[Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9

Matthew Jonkman jonkman at ...15020...
Wed Feb 2 15:17:34 EST 2011

On Feb 1, 2011, at 11:58 AM, Jason Wallace wrote:
> "An effective IDS ruleset HAS to cover malware."
> -- In my opinion, I[DP]S is not the answer to malware. "Many of those
> will not happen while the computer is on your network [ ... ]" That is
> why IDS has limited value when it comes to malware. I do not think IDS
> should ignore malware, but at most it should be seen as a second or
> third layer of protection. Patching, privilege reduction, and content
> filtering _at the asset level_ combined with user education will
> always be better primary levels of defense than IDS for this type of
> threat. An infected asset (on or off your network) constitutes a
> failure in your security program. That failure should initiate some
> sort of action/response. If the user was off-site when the infection
> occurred (and ~85% of our malware infections occur off-site, and yes I
> have that data) there is no direct action I can take from a network
> based IDS perspective to prevent a recurrence of that infection. If it
> is not directly actionable, it should not be considered a primary
> defense layer. If it is not a primary defense then it does not HAVE to
> cover it. Coverage would, at that point, be a value add.

It's not the end all answer, nothing is. A lot of technologies have to work together. IDS I think is absolutely definitely no doubt one of them.

We are never going to catch everything on the host with host based tools. And if you think about it, there is one thing malware HAS to do to be of use to its master. It has to talk to someone and either take commands or slip out information. This is 100% in the purview of IDS.

You won't catch every attack or exploit, but we can do a lot for catching CnC traffic. And no, we won't catch them all. But let's hope the overlap between what we catch and what the AV vendors don't catch gets us closer to secure.

Yes, an infection is a failure. But we will always have failures. And you'll have hosts that come in from the outside already infected. You MUST focus on CnC channels, I don't see any alternative.

And on the NSS point, we test our AV vendors by how fast they cover the malware of the day. Why not apply the same standard to our IDS vendors? 

> The biggest issue I had with that article (until I dug deeper) was this...
> "I believe we need to as consumers realign what we read into those
> marketing phrases, and reconsider what we should allow to be
> acceptable for the rhetoric."
> [ ... ]
> "We’ve just gone through launch, and have spent a lot of time
> developing our marketing slang. We purposely chose to use the term
> comprehensive to describe our ruleset."
> [ ... ]
> "We did not choose to use the term Complete. I don’t think any
> security product can nor should give the impression that they’ll catch
> everything."
> Sounds great, but while the main page of the ET Pro web site (which
> will set many potential customer's initial impression) is entitled
> "the comprehensive ruleset" the first paragraph on the ET PRO website
> however is titled "Complete Coverage." That put me off a little bit
> until I read the "the rules > coverage" page which does use
> "comprehensive" as opposed to "complete." Purposeful rhetoric? No, of
> course not, but that inconsistency immediately stood out when I went
> from the article directly to the main page of the ET Pro website.

True, looks inconsistent. Complete there is used in the context that Pro is not just malware, but full range coverage. Whereas the ET Open ruleset is best effort and very much focused on malware and experimental stuff. I'll change the wording to make that more clear. 

We are not the end all, catch everything, last security product you need. No one is. We're another cog in the wheel that should be your overall security program. We think we're a better cog than the equivalents though of course! :)

> All my previous points are obviously my opinion and can be argued
> either way, and I don't think there is a "right answer" that fits
> everyone's views points on IDS/IPS. While I do not agree with
> everything Matt said, I think the article did explain his point of
> view and vision. Thanks for the interesting read.

Thanks. I like to rant, and I know I generalized a LOT in that article. But my overarching hope is that we all become more critical of the marketing hype, and keep in mind that everything we buy and deploy is just one part. None of them are complete, you have to look at the gaps between and make sure you're doing the best to have overlap to get you closest to 100%.


Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
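Matt's point above, that malware has to talk to its master and that this callback is the part a network IDS can see regardless of where the infection happened, as an added illustration (my own example, not code from the post, from Emerging Threats or from Snort): two complementary network-side checks run over constructed outbound HTTP flow records. The first is signature-style, the shape of check an IDS ruleset encodes (a fixed check-in URI pattern, a bare-IP Host header paired with a stale User-Agent). The second is behavioural and needs no prior knowledge of the family: it flags client/destination pairs that call out at a near-constant interval. The flow records, the indicator patterns, the hypothetical hosts and URIs, and the thresholds are all constructed for the example.

```python
"""Two network-side checks for malware command-and-control (CnC) traffic,
run over constructed HTTP flow records.

Added example: not code from the mailing-list post, Emerging Threats or
Snort. Flows, indicators, hosts, URIs and thresholds are all constructed.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds of the request
    src: str         # internal client IP
    dst: str         # Host header (or bare IP) the client talked to
    uri: str
    user_agent: str


def _every(start, period, n, src, dst, uri, ua, jitter=()):
    """Build n flows src->dst spaced `period` seconds apart (+ optional per-step jitter)."""
    flows, t = [], start
    for i in range(n):
        flows.append(Flow(t, src, dst, uri, ua))
        t += period + (jitter[i] if i < len(jitter) else 0)
    return flows


# Constructed sample: one infected host beaconing to a bare-IP CnC every ~5 min,
# one host browsing normally, one legitimate updater polling every 60 s.
SAMPLE_FLOWS = (
    _every(1000.0, 300, 6, "10.0.0.5", "203.0.113.7", "/gate.php?id=3f2a9c1e",
           "Mozilla/4.0 (compatible; MSIE 6.0)", jitter=(0, 1, -1, 0, 0))
    + [Flow(t, "10.0.0.6", "www.example.com", u, "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6")
       for t, u in [(1000.0, "/"), (1005.0, "/news"), (1125.0, "/img/a.png"),
                    (1128.0, "/news/2"), (2028.0, "/about"), (2068.0, "/contact")]]
    + _every(1000.0, 60, 5, "10.0.0.7", "cdn.example.net", "/update/check?v=2.1",
             "ExampleUpdater/2.1")
)

# Signature-style indicators of the kind an IDS ruleset encodes. Hypothetical
# patterns written for the constructed sample, not real ET or Snort rules.
SIGNATURES = [
    ("HYPOTHETICAL CnC checkin - gate.php with 8-hex bot id",
     lambda f: re.search(r"/gate\.php\?id=[0-9a-f]{8}$", f.uri) is not None),
    ("HYPOTHETICAL suspicious - bare IP Host header with MSIE 6.0 UA",
     lambda f: re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", f.dst) is not None
     and "MSIE 6.0" in f.user_agent),
]


def match_signatures(flows):
    """Return (flow, signature_name) for every flow that matches an indicator."""
    hits = []
    for f in flows:
        for name, pred in SIGNATURES:
            if pred(f):
                hits.append((f, name))
    return hits


def find_beacons(flows, min_hits=4, max_cv=0.2):
    """Flag (src, dst) pairs whose requests recur at a near-constant interval.

    Returns {(src, dst): (mean_gap_seconds, coefficient_of_variation)}.
    CV = stdev/mean of the inter-request gaps; 0.0 means perfectly periodic.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:          # too few requests to judge periodicity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = (mean, cv)
    return beacons


if __name__ == "__main__":
    for f, name in match_signatures(SAMPLE_FLOWS):
        print(f"SIG    {f.src} -> {f.dst}{f.uri}: {name}")
    for (src, dst), (mean, cv) in find_beacons(SAMPLE_FLOWS).items():
        print(f"BEACON {src} -> {dst}: every {mean:.0f}s (cv={cv:.3f})")
```

On the constructed sample the signature check fires only on the infected host, while the beacon check fires on both the infected host and the legitimate updater: periodicity alone is a lead, not a verdict, which is exactly why a network-side CnC check is one layer that has to be correlated with host, proxy and AV data rather than the whole program.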
