Focus on IDS
Reputation based IPS/IDS - Cisco's tested Aug 11 2009 03:49PM
Joel Snyder (Joel Snyder Opus1 COM) (1 replies)
Re: Reputation based IPS/IDS - Cisco's tested Aug 22 2009 05:34PM
Frank Knobbe (frank knobbe us) (1 replies)
On Tue, 2009-08-11 at 17:49 +0200, Joel Snyder wrote:
> Some of you may remember our discussion back in November, 2008 about
> using reputation services in IPS. (search for subject line "Email
> reputation for inout to IDSs?" if you want to read it).

From the article:
"This basic use of reputation filters isn't new, but what's interesting
is that Cisco will use this reputation data to change the Risk Rating of
security events identified by the IPS. In other words, an event linked
to a 'bad' IP address will result in an even higher Risk Rating."

Isn't this backwards? The risk to a system of an attack coming from an
known attacker compared to an unknown attacker is the same. Matter the
fact, I'd like to argue the opposite. Since the known attacker has
already been identified (and can be blocked), the Risk Rating of the
alert for that address should be lower. Unknown attackers should receive
a high Risk Rating so they stand out and can be addressed first (like
that laptop in the article's example).

Now, I understand that the *assurance* of the alert is higher, since the
attacker has already been verified as hostile, so the likelihood of a
false positive from that address is lower. But I think classifying the
known attackers as high risk so the user focuses on those first is a
misguided step in the wrong direction. I can already envision the
evasion scenario: Flood your target with SQL injections attacks through
known open proxies (so they receive a high Risk Rating), and slip in the
real attack from an unknown IP (classified now as ... not-so-high risk).
Which would you be more concerned about?

IP intelligence within the IDS console is of course of great benefit.
(we've been doing this for years. Then again, we've been using IP
reputation and blocking known evil IP's in a distributed fashion for
years as well...). Any IP intel for the analyst in the console is a good
thing. I'm just not sure that *interpreting* that IP intel on behalf of
the analyst is the right thing to do.

Thoughts?

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (FreeBSD)

iD8DBQBKkCxCpIc56HlJ1YARAnq+AJ0Uzs/Tw8crg3O8lwK1n1VLzDi+0QCdEOcV
6NFapIRAqseN6o1Dg6fRFiE=
=pCM7
-----END PGP SIGNATURE-----

[ reply ]
Re: Reputation based IPS/IDS - Cisco's tested Aug 24 2009 04:36PM
Gautam Singaraju (gautam singaraju gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus