[Snort-users] New Trend: Intrusion Prevention
snort_lists at ...7756...
Sun Dec 15 15:36:03 EST 2002
Ok, I will respond once then we should take this offline
I believe you are right in everything you said, I think
you are saying the same thing I am in most cases. IPS is
the future and will become a major "feature" in most
firewalls and possibly IDS's just like signature based
IDS's will merge with anomaly based IDS's. Both Hogwash
and Guardian were referred to in this thread a few times
as IPS so it was fair of me to refer to them as well.
Cisco also talks about "shunning" in their PIX
IDS...etc.etc. I dont know enough about host based IPS to
state a position so this does not include host IPS.
Any auto response is what I am talking about. Let me put
forth a few examples using Snort sigs since this is a
Snort mailing list:
- POP3 PASS overflow attempt SID:1634
I have seen a rash of these over the last few weeks. What
I have determined is that all the sources for this alert
are using an updated Outlook or Outlook express.
Essentially what would have happened if the firewall had
this signature and did not allow packets to pass is that
none of the normal users would have been able to get their
- SMTP HELO overflow attempt SID:1549
If you run Exchange 2k you will be very familiar with this
sig as it would have flooded your db, alert file, etc,
when you enabled it.
The IPS if built into the firewall making decisions would
have blocked most if not all of your sites email until you
determined what the problem was.
When I am talking about this I am not referring to a site
where the admin and the net engineer and the sec analyst
are the same person or sit next to each other. I am
talking more about the larger environments where they may
not even know each others faces. Companies like this are
the commercial target, not the small shops. In
environments like this "white-lists" would be very hard to
maintain in my experience and they would not cover things
such as Google, Yahoo, AOL, etc. Imagine your helpdesk who
supports the 1.5-2k ppl on the site getting calls from
everyone saying that they cannot get to Yahoo :) In your
IIS double decode example you need to be really careful.
What happens if the security analyst doesnt know that the
Web devs just added an "upload a picture" page? That jpg
or gif could easily contain the characters that would
trigger the alert so this would have to be taken into
account when the rule is written or it could waste
Your personal issue with the router statement:
In most cases your firewall or your IDS are not a router.
This means that the next hop is your router, not your
ISP's. Who cares if this dest gets blocked? In ordinary
circumstances nobody does. Imagine this though. Your users
begin complaining that several things are not accessable
on the Internet. The first thing you would check was your
firewall to ensure it is up. The second thing would
probably be your router. You would then waste time
thinking that the issue is possibly a faulty router, you
would then contact the network engineer as you do not have
access to it. Not exactly a dangerous situation but it
would again waste time. I did not say anything about mac
blocking as that would, in every case, be useless.
I hate to get into specific examples. I was just stating
the case that *at this point and time* the technology is
young and is *not there yet*. It does not threaten IDS nor
does it threaten firewalls it is more of a *feature*. *At
this point and time* it is very necessary to be cautious
of the setup as it could waste many peoples time. Of
course in a small one web server 100 person environment
this would probably not be the case but they are *not* the
main commercial target.
kblack at ...7756...
On 15 Dec 2002 16:09:26 -0600
Frank Knobbe <fknobbe at ...652...> wrote:
>On Sun, 2002-12-15 at 12:58, Kevin Black wrote:
>> One thing I have not seen mentioned is the danger
>> associated with the IPS. Most of the time when I hear
>> people talking about IPS they refer to "shunning" the
>> address associated with the alert or the activity.
>I believe you may be misunderstanding what an Intrusion
>Device is. It's absolutely normal that everyone has a
>what makes an IPS since that is a pretty bad term, and
>droid that dreamed this word up deserves a public
>I think what you are talking about is not an IPS, but
>just a reactive
>IDS (like Snort and SnortSam, or Snort and Guardian). I
>thread has been about things like Snort Inline or
>devices, which as also referred to as Intrusion
>Prevention Devices 
>have at their heart a signature or anomaly based engine
>similar to an
>IDS, but they don't use it to alert. Instead the engine
>is used to make
>the decision whether to pass the inspected traffic or
>not. In essence,
>IPS devices behave like firewalls, except that the
>is not based on a static access control list, or access
>policy, but on
>I agree that (static ACL based) firewalls don't go away,
>threatened by IPS'. But those two are indeed starting to
>merge, and in a
>couple years we don't have a 'firewall' or 'intrusion
>per se, but a hybrid. What we are going to call it
>remains to be seen.
>Perhaps an intrusion wall? The merged device will be able
>traffic based on a static policy, and in addition filter
>traffic through a signature engine. A typical policy may
>look like this:
>any -> dns-server | 53/udp | accept
>any -> web-server | 80/tcp | inspect (<- signature check)
>any -> any | any | deny
>> IPS has its place and can be very useful but in a *very*
>> limited capacity IMHO. The setup needs to be carefully
>> thoughtout and the repurcussions need to be fully
>> understood before it is installed.
>I agree, but at the same I'm more optimistic. A lot of
>security in black and white, but it is not that way at
>all. We can let
>the computer make some decisions, but we have to be
>example, above firewall policy could inspect web server
>traffic and deny
>and packets that contain IIS double-decodes or Unicode
>other traffic would be passed. Although we let the IPS
>part of this
>firewall make a decision on it's own, it seems that this
>is a situation
>where we can put this level of trust into the box.
>But you are right. The *current* state of IPS' is a bit
>sorry. We're are
>definetly not 'there yet' (Although all IPS vendors would
>like us to
> So many other things are marketed as Intrusion
>it is becoming redicioulous. But as long as the customer
>marketing slur and buys the devices without asking
>And finally a personal gripe.
>> This is
>> done by modifying the firewall or adding to the
>> hosts.deny, (such as in portsentries case). etc. Suppose
>> you are running IIS and I fired out a few packets at
>> business that would trigger IIS overflow alerts or scan
>> alerts. The source address is spoofed as one of your
>> remote sites. Maybe your mail is relayed and I use that
>> address or even worse I spoof your downstream router or
>> ISP's DNS server.
>In discussions about the viability and risks of SnortSam
>programs like it, the issue of spoofs is always brought
>up. A valid
>point that is always answered with white-lists. And DNS
>always used as examples.
>However, the 'downstream router' play absolutely no part
>equation. So what if you block your default gateway, or
>router downstream?! You don't send packets to the IP
>address of the
>router anyway. You don't receive packets from the IP
>address of the
>router either. It's not like it's acting as a reverse
>something. We're blocking on the IP level, not MAC level.
More information about the Snort-users