TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
I would have to agree that there are pros and cons to publishing the IDS algorithms. It would make analysis of alerts MUCH easier, but it would also make a hacker's job easier in writing applications and exploits that will evade the IDS signatures. Many of the signatures are just not very robust... the use of a default port number, as was described in your e-mail, as the sole criterion for whether certain activity is occurring is really bad... with Gnutella being a key example. If we knew which signatures detected in this way, perhaps we could help fix the signatures... or allow us to configure existing signatures, i.e. letting us add a few ports other than the default port to the signature. I hope things get better in the way events are triggered and what we know about the criteria that set off the alarm.

-----Original Message-----
From: Becher, Jim (STL) [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 1:41 PM
To: 'Palmer, Paul (ISSAtlanta)'; [EMAIL PROTECTED]
Subject: RE: Real Secure logs

Paul,

So how does not publishing your algorithms and signatures make ISS more competitive? How does keeping information from your customers make your customers more secure? Is it your opinion that Snort is/will not be "competitive" because they publish their algorithms and signatures?

A lot of trojans, peer-to-peer applications, etc. have the ability to change the default port number. So every time another one is released, we have to ask ISS technical support whether they are only looking on the default port or if they are looking on any port? This is a rather simplistic example, but hopefully it makes the point.

Reminds me of the time I was informed by an ISS Support Engineer that the GNUtella connect signature was looking for the string "GNUTELLA CONNECT" on any port. Of course that just begged the question why I was not receiving events for the e-mail that was going back and forth between us... ;)

Once we have information on a particular signature, can we share that information with this list?

-jim

-----Original Message-----
From: Palmer, Paul (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 28, 2002 10:17 AM
To: [EMAIL PROTECTED]
Subject: RE: Real Secure logs

ISS does not publish its algorithms in detail, because we operate in a very competitive industry. However, specific customer requests for detailed information are frequently considered and honored. Contact technical support. High-level descriptions of an algorithm are generally included in the on-line help.

-----Original Message-----
From: Emil D Skrdla/cis/evp/Okstate [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 7:17 PM
To: Palmer, Paul (ISSAtlanta); [EMAIL PROTECTED]
Subject: RE: Real Secure logs

Paul (and anyone else),

Where may we turn to gain knowledge of how the many signatures are implemented?

>> Use the information from Victim IP and Intruder IP and you will be much less likely to be confused, since to use Source and
>> Destination properly requires knowledge of how the signature is implemented.

David Skrdla
Senior Systems Technician
CIS/Network Operations
Oklahoma State University
(405) 744-7806 (ph)
(405) 744-3323 (fax)

"Palmer, Paul (ISSAtlanta)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/26/2002 08:22 PM
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>, (bcc: Emil D Skrdla/cis/evp/Okstate)
Subject: RE: Real Secure logs

Actually, RealSecure does perform stateful inspection for the majority of signatures. However, for legacy reasons, the Source IP and Destination IP always show the IP addresses of the last packet received when the signature triggered. It is a bit ironic that many of the better signatures (those with the fewest false positives) trigger not on the initial request from the attacker to the victim, but only after the victim's response has been factored into the signature. Therefore, the last packet seen will often be going in the opposite direction of the attack. To help clarify this, RS 7.0 also provides the notion of Victim IP and Intruder IP. Use the information from Victim IP and Intruder IP and you will be much less likely to be confused, since to use Source and Destination properly requires knowledge of how the signature is implemented. Again, Source IP and Destination IP are still provided so that the scripts and reports for long-time customers do not break. However, I would recommend the use of Victim IP and Intruder IP instead whenever possible.
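Two points in this thread lend themselves to a small worked illustration: Jim's complaint that a signature keyed only on a default port misses the same protocol on another port (while a bare string match on any port also fires on an e-mail that merely quotes the string), and Paul's explanation that a stateful signature which fires on the victim's response reports Source/Destination reversed relative to the attack, which is what the Intruder/Victim pair fixes. The toy IDS below is an added example written for this page; it is not RealSecure, ISS or Snort code. The default port, the handshake reply string, the IP addresses and the packets are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed default port for the toy peer-to-peer protocol (assumption, not from the thread).
P2P_DEFAULT_PORT = 6346
HANDSHAKE_REQUEST = b"GNUTELLA CONNECT"   # the string the thread says the signature looks for
HANDSHAKE_REPLY = b"200 OK"               # constructed responder string for this example


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    signature: str
    source_ip: str        # legacy fields: taken from the packet that triggered the signature
    destination_ip: str
    intruder_ip: str      # flow-aware fields: who opened the conversation
    victim_ip: str


@dataclass
class FlowState:
    initiator_ip: str
    responder_ip: str
    saw_request: bool = False


class ToyIDS:
    """mode: 'port' (default-port only), 'content' (string on any port),
    'stateful' (request from initiator followed by reply from responder)."""

    def __init__(self, mode: str):
        self.mode = mode
        self.flows: dict[frozenset, FlowState] = {}

    def _state(self, p: Packet) -> FlowState:
        # Direction-independent key so both sides of one conversation share state;
        # the first packet seen defines who the initiator is.
        key = frozenset({(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)})
        if key not in self.flows:
            self.flows[key] = FlowState(initiator_ip=p.src_ip, responder_ip=p.dst_ip)
        return self.flows[key]

    def inspect(self, p: Packet) -> list[Alert]:
        st = self._state(p)

        def alert(name: str) -> Alert:
            # Source/Destination come from this packet; Intruder/Victim from the flow.
            return Alert(name, p.src_ip, p.dst_ip, st.initiator_ip, st.responder_ip)

        if self.mode == "port":
            return [alert("p2p-default-port")] if p.dst_port == P2P_DEFAULT_PORT else []
        if self.mode == "content":
            return [alert("p2p-connect-string")] if HANDSHAKE_REQUEST in p.payload else []
        # stateful: remember the initiator's request, fire only on the responder's reply
        if p.src_ip == st.initiator_ip and HANDSHAKE_REQUEST in p.payload:
            st.saw_request = True
            return []
        if p.src_ip == st.responder_ip and st.saw_request and HANDSHAKE_REPLY in p.payload:
            st.saw_request = False
            return [alert("p2p-handshake-confirmed")]
        return []


def run(mode: str, packets: list[Packet]) -> list[Alert]:
    ids = ToyIDS(mode)
    out: list[Alert] = []
    for p in packets:
        out.extend(ids.inspect(p))
    return out


# Constructed traffic: a handshake on a non-default port, and an e-mail that merely quotes the string.
P2P_ON_ODD_PORT = [
    Packet("10.0.0.5", 51000, "192.0.2.10", 4444, b"GNUTELLA CONNECT/0.6\r\n\r\n"),
    Packet("192.0.2.10", 4444, "10.0.0.5", 51000, b"GNUTELLA/0.6 200 OK\r\n\r\n"),
]
EMAIL_ABOUT_IT = [
    Packet("10.0.0.7", 52000, "192.0.2.25", 25,
           b"Subject: sig\r\n\r\nIt looks for GNUTELLA CONNECT on any port.\r\n"),
]

if __name__ == "__main__":
    for mode in ("port", "content", "stateful"):
        print(mode, run(mode, P2P_ON_ODD_PORT), run(mode, EMAIL_ABOUT_IT))
```

Running it shows the three behaviours side by side: the port-only signature is silent on the non-default port, the content-only signature fires on both the handshake and the e-mail, and the stateful signature fires once, on the server's reply, so its Source IP is the server while its Intruder IP is the client that opened the connection. A report that keys on Source/Destination would therefore blame the wrong host for that alert.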
