I think the middle part of the continuum that I see the most value in is honing IDS into something which is used to build solid blacklists based on client compromises which can be used as an API by other technologies. So, I would definitely say that I'm in the server-side camp in that I don't want anything to do with client-side code other than providing a list that somebody else's client-side code could use. I hope my "Proposal" didn't insinuate otherwise. I meant it as a place to start discussing specific technology we would like to use, but it was apparently a bit premature.<br>
<br>--Martin<br><br><div class="gmail_quote">On Tue, Oct 21, 2008 at 6:21 PM, David Glosser <span dir="ltr"><<a href="mailto:david.glosser@gmail.com">david.glosser@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Where does granny's ISP fall into this and the Server-supply ISP?<br>
Is it more of a continuum between granny and the server and back?<br>
<br>
Basically, following the bouncing malware packet back and forth...<br>
Just brainstorming and attempting to identify ALL possible and<br>
potential places to inject this new project...<br>
<div><div></div><div class="Wj3C7c"><br>
<br>
<br>
On Tue, Oct 21, 2008 at 6:44 PM, <<a href="mailto:robert.jamison@bt.com">robert.jamison@bt.com</a>> wrote:<br>
> It seems we're a split camp with:<br>
><br>
> [Keynesian CAMP]<br>
> Client Side Product/Service with ability to protect/detect compromise on<br>
> grannyx home user<br>
> *scope most thoroughly represented by Martin's " RFC: Proposal for<br>
> Analysis Framework"<br>
><br>
> [Supply Side CAMP]<br>
> Focus on server side protection for net critical assets<br>
> *Andre/Jack "What is absolutely horrible in its current state is<br>
> IDS/IPS" / "Client side is simply not possible due to political and<br>
> religious issues."<br>
><br>
> Additional notes gathered (I've just caught up on my reading;-)<br>
><br>
> (a) Consideration for re-write defanging capability as inline protection<br>
> (b) Efficiency in stream storage--essentially normalize data inspection<br>
> so it doesn't have to be redone by multiple engines<br>
> (c) XML vs. Binary distribution of verbose alerts vs. instruction<br>
> inferred datapoints<br>
> (d) Consideration for extending existing project Bro<br>
><br>
> Anything I'm missing?<br>
><br>
> Rob<br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:discussion-bounces@openinfosecfoundation.org">discussion-bounces@openinfosecfoundation.org</a><br>
> [mailto:<a href="mailto:discussion-bounces@openinfosecfoundation.org">discussion-bounces@openinfosecfoundation.org</a>] On Behalf Of Matt<br>
> Jonkman<br>
> Sent: Sunday, October 19, 2008 12:48 PM<br>
> To: Martin Holste<br>
> Cc: <a href="mailto:discussion@openinfosecfoundation.org">discussion@openinfosecfoundation.org</a>; <a href="mailto:rMslade@shaw.ca">rMslade@shaw.ca</a><br>
> Subject: Re: [Discussion] What are we making? -- CLIENT Side<br>
><br>
> Martin Holste wrote:<br>
>> I'm guessing that the intent is to be the "detection" component of the<br>
>> Trusted Internet Connection (TIC)<br>
>> (<a href="http://taosecurity.blogspot.com/2007/12/feds-plan-to-reduce-then-monitor.html" target="_blank">http://taosecurity.blogspot.com/2007/12/feds-plan-to-reduce-then-monitor.html</a>),<br>
>> in which the mandate is to protect all federal assets, especially the<br>
>> federal desktop environment.<br>
><br>
> Certainly a sound approach to tackle such a problem. Glad I don't have<br>
> to solve that one, it's huge among gov't agencies. Especially in the US,<br>
> but surely similar everywhere.<br>
><br>
><br>
>> Even if DHS has different goals, I think<br>
>> that this group could do a great service by providing the TIC's<br>
>> protection geared toward the client-side, and I think for most sectors,<br>
>> that's where the most imminent threats lie. Again, I'm certainly not<br>
>> saying that defending servers is out of scope, just that IDS has<br>
>> historically been about defending servers as the primary goal, with<br>
>> clients secondary, and I think that needs to be reversed now.<br>
><br>
> I agree. At emerging threats we've been lately heavy into post-infection<br>
> signatures in our research. There are many vulnerabilities out there in<br>
> client apps, but I'd venture to say that a very high percentage of the<br>
> infections out there aren't the result of a remotely exploitable<br>
> vulnerability. Most come from users clicking on email attachments,<br>
> installing fake software/codecs, and visiting websites with hostile<br>
> code.<br>
><br>
> We've tried many times to write effective signatures to detect hostile<br>
> html/java/gifs, etc. It's just not feasible as is. Code is too flexible<br>
> for signature-based approaches. You can say the same thing a hundred<br>
> ways, especially in html.<br>
><br>
> So how can we go after client side?<br>
><br>
> I really REALLY am not excited about trying to make a windows client.<br>
> Not only does that open up a huge responsibility in support and the<br>
> inevitable bluescreens, but I have had a difficult time over the years<br>
> believing that any process on ANY os (especially windows) could be<br>
> trusted and independent enough to watch itself. Take into account how<br>
> easy it is for trojans and rootkits to shut down antivirus, or blind it.<br>
> And these are products with hundreds of the most skilled coders around<br>
> working on them.<br>
><br>
> I know we're sharp as a community, but I don't think that's a battle we<br>
> want to get in to. So how can we do it at the network layer?<br>
><br>
> Sandboxing?<br>
><br>
> Virtual emulators?<br>
><br>
> Or do we continue the thinking that for any infection to be of any use<br>
> to anyone it has to generate traffic? It has to call home, send spam,<br>
> report stolen information, something. So we concentrate on detecting and<br>
> stopping the post infection?<br>
><br>
> What does everyone think about that?<br>
><br>
> Matt<br>
><br>
><br>
>><br>
>> --Martin<br>
>><br>
>> On Sat, Oct 18, 2008 at 9:31 PM, Andre Ludwig <<a href="mailto:aludwig@packetspy.com">aludwig@packetspy.com</a>> wrote:<br>
>><br>
>> I doubt the intent of the DHS is to simply do good, they are most likely<br>
>> much more focused on producing technology that allows them to<br>
>> detect/mitigate/prevent attacks against critical components. This of<br>
>> course means detecting attacks that fly below the threshold of detection<br>
>> for today's technology. If it comes to "doing good" or detecting state<br>
>> sponsored attacks against critical components (think custom attacks<br>
>> against unknown vulns), I'm going to go out on a limb and say they would<br>
>> rather protect the critical component vs the enduser.<br>
>><br>
>> What you are discussing still has value and merit but I'm not so sure it<br>
>> is what should be focused on, but of course I am not the person to<br>
>> decide such things.<br>
>><br>
>> Andre<br>
>><br>
>><br>
>> Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:<br>
>> > Question: what are we making? Oh, yeah, I read the blurb: "The OISF has been<br>
>> > chartered and funded to build a next-generation intrusion detection and prevention<br>
>> > engine. This project will consider every new and existing technology, concept and<br>
>> > idea to build a completely open source licensed engine."<br>
>> ><br>
>> > OK, we're making an IDS. But I think we need to be more specific. In particular,<br>
>> > we need to answer the question of "who."<br>
>> ><br>
>> > Since the DHS has provided money, I suspect there would be an automatic<br>
>> > assumption that this is a heavy-duty device intended for use to protect major<br>
>> > servers and nodes in the critical information infrastructure. (Whatever that<br>
>> > means.) This kind of thing is built by professionals, for professionals. Trained<br>
>> > people.<br>
>> ><br>
>> > However, given the current computing environment, I think it would be relatively<br>
>> > easy to make a case that such a device is not going to do all that much good. That<br>
>> > a more accessible device, intended for "Grannyx" users, would actually do more to<br>
>> > protect the infrastructure. After all, it isn't major nodes on the net that make up<br>
>> > botnets, it's the little guys. Protect them, and you reduce the threat. This is the<br>
>> > "low hanging fruit" for the blackhats, so protecting that crop is going to give us<br>
>> > the greatest benefit for the commitment of resources.<br>
>> ><br>
>> > This makes a difference. Not, perhaps, in terms of questions about multithreading<br>
>> > analysis streams using graphics co-processors. But certainly in most other areas.<br>
>> ><br>
>> > We've talked about extensibility. If we create a standard template or format for<br>
>> > signatures, the "who" makes a difference. Professionals need a warning and a<br>
>> > packet. Grannyx users need a warning, no packet, a clear explanation of what and<br>
>> > how important, and a recommended course of action. Makes a difference to the<br>
>> > template.<br>
>> ><br>
>> > In terms of my recommendation of a paran-o-meter, it makes a difference.<br>
>> > Actually, I see huge debates over initial settings: do we keep it low to keep from<br>
>> > crying wolf, or keep it high to keep people as safe as possible. But one thing that<br>
>> > should be done is make the paranoia settings not-quite-obvious up front, so that<br>
>> > somebody needs to know a little about the implications before they start fiddling<br>
>> > with settings.<br>
>> ><br>
>> > Heck, if it's a professional device, we don't need to worry about the interface at<br>
>> > all. If it's for Granny, we definitely do.<br>
>> ><br>
>> > It also makes a difference in terms of the technology to be included. If it is for<br>
>> > professionals, we can throw in everything. If for Granny, we need to make a<br>
>> > careful choice about maximum protection for minimum performance drain.<br>
>> ><br>
>> > ====================== (quote inserted randomly by Pegasus Mailer)<br>
>> > <a href="mailto:rslade@vcn.bc.ca">rslade@vcn.bc.ca</a> <a href="mailto:slade@victoria.tc.ca">slade@victoria.tc.ca</a> <a href="mailto:rslade@computercrime.org">rslade@computercrime.org</a><br>
>> > I'm getting so absent-minded that sometimes in the middle of<br>
>> > <a href="http://victoria.tc.ca/techrev/rms.htm" target="_blank">victoria.tc.ca/techrev/rms.htm</a> <a href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank">blogs.securiteam.com/index.php/archives/author/p1/</a><br>
>> > _______________________________________________<br>
>> > Discussion mailing list<br>
>> > <a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
>> > <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
>> ><br>
>><br>
><br>
> --<br>
> --------------------------------------------<br>
> Matthew Jonkman<br>
> Emerging Threats<br>
> Phone 765-429-0398<br>
> Fax 312-264-0205<br>
> <a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
> --------------------------------------------<br>
><br>
> PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br>
><br>
><br>
><br>
</div></div></blockquote></div><br>
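Two points from the thread above lend themselves to a concrete illustration: Matt's argument that any useful infection has to generate traffic (call home, send spam, report stolen data), and Martin's proposal to turn what the IDS sees into a solid blocklist that other technologies can consume. The following is an added example written for this page; it is not OISF code and nothing in the thread describes this routine. It scans a constructed flow log for clients that contact the same destination at near-constant intervals, the signature of a timer-driven callback rather than a human browsing, and emits those destinations as a blocklist. The flow records, IP addresses, thresholds and function names are all assumptions made up for the example.

```python
"""Post-infection beacon detection over constructed flow records.

Added example for this thread, not OISF/Suricata code. Instead of
signaturing the (endlessly rewritable) infection vector, look for the
traffic a compromised client must produce: regular callbacks to one
destination. Publish those destinations as a blocklist.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow log: (timestamp_seconds, src_ip, dst_ip, dst_port).
# Made-up data for the example, not captured traffic.
SAMPLE_FLOWS = [
    # 10.0.0.5 calls 198.51.100.7:443 every ~60 s: timer-driven, suspicious
    (0, "10.0.0.5", "198.51.100.7", 443),
    (61, "10.0.0.5", "198.51.100.7", 443),
    (120, "10.0.0.5", "198.51.100.7", 443),
    (181, "10.0.0.5", "198.51.100.7", 443),
    (240, "10.0.0.5", "198.51.100.7", 443),
    (300, "10.0.0.5", "198.51.100.7", 443),
    # 10.0.0.5 also browses normally: irregular gaps to a web server
    (5, "10.0.0.5", "203.0.113.10", 80),
    (9, "10.0.0.5", "203.0.113.10", 80),
    (140, "10.0.0.5", "203.0.113.10", 80),
    (143, "10.0.0.5", "203.0.113.10", 80),
    (290, "10.0.0.5", "203.0.113.10", 80),
    # 10.0.0.9 touches the web server only twice: too few flows to judge
    (30, "10.0.0.9", "203.0.113.10", 80),
    (35, "10.0.0.9", "203.0.113.10", 80),
]


def beacon_score(timestamps):
    """Return (mean_gap, coefficient_of_variation) for a list of timestamps.

    The coefficient of variation (stdev / mean of the inter-arrival gaps)
    is near zero for evenly spaced connections, which is what a sleep()
    loop produces and what browsing or mail reading does not. Returns
    None when there are too few gaps to say anything.
    """
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Group flows by (src, dst, port) and flag regular, repeated callbacks.

    min_connections and max_cv are example thresholds (assumed values);
    a deployment would tune them against its own baseline traffic.
    """
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        groups[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        interval, cv = score
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval": round(interval, 1),
                         "cv": round(cv, 3), "count": len(stamps)})
    return hits


def build_blocklist(hits):
    """Collapse beacon hits into the dst:port list a proxy or firewall can pull.

    This is the 'API for other technologies' idea: the detector publishes
    destinations, the enforcement point decides what to do with them.
    """
    return sorted({f"{h['dst']}:{h['port']}" for h in hits})


if __name__ == "__main__":
    found = find_beacons(SAMPLE_FLOWS)
    for h in found:
        print(f"{h['src']} -> {h['dst']}:{h['port']} every ~{h['interval']}s "
              f"(cv={h['cv']}, n={h['count']})")
    print("blocklist:", build_blocklist(found))
```

Two caveats before anything built this way is published as a blocklist. Regular intervals are not unique to malware: NTP, update checkers and mail clients polling on a timer will score just as low, so an allowlist pass (or a reputation check on the destination) belongs between detection and publication. And malware that jitters its sleep raises the coefficient of variation, so the threshold trades false positives against missed beacons; a destination-based list also only stays useful for as long as the callback infrastructure stays put.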