[Snort-sigs] New idea in change tracking for nets
frank at ...1978...
Tue Aug 31 22:21:05 EDT 2004
On Tue, 2004-08-31 at 22:49, Matt Jonkman wrote:
> A new idea came our way to augment an organization's change control
> measures. We're writing signatures to track when devices on the network
> have config changes made remotely.
> First step is routers and switches. Most are managed via telnet (even
> though ssh is better), and the configuration modes are easily recognizable.
Why do you need signatures for that? Can't normal profiling identify
configuration/telnet attempts? When we profile networks, we construct a
behavior matrix of what is normal and expected traffic, and alert on
abnormal conditions. Such an abnormal condition could be telnet access into
a device from a non-authorized IP. That can be caught without a content
based signature, and is therefore more flexible.
Further, why would you want to alert when a user has successfully
authenticated to a network component? Wouldn't you want to watch for
failed logon attempts instead of successful logons?
Another advantage in going the signature-less way is that you don't have
to assemble a ton of sigs for known devices (which still leaves the
unknown, or lesser known, devices out in the dark, such as an old
Wellfleet router or *gasp* a Motorola router, or something ...uhm...
antique. How about Ascend Pipelines? No wait, let me get a catalog and
inventory a comprehensive list of manufacturers first... :) )
And then if you do have a signature set, you need to keep it maintained
as it can change after firmware upgrades.
Before I sound too much of a party-pooper, I'll just leave with the
excuse of playing devil's advocate. :)
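The two approaches argued over above, a content signature for the device's configuration mode versus a behaviour profile of which hosts may telnet to which devices, side by side as an added example. This is illustrative code written for this page, not anything from the Snort-sigs thread or from Snort itself; the management network, device addresses, signature strings and telnet payloads are all constructed, and the flow records stand in for whatever a sensor would reassemble.

```python
"""Added example (not from the thread): a content signature for config-mode
entry over telnet next to a behaviour profile of allowed management hosts.
Every address, string and flow below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass

TELNET_PORT = 23


@dataclass(frozen=True)
class Flow:
    """One client->server telnet session as a sensor might reassemble it."""
    src: str
    dst: str
    dport: int
    payload: bytes  # constructed client input, not real captures


# Behaviour profile ("what is normal"): management hosts allowed to telnet
# to the inventoried devices. Hypothetical addresses.
ALLOWED_MGMT = [ipaddress.ip_network("10.0.0.0/24")]
DEVICES = {"192.168.1.1": "core-router", "192.168.1.2": "old-switch"}

# Content signatures for entering configuration mode. A hypothetical list
# for one vendor's CLI; it must be maintained per vendor and per firmware.
CONFIG_MODE_SIGS = [b"configure terminal", b"conf t"]


def _telnet_to_device(flow):
    return flow.dport == TELNET_PORT and flow.dst in DEVICES


def profile_alerts(flows):
    """Alert on any telnet session to a managed device from a host outside
    the allowed management networks. Vendor-agnostic, payload not needed."""
    alerts = []
    for f in flows:
        if not _telnet_to_device(f):
            continue
        src = ipaddress.ip_address(f.src)
        if not any(src in net for net in ALLOWED_MGMT):
            alerts.append(
                f"PROFILE: telnet to {DEVICES[f.dst]} ({f.dst}) "
                f"from unauthorized {f.src}"
            )
    return alerts


def signature_alerts(flows):
    """Alert when telnet client input to a device contains a known
    config-mode string. Fires for authorized admins too, and stays silent
    for devices whose CLI is not in the signature list."""
    alerts = []
    for f in flows:
        if not _telnet_to_device(f):
            continue
        for sig in CONFIG_MODE_SIGS:
            if sig in f.payload.lower():
                alerts.append(
                    f"SIG: config mode '{sig.decode()}' on {DEVICES[f.dst]} "
                    f"from {f.src}"
                )
                break
    return alerts


# Constructed sessions: an admin's routine change, an outsider browsing a
# router's config, the same outsider on a device whose config prompt the
# signature set does not know, and unrelated HTTP traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.168.1.1", 23, b"enable\r\nconfigure terminal\r\n"),
    Flow("172.16.5.9", "192.168.1.1", 23, b"show running-config\r\n"),
    Flow("172.16.5.9", "192.168.1.2", 23, b"config\r\nset port 1 disable\r\n"),
    Flow("10.0.0.5", "192.168.1.1", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for line in profile_alerts(SAMPLE_FLOWS) + signature_alerts(SAMPLE_FLOWS):
        print(line)
```

Run against the constructed sessions, the profile fires twice (both sessions from 172.16.5.9, including the one on the device whose CLI the signature list does not cover) and the signature fires once, on the authorized admin's routine change. Neither check is wrong on its own; the profile answers "who is talking to my devices" and the signature answers "what are they doing", and a shop that wants the second still has to inventory every CLI dialect it carries.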