[Discussion] a few ideas

Edward Bjarte Fjellskål edward.fjellskal at redpill-linpro.com
Wed Mar 4 15:44:01 UTC 2009


Kevin Ross wrote:
> Hey I have a few more ideas:
>
> 1) rather than have the engine load all the signatures required for
> everything it is watching, why not be able to have directed rulesets?
> I.e. say only process these rules for these networks or machines, but
> don't do it for these.
>
> For instance if there was a single sensor watching traffic to and from
> a network segment with a few Linux servers and windows clients, rather
> than enabling all the rules necessary I can say watch the necessary
> rules for windows while not applying the Linux rules and vice versa.
> i.e. have netbios rules for the 192.168.1.0/24 network but not for
> hosts 192.168.1.40-45, that way unnecessary rules are not applied on
> traffic going to hosts/networks which don't need them.
> It may not be a good example for netbios due to specific ports that
> are used but in an IIS/Apache web farm for example it could be useful.
>
> I think the best way to decide on this would be a whitelist/blacklist
> approach so you can say apply these rules/rulesets to this entire
> network except for these hosts, or say do not apply the ruleset to this
> network except for these hosts. That way a sensor watching a mixed
> network segment can apply the rules more accurately to the traffic.
>
> 2) suggestive rule tuning. I.e. the sensor does not see any netbios
> traffic within a learning period; it can then say "no netbios traffic
> has been seen, do you wish to disable this ruleset" or something
> similar, like "do you have Windows machines?". Likewise, if the sensor
> sees something that a ruleset/rule is not enabled for, it can suggest
> that it is enabled. This suggestive tuning could make it easier for new
> users to tune the system. This would lend itself well to a webgui/gui
> approach where an area could have suggested tuning options.
>

I have been thinking of this too, but I always end up with the same
conclusion...
Have all rules enabled for all hosts :) Then do the correlation
afterwards...

i.e. I don't have control over our lab or our wireless. So I don't know
when there is a Windows machine or a unix machine there.

I like the way sguil (http://sguil.sourceforge.net/) handles this. You
can set up "auto categorization" on events,
and if you know the event is a false positive, you make a rule for it. I
made a "wish" of having it done easy from the GUI, like right click and
things would be auto-populated, and you can just click "OK" if the data
fits your needs.
(http://nsmwiki.org/Sguil_Feature_Wish_List)

I want to take this one step further, and try to do this automatically...
I'm working on a little perl daemon to sniff the traffic and detect the OS
and services running on my network. Hopefully, in the future, this could
be used to automatically help in the "auto categorization" of events... in
sguil or other IDS guis...
( http://www.gamelinux.org/?p=43  and  http://gamelinux.github.com/prads/ )

Basically, I want to have all the events for "historic" reasons... and I
want to filter out what the analysts see.
If there was an event that did pass, it would be in the database, and
other anomaly detection running through the database might pick it up etc.

I'm lacking sleep at the moment, and my head is fried... Hope my email
makes sense.

E
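The two approaches discussed in this thread, directed rulesets with host exclusions and asset-aware auto categorization of events after the fact, sketched as an added example (not code from the list, sguil or prads); the asset inventory, rules and events are constructed, and the field names are assumptions:

```python
from ipaddress import ip_address, ip_network

# Constructed asset inventory, the kind a passive OS/service
# fingerprinter could learn over time: host -> OS family, listening ports.
ASSETS = {
    "192.168.1.10": {"os": "linux",   "ports": {22, 80}},
    "192.168.1.40": {"os": "windows", "ports": {139, 445}},
}

# Constructed rules: each names the OS it is relevant to and the networks
# it is directed at, minus excluded hosts (whitelist/blacklist scoping).
RULES = {
    1001: {"msg": "NETBIOS SMB probe", "os": "windows",
           "networks": ["192.168.1.0/24"],
           "exclude": ["192.168.1.40", "192.168.1.41"]},
    2001: {"msg": "SSH brute force", "os": "linux",
           "networks": ["192.168.1.0/24"], "exclude": []},
    3001: {"msg": "Solaris telnet exploit", "os": "solaris",
           "networks": ["192.168.1.0/24"], "exclude": []},
}


def rule_applies(rule, dst):
    """Directed ruleset check: dst lies in a listed network and is not excluded."""
    addr = ip_address(dst)
    if any(addr == ip_address(x) for x in rule["exclude"]):
        return False
    return any(addr in ip_network(n) for n in rule["networks"])


def categorize(event, assets=ASSETS, rules=RULES):
    """Return (queue, reason) for a stored event.

    Every event stays in the database; the queue only decides whether the
    analyst sees it ("analyst") or it is auto categorized away ("auto").
    """
    rule, dst = rules[event["sid"]], event["dst"]
    if not rule_applies(rule, dst):
        return ("auto", "rule not directed at this host")
    asset = assets.get(dst)
    if asset is None:
        return ("analyst", "unknown host, nothing to tune on yet")
    if rule["os"] != asset["os"]:
        return ("auto", f"{rule['os']} rule against {asset['os']} host")
    return ("analyst", "rule matches asset profile")


def suggest_tuning(assets=ASSETS, rules=RULES):
    """Suggestive tuning: rules whose target OS was never seen in the learning period."""
    seen = {a["os"] for a in assets.values()}
    return sorted(sid for sid, r in rules.items() if r["os"] not in seen)
```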
