From: Richard L. <ce...@l-...> - 2001-12-30 05:33:49
>> If current IDS tools (whatever those are) aren't detecting "slow"
>> port-scans, can we fix them?
>
> The people that make Snort are some of the best security people in the
> world. If you have ideas about how to make it better, go join their
> team and help them. It's not trivial and they've been at it for a
> while, so they've covered all of the easy bases, most of the hard
> bases and some of the nearly impossible ones.

I did not intend to come off as a smart-ass -- I was merely trying to
stimulate conversation from others who know way more than I do.

>> How tricky could it be to detect
>> connections that occur at specific intervals?
>
> It's not tricky, the problem is that when you lower the thresholds to
> the point where they are being detected, then the IDS thinks everything
> is a slow scan and reports on it.

I guess I was suggesting that a slow scan should be detectable by noting
the time interval as robot-like, rather than just the raw frequency of
connection attempts over a given period (which I thought was how Snort
worked ATM...) [Disclaimer: Haven't had time to really dig into Snort.]

Or are the script-kiddies already *all* randomizing their timing of
connections as well as port sequence order? Or does network latency make
a hash of any interval detection? Is something like this what a human
could spot instead?

> There are infinite ways to attack your machine. We know about a finite
> number of them. Thinking we can know about all of them is naive. That
> is why you must monitor your logs. To look for patterns. Humans are
> good at that, machines are lousy at it. Machines are only good at
> detecting patterns once they have been taught to do so by a human that
> noticed that pattern. Machines don't catch new patterns well at all.

So, what can an IPCop user ignore, and what should they look for? Are
there any guidelines for what Snort doesn't detect, but that a human
would spot right off?

I realize they can't be too trivial, or Snort would already be doing it:
But if that's the case, the average IPCop user probably will be wasting
their time looking at their logs, simply because they don't have the
experience to know what to look for. If we can't tell them what to look
for, the logs aren't communication, they're just noise. :-)

Should they simply assume that what they see in the beginning is
probably "normal" and they should watch for "unusual" things after a
week or so? Can we tell them which Snort messages are expected, and
normal?

Bottom Line: "Monitor your log files" needs some explanation in the
docs, but I haven't the foggiest idea what to write there.

Disclaimer: Maybe I'm just gun-shy since my SW 0.9.8 logs are about 5M
per hour, and there's simply no way I can monitor that in any sane way.
Stupid Ameritech cable-modem.

--
WARNING ri...@ze... email address is an endangered species
Use ce...@l-... instead
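The interval heuristic Richard floats above (treat near-constant gaps between one source's connection attempts as "robot-like", instead of counting attempts per window) as an added example in Python. This is not code from the post, from IPCop or from Snort; the log format, addresses, window sizes and thresholds are all constructed for illustration. It runs a classic count-per-window check and the interval-regularity check side by side over the same constructed log, so you can see the slow scanner that only the second one catches, the jitter tolerance that keeps ordinary network latency from breaking it, and the randomized-timing scanner that evades it, which is the caveat the post raises.

```python
"""Toy comparison of two port-scan heuristics over a constructed log.

Added example, not code from the mailing-list post, IPCop or Snort.
Log format (constructed): "<epoch seconds> <source ip> <dst port>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: three sources hitting one host.
#   10.0.0.5 - slow scan, one port every ~60 s with a little jitter
#   10.0.0.9 - slow scan with randomized gaps (evades the interval check)
#   10.0.0.7 - fast scan, five ports in under a second
SAMPLE_LOG = """\
1000.0 10.0.0.5 21
1060.1 10.0.0.5 22
1119.9 10.0.0.5 23
1180.2 10.0.0.5 25
1239.8 10.0.0.5 80
1300.0 10.0.0.5 110
1000.0 10.0.0.9 80
1003.0 10.0.0.9 443
1041.0 10.0.0.9 22
1042.5 10.0.0.9 25
1130.0 10.0.0.9 21
1190.0 10.0.0.9 23
1000.0 10.0.0.7 21
1000.2 10.0.0.7 22
1000.4 10.0.0.7 23
1000.6 10.0.0.7 25
1000.8 10.0.0.7 80
"""


def parse_log(text):
    """Group events by source: {src: [(timestamp, dst_port), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events[src].append((float(ts), int(port)))
    for src in events:
        events[src].sort()
    return dict(events)


def count_based_alert(events, window=60.0, threshold=5):
    """Classic threshold rule: flag a source that touches >= `threshold`
    distinct ports within any `window`-second span. Sliding the window
    over each event start is enough for this toy."""
    flagged = set()
    for src, evs in events.items():
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


def interval_regularity(timestamps):
    """Coefficient of variation (stddev / mean) of the inter-arrival gaps.
    0 means perfectly periodic; None if there are too few gaps to judge."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return pstdev(gaps) / m


def robot_like_alert(events, min_ports=4, max_cv=0.1):
    """Interval rule: flag a source that hits >= `min_ports` distinct ports
    with near-constant spacing, regardless of how slow the spacing is.
    `max_cv` is the jitter tolerance; 0.1 (10%) absorbs typical network
    latency variation while rejecting randomized timing. Returns
    {src: rounded_cv} for flagged sources."""
    alerts = {}
    for src, evs in events.items():
        if len({p for _, p in evs}) < min_ports:
            continue
        cv = interval_regularity([t for t, _ in evs])
        if cv is not None and cv <= max_cv:
            alerts[src] = round(cv, 3)
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("count-based  :", sorted(count_based_alert(ev)))
    print("interval-based:", robot_like_alert(ev))
```

The count rule only fires on 10.0.0.7: the slow scanner never reaches five ports in any 60-second window, which is exactly the threshold problem the quoted reply describes. The interval rule catches 10.0.0.5 (gaps of 59.6 to 60.3 seconds, coefficient of variation about 0.004) as well as the fast scanner, but 10.0.0.9, whose gaps run from 1.5 to 87.5 seconds, sails through; an attacker who randomizes timing defeats this heuristic, so it complements the count rule rather than replacing it.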