Using IDS logs to enforce IPS rules?

Posted by leonardodiserpierodavinci@gmai on January 18, 2008, 11:35 am
Hi,

Do you know any solution (better if open source) to compare IDS and
IPS logs in such a way that IDS logs are used to automatically enforce
IPS rules?
I googled around but all I found was a reference to SnortAlog.
Thanks in advance for any hint.

L


Posted by Sebastian G. on January 18, 2008, 11:43 am
leonardodiserpierodavinci@gmail.com wrote:


> Do you know any solution (better if open source) to compare IDS and
> IPS logs in such a way that IDS logs are used to automatically enforce
> IPS rules?


An Intrusion Protection System is typically defined as a combination of an
IDS and an automatic rule creation as reaction to the IDS log entries.

At any rate, over time this hasn't become any less stupid. So better
think twice and abandon this idea.

Posted by leonardodiserpierodavinci@gmai on January 21, 2008, 5:48 am
> An Intrusion Protection System is typically defined as a combination of an
> IDS and an automatic rule creation as reaction to the IDS log entries.
>
> At any rate, over time this hasn't become any less stupid. So better
> think twice and abandon this idea.

You mean because of the circular dependency?
Do you have other suggestions?
Thanks for your answer.

Posted by Sebastian G. on January 21, 2008, 1:29 pm
leonardodiserpierodavinci@gmail.com wrote:

>> An Intrusion Protection System is typically defined as a combination of an
>> IDS and an automatic rule creation as reaction to the IDS log entries.
>>
>> At any rate, over time this hasn't become any less stupid. So better
>> think twice and abandon this idea.
>
> You mean because of the circular dependency?


No, because of spoofing. Consider that an IPS automatically blocks every
host that seems to attack it. Now, as an attacker, I'd spoof all relevant
legitimate hosts, and the IPS would block access to them - a wonderful
Denial of Service, trademark "self-created". Without a whitelist, you'll
even disconnect yourself from your very own hosts, e.g. a DNS server.

> Do you have other suggestions?


Dump the idea of an IPS for the mentioned reasons. Carefully calculate the
actual costs of sensibly reading and evaluating the IDS output, and compare
it to the marginal security benefits it offers - and most likely you'll end
up dumping the IDS as well.
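
Below is an added Python example, not code from the thread or from any product it mentions, that models the failure mode described in the reply above: IDS alerts whose source address was forged to look like the site's own DNS server turn into IPS blocks against that server unless an allowlist protects it and a per-source threshold keeps a single forged alert from earning a block. The alert lines, addresses and the simplified alert layout are all constructed for the example.

```python
"""Toy IDS-alert-to-IPS-block evaluator (added example, not from the thread).

Shows the self-inflicted Denial of Service that blind auto-blocking invites:
alerts with a spoofed source equal to a legitimate host become a block
against that host. An allowlist of critical infrastructure prevents the
worst case; a minimum alert count per source adds a little friction.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample alerts in a simplified "timestamp src dst signature" layout.
# 192.0.2.53 is assumed to be the site's own DNS server; the alerts naming it
# as source are forged by an outside party, which the IDS cannot tell apart.
SAMPLE_ALERTS = [
    "2008-01-21T13:00:01 203.0.113.7 192.0.2.10 PORTSCAN",
    "2008-01-21T13:00:02 203.0.113.7 192.0.2.10 PORTSCAN",
    "2008-01-21T13:00:03 203.0.113.7 192.0.2.10 PORTSCAN",
    "2008-01-21T13:00:04 192.0.2.53 192.0.2.10 PORTSCAN",  # spoofed as our DNS
    "2008-01-21T13:00:05 192.0.2.53 192.0.2.10 PORTSCAN",
    "2008-01-21T13:00:06 192.0.2.53 192.0.2.10 PORTSCAN",
    "2008-01-21T13:00:07 198.51.100.9 192.0.2.10 PORTSCAN",  # single alert only
]


def parse_alert(line):
    """Split one constructed alert line into its fields."""
    ts, src, dst, *sig = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "sig": " ".join(sig)}


def decide_blocks(alert_lines, allowlist=(), threshold=3):
    """Return (blocked, protected): sources the IPS would block, and sources
    that met the threshold but were spared only because of the allowlist.

    allowlist: CIDR strings for hosts that must never be auto-blocked.
    threshold: alerts a source must accumulate before a block is considered.
    """
    protected_nets = [ip_network(n) for n in allowlist]
    hits = Counter(parse_alert(line)["src"] for line in alert_lines)
    blocked, protected = [], []
    for src, count in hits.items():
        if count < threshold:
            continue  # a lone alert never earns a block
        if any(src in net for net in protected_nets):
            protected.append(str(src))  # would have been a self-created DoS
        else:
            blocked.append(str(src))
    return sorted(blocked), sorted(protected)


if __name__ == "__main__":
    print("no allowlist :", decide_blocks(SAMPLE_ALERTS))
    print("with allowlist:", decide_blocks(SAMPLE_ALERTS, ["192.0.2.53/32"]))
```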

Posted by leonardodiserpierodavinci@gmai on January 22, 2008, 2:55 am
> No, because of spoofing. Consider that an IPS automatically blocks every
> host that seems to attack it. Now, as an attacker, I'd spoof all relevant
> legitimate hosts, and the IPS would block access to them - a wonderful
> Denial of Service, trademark "self-created". Without a whitelist, you'll
> even disconnect yourself from your very own hosts, e.g. a DNS server.

Well, a decent IDS/IPS is supposed to be smarter than that ;-)

> Dump the idea of an IPS for the mentioned reasons. Carefully calculate the
> actual costs of sensibly reading and evaluating the IDS output, and compare
> it to the marginal security benefits it offers - and most likely you'll end
> up dumping the IDS as well.

So how do you protect your network (and ensure it stays protected)?
