|Security isn't thin|
Mark "Fat Bloke" Osborne
Together we can eradicate IDS false positives
For about 100 years (i.e. since 2000) I have been banging on at conferences and security forums that IDS often don't work, not because the concept is bad but because the
At the time, I believed that techniques like anomaly detection held the key to the future of IDS, but that in the short term education plus careful deployment and tuning based on a server-weighted methodology (here) and a careful deployment strategy (here) could radically improve the detection rate and effectiveness.
I put into practice what I preached and enjoyed many happy engagements (engagement = job, in consultant speak) making IDS work. It was fun, and the people who contacted me found the work useful. During this time I discovered that before tuning most customers were getting stats of about 1/20, i.e. 1 "interesting" alert out of, say, 20. And generally this was because:
In early 2003 nobody had volunteered to collaborate (although some chaps from London 2600 did share some info), so in between versions of WIDZ, and whilst I was resting (consultant speak for having a huge falling out with several dumb-ass Scottish accountant types, then running away to find a new job with a big bag over one shoulder with "swag" written on it), I wrote I-am-doh as a proof of concept (i.e. I don't program worth a damn) to demonstrate how the above techniques can be used.
The concept of product re-usability is continued: all GUIs are based on existing products like gnome-terminal, which provides the ability to scroll and to open browser windows onto Bugtraq or nessus.org. These features would have taken ages to code!
I wasn't going to release the code ever, because you'd all been so bloody unco-operative, but in view of the comments from G**TNER last week about IDS being dead I thought I'd better release early.
BOTTOM LINE - I-AM-DOH filters out more than 75% of the false positives.
Give it a go; the code is as flaky as hell, but it proves a point.
I-am-doh [IDS-Attack Monitor-Desktop-DOH], also because I think Homer Simpson is a role model.
I-AM-DOH Screen Shots
Here is the basic I-AM-DOH desktop. One terminal shows a rolling log display of every alert in the alert file (this could be made to read from syslog instead). The other terminal shows a rolling log display of only those alerts that I-AM-DOH has processed and judged more worthy of attention.
This shows the screens in more detail.
This screen shows why I used a basic gnome-terminal instead of a simple HTTP display. Not only can I scroll up and down, I can also open the CVE or BID entry referenced by the alert in a browser window.
Here it shows an enquiry about a vulnerability on white hats.
Now on to I-am-doh: here we see an alert firing. It pops up a window; again, I could have made this a bit of HTML, but I decided to go for gmessage. This message times out after 30 seconds and retries for 3 attempts, but that is configurable.
The menu offers you a number of choices. These include:
And here we see the last of those options - list all events associated with this address.
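To make the two-terminal design (every alert in one window, only the alerts judged worth attention in the other) and the "list all events associated with this address" menu option concrete, here is a small added example. It is not I-AM-DOH's own code. It assumes Snort-style "fast" alert lines (constructed below; rule names, SIDs and addresses are illustrative), a made-up server inventory, and my own reading of "server weighted" tuning: an alert for a service the target host does not run is a false positive. The gmessage pop-up with its timeout and three retries is stood in for by a callable so the block runs offline.

```python
"""Toy false-positive filter in the spirit of I-AM-DOH (added example, not the
original code). Alert lines and the server inventory below are constructed."""
import re

# Constructed Snort "fast" alert lines; not captured from a real sensor.
SAMPLE_ALERTS = """\
03/11-10:15:01.123456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3344 -> 192.0.2.10:80
03/11-10:15:02.223456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3345 -> 192.0.2.20:80
03/11-10:15:03.323456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3346 -> 192.0.2.20:80
03/11-10:16:07.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.30
03/11-10:17:44.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:1434 -> 192.0.2.20:1434
03/11-10:18:00.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:1434 -> 192.0.2.10:1434
"""

# Hypothetical inventory (an assumption of this example): what each monitored
# host actually runs. Workstation 192.0.2.30 runs nothing.
SERVER_ROLES = {"192.0.2.10": {"iis"}, "192.0.2.20": {"apache", "mssql"}, "192.0.2.30": set()}
# Which service a rule family targets, keyed on the message prefix (assumption).
RULE_TARGETS = [("WEB-IIS", "iis"), ("MS-SQL", "mssql")]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def split_endpoint(ep):
    """'192.0.2.10:80' -> ('192.0.2.10', 80); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)

def parse_alert(line):
    """Parse one fast-format line into a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["src"], a["sport"] = split_endpoint(a["src"])
    a["dst"], a["dport"] = split_endpoint(a["dst"])
    a["prio"] = int(a["prio"]) if a["prio"] else None
    return a

def rule_target(msg):
    for prefix, service in RULE_TARGETS:
        if msg.startswith(prefix):
            return service
    return None

def score_alert(alert, roles=SERVER_ROLES):
    """Return (score, reason); score >= 1 means worth the analyst's attention."""
    target = rule_target(alert["msg"])
    dst_roles = roles.get(alert["dst"])
    if target is None:
        return 1, "generic rule, no service check possible"
    if dst_roles is None:
        return 1, "unknown host, cannot rule out"   # stay conservative
    if target in dst_roles:
        return 2, f"target runs {target}"
    return 0, f"target does not run {target}"

def triage(lines, roles=SERVER_ROLES):
    """Split the alert stream into (worthy, dropped): the second terminal vs. the bin."""
    worthy, dropped = [], []
    for line in lines.splitlines():
        a = parse_alert(line)
        if a is None:
            continue                           # blank or non-alert line
        score, why = score_alert(a, roles)
        (worthy if score >= 1 else dropped).append((a, score, why))
    return worthy, dropped

def events_for_address(lines, ip):
    """The 'list all events associated with this address' menu option: every
    alert, filtered or not, in which the address is source or destination."""
    return [a for a in map(parse_alert, lines.splitlines()) if a and ip in (a["src"], a["dst"])]

def notify_with_retry(alert, show, attempts=3, timeout_s=30):
    """Pop the alert up to `attempts` times; `show` stands in for gmessage and
    returns True if the analyst acknowledged within `timeout_s` seconds.
    Returns the attempt number that was acknowledged, or 0 if none was."""
    text = f"{alert['ts']} {alert['msg']} {alert['src']} -> {alert['dst']}"
    for n in range(1, attempts + 1):
        if show(text, timeout_s):
            return n
    return 0

if __name__ == "__main__":
    worthy, dropped = triage(SAMPLE_ALERTS)
    for a, score, why in worthy:
        print(f"KEEP  [{score}] {a['sid']} {a['msg']} -> {a['dst']}  ({why})")
    for a, score, why in dropped:
        print(f"DROP  [{score}] {a['sid']} {a['msg']} -> {a['dst']}  ({why})")
    print("events for 203.0.113.5:", len(events_for_address(SAMPLE_ALERTS, "203.0.113.5")))
```

On the constructed input half the alerts are dropped: the CodeRed and cmd.exe probes against the Apache box and the SQL worm aimed at the IIS box never reach the second terminal, while the same signatures against hosts that actually run the targeted service are kept. Unknown hosts and rules with no service mapping are kept on purpose; a filter that drops what it cannot classify is how a tuned IDS goes quietly blind.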