[Snort-sigs] New idea in change tracking for nets

Frank Knobbe frank at ...1978...
Tue Aug 31 22:21:05 EDT 2004


On Tue, 2004-08-31 at 22:49, Matt Jonkman wrote:
> A new idea came our way to augment an organization's change control 
> measures. We're writing signatures to track when devices on the network 
> have config changes made remotely.
> 
> First step is routers and switches. Most are managed via telnet (even 
> though ssh is better), and the configuration modes are easily recognizable.

Why do you need signatures for that? Can't normal profiling identify
configuration/telnet attempts? When we profile networks, we construct a
behavior matrix of what is normal and expected traffic, and alert on
abnormal conditions. Such abnormal condition could be telnet access into
a device from an non-authorized IP. That can be caught without a content
based signature, and is therefore more flexible.

Further, why would you want to alert when a user has successfully
authenticated to a network component? Wouldn't you want to watch for
failed logon attempts instead of successful logons?

Another advantage in going the signature-less way is that you don't have
to assemble a ton of sigs for known devices (which still leaves the
unknown, or lesser known, devices out in the dark, such as an old
Wellfeet router or *gasp* a Motorola router, or something ...uhm...
antique. How about Ascend Pipelines? No wait, let me get a catalog and
inventory a comprehensive list of manufacturers first... :)

And then if you do have a signature set, you need to keep it maintained
as it can changed after firmware upgrades. 

Before I sound too much of a party-pooper, I'll just leave with the
excuse of playing devils advocate. :)

Regards,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040831/ef60ca91/attachment.sig>


More information about the Snort-sigs mailing list