Wednesday December 05 2001, @01:15PM
  • by WillRobinson (159226) on Wednesday December 05 2001, @12:44PM (#2660489)
    I agree, snort is the best. But the area that needed improvement for the sysadmin is the frontend. You might want to check out http://www.demarc.org/ Their frontend is very nice. But does take a bit to get installed correctly.
  • Where's the proof? (Score:1)

    by seigniory (89942) <champnuts AT gmail DOT com> on Wednesday December 05 2001, @12:53PM (#2660540) Homepage
    All in all this article is nothing more than an excuse for open-source zealots to toot their own horns a bit. Don't get me wrong, but Snort is a great application - you won't find a better feature/price ratio.

    The thing is that it's just a summary - no methodology is discussed - no results from the tests with any of the vendors - no reasons at all are given for crowning Snort the king.

    Hell, for 10 minutes of work, I'll put up a web page that says Apache running off my wristwatch is the ultimate in web serving. Doesn't make it true...
  • mirrored (Score:1)

    by DoXaVG (65405) <doxavg@Genoc[ ]2600.com ['ide' in gap]> on Wednesday December 05 2001, @12:54PM (#2660549) Homepage
    Since SecurityFocus is already /.'d I've mirrored the article on my site. http://www.computersecuritynow.com/article.php?sid =192 [computersecuritynow.com]
  • by RenQuanta (3274) on Wednesday December 05 2001, @12:57PM (#2660570)
    Not likely. This is an assertion I've seen being made by the IT media for the last two years that I've been doing IDS. IPsec & IPv6 were touted as making IDS obsolete.

    The fundamental fact is that we will never get to the point where all traffic sent out over the great big I is encrypted. It's a matter of simple economics. Things like publicly available web sites, DNS, and even email don't need to be encrypted, nothing is gained by protecting that data. That's why it's a public service. Therefore, content providers (those deploying IDS) will never fork out the $$$ to buy equipment which can handle the load produced by millions of daily transactions that come down to just encrypting index.html and decrypting GET index.html requests.

    As an IDS analyst for the last two years in a Fortune 10 company, I can tell you from first-hand experience that 90%+ of the attacks we see on a daily basis are HTTP-based. DNS comes in second, because guess what? It's one of the needed public services offered by content providers on the Internet. Why encrypt data you're offering out to the whole world?

    Nice article for CIOs, but I'm getting tired of hearing that encryption is going to get rid of NIDS. It's an omega point that we'll just never get to.
  • by Anonymous Coward on Wednesday December 05 2001, @01:17PM (#2660698)
    So, having read both of the articles, I don't see anything in here about the "future" of IDS. Everything in the IDS world relates to pattern matching and speed.

    The problem with that is that the number of alerts does not determine the efficiency and efficacy of an IDS. As Stefan Axelsson points out in his paper "The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection" [raid-symposium.org], the real limiting factor in IDS performance will ALWAYS be the number of false positives generated.

    Unfortunately, not many people seem to be working in the direction to deal with that problem. Most of the major IDS vendors are talking only in terms of getting faster, and having more rules.

    The only company I've actually seen that is looking at any new paradigm to deal with this problem is nCircle [ncircle.com]. Their system has an IDS and a vulnerability scanner working together to accomplish the reduction in false positives.

    It's not a perfect system, but it performs significantly better than any of the IDS products that I've seen. And it definitely shows some sort of vision into the future, and into dealing with the real problems with the way IDS is currently done.

    Just my $0.02...
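The base-rate argument the post above attributes to Axelsson, worked through as an added example that is not part of the thread. Bayes' rule gives the probability that an alarm actually corresponds to an intrusion from three inputs: the base rate of hostile events, the detection rate, and the false-alarm rate. The scenario values (one million events a day, twenty of them hostile, a perfect detector) are constructed for illustration and are not figures from the paper or from any product.

```python
"""Added example (not from the thread): the base-rate fallacy in IDS alerting."""


def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule.

    base_rate        - P(I):      fraction of events that are intrusions
    detection_rate   - P(A | I):  probability an intrusion raises an alarm
    false_alarm_rate - P(A | ~I): probability a benign event raises an alarm
    """
    p_alarm = detection_rate * base_rate + false_alarm_rate * (1.0 - base_rate)
    return detection_rate * base_rate / p_alarm


def required_false_alarm_rate(base_rate, detection_rate, target_precision):
    """Solve P = d*b / (d*b + f*(1-b)) for f: the false-alarm rate needed
    so that a given fraction of alarms are real intrusions."""
    return (detection_rate * base_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


def precision_table(base_rate, detection_rate, false_alarm_rates):
    """(false_alarm_rate, precision) pairs for a range of detector qualities."""
    return [(f, alarm_precision(base_rate, detection_rate, f)) for f in false_alarm_rates]


# Constructed scenario: 1,000,000 events/day, 20 of them hostile, detector never misses.
BASE_RATE = 20 / 1_000_000
DETECTION_RATE = 1.0

if __name__ == "__main__":
    for f, p in precision_table(BASE_RATE, DETECTION_RATE, [1e-2, 1e-3, 1e-4, 1e-5, 1e-6]):
        print(f"false-alarm rate {f:.0e}: {p:.1%} of alarms are real")
    need = required_false_alarm_rate(BASE_RATE, DETECTION_RATE, 0.99)
    print(f"for 99% of alarms to be real, false-alarm rate must be <= {need:.2e}")
```

With the constructed base rate of 2e-5, a detector that is wrong on only one benign event in a thousand still produces alarms of which roughly 98% are false; it has to be wrong on fewer than about two events in ten million before 99% of its alarms are real. That is the sense in which the false-positive rate, not rule count or throughput, bounds what an analyst can do with the output.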
  • by Cally (10873) on Wednesday December 05 2001, @01:27PM (#2660758) Homepage
    They (VNU) seem to be blocking on the HTTP_REFERER header. Copy & paste the URL into a separate browser tab (or window for the non-moz / Konq users :) and hit return. Or use wget.
  • by Mr. Sketch (111112) <mister DOT sketch AT gmail DOT com> on Wednesday December 05 2001, @01:28PM (#2660766)
    I was browsing the other vnunet articles and saw that according to another article on vnunet.com writing Linux viruses is easy. They claim that "It is a stable OS, but it's not a secure OS." so it will most likely be a target next year.

    I could try submitting this to /. but they'll probably think we've had enough security articles for one day and it'll get rejected and no one will read it.
  • The State of IDS (Score:3, Interesting)

    by SkewlD00d (314017) on Wednesday December 05 2001, @01:42PM (#2660839)
    Hi, I currently work in the UC Davis [ucdavis.edu] sec lab [ucdavis.edu] (current project(s): HACQIT).

    The basic problem with all IDS is in the confidence level of determining if something is an attack or just random garbage. Also, IDS have to be fast. If there's too much traffic (if you've been /.'d), you may not be able to check all attacks. Some methodologies start from the approach that deviating from a set of known safe operations is considered suspect. Other IDSes approach it from checking against a known-attack database. We're currently working on genetic algorithms and expert systems to correlate sensors and systems to detect and respond to attacks. The best approach I've seen is a complete kernel-level instrumentation of all system calls that's transparent and mostly undetectable. It would probably be DoS-able as well. The main prob is that you really gotta have another comp to offload IDS checking.

    Right now, nearly all IDSes are extremely primitive and consist of nothing more than snort [snort.org] rules [snort.org] and Perl [perl.com] scripts that call ipchains [samba.org] or something.

    Btw, I went to RAID 2001 [raid-symposium.org] this year (hosted at UCD), it was fairly interesting.
  • prognosticate? (Score:1, Offtopic)

    by ragnar (3268) on Wednesday December 05 2001, @02:12PM (#2660995) Homepage
    Heh... I thought he made that word up, but it appears to be in the dictionary [dictionary.com]. (popup ad warning)
  • by adturner (6453) on Wednesday December 05 2001, @02:16PM (#2661003) Homepage
    I'm sure i'm going to get mod'd down or marked flamebait for this, but here it goes...

    Has anyone ever bothered to actually READ the Snort signatures? I actually spent quite a few hours going over them and found a number of things:

    1) Massive false positives. Almost all of the HTTP signatures only look for a request to a vulnerable CGI/ASP/etc, not for the actual exploit. This means perfectly normal/valid requests generate alerts.

    2) Many sigs are easy to avoid. For HTTP sigs that actually try to look for the exploit it's generally a matter of putting a fake &var=value between the ? and the exploited param since Snort can only do simple string matching.

    3) Many sigs are just plain stupid. I love the one that looks for the string "I love you" everywhere in all SMTP traffic. Heaven forbid someone at your company email their wife/husband/etc.

    4) There's a number of sigs that have hard-coded strings for specific BROKEN exploits. Basically, they'll detect the broken exploit, which will catch the scriptkiddies, but anyone with half a brain who fixed the exploit won't be detected.

    Unfortunately, tuning the IDS (turning off signatures) isn't a valid means of reducing false positives since it makes you completely blind to the attack. Which means you either get deluged with alerts or miss legitimate threats to your network.

    Honestly, I got so fed up with Snort and wasting my time with it, that I finally decided to get rid of it and spend the saved time being more proactive in securing my systems.
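Points 1 and 2 of the post above, as an added example that is not part of the thread and not Snort code: three ways of matching the same HTTP signature are run over constructed requests. A path-only rule fires on every request to the script (the false-positive problem), a single fixed-string rule bound to one exact query layout misses the same exploit when parameters are reordered or URL-encoded, and a rule that parses the path and query and then inspects the named parameter catches all layouts without firing on benign requests. The script name `/cgi-bin/example.cgi`, the parameter `file` and the traversal indicator are hypothetical.

```python
"""Added example (not from the thread): path-only vs parsed HTTP signature matching."""
from urllib.parse import urlsplit, parse_qs

# Constructed signature for a hypothetical script: fire only when the 'file'
# parameter of /cgi-bin/example.cgi carries a directory-traversal sequence.
SIG_PATH = "/cgi-bin/example.cgi"
SIG_PARAM = "file"
SIG_INDICATOR = "../"


def path_only_match(request_uri):
    """Style 1 from the post: alert on any request to the script (noisy)."""
    return SIG_PATH in request_uri


def raw_string_match(request_uri):
    """Style 2: one fixed string covering script and exploit, matched on the raw URI."""
    return "example.cgi?file=../" in request_uri


def parsed_match(request_uri):
    """Hardened: split path and query, decode, then check the specific parameter."""
    parts = urlsplit(request_uri)
    if parts.path != SIG_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX for us
    return any(SIG_INDICATOR in value for value in params.get(SIG_PARAM, []))


# Constructed sample requests
SAMPLE_REQUESTS = [
    "/cgi-bin/example.cgi?file=readme.txt",                # benign use of the script
    "/cgi-bin/example.cgi?file=../../etc/passwd",          # traversal, canonical layout
    "/cgi-bin/example.cgi?x=1&file=../../etc/passwd",      # same, parameters reordered
    "/cgi-bin/example.cgi?file=..%2F..%2Fetc%2Fpasswd",    # same, URL-encoded
    "/index.html",                                         # unrelated
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each request to (path_only, raw_string, parsed) verdicts for comparison."""
    return {r: (path_only_match(r), raw_string_match(r), parsed_match(r)) for r in requests}


if __name__ == "__main__":
    print("path_only raw_string parsed  request")
    for uri, (p, r, q) in evaluate().items():
        print(f"{p!s:9} {r!s:10} {q!s:7} {uri}")
```

The parsed rule is what "looking for the actual exploit" costs: a protocol decode of the request before matching, which is also why it is more expensive per packet than a substring scan.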
  • Links (Score:3, Interesting)

    by GrEp (89884) <crb002&iastate,edu> on Wednesday December 05 2001, @02:24PM (#2661046) Homepage Journal
    Here are some links to Intrusion Detection systems being developed at Iowa State. They [issl.org] are offering fellowships [issl.org] for those interested in doing graduate work in computer security. Here is a link to one of their papers on distributed intrusion detection.

    Automated Discovery of Concise Predictive Rules for Intrusion Detection [iastate.edu]
  • Snort & BigBrother (Score:2, Informative)

    by haeger (85819) on Wednesday December 05 2001, @03:44PM (#2661429)
    Snort combined with the equally free BigBrother [bb4.com] gives every admin exactly what he wants. Secure net with an easy to monitor interface. If I'm not mistaken there was an article in SysAdmin [sysadminmag.com] not long ago about hooking Tripwire into BigBrother [samag.com]. It should be possible to do the same with Snort, shouldn't it?

    /Haeger
  • by Helevius (456392) on Wednesday December 05 2001, @03:56PM (#2661500) Homepage
    I've been doing enterprise network security monitoring for over three years, in military and commercial sectors.

    First, most IDS users focus on eliminating "false positives." This mindset, and especially ISS' goal of "zero false positives," is misguided.

    I treat every IDS event as an "indicator," in the military intel idea of "indications and warnings." If I tell my IDS to find "X", and it reports "X", is that a false positive if "X" doesn't mean compromise? No, it's my responsibility to evaluate that indication by performing correlation and looking at the bigger picture.

    Second, most IDS developers seem to focus on the detection aspect, i.e., can we detect at gigabit speeds? Can we detect Unicode-encoded attacks? This is necessary but not sufficient to perform network security monitoring.

    IDS vendors need to understand that ESCALATION is the goal, not just detection. If the IDS doesn't provide enough supporting data to help me make a judgement without physically inspecting the target, why bother alerting at all? Why flash the red alert light if I must call the customer or do computer forensics to find out if the box is hacked?

    Expect more rants in the form of a book (hopefully) late next year or sometime in '03.

    Helevius

  • Get the real report from NSS. (Score:2, Informative)

    by dwheeler (321049) on Wednesday December 05 2001, @05:44PM (#2662201) Homepage Journal
    You can get the real IDS report from the NSS group at http://www.nss.co.uk [nss.co.uk] at no charge.
  • by bill_mcgonigle (4333) on Wednesday December 05 2001, @07:38PM (#2662774) Homepage Journal
    I found this to be underdocumented when recently configuring snort.

    in snort.conf:

    change

    var EXTERNAL_NET any

    to

    var EXTERNAL_NET !$HOME_NET

    Otherwise, you'll see all your local hosts matching rules meant for external traffic. That's a little confusing.
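The effect of the two EXTERNAL_NET settings above, modelled in Python as an added example that is not part of the thread and not Snort's own variable resolver. It evaluates the header of a typical rule (`$EXTERNAL_NET any -> $HOME_NET 80`) against a few constructed flows under both settings and counts the alerts whose source is a local host. The HOME_NET ranges and flow addresses are constructed.

```python
"""Added example (not from the thread): why EXTERNAL_NET any matches local-to-local traffic."""
import ipaddress

# Constructed HOME_NET; in snort.conf this would be the 'var HOME_NET ...' line.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]


def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def external_net_matches(addr, external_net):
    """Model the two settings from the post: 'any' and '!$HOME_NET'."""
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return not in_home_net(addr)
    raise ValueError(f"unsupported EXTERNAL_NET value: {external_net!r}")


def rule_fires(src, dst, external_net):
    """Header of a typical rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 80"""
    return external_net_matches(src, external_net) and in_home_net(dst)


# Constructed flows as (source, destination) pairs
FLOWS = [
    ("10.1.2.3", "10.1.2.4"),         # local workstation -> local server
    ("192.168.1.10", "10.0.0.80"),    # local subnet -> local web server
    ("203.0.113.5", "10.0.0.80"),     # Internet host -> local web server
    ("10.0.0.80", "203.0.113.5"),     # local server -> Internet host
]


def internal_origin_alerts(flows, external_net):
    """Count rule hits whose source is itself a HOME_NET host."""
    return sum(1 for s, d in flows if rule_fires(s, d, external_net) and in_home_net(s))


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {setting}: {internal_origin_alerts(FLOWS, setting)} alerts from local sources")
```

Under `any` the first two flows fire a rule written for attacks from outside; under `!$HOME_NET` only the Internet-to-server flow fires. The trade-off is the one the next sensor placement discussion implies: with `!$HOME_NET`, an attack launched from an already-compromised local host against another local host will not match external-source rules, so those hosts need to be covered by other rules or sensors.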

  • Security consultant NSS Group tested 16 IDS products from big vendors including Cisco, ISS, Computer Associates and Symantec, along with one freeware open source product called Snort.

    Why oh why do they always call it freeware wrongly [gnu.org]?
  • The past of IDS (Score:2)

    by RobertGraham (28990) on Thursday December 06 2001, @12:26AM (#2663755) Homepage
    Much of what he writes is the Network ICE business plan from three years ago:
    • To combat switches, we created the concept of putting network-IDS on the host.
    • We also produced the first gigabit IDS (several customers are running today at a full 1-gbps, many are above 500-mbps).
    • The issue of "noise" is always an issue (especially "true positives" -- how many care about port 80 probes from the Internet these days?), but BlackICE has exceedingly few false positives -- it is not a major issue our customers complain about (the "protocol-analysis" technique we use results in a fraction of false-positives that "pattern-search" technology most other IDSs use).
    • The author claims "more rules hurts performance". Nope, BlackICE doesn't have that problem -- it doesn't even have the ability to turn off rules. You can either disable protocol-analysis modules (like HTTP, FTP, etc.), or you can ignore events after they trigger (like PHF), but you can't really turn off individual rules from triggering in the first place.
    • The future of networking is IPsec. BlackICE already integrates well with virtually all VPN engines, and we are working tightly with Microsoft to make sure that we can always decrypt traffic (making sure APIs are always available). We are doing nifty stuff with SSL integration with web-servers as well. Again, this is part of the idea of putting network-IDS on the host.
    • The author mentions Hogwash, which is inline Snort. He isn't aware that BlackICE Guard inline IDS has been shipping for much longer.

    As I said, this was the Network ICE business plan from three years ago. We built a product to address these issues, we shipped it, we were successful, and this product is being mixed with the rest of ISS's technologies to become RealSecure 7.

    I hate to come out with a "vendor" message, it is just that the author is most familiar with Snort, where these things are issues. He makes the assumption that other products are just commercialized versions of Snort. This isn't true -- at least in the case of our commercial product, it isn't related to Snort at all. He is maybe describing "The Future of Snort", but this is three years old for BlackICE.

  • Several comments (Score:2, Informative)

    by RoeschMartin (541727) on Thursday December 06 2001, @12:33AM (#2663778)
    NOTE: I'm the author of Snort, so I may be opinionated on this topic...

    I just got in from a busy day and what do I find but a little Snort action on ole Slashdot...

    So, I've got a few comments about the comments:

    Snort signatures and the quality thereof. Anyone who complains about the quality of Snort signatures is a lazy bastard, they're open source and easy to modify, if you find that much wrong with them make the appropriate changes and mail them back to me or Brian Caswell [mailto], our own official Snort Rules Nazi. Just because we write Snort sigs doesn't mean you have to use them, the original concept behind Snort and the rules files that came with the distro was that the users could look at examples of how to write them and develop their own set for the site they were protecting. This has gotten way out of hand over the past three years and has blossomed into the approximately 1300 rules we have now. The quality isn't always the best, but we're working on it (and if you've been tracking them over the past 6 months they've gotten much better).

    Performance. People from ISS talking about the superior performance of their solution is laughable, it's been shown repeatedly in third party IDS [networkcomputing.com] roundups [nss.co.uk] that Snort performs on par with or better than almost all of the other commercially available NIDS solutions out there. In fact, I know of one large entertainment company that sank a decent chunk of money into hardware that's running Snort at OC-12 speeds on their network successfully with no packet loss at all. Moral of the story? IDS performance is tied directly to the configuration and horsepower of the sensor hardware. No big revelations there. The fact of the matter is that Snort's capabilities and performance keep increasing as we continue to develop it. We're also about to revisit some major architectural components of the system as we begin development on Snort 2.0 this month, but that's a different topic...

    Love Snort but need a commercial company to back it? Check out Sourcefire [sourcefire.com], a company that I founded this year precisely to do that. We are selling network IDS appliances complete with a web-based GUI, data analysis console, and full blown configuration management system built in. We're also working on a Management Console appliance that will allow you to deploy and manage a distributed Snort NIDS infrastructure and manage all the data that comes out of the system and perform multi-sensor correlation.

    Rapid response. When the shit hits the fan on the Internet, Snort is usually the leader in getting out new sigs to the user community. Case in point, the W32/Voyager MS SQL worm [cert.org] that recently came out, we were the first with sigs to pick it up.

    So in the end, Snort gives you speed and accuracy (in that I mean you can identify specific exploits very precisely), has an active development and user community and is flexible to meet users needs. I think that this is a really good combo for most people's needs. Now that Sourcefire is out there, I think that the needs of "pro" users can be satisfied as well as those of the open source world.

    On the other hand I might be biased, as I did write the thing... ;)

    -Marty
