Using IDS logs to enforce IPS rules?

on 18.01.2008 17:35:36 by leonardodiserpierodavinci

Hi,

Do you know any solution (better if open source) to compare IDS and
IPS logs in such a way that IDS logs are used to automatically enforce
IPS rules?
I googled around but all I found was a reference to SnortAlog.
Thanks in advance for any hint.

L

Re: Using IDS logs to enforce IPS rules?

on 18.01.2008 17:43:31 by Sebastian Gottschalk

leonardodiserpierodavinci@gmail.com wrote:


> Do you know any solution (better if open source) to compare IDS and
> IPS logs in such a way that IDS logs are used to automatically enforce
> IPS rules?


An Intrusion Protection System is typically defined as a combination of an
IDS and an automatic rule creation as reaction to the IDS log entries.

At any rate, over the time this hasn't become any less stupid. So better
think twice and abandon this idea.

Re: Using IDS logs to enforce IPS rules?

on 21.01.2008 10:30:38 by arjunhegde

Try out the ISS Proventia solution; there you can have both simulation and
inline mode. Maybe that could be of great help to you.

Re: Using IDS logs to enforce IPS rules?

on 21.01.2008 11:48:30 by leonardodiserpierodavinci

On Jan 18, 5:43 pm, "Sebastian G." wrote:
> An Intrusion Protection System is typically defined as a combination of an
> IDS and an automatic rule creation as reaction to the IDS log entries.
>
> At any rate, over the time this hasn't become any less stupid. So better
> think twice and abandon this idea.

You mean because of the circular dependency?
Do you have other suggestions?
Thanks for your answer.

Re: Using IDS logs to enforce IPS rules?

on 21.01.2008 19:29:49 by Sebastian Gottschalk

leonardodiserpierodavinci@gmail.com wrote:

> On Jan 18, 5:43 pm, "Sebastian G." wrote:
>> An Intrusion Protection System is typically defined as a combination of an
>> IDS and an automatic rule creation as reaction to the IDS log entries.
>>
>> At any rate, over the time this hasn't become any less stupid. So better
>> think twice and abandon this idea.
>
> You mean because of the circular dependency?


No, because of spoofing. Consider that an IPS automatically blocks every
host that seems to attack them. Now, as an attacker, I'd spoof all relevant
legitimate hosts, and the IPS would block access to them - a wonderful
Denial of Service, trademark "self-created". Without a whitelist, you'll
even disconnect yourself from your very own hosts, f.e. a DNS server.

> Do you have other suggestions?


Dump the idea of an IPS for the mentioned reasons. Carefully calculate the
actual costs of sensibly reading and evaluating the IDS output, and compare
it to the marginal security benefits it offers - and most likely you'll end
up dumping the IDS as well.
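
The self-inflicted DoS described in this post can be shown with a small simulation. The following is an added example, not code from anyone in the thread: it parses a handful of constructed Snort-style "fast" alert lines (addresses from the RFC 5737 documentation ranges, rule names made up) and compares a naive "block every alerting source" policy with one that keeps a whitelist of critical infrastructure, ignores alerts over stateless protocols whose source address cannot be trusted, and requires a threshold before acting. The whitelist contents, the threshold and the alert format are all assumptions of the example.

```python
"""Added example (not from the thread): an auto-blocking IPS fed by IDS
alerts, showing how a spoofed source address turns the IPS into a
self-created denial of service, and one way to narrow the blast radius.

All alert lines are constructed; addresses are RFC 5737 documentation
ranges and the rule names are invented for illustration.
"""
import re
from collections import Counter

# Constructed alerts in Snort "fast" style. 192.0.2.53 is the site's own DNS
# server; the ICMP/UDP lines naming it as source carry a forged address.
ALERTS = """\
01/21-10:00:01.000 [**] [1:1000001:1] TEST SCAN probe [**] {ICMP} 203.0.113.9 -> 192.0.2.10
01/21-10:00:02.000 [**] [1:1000001:1] TEST SCAN probe [**] {ICMP} 192.0.2.53 -> 192.0.2.10
01/21-10:00:03.000 [**] [1:1000002:1] TEST DNS malformed [**] {UDP} 192.0.2.53:53 -> 192.0.2.10:33000
01/21-10:00:04.000 [**] [1:1000003:1] TEST WEB attack [**] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80
01/21-10:00:05.000 [**] [1:1000003:1] TEST WEB attack [**] {TCP} 198.51.100.7:40002 -> 192.0.2.10:80
01/21-10:00:06.000 [**] [1:1000003:1] TEST WEB attack [**] {TCP} 198.51.100.7:40003 -> 192.0.2.10:80
01/21-10:00:07.000 [**] [1:1000003:1] TEST WEB attack [**] {TCP} 192.0.2.20:40004 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Assumed whitelist: hosts the site must never lock itself out of.
NEVER_BLOCK = {"192.0.2.53", "192.0.2.1"}   # DNS server, default gateway
# Stateless protocols: the source address is trivially forgeable, so an
# alert alone says nothing reliable about who sent the packet.
SPOOFABLE = {"ICMP", "UDP"}


def parse_alerts(text):
    """Turn fast-format alert lines into dicts; lines that don't match are dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def naive_blocklist(alerts):
    """What a naive IPS does: block every source that appears in any alert."""
    return sorted({a["src"] for a in alerts})


def hardened_blocklist(alerts, threshold=3):
    """Block a source only if it is not whitelisted, alerted over a
    connection-oriented protocol (so it at least completed a handshake),
    and crossed the threshold. Returns {source: decision with reason}."""
    counts = Counter()
    decisions = {}
    for a in alerts:
        src = a["src"]
        if src in NEVER_BLOCK:
            decisions.setdefault(src, "skipped: whitelisted infrastructure")
            continue
        if a["proto"].upper() in SPOOFABLE:
            decisions.setdefault(src, "skipped: stateless protocol, source unverifiable")
            continue
        counts[src] += 1
        if counts[src] >= threshold:
            decisions[src] = f"blocked: {counts[src]} {a['proto']} alerts"
        else:
            decisions[src] = f"pending: {counts[src]}/{threshold} alerts"
    return decisions


def blocked_sources(decisions):
    """Sources the hardened policy would actually push into the firewall."""
    return sorted(s for s, d in decisions.items() if d.startswith("blocked"))


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    print("naive policy blocks:   ", naive_blocklist(parsed))
    for src, why in hardened_blocklist(parsed).items():
        print(f"hardened policy {src:14} {why}")
    print("hardened policy blocks:", blocked_sources(hardened_blocklist(parsed)))
```

Run as a script, the naive policy blocks the site's own DNS server (192.0.2.53) and an internal host that tripped a single rule, exactly the outcome the post warns about; the hardened policy blocks only 198.51.100.7. The whitelist and the "connection-oriented only" rule shrink the damage but do not remove it: the whitelist covers only the hosts you already thought of, and a legitimate partner host that is compromised or used as a relay still gets blocked on a handful of TCP alerts.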

Re: Using IDS logs to enforce IPS rules?

on 22.01.2008 08:55:21 by leonardodiserpierodavinci

On Jan 21, 7:29 pm, "Sebastian G." wrote:
> No, because of spoofing. Consider that an IPS automatically blocks every
> host that seems to attack them. Now, as an attacker, I'd spoof all relevant
> legitimate hosts, and the IPS would block access to them - a wonderful
> Denial of Service, trademark "self-created". Without a whitelist, you'll
> even disconnect yourself from your very own hosts, f.e. a DNS server.

Well, a decent IDS/IPS is supposed to be smarter than that ;-)

> Dump the idea of an IPS for the mentioned reasons. Carefully calculate the
> actual costs of sensibly reading and evaluating the IDS output, and compare
> it to the marginal security benefits it offers - and most likely you'll end
> up dumping the IDS as well.

So how do you protect your network (and ensure it stays protected)?

Re: Using IDS logs to enforce IPS rules?

on 22.01.2008 13:38:46 by Sebastian Gottschalk

leonardodiserpierodavinci@gmail.com wrote:

> On Jan 21, 7:29 pm, "Sebastian G." wrote:
>> No, because of spoofing. Consider that an IPS automatically blocks every
>> host that seems to attack them. Now, as an attacker, I'd spoof all relevant
>> legitimate hosts, and the IPS would block access to them - a wonderful
>> Denial of Service, trademark "self-created". Without a whitelist, you'll
>> even disconnect yourself from your very own hosts, f.e. a DNS server.
>
> Well, a decent IDS/IPS is supposed to be smarter than that ;-)


Spoofing is not just limited to hosts, and you can't create any general
whitelist, so "smartness" (whatever this is, since AI isn't developed so
far) won't help.

> So how do you protect your network (and ensure it stays protected)?


Host security and firewalling?

Re: Using IDS logs to enforce IPS rules?

on 22.01.2008 15:02:20 by leonardodiserpierodavinci

On Jan 22, 1:38 pm, "Sebastian G." wrote:

> Host security and firewalling?

Of course, these are the basis. So you suggest avoiding IDS/IPS. Is
there any other security layer that can be added?

Re: Using IDS logs to enforce IPS rules?

on 22.01.2008 18:35:43 by Sebastian Gottschalk

leonardodiserpierodavinci@gmail.com wrote:

> On Jan 22, 1:38 pm, "Sebastian G." wrote:
>
>> Host security and firewalling?
>
> Of course, these are the basis. So you suggest avoiding IDS/IPS. Is
> there any other security layer that can be added?


Strong encryption and authentication. Access control for the network, f.e.
via IEEE 802.11X, RADIUS etc.