[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISSForum] RE: Adv RSSP students guide



Hi list!
I'd like to share my correspondence about how RNE triggers events if more
then one signature were found in packet or session. I've got to know that
"the most important" event will be seen in console and I think that it
isn't correct for IDS, because knowledge about priority in which events are
triggered can give an attacker the opportunity to evade IDS and hide the
real invasion. May be I don't understand something, please, correct me if
I'm wrong.

ANY feedback will be appreciated.

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
----- Forwarded by Sergey V Soldatov/DKB/HQ-MSK/TNK on 20.12.2004 09:39
-----
                                                                                                                   
              Sergey V Soldatov                                                                                    
                                               To:      "Ballerini, Jean Paul (ISS EMEA)"                          
              08.12.2004 10:53                 <JPBallerini@xxxxxxx>@TNK                                           
                                               cc:                                                                 
                                               Subject: RE: Adv RSSP students guide(Document link: Sergey V        
                                               Soldatov)                                                           
                                                                                                                   



Hope, that I still have not bothered you enough, but it's very serious, I
think. As I've understood you if some packet or number of packets in
analysed session match a lot of signatures I'll get "the most important" in
console, but the only one ?!
It isn't right for sensor, _all_ matched signatures must be shown in
console or analysed by correlation engine (if it is). If RNE really shows
only one event - it's bug that has to be fixed.
In this case I have another question, - where can I get a list with
signatures priorities to get to know which signature will be displayed in
case when a number "high" events were found?

You can post answers on ISSForum, I think, this topic may be interesting
for all.
Good luck.
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)


                                                                                                                    
              "Ballerini, Jean Paul                                                                                 
              (ISS EMEA)"                      To:       "Sergey V Soldatov" <SVSoldatov@xxxxxx>                    
              <JPBallerini@xxxxxxx>            cc:                                                                  
                                               Subject:  RE: Adv RSSP students guide                                
              07.12.2004 19:10                                                                                      
                                                                                                                    
                                                                                                                    




Sergey,

We detect the all events but generate only one, the one with highest
risk because it is the most important for blocking.

Jean Paul

-----Original Message-----
From: Sergey V Soldatov [mailto:SVSoldatov@xxxxxx]
Sent: Monday, December 06, 2004 3:19 PM
To: Ballerini, Jean Paul (ISS EMEA)
Subject: Adv RSSP students guide

Reading Adv RSSP students guide (05/23/03) on p. 79 within server sensor
data path explanation I've found interesting phrase:
'Unlike Network Sensor, Server sensor allows events to match more than
one
signature at a time.' Does it mean that in case of RNE one packet can
trigger only one signature if matches? As I can see in SP Console it
isn't
so, and it's QUITE RIGHT. But if it's so and I've understood this
correctly
it is awfully, because it presumes to intruder to hide really important
events among informationl ones and so pass over IDS. Early versions of
Snort had such vulnerability, but it was corrected a long time ago. Is
it
so? Please, let me know.

Good luck!

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)










_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.