Wednesday, March 23, 2011

IDS Signatures

I'll soon be moving into a new job, where I'll be supporting an IDS with a closed signature set. If you're new to NetSec and are tasked with researching a company's first IDS/IPS, NOT buying a system with a closed signature set is a really good idea. What I mean by a closed set is that the signatures are not editable, or even viewable, by the analyst. Companies will claim "that's our proprietary information and we can't let anyone see it to prevent theft of our intellectual property".
Amazingly enough, other IDS companies have open signature sets and do not have any of those predicted issues. What closing the signature set DOES do to the analyst using the system includes:

  • Blinding the analyst to what traffic actually triggered the alert, making it difficult at best to determine whether the alert was a false or true positive.
  • Preventing the analyst from modifying the signature to narrow its scope and cut down on false positives, or from using it as the template for a new signature customized to the company's individual needs.
  • Keeping the analyst from sanity-checking new signatures, to see whether the vendor is putting out intelligent, well-researched signatures or just throwing out a very generic signature that will also trigger on hundreds of other packets with similar packet data. Vendors will do this so they can say their signature base detects threat xyz, regardless of whether the signature is well written or not.
One of the first questions you should ask any vendor (in my opinion) is whether they have an open signature set, whether the analyst/admin can modify or remove signatures (through the GUI, not through a request process to the vendor), AND whether custom signatures can be added.
Another thing to ask, if the signature set is open, is whether the signatures are written in a proprietary language. Being able to write a signature by just following the prescribed format (like Snort or Dragon) is a great boon to the analyst, and cuts way down on the learning curve to get operational. Anyone can learn to write a Snort signature in a short time. However, learning to write a good Snort signature takes a good deal more investment of time.
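As an added illustration (not from the original post), here is what narrowing the scope of an overly generic signature looks like in Snort 2.9 rule syntax, the kind of edit a closed signature set prevents. The indicator string "badtool", the rule messages and the sid numbers are constructed placeholders.

```snort
# Constructed example: a vendor-style generic signature. It fires on ANY TCP
# packet, in either direction, whose payload contains the string "badtool":
# mail bodies, file transfers and a web page discussing the tool all trip it.
alert tcp any any -> any any ( \
    msg:"EXAMPLE generic badtool string match"; \
    content:"badtool"; \
    sid:1000001; rev:1; \
)

# The same detection with its scope narrowed. Each added option removes a
# class of false positives and documents what the rule actually looks for:
#   - $EXTERNAL_NET -> $HOME_NET $HTTP_PORTS: only requests to our web servers
#   - flow:to_server,established: only the client side of an established session
#   - http_header and the pcre /H flag: the string must be a User-Agent header
#     value, not just bytes that happen to appear somewhere in the payload
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE badtool User-Agent in HTTP request to web server"; \
    flow:to_server,established; \
    content:"User-Agent|3A| badtool/"; nocase; http_header; \
    pcre:"/^User-Agent\x3a\s*badtool\/\d+\.\d+/Hmi"; \
    classtype:web-application-activity; \
    sid:1000002; rev:1; \
)
```

The narrowed rule relies on the http_inspect preprocessor being enabled for $HTTP_PORTS, since the http_header buffer and the pcre /H flag only exist for traffic that preprocessor has normalized.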
