IDS deployment {was: Re: [Snort-users] Not able to catch internal attacks}

Dragos Ruiu dr at ...381...
Wed Oct 18 02:37:49 EDT 2000

On Tue, 17 Oct 2000, David Harris wrote:
> I always thought one of the advantages of IDS systems were that they were
> able to detect attacks coming from the internal network.  But with the way
> the rules are set up this is not going to happen as most signatures are
> based on "Outside -> Inside" or "Inside -> Outside" so its wont log any
> "Inside -> Inside" attacks.

One configuration I like to use occasionally/often is one IDS watching for stuff
in the DMZ, another wired tighter watching the inside of the firewall for stuff
from/to the outside and a third IDS system watching for inappropriate traffic
between local hosts.  Call me paranoid.   But since snort probes are fairly
economical and the CPU use is light enough to be piggybacked on servers 
doing other useful work....  multiple IDSes can be a life saver in case of
a good hack where the IDS integrity may be compromised.  Defense by depth
and all is stronger with multiple alarm layers.  This would be one argument
against the utility a central hacking point err... console provides but I'm not
sure enough of that idea yet to declare it good methodology....  It all depends
on how much log-check bandwidth you have.

One should always remember that a _good_ attacker will have tools that will
elude all the off-the shelf IDS signature collections... There are literally
dozens available... only by customizing the setup to your specific network
utilization and calling certain kinds of traffic off-limits will you gain all
the benefits that are available with such alarming systems. Then when the
unwary interloper sends something that crosses one of these booby trap
traffic red-lines you will know.  That final internal to internal IDS will
tell you about insiders (more often a problem than not), or if you already 
have a _big_ external intruder problem. :-) 

So the flip side to that is that the good defender will always have defenses
the attacker doesn't know about. The moral of the story is that it is a good
thing to become familiar with the snort rules syntax, and by just using a
canned ruleset you are missing out on the largest portion of the power 
of snort.
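As an added illustration of the point above about internal-to-internal rules (this is an example written for this page, not code from the original post or from the Snort distribution), here is how the third sensor's "red-line" rules might look in classic Snort 1.x/2.x rule syntax next to a typical canned rule. The address ranges, the $SERVERS, $WORKSTATIONS and $SENSOR variables, and the choice of telnet and server-to-workstation connections as off-limits traffic are assumptions made for the example; substitute what is actually off-limits on your own network.

```snort
# Added example: rules for a sensor watching traffic between local hosts.
# All address ranges and variable names below are assumptions for the example.
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
var SERVERS 10.0.1.0/24        # assumed subnet holding the servers
var WORKSTATIONS 10.0.2.0/24   # assumed user-desktop subnet
var SENSOR 10.0.1.250          # assumed address of the passive sensor box

# A typical canned rule. It only fires on connections entering from outside,
# so an internal host connecting to another internal host never matches it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET from outside"; flags:S;)

# Internal-to-internal red lines for the third sensor.
# Workstations have no business opening telnet to anything else inside.
alert tcp $WORKSTATIONS any -> $HOME_NET 23 (msg:"INTERNAL telnet from workstation subnet"; flags:S;)

# Servers should not initiate connections to workstations at all; one that
# does is either misconfigured or already owned.
alert tcp $SERVERS any -> $WORKSTATIONS any (msg:"INTERNAL server-initiated connection to workstation"; flags:S;)

# The sensor is passive and should never be addressed by anyone inside;
# any packet aimed at it is someone looking for the alarm system.
alert tcp $HOME_NET any -> $SENSOR any (msg:"INTERNAL tcp traffic to passive sensor";)
alert udp $HOME_NET any -> $SENSOR any (msg:"INTERNAL udp traffic to passive sensor";)
alert icmp $HOME_NET any -> $SENSOR any (msg:"INTERNAL icmp to passive sensor";)
```

The `flags:S;` option restricts the telnet and server rules to the initial SYN, so each connection produces one alert instead of one per packet. In Snort 2.x the IP variables are declared with `ipvar` rather than `var`, but the rule headers are unchanged. The sensor rules only make sense on a box that really is passive (no IP on the sniffing interface, or one that nothing legitimately talks to); otherwise they will fire on ordinary management traffic.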

