Friday, November 23, 2007

Passive Fingerprinting by IDS

In a classical setup a security administrator needs to deploy: an IDS to match signatures against network traffic and send alerts to the operator's console, a VA scanner to find vulnerable hosts in the network, and a correlation mechanism which should somehow collate information about discovered vulnerabilities with triggered IDS events, decide whether an event is important or not, and automatically adjust the event's severity.

Keeping in mind that an IDS monitors all traffic between two hosts, I don't understand why commercial IDSs don't perform passive OS fingerprinting. In my opinion IDS fingerprinting could be even more accurate than that of an active scanner, because the IDS can analyze actual interactions between systems rather than responses to probes.

Let me summarize some parameters that an IDS can check to figure out which OS is in use (more information is available below):

and, finally, the history of successful attacks. If the IDS can see whether an attack was successful or not, it can guess not only the OS but also the version of the compromised service.

I saw this idea realized in snortpf, but it is still absent in commercial products. The main advantage of such NIDS behaviour is that it can decide by itself whether a matched signature is important or not, for example, when it sees a DCOM Remote Activate BO attack against a Linux host.

If implemented appropriately, it should be possible for the administrator to correct the IDS' assumptions, which would allow correction of the system's misinterpretations.

It is no secret that the huge number of false positives is the IDS' biggest disadvantage. To my mind, passive fingerprinting by the IDS would significantly reduce the "noise" in IDS logs.
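As an added illustration (not code from the post, snortpf or any commercial IDS), the following sketch shows the two pieces described above: a p0f-style passive OS guess from the traits of a host's SYN packets, and an alert re-scorer that downgrades a signature aimed at one OS (the DCOM example) when the target host appears to run another, with an operator override so the administrator can correct a wrong guess. The fingerprint table, IP addresses and severities are constructed for the example; a real database carries many more fields.

```python
"""Constructed example: passive OS guess from SYN packet traits (p0f style),
then re-scoring of an IDS alert against the guessed OS of the target host."""
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified p0f-style table: (initial TTL, TCP window, DF) -> OS.
# Real fingerprint databases use many more fields (MSS, option order, WS, ...).
SYN_FINGERPRINTS = {
    (64, 5840, True): "Linux",
    (64, 65535, True): "FreeBSD",
    (128, 8192, True): "Windows",
    (128, 65535, True): "Windows",
    (255, 4128, False): "Cisco IOS",
}
INITIAL_TTLS = (64, 128, 255)


def guess_os(observed_ttl, window, df):
    """Round the observed TTL up to the nearest common initial TTL (routers
    decrement it in transit), then look the traits up in the table."""
    initial_ttl = next((t for t in INITIAL_TTLS if observed_ttl <= t), None)
    if initial_ttl is None:
        return "unknown"
    return SYN_FINGERPRINTS.get((initial_ttl, window, df), "unknown")


@dataclass
class HostProfile:
    guessed_os: str = "unknown"
    admin_os: Optional[str] = None  # operator correction overrides the guess

    def os(self):
        return self.admin_os or self.guessed_os


def learn_hosts(syn_records):
    """Build src_ip -> HostProfile from observed SYNs: (ip, ttl, window, df)."""
    hosts = {}
    for ip, ttl, window, df in syn_records:
        hosts[ip] = HostProfile(guessed_os=guess_os(ttl, window, df))
    return hosts


def adjust_severity(sig_target_os, base_severity, profile):
    """Keep the severity when the target's OS matches the signature's OS or is
    unknown; downgrade it when the signature cannot apply to that OS."""
    host_os = profile.os()
    if host_os in ("unknown", sig_target_os):
        return base_severity
    return "low"
```

An alert for a Windows-only signature against a host learned as Linux is reduced to "low", while the same alert against an unknown host keeps its original severity, so the fingerprint only ever suppresses noise it can justify.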

More information:

3 comments:

Igor Gots said...

Anyway, I think it is not an absolute decision.
When you work with IDS logs, you not only have to know the name of the OS, but sometimes the patchset, the "third number" in the software version and so on.
It is good for gathering initial information for analysis or good for a lazy administrator.

Sergey Soldatov said...

Igor, what decision would you call 'absolute'? nmap?
Well, I think my proposal is better than nmap, because it works even for firewalled hosts - it analyses actual traffic regardless of whether the scanned host responds to probes or not.
Concerning active fingerprinting (i.e. nmap), I don't understand why an IDS can't send specially crafted packets and analyse the responses to them - the same idea as sending reset packets to terminate a TCP connection (in the ISS RealSecure network sensor this response is called RSKill; you can find more about it in the ISS Knowledge Base at http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_alp.php #96 - How does a RealSecure Kill (RSKill) work?)

Sergey Soldatov said...

Two pieces of news related to this topic.
1. ISS is planning to implement this idea in the near future.
2. Cisco has already implemented passive fingerprinting in Cisco IPS 6.0.