
I have been given the task of configuration audit as my first task in my first job. As a challenge I have to find vulnerabilities by reading the logs of the PuTTY session and I do not have access to the console.

Please share if you have any links to read and learn about doing config reviews of IDS/IPS. Particularly,

What are some of the common mistakes that are found during the configuration audit of IPS/IDS?

EDIT

I am looking for something along the lines of this. Only since I do not have access to the console, I have to read between the lines to find vulnerabilities. Through the configuration, if I find something like: manage telnet status set enable. I know that telnet is enabled, so I will report it as a finding.

xandfury
    What did Google say? Did you also search for best practices and tips? – Neil Smithline Sep 06 '15 at 03:16
  • @NeilSmithline Yes. I didn't get anything specific. Most whitepapers discuss "about" IPS and IDS. They do not give details about hardening security or configuration review audit. Also, I was able to find MBSS for specific IPS. But I am more interested in finding vulnerabilities. Such as Telnet should be disabled etc. – xandfury Sep 06 '15 at 03:28
  • Because you are asking about "configuration", it's going to depend on the specific software being configured. Also, this sounds like a contrived challenge. There won't be "classic" mistakes to point you towards, you'll have to use your imagination and deductive logic. – schroeder Sep 06 '15 at 03:51
  • To provide a direct answer, I've only seen whitebox IDS testing, and tests are performed specifically towards the known configuration, trying variations and tweaks on typical attacks while evading the IDS ruleset. I do it with custom scripts. – schroeder Sep 06 '15 at 03:54
  • @schroeder I understand that. I am looking for some sort of a checklist and/or learning resources from where I can develop "instinct". An example would be to check the versions of SNMP (say). Please check the description of my question. I have edited it to provide some details. – xandfury Sep 06 '15 at 04:16
  • Unfortunately, my answer is the same. Each environment is going to be different, and what is "allowed" is up to the rules and policies in place. If your systems require SNMPv2, then it needs to be allowed by the IDS. Maybe that's the place to start: to ask what the standards are for your organization and compare that to what you see in the logs. – schroeder Sep 06 '15 at 04:28
  • @schroeder Isn't there anything I can read? It could be scenario-wise analysis or a case study. Please share anything that could be helpful. – xandfury Sep 06 '15 at 04:58
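The line-by-line approach the question's edit describes (spot a setting such as manage telnet status set enable in the saved session log and record it as a finding) can be made repeatable with a small scanner. The script below is an added example, not code from the question or from any vendor: the session log sample and the device command syntax are constructed (modelled on the one line quoted in the question), and the check list is an assumption that should be replaced by the organisation's own standard, as schroeder's comment recommends.

```python
import re
from typing import Dict, List

# Constructed sample of a saved PuTTY session log containing a configuration
# dump. The command syntax is hypothetical, modelled on the
# "manage telnet status set enable" line from the question; it is not the
# output of any real device.
SAMPLE_LOG = """\
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.09.06 03:10:12 =~=~=~=~=~=~=~=~=~=~=~=
login: auditor
device> manage telnet status set enable
device> manage ssh status set enable
device> manage snmp version set 2c
device> manage snmp community set public
device> manage http status set disable
device> manage password-policy min-length set 6
"""

# A check is: (pattern, extra condition on the match or None, title, severity).
# Only the settings discussed on the page (Telnet, SNMP version) plus two
# generic hardening items are included; this list is an assumption and should
# be derived from the organisation's own configuration standard.
CHECKS = [
    (re.compile(r"\btelnet\b.*\bset\s+enable\b", re.I), None,
     "Telnet management enabled (credentials sent in cleartext)", "High"),
    (re.compile(r"\bsnmp\b.*\bversion\s+set\s+(1|2c?)\b", re.I), None,
     "SNMP v1/v2c in use (no authentication or encryption; prefer v3)", "Medium"),
    (re.compile(r"\bsnmp\b.*\bcommunity\s+set\s+(public|private)\b", re.I), None,
     "Default SNMP community string", "High"),
    (re.compile(r"\bmin-length\s+set\s+(\d+)\b", re.I),
     lambda m: int(m.group(1)) < 8,
     "Minimum password length below 8", "Low"),
]

# PuTTY writes a banner line of this shape at the top of each session log.
PUTTY_HEADER = re.compile(r"^=~=~.*PuTTY log")


def audit_log(text: str) -> List[Dict[str, object]]:
    """Scan every line of a session log and return findings in order of appearance."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or PUTTY_HEADER.match(line):
            continue  # skip blank lines and PuTTY's own log banner
        for pattern, condition, title, severity in CHECKS:
            m = pattern.search(line)
            if m and (condition is None or condition(m)):
                findings.append({"line": lineno, "severity": severity,
                                 "title": title, "evidence": line})
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"[{f['severity']}] line {f['line']}: {f['title']}\n    {f['evidence']}")
```

Each finding keeps the line number and the verbatim configuration line as evidence, which is what a reviewer without console access can actually point to in the report; run it against a real saved log with audit_log(open("session.log").read()).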

1 Answer


As schroeder said, your job seems to be to pinpoint whether the IDS/IPS correctly enforces the company policy, i.e. raises an alert when something goes against the policy and remains quiet when the traffic complies with the policy.

So there is just no way you can correctly check if the IDS/IPS is "correctly configured" without having a clear knowledge of the current policy.

In order to find "vulnerabilities", i.e. traffic allowed by the IDS/IPS while not allowed by the policy, you indeed need to have a clear view of things like:

  • Who is allowed to connect,
  • To what resources are they allowed to connect,
  • From where are they allowed to connect,
  • When are they allowed to connect,
  • How are they allowed to connect.

Once you know this, you will be able to pinpoint rules which are too strict (false positives), too lax (false negatives), or just missing.

WhiteWinterWolf
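As an added illustration of the answer's point (not part of the answer itself), the script below models the five policy dimensions the answer lists (who, to what, from where, when, how), then compares the written policy against the allow rules an auditor has reconstructed from an IDS/IPS configuration and sorts each discrepancy into too lax (false negatives), too strict (false positives) or missing. The policy entries, the rule entries and the two-level time-window scale are all constructed assumptions; a real comparison would use the organisation's own policy and the device's actual rule semantics.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True, order=True)
class Flow:
    """One kind of permitted connection, in the five dimensions the answer lists."""
    who: str        # user or group allowed to connect
    resource: str   # what they may connect to
    origin: str     # from where (source network)
    when: str       # "business-hours" or "any"
    how: str        # protocol used to connect


# Constructed policy: what the organisation says is allowed.
POLICY: Set[Flow] = {
    Flow("admins", "core-switch", "mgmt-net", "any", "ssh"),
    Flow("netops", "core-switch", "mgmt-net", "business-hours", "snmpv3"),
    Flow("staff", "intranet", "office-net", "any", "https"),
    Flow("vpn-users", "intranet", "remote-net", "any", "https"),
}

# Constructed allow rules, as hypothetically reconstructed from a config dump.
IDS_ALLOWS: Set[Flow] = {
    Flow("admins", "core-switch", "mgmt-net", "any", "ssh"),            # matches policy
    Flow("admins", "core-switch", "mgmt-net", "any", "telnet"),         # never authorised
    Flow("netops", "core-switch", "mgmt-net", "any", "snmpv3"),         # wider window than policy
    Flow("staff", "intranet", "office-net", "business-hours", "https"), # narrower than policy
    # no rule at all for vpn-users -> intranet
}

# Assumed ordering of time windows: "any" strictly contains "business-hours".
WINDOW_RANK = {"business-hours": 1, "any": 2}


def key(f: Flow) -> Tuple[str, str, str, str]:
    """Identify a flow without its time window, so scope differences can be compared."""
    return (f.who, f.resource, f.origin, f.how)


def reconcile(policy: Set[Flow], ids_allows: Set[Flow]) -> Tuple[List[Flow], List[Flow], List[Flow]]:
    """Return (too_lax, too_strict, missing), each sorted for stable reporting."""
    policy_by_key = {key(p): p for p in policy}
    ids_by_key = {key(r): r for r in ids_allows}
    too_lax: List[Flow] = []
    too_strict: List[Flow] = []
    missing: List[Flow] = []
    for r in ids_allows:
        p = policy_by_key.get(key(r))
        if p is None:
            too_lax.append(r)        # flow the policy never authorises: false negative
        elif WINDOW_RANK[r.when] > WINDOW_RANK[p.when]:
            too_lax.append(r)        # same flow, but allowed outside the policy window
        elif WINDOW_RANK[r.when] < WINDOW_RANK[p.when]:
            too_strict.append(r)     # same flow, but blocked inside the policy window: false positive
    for p in policy:
        if key(p) not in ids_by_key:
            missing.append(p)        # policy permits it, no rule covers it at all
    return sorted(too_lax), sorted(too_strict), sorted(missing)


if __name__ == "__main__":
    for label, flows in zip(("too lax", "too strict", "missing"), reconcile(POLICY, IDS_ALLOWS)):
        print(label.upper())
        for f in flows:
            print(f"  {f.who} -> {f.resource} from {f.origin} via {f.how} ({f.when})")
```

The split matters for the report: a "too lax" entry is an exposure to fix, a "too strict" entry generates noise that operators may learn to ignore, and a "missing" entry shows the policy was never translated into the device at all.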