Skip to main content

Applying "Getting Things Done" to IPSs

Getting Things Done, or "GTD" for short, as I've blogged about before, several times, is a method of personal organization with a focus on accomplishing tasks.  It's great for applying to email (Inbox Zero) and it's great for organization of your personal life (read some of the articles I've written before, particularly this one).

Some IDS and IPS courses and teachers will tell you to turn on everything, and log everything because that's the only way you'll find anything.  I don't disagree with that, but there are several problems with this philosophy, design, bandwidth, dropping packets, time, money, and performance.  Just to name a few.  Plus, who wants to sit there and look for everything.  Most IDS analysts I know are just trying to keep their head above water.  They want to just figure out a better way to deal with the information that is coming in, not increase the amount of information coming in.  Some people have this same problem with email, which is why I am such and advocate to Inbox Zero and GTD to learn to deal with the increased amount of information that we are being subjected to.

What if we took this same philosophy to IDS/IPS?  While this can primarily work with a Snort based device, such as Sourcefire, it can work with about anything.

Step One:  Turn everything off.
Yup.  Just as a test, create a new IPS policy and turn everything off, if you can.  (If you can't then just move on to Step 2.)  Now the focus of this exercise is only to turn on what is relavant to you, so that's what we are going to do, reset expectations.

Step Two:  Use RNA
(If you don't have RNA, obviously you can skip this step, but go ahead and read it so that you know what you are missing.)  Go to your new policy, use your RNA Recommended Rules Configuration to essentially tie the IPS policy to a certain sensors or series of sensors.  RNA Recommended Rules will take the vulnerabilities that RNA has detected in Realtime (or that it received via the Host API or Qualys or Nessus or Nmap...) and uses the information to give you suggestions about what to turn on in your network.  Use the R3 (RNA Recommended Rules) to provide you those recommendations and then go over them with the common sense test.  As you know RNA tells you what you could be vulnerable to.  Your system is "Guilty until Proven Innocent", hopefully you can take the time and tell your system what your network is not vulnerable to, but lets leave that for another day right now.  Turn on the rules that are relevant to you and your network.  Don't turn on ICMP Port Unreachable.  You'll see why in Step Five.

Step Three:  Turn on any rules that are relavant.
Want to look for Spyware?  Turn on the spyware rules.  Want to look for Chat clients?  Turn on the chat rules, etc.

Step Four:  Push the policy, and wait.
Give the new policy 24 hours if you are on a slow network, or maybe just let it run over your lunch period.  Let the policy run on your network for an acceptable amount of time, you be the judge with your common sense hat.

Step Five:  Look at your alerts.
Now, go back and look at your alerts.  Time to start cleaning out.  For each event I want you to follow a flow, I want you to decide if it is an actionable alert.  Are you going to physically do something with this event?  Are you going to report it to the Desktop security people?  Are you going to block the port at the firewall?  Update the Antivirus?  What are you going to do with the event?

If you think about the next "actionable" event you are going to do with the alert, and you decide, well, I am going to do nothing with the event, then shut the rule off.  No point in running a rule if you aren't going to react to it's logging.  Do you allow AOL Instant Messenger on your network, and your AIM rules are alerting?  What are you going to do about it?  You allow it right?  So you are going to do nothing?  Okay, then shut the rule off.

What if you don't want to shut off the rule, but only want to shut it off going to a particular machine?  Well, the suppress it based on IP.  What if you don't want to shut off a rule, but it's alerting too much?  Then threshold it.  My point is, do something.

Do that for all the events in the period that you set in Step Four.  Do this once a day, and after you do it, at the end of each time, repush your policy, then do it again the next "period".  Do this for several days.  This step, in case you haven't noticed will need to be done every day.  Every update there will be new things for you to explore and catch.  Begin at the beginning.

Step Six:  What are you going to DO now?
Now, you have a bunch of alerts you intend to do something with.  Now, do you create trouble tickets?  Do you start working with various teams?  You get the point.

Step Seven: Now that your head is above water, you can experiment
After you have done the first six steps satisfactorily to a point where you can handle your IDS and IPS, you can deal with anything that comes in.  You have a process, now you have best practices.  Now, you can turn on rules that you are interested in.  Things that you don't (or might) have to deal with.  Things that you may have had on before but never got a chance to look at.  Rules that alert on obfuscated javascript for instance.  You can go play.

Warning:  Just a word before you start this process. Warn your coworkers and boss that you are about to become much more efficient and start filing more tickets.  Because you will.

Oh, and make backups of your policies before you make changes.  In fact, create new policies based off of your old ones and work off the new ones.

Please leave comments below.


Popular posts from this blog

Offset, Depth, Distance, and Within

Without going off the deep-end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people sometimes misunderstand.  They aren't difficult, and hopefully after this explanation and a few examples, I can clear some of the air around these five modifiers.

The five modifiers that I am talking about are
OffsetDepthDistanceWithinnocaseThese five modifiers are not keywords of themselves, but rather they apply as modifiers to another keyword.  That keyword is "content". The content keyword is one of the easiest pieces of the Snort rules language as all it does is look for a particular string.  So for instance if I wanted to look for the word "joel" within a packet.  A simple:
content:"joel";Would allow me to do that.  The interesting part comes into play when you want to specify where inside of a particular packet you want the string "joel" to be looked for.  If you are running just a plain content ma…

Writing Snort Rules Correctly

Let me start off by saying I'm not bashing the writer of this article, and I'm trying not to be super critical.  I don't want to discourage this person from writing articles about Snort rules.  It's great when people in the Snort community step up and explain some simple things out there.  There are mistakes, it comes with the territory.  If you choose to be one of the people that tries to write Snort rules, you also choose to be someone who wants to learn how to do it better.  That's why I write this blog post, not to bash the writer, but to teach.

I noticed this post today over at the "Tao of Signature Writing" blog, and to be honest I glanced over most of it figuring it was a rehash of things I've already read or things that have already been written from countless people about "Here's how you write Snort rules!".  I scrolled down quickly skimming, not reading at all really, and noticed this part:
Now, let us look at the second questio…

Safari 5.1.4 now available

Safari 5.1.4 now available, fixes issues and improves performance | TUAW - The Unofficial Apple Weblog:

Improve JavaScript performanceImprove responsiveness when typing into the search field after changing network configurations or with an intermittent network connectionAddress an issue that could cause webpages to flash white when switching between Safari windowsAddress issues that prevented printing U.S. Postal Service shipping labels and embedded PDFsPreserve links in PDFs saved from webpagesFix an issue that could make Flash content appear incomplete after using gesture zoomingFix an issue that could cause the screen to dim while watching HTML5 videoImprove stability, compatibility and startup time when using extensionsAllow cookies set during regular browsing to be available after using Private BrowsingFix an issue that could cause some data to be left behind after pressing the "Remove All Website Data" button