How to Misuse an Intrusion Detection System
I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email:
(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)
(washington|london|new york)
Here is part of my reply to the Bleeding-Sigs thread.
These rules are completely inappropriate.
First, there is no digital security aspect of these rules, so the "provider exception" of the wiretap act is likely nullified. Without obtaining consent from the end users (and thereby protection under the "consent exception"), that means the IDS is conducting a wiretap. The administrator could go to jail, or at least expose himself and his organization to a lawsuit from an intercepted party.
Second, the manner in which most people deploy Snort would not yield much insight regarding why these rules triggered. At best a normal Snort user would get a packet containing content that caused Snort to alert. That might be enough to determine no real "terrorism" is involved, but it might also be enough to begin an "investigation" that stands on dubious grounds due to my first point.
Third, does anyone think real terrorists use any of the words listed in the rules? If anyone does, they have no experience with the counter-terrorism world.
An IDS should be used to provide indicators of security incidents. Otherwise, it becomes difficult to justify its operation, legally and ethically.
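To make the second and third points concrete, here is an added example (not from the original post or the bleeding-sigs thread) that runs the two keyword lists quoted above, as Python regular expressions, over a handful of constructed messages. The thread did not show the pcre flags, so case-insensitive matching is an assumption, and the sample texts are made up for the example rather than real traffic:

```python
import re

# The two keyword lists quoted from the thread, compiled as case-insensitive
# regexes (case-insensitivity is an assumption; the thread showed no flags).
SUBJECT_RE = re.compile(
    r"(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)", re.I
)
TARGET_RE = re.compile(r"(washington|london|new york)", re.I)

# Constructed sample payloads (not captured traffic): ordinary news, sports
# and office mail that happen to contain the keywords, plus one line whose
# author broke the words up on purpose.
SAMPLES = {
    "news": "London: MPs debate the response to the attack on the rail network.",
    "sports": "The Redskins' attack faltered again in Washington on Sunday.",
    "office": "Team, the New York deadline is a death march; the refactor "
              "will destroy the legacy code.",
    "obfuscated": "W-a-s-h-i-n-g-t-o-n meeting at 10, a.tta.ck plan attached",
}


def classify(text):
    """Return (subject_hit, target_hit): the substring each list matched, or
    None. This is all a keyword rule can hand an analyst: the matched bytes,
    nothing about who wrote them or why."""
    s = SUBJECT_RE.search(text)
    t = TARGET_RE.search(text)
    return (s.group(0) if s else None, t.group(0) if t else None)


def run_rules(samples=SAMPLES):
    """Apply both rules to every sample."""
    return {name: classify(text) for name, text in samples.items()}


def rule_hits(results):
    """Count how many samples each rule fired on."""
    subject = sum(1 for s, _ in results.values() if s)
    target = sum(1 for _, t in results.values() if t)
    return subject, target


if __name__ == "__main__":
    results = run_rules()
    for name, (s, t) in results.items():
        print(f"{name:<11} subject={s!r:<10} target={t!r}")
    print("hits per rule (subject, target):", rule_hits(results))
```

Every benign sample trips both rules, while the one line written to evade them matches nothing, which is the shape of the problem: an alert tells you only that a common English word appeared in a packet, and anyone who cares about not being seen will not use the word.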
Unfortunately, I saw both rules (at least commented out) in the latest bleeding ruleset.
What do you think?
Comments
Sadly, I have gotten a few e-mails asking me if I support terror groups after I posted to the list complaining that the rule is a bad idea. Hopefully you won't get the same.
You are 100% right on this. Thanks for raising awareness on this.
Those "terrorist rules" per se are vague and, allow me, just plain stupid. Maybe in some weird context it makes sense to the author.
PS: Jim, those people asking if you support terrorist groups...did I mention stupid before? ;)
:)
Chuck
If an 11 yr old can figure out how to get past simple filters just to communicate with another 11 yr old, what makes someone think that someone out to take innocent lives is going to spell out "Washington, DC" or "London"?
Come on! Whoever wrote those rules has way too much time on their hands...and not enough of that time is spent in the real world. You should have taken the blue pill!!
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
But this isn't content filtering - it's content alerting. Filtering for words that commonly appear in the news seems like a way to keep someone busy chasing "events" and exposing the company to legal liabilities for wiretapping.
Bleeding Snort rules are *VERY* useful, but it's also useful to keep an eye on what's new. You can do it with Oinkmaster [1] or through RSS:
Syndication Feeds
http://www.bleedingsnort.com/staticpages/index.php?page=feeds
The rules in question are in the bleeding-policy.rules [2] individual ruleset. I would also recommend implementing individual rulesets, not bleeding-all.rules [3].
Regards,
--
Ronaldo C Vasconcellos
CAIS/RNP
Security Incidents Response Center
Brazilian Research and Academic Network
http://www.rnp.br/en/cais
[1] Oinkmaster
http://oinkmaster.sourceforge.net/
[2] bleeding-policy.rules
http://www.bleedingsnort.com/bleeding-policy.rules
[3] bleeding-all.rules
http://www.bleedingsnort.com/bleeding-all.rules
Note: This is a joke. This is not real.
On second thought, maybe we should leave the keyword stuff to the NSA ;^)
There's a lot to not like here...