"I think it's a dirty little secret that much fewer customers customize
NIDS rules than the NIDS vendors think..."
Totally true.
I believe that's because they sell their products as something that
doesn't need to be customized. I like to say that IDSes are more like
ERP systems than Antivirus. A lot of customization is required to make
it work.
Regards,
Augusto.
On 12/23/05, Anton Chuvakin <[EMAIL PROTECTED]> wrote:
> Ron and all,
>
> > In general though, the issue we've found while writing these types of rules
> > is that whatever the algorithm, there is always a trade off between being
> > exact and being general.
> That is *exactly* the discussion I wanted to start! Thanks for picking
> it up. When one provides canned correlation rules (such as your TASL
> scripts), this question comes up in full force. And, unlike NIDS
> rules, where people expect them to work pretty much out of the box (I
> think it's a dirty little secret that much fewer customers customize
> NIDS rules than the NIDS vendors think...), this one gets real
> subjective real quick. And this is where the site-specific rules or
> scripts come in.
>
> > Site-specific rules can get much more interesting. For example, writing
> > a rule that can alert on any "SSH login failure" not coming from the
> > SOC is very simple, but you have to know about the DNS server, the SOC
> > and the trust relationship between them beforehand.
> This is one of my favorite examples: it's an extremely simple and just
> as useful custom rule ("if SSH not from SOC, alert") but an impossible
> default vendor-provided rule. The main question is: how many people
> will go and create it? Will the "NIDS disease" (mentioned above) hit
> it as well and thus devalue the correlation software?
>
> Best,
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.chuvakin.org
> http://www.securitywarrior.com
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>
>
--
Augusto Paes de Barros, CISSP-ISSAP(r)
http://www.paesdebarros.com.br/indexpb.html
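The "if SSH not from SOC, alert" rule discussed above, as an added example that is not part of the original thread. The generic part (parsing OpenSSH failure lines) is what a vendor could ship; the SOC address range and the sample log lines are constructed for this example and are exactly the site-specific knowledge the rule cannot work without.

```python
import ipaddress
import re
from dataclasses import dataclass

# Site-specific knowledge a vendor cannot ship: the SOC's address range.
# Constructed value for this example; a real deployment supplies its own.
SOC_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

# Generic, vendor-shippable part: the shape of an OpenSSH failure line.
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass
class Alert:
    user: str
    src: str
    line: str


def is_soc(addr: str) -> bool:
    """True if the source address falls inside a configured SOC network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SOC_NETWORKS)


def ssh_failures_not_from_soc(lines):
    """Return one Alert per SSH login failure whose source is outside the SOC."""
    alerts = []
    for line in lines:
        m = SSH_FAIL_RE.search(line)
        if m is None:
            continue  # not a login failure (or not sshd at all)
        if is_soc(m["src"]):
            continue  # SOC analysts mistyping passwords: expected, suppressed
        alerts.append(Alert(m["user"], m["src"], line))
    return alerts


# Constructed sample syslog lines (not from any real host).
SAMPLE_LOG = [
    "Dec 23 10:01:02 bastion sshd[4121]: Failed password for root from 10.20.30.15 port 51022 ssh2",
    "Dec 23 10:01:09 bastion sshd[4122]: Failed password for invalid user admin from 203.0.113.77 port 40211 ssh2",
    "Dec 23 10:01:11 bastion sshd[4123]: Accepted publickey for ops from 10.20.30.15 port 51030 ssh2",
    "Dec 23 10:02:44 bastion sshd[4130]: Failed publickey for deploy from 192.0.2.9 port 33000 ssh2",
]

if __name__ == "__main__":
    for a in ssh_failures_not_from_soc(SAMPLE_LOG):
        print(f"ALERT user={a.user} src={a.src}")
```

Swapping SOC_NETWORKS for an empty list turns this back into the generic "any SSH failure" rule, which shows where the exact-versus-general trade-off in the thread actually lives.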