Using IDS logs to enforce IPS rules? [Archive] - SpeedGuide.net Broadband Community


leonardodiserpierodavinci@gmail.com
01-18-08, 11:35 AM
Hi,

Do you know any solution (better if open source) to compare IDS and
IPS logs in such a way that IDS logs are used to automatically enforce
IPS rules?
I googled around but all I found was a reference to SnortAlog.
Thanks in advance for any hint.

L

Sebastian G.
01-18-08, 11:43 AM
leonardodiserpierodavinci@gmail.com wrote:


> Do you know any solution (better if open source) to compare IDS and
> IPS logs in such a way that IDS logs are used to automatically enforce
> IPS rules?


An Intrusion Protection System is typically defined as a combination of an
IDS and an automatic rule creation as reaction to the IDS log entries.

At any rate, over time this hasn't become any less stupid. So better
think twice and abandon this idea.

Arjun
01-21-08, 04:30 AM
Try out the ISS Proventia solution; there you can have both simulation and
inline mode. Maybe that could be of great help to you.

leonardodiserpierodavinci@gmail.com
01-21-08, 05:48 AM
On Jan 18, 5:43 pm, "Sebastian G." <se...@seppig.de> wrote:
> An Intrusion Protection System is typically defined as a combination of an
> IDS and an automatic rule creation as reaction to the IDS log entries.
>
> At any rate, over time this hasn't become any less stupid. So better
> think twice and abandon this idea.

You mean because of the circular dependency?
Do you have other suggestions?
Thanks for your answer.

Sebastian G.
01-21-08, 01:29 PM
leonardodiserpierodavinci@gmail.com wrote:

> On Jan 18, 5:43 pm, "Sebastian G." <se...@seppig.de> wrote:
>> An Intrusion Protection System is typically defined as a combination of an
>> IDS and an automatic rule creation as reaction to the IDS log entries.
>>
>> At any rate, over time this hasn't become any less stupid. So better
>> think twice and abandon this idea.
>
> You mean because of the circular dependency?


No, because of spoofing. Consider that an IPS automatically blocks every
host that seems to attack it. Now, as an attacker, I'd spoof all relevant
legitimate hosts, and the IPS would block access to them - a wonderful
Denial of Service, trademark "self-created". Without a whitelist, you'll
even disconnect yourself from your very own hosts, e.g. a DNS server.

> Do you have other suggestions?


Dump the idea of an IPS for the mentioned reasons. Carefully calculate the
actual costs of sensibly reading and evaluating the IDS output, and compare
it to the marginal security benefits it offers - and most likely you'll end
up dumping the IDS as well.
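The self-inflicted denial of service Sebastian describes, as an added example that is not part of the original thread: a simulated alert-driven auto-block policy run over constructed Snort-style alert lines. Without an allowlist, two spoofed alerts carrying the site's own resolver and gateway as source addresses get both blocked; an allowlist of critical hosts, plus ignoring alerts from connectionless protocols, is the minimum safeguard. The alert lines, addresses, and function names are all constructed for this example.

```python
import ipaddress
import re

# Constructed Snort-style "fast" alert lines (not real logs). The first two
# carry the source addresses of the site's own DNS resolver and gateway:
# exactly what a spoofed packet would show, and what a naive auto-blocker bans.
SAMPLE_ALERTS = """\
01/21-13:29:01.000001 [**] [1:2000:1] SCAN example probe [**] {UDP} 203.0.113.7:53 -> 192.0.2.10:53
01/21-13:29:02.000002 [**] [1:2001:1] SCAN example probe [**] {ICMP} 192.0.2.1 -> 192.0.2.10
01/21-13:29:03.000003 [**] [1:2002:1] WEB example signature [**] {TCP} 198.51.100.23:40123 -> 192.0.2.10:80
01/21-13:29:04.000004 [**] [1:2003:1] SCAN example probe [**] {UDP} 198.51.100.99:1234 -> 192.0.2.10:161
"""

# Hosts the IPS must never block on its own (assumed resolver and gateway).
CRITICAL_HOSTS = ["203.0.113.7", "192.0.2.1"]

ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)")


def parse_alerts(text):
    """Return (protocol, source_ip, dest_ip) for every parseable alert line."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append((m["proto"], m["src"], m["dst"]))
    return events


def auto_block_candidates(events, allowlist=(), skip_connectionless=False):
    """Source addresses an alert-driven auto-blocker would add to its block list.

    allowlist: addresses or CIDR networks never blocked, whatever the alerts
        say (the whitelist the thread talks about).
    skip_connectionless: ignore UDP/ICMP alerts. A single UDP or ICMP packet
        can carry any source address, so blocking on it blocks whoever the
        sender chose to impersonate. TCP alerts are only safer when the rule
        requires an established session, which the alert line does not show.
    """
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    blocked = []
    for proto, src, _dst in events:
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue  # critical host: never auto-blocked
        if skip_connectionless and proto != "TCP":
            continue  # source address on a lone UDP/ICMP packet proves nothing
        if src not in blocked:
            blocked.append(src)
    return blocked
```

Run `auto_block_candidates(parse_alerts(SAMPLE_ALERTS))` with and without `allowlist=CRITICAL_HOSTS` to watch the resolver and gateway appear in, then disappear from, the block list.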

leonardodiserpierodavinci@gmail.com
01-22-08, 02:55 AM
On Jan 21, 7:29 pm, "Sebastian G." <se...@seppig.de> wrote:
> No, because of spoofing. Consider that an IPS automatically blocks every
> host that seems to attack it. Now, as an attacker, I'd spoof all relevant
> legitimate hosts, and the IPS would block access to them - a wonderful
> Denial of Service, trademark "self-created". Without a whitelist, you'll
> even disconnect yourself from your very own hosts, e.g. a DNS server.

Well, a decent IDS/IPS is supposed to be smarter than that ;-)

> Dump the idea of an IPS for the mentioned reasons. Carefully calculate the
> actual costs of sensibly reading and evaluating the IDS output, and compare
> it to the marginal security benefits it offers - and most likely you'll end
> up dumping the IDS as well.

So how do you protect your network (and ensure it stays protected)?

Sebastian G.
01-22-08, 07:38 AM
leonardodiserpierodavinci@gmail.com wrote:

> On Jan 21, 7:29 pm, "Sebastian G." <se...@seppig.de> wrote:
>> No, because of spoofing. Consider that an IPS automatically blocks every
>> host that seems to attack it. Now, as an attacker, I'd spoof all relevant
>> legitimate hosts, and the IPS would block access to them - a wonderful
>> Denial of Service, trademark "self-created". Without a whitelist, you'll
>> even disconnect yourself from your very own hosts, e.g. a DNS server.
>
> Well, a decent IDS/IPS is supposed to be smarter than that ;-)


Spoofing is not just limited to hosts, and you can't create any general
whitelist, so "smartness" (whatever this is, since AI isn't developed so
far) won't help.

> So how do you protect your network (and ensure it stays protected)?


Host security and firewalling?

leonardodiserpierodavinci@gmail.com
01-22-08, 09:02 AM
On Jan 22, 1:38 pm, "Sebastian G." <se...@seppig.de> wrote:

> Host security and firewalling?

Of course, these are the basics. So you suggest avoiding IDS/IPS. Is
there any other security layer that can be added?

Sebastian G.
01-22-08, 12:35 PM
leonardodiserpierodavinci@gmail.com wrote:

> On Jan 22, 1:38 pm, "Sebastian G." <se...@seppig.de> wrote:
>
>> Host security and firewalling?
>
> Of course, these are the basics. So you suggest avoiding IDS/IPS. Is
> there any other security layer that can be added?


Strong encryption and authentication. Access control for the network, e.g.
via IEEE 802.11X, RADIUS etc.