My thought is that you don't want your IDS to do this type of "analysis"; instead, you
do the analysis and response at a higher level (threat analysis/correlation) in order
to be more accurate. The problem with current IDS responses to particular events is
selectivity and the lack of filtering. By the reduction of false positives and
prioritization of incidents at a higher level, you can create a better and more
accurate response. GuardedNet has created an application that does this for you, and
enables you to respond via OPSEC and a number of other sources. It also maintains a
whois database with latitude and longitude plot points so you can see where the
attacks are coming from and a built-in ticketing system for handling the incidents.
Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc
-----Original Message-----
From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
Sent: Wed 5/29/2002 6:32 PM
To: Security-Basics List
Cc:
Subject: Re: Reacting to IDS alerts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 29 May 2002, JM wrote:
> Basically, we are currently receiving an ever increasing number of
> intrusion attempts, (isn't everyone) and would like to automate a
> reaction to these attempts.
I need a little clarification here: by "intrusion attempts," do
you mean portscans or actual attempts to breach a specific service (such
as a Nimda attempt)? Putting a finer point on this will help me better
answer your request.
> Firstly, I would like to inform the owner of the address space which the
> attack has come from that this is happening. Secondly, I would like to
> report this address space for permitting this activity.
This is largely do-able since the core of a utility I wrote does
precisely this. However, I've noted that there is a certain amount of
data rot with which one must contend in the ARIN, APNIC and RIPE
databases. This can be either incorrect or outdated netblock assignment
information or bogus e-mail contact addresses.
> Basically the way I see it so far is to take the alerts that are
> generated by the IDS, in a mail format, using some sort of script from
> that alert, extract the source address, do a whois on that source
> address, then find the admin and technical contacts for that address
> space from the whois and mail them a copy of the alert(confidential data
> removed) along with a warning that the information has been passed to
> the relevant authorities.
Early Bird does this, albeit its exclusive focus is on web-based
worm attacks. You could probably adapt its code to suit your purpose.
(http://www.treachery.net/earlybird/)
> Trouble is, who are the relevant authorities. And are they likely to
> take any action.
Law enforcement agencies (LEAs) don't take e-mail notifications of
intrusion attempts seriously. If they did, they'd be scrambling every
which way 'til Sunday handling them...and they aren't. Even the FBI won't
touch a network intrusion case (actual or attempted) unless there's at
least $5,000 in confirmed losses or unless the aggrieved party has some
massive political influence. For all they care, Usama bin Laden himself
could be portscanning you to oblivion and they wouldn't so much as bother
to open a case file on the incident.
That's just the way the ball bounces.
- -Jay
( ( _______
)) )) .---"There's always time for a good cup of coffee"---. >====<--.
C|~~|C|~~|(>------- Jay D. Dyson -- [EMAIL PROTECTED] -------<)| = |-'
`--' `--' `-Because it is bitter...and because it is my heart.-' `------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQE89VcFGI2IHblM+8ERApzCAKCXhvpgNa8MSpeK4KpFOqqrEigwIgCfVHoD
DnVfrFqHA4v25x1MvDQyfAo=
=0zaO
-----END PGP SIGNATURE-----
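The pipeline JM sketches above (take the IDS alert, extract the source address, look up the netblock contacts, mail them a copy with confidential data removed), together with the two caveats raised in the replies (stale or bogus RIR contact data, and the need for filtering and prioritization before anything is sent), as an added Python example that is not part of the original thread and is not the code of Early Bird or of GuardedNet's product. The alert lines and whois records are constructed sample data; `lookup_whois` is an offline stand-in for a real ARIN/APNIC/RIPE query, and the notification threshold is an assumed policy.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IDS alerts in a Snort-style one-line format (sample data, not real traffic).
# 198.51.100.0/24 stands in for the monitored network; the other documentation ranges
# stand in for public address space.
SAMPLE_ALERTS = [
    "05/29-18:32:01.123 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.45:3122 -> 198.51.100.10:80",
    "05/29-18:32:05.456 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.45:3140 -> 198.51.100.11:80",
    "05/29-18:32:09.789 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.45:3151 -> 198.51.100.12:80",
    "05/29-18:33:00.000 [**] [1:1000002:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 192.168.1.7:40000 -> 198.51.100.10:22",
    "05/29-18:34:00.000 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.77:5555 -> 198.51.100.10:80",
]

# Constructed stand-in for RIR whois output, keyed by netblock. A real deployment would
# query ARIN/APNIC/RIPE; the second record mimics the "data rot" case with no usable contact.
FAKE_WHOIS = {
    "203.0.113.0/24": "inetnum:       203.0.113.0 - 203.0.113.255\nnetname:       EXAMPLE-NET\n"
                      "e-mail:        noc@example.net\nabuse-mailbox: abuse@example.net\n",
    "192.0.2.0/24":   "inetnum:       192.0.2.0 - 192.0.2.255\nnetname:       STALE-NET\n"
                      "e-mail:        hostmaster@localhost\n",
}

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Sources in these ranges cannot be reported to any registry contact: spoofed, misrouted or local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_alert(line):
    """Return the fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    fields["raw"] = line
    return fields


def is_routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def lookup_whois(ip):
    """Offline stand-in for a whois query: return the constructed record covering ip."""
    addr = ipaddress.ip_address(ip)
    for block, text in FAKE_WHOIS.items():
        if addr in ipaddress.ip_network(block):
            return text
    return ""


def extract_contacts(whois_text):
    """Prefer abuse-mailbox over generic e-mail fields; drop syntactically bogus addresses."""
    abuse, other = [], []
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("abuse-mailbox", "e-mail", "email", "OrgAbuseEmail"):
            if not EMAIL_RE.match(value) or value.endswith((".invalid", ".local")):
                continue
            (abuse if "abuse" in key.lower() else other).append(value)
    return abuse or other


def redact(line, own_net):
    """Replace addresses inside the monitored network before the alert leaves the organisation."""
    net = ipaddress.ip_network(own_net)

    def hide(m):
        try:
            return "[internal host]" if ipaddress.ip_address(m.group()) in net else m.group()
        except ValueError:  # digits that merely look like an address
            return m.group()
    return IP_RE.sub(hide, line)


def build_notifications(lines, own_net="198.51.100.0/24", threshold=3):
    """Group alerts by source and decide, per source, whether a report can be sent and to whom."""
    by_src = defaultdict(list)
    for alert in filter(None, map(parse_alert, lines)):
        by_src[alert["src"]].append(alert)
    result = {}
    for src, alerts in by_src.items():
        if not is_routable(src):
            result[src] = {"status": "skipped_non_routable", "contacts": [], "alerts": []}
            continue
        # Selectivity: a lone low-priority hit is noise; repeated or high-priority hits are reported.
        if len(alerts) < threshold and min(a["prio"] for a in alerts) > 1:
            result[src] = {"status": "below_threshold", "contacts": [], "alerts": []}
            continue
        contacts = extract_contacts(lookup_whois(src))
        result[src] = {
            "status": "ready" if contacts else "no_valid_contact",
            "contacts": contacts,
            "alerts": [redact(a["raw"], own_net) for a in alerts],
        }
    return result


if __name__ == "__main__":
    for src, report in build_notifications(SAMPLE_ALERTS).items():
        print(src, report["status"], report["contacts"])
```

Three outcomes fall out of the sample data: the repeated web attack from 203.0.113.45 is ready to report to the abuse mailbox, the single hit from 192.0.2.77 is held back because its registry record carries no usable contact (the situation Jay describes), and the RFC 1918 source is dropped outright. Whatever does the actual sending should work from the `"ready"` entries only, log the others for a human, and keep the redacted copies as the record of what was disclosed.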