
New Open Source Intrusion Detector Suricata Released

Posted by timothy
from the open-but-not-promiscuous dept.
richrumble writes "The OISF has released the beta version of the Suricata IDS/IPS engine: The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. This new Engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB!), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards."
  • by Anonymous Coward on Thursday December 31, 2009 @06:52PM (#30610686)

    I'm not trying to be a troll here or anything, but are IDS/IPS systems actually worthwhile?

    We started using Snort back around 2002 when I worked at a hosting provider and it was one of the biggest waste of resources in the NOC department.

    The first issue is that there was no way we were going to inject such a box that could ever modify the packets going through the border routers/switches (no server was fast enough for starters), so that eliminated any "prevention" from happening.

    The next issue is that it was constantly an issue of which rules to enable vs. the amount of traffic that needed to be sorted through. The IDS servers had more hardware than most of our database servers and they still couldn't keep up with just a fraction of the rules that we would have liked to have enabled. Traffic was increasing at a much faster pace than CPU speed was too at that time.

    The final nail in the coffin though was that it was a huge time sink, and resulted in almost zero benefits. It took hours to actually go through the alerts being triggered and investigate them in more detail to determine if they were legit or just a false alarm, but then what... Either a server was compromised or it wasn't, and in many cases it's not exactly easy to determine if a server was compromised or not, especially if it was a SQL injection that simply modified a user's password or something.

    Now you could say without the "prevention" part of the formula the usefulness is severely limited, but I just can't see making something like this take a critical role in a network, as most of them are dead easy to DDOS unless the vast majority of rules are disabled. It would be easy enough for an attacker to send their attack payload in the midst of a minor DDOS from a cable modem or two and the IDS system would have no way to keep up. Heck, you can DDOS most recursive DNS servers with just a few hundred carefully crafted packets per second.

    I know some companies have "wire speed" IDS systems, which the definition of "wire speed" and the number/complexity of the rules involved are surely hidden in the fine print somewhere, but those systems would also break most budgets.

    Am I missing something?

  • by Martin Blank (154261) on Thursday December 31, 2009 @07:08PM (#30610806) Journal

    You are. Your IDS was incredibly poorly-tuned, a very common problem in IT. First guideline: turn off signatures for anything that you're not running. It makes no sense to watch your inbound traffic for Windows signatures if you run Apache on RHEL. If all you have are web servers and they do only HTTP, there's no reason to watch for SMTP.

    Making the move to IPS is always tricky. You have to figure out what level of false positives you're willing to accept. If it's zero, well, you don't need an IPS. But odds are that you will come across some strange but innocuous traffic that the IPS doesn't like, and it trips a rule and blocks the traffic.

    In addition, you need to get the hardware for the solution. A server-based Snort solution works well for low-bandwidth scenarios, but at most hosting providers, you need a dedicated appliance solution built on ASICs. If you like Snort, you go to Sourcefire. Otherwise, you find solutions from McAfee (Intrushield), Tipping Point, IBM, etc. They have boxes that scale into the gigabit-per-second range, with latencies under 1ms in most cases, and there are a few true-10Gbps solutions out there now. Yes, they can be quite expensive, but the low-end systems (essentially highly-tuned servers) can start at as low as a few thousand dollars.

    But in any case, rule tuning is an ongoing item, and anyone that tells you that an IDS/IPS will reduce your time requirements is probably trying to get you to sign a contract. It can reduce overall time requirements by alerting you early in the attempt to compromise a system and save you all the time of recovery, but that is not a certain thing.
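The "turn off signatures for anything you're not running" guideline above can be applied mechanically to a Snort/Suricata-format rule file. The script below is an added example, not code from the Slashdot post, the OISF or the Suricata project: it parses each rule header (action, protocol, source, destination, ports, options), compares the destination port against an inventory of services the site actually runs, and comments out rules that cannot match anything on the monitored network. Port-agnostic rules (destination port `any`) are kept, since scan and protocol-anomaly signatures still apply. The rule set is constructed for the example and its sids are made up.

```python
"""Disable IDS rules whose target service is not in the site's inventory.

Added example, not Suricata/Snort project code and not from the post above.
Assumes the Snort/Suricata rule header layout:
    action proto src sport -> dst dport (options)
"""
import re

# Constructed sample rule set in Snort/Suricata syntax; sids are made up.
SAMPLE_RULES = """\
# Constructed sample rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example traversal attempt"; content:"../"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP example command"; content:"VRFY"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example"; flow:to_server; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN example any port"; flags:S; sid:1000005; rev:1;)
"""

# Header grammar: action, protocol, src, sport, direction, dst, dport, then "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|log)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Return the header fields of one rule line, or None for comments/blank lines."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def port_matches(port_field, allowed):
    """True if a destination port spec ('25', '[80,443]', '1024:', 'any') can
    hit a port in `allowed`; 'any' always matches so port-agnostic rules stay on."""
    if port_field == "any":
        return True
    for part in port_field.strip("[]").split(","):
        part = part.strip()
        if ":" in part:                      # range, possibly open-ended
            lo, hi = part.split(":")
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 65535
            if any(lo <= p <= hi for p in allowed):
                return True
        elif part.isdigit() and int(part) in allowed:
            return True
    return False


def tune_rules(text, inventory):
    """Comment out rules targeting services absent from `inventory`.

    inventory maps protocol -> set of listening ports, e.g. {"tcp": {80, 443}}.
    Returns (tuned_text, list_of_disabled_sids)."""
    out, disabled = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:                     # comment, blank or unparsable: keep as-is
            out.append(line)
            continue
        allowed = inventory.get(rule["proto"].lower(), set())
        if port_matches(rule["dport"], allowed):
            out.append(line)
        else:
            sid = re.search(r"sid:\s*(\d+)", rule["opts"])
            disabled.append(int(sid.group(1)) if sid else None)
            out.append("# disabled by tuning (service not in inventory): " + line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    # Site running only HTTP/HTTPS on TCP: SMTP, SMB and DNS rules are disabled.
    tuned, off = tune_rules(SAMPLE_RULES, {"tcp": {80, 443}})
    print(tuned)
    print("disabled sids:", off)
```

Run against a real rule set, the inventory should come from an authoritative source (a port scan of your own hosts or the configuration management database) rather than from memory, and the script should be rerun whenever a service is added, since a newly deployed mail relay silently falls outside the tuned rules otherwise.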
