October 22nd, 2002, 04:34 PM
Network Flight Recorder questions
I was wondering if any of you are familiar with the NFR IDS software/appliance.
I'm running this as an appliance on my network and I had a few concerns. Some of the packages it uses for its ruleset are kind of nebulous in their descriptions at best. I've recently been seeing an increase in "Invalid Network Attacks" from some pretty disparate networks. NFR is reporting these as bad addresses and a possible DoS attack. One of the networks that is sending these bad addresses to me is from icann.org, which doesn't make a whole lot of sense. I was wondering if I'm getting false positives on this and if there is a way that I can filter them out.
Some of the other networks that have been hitting me are from Spain, Denmark and Yugoslavia... those are all in the same address range but in different countries, and they all belong to some huge telecom in Europe it looks like.
Also something has been "resetting" my IDS every few hours. It's only down for about 10-20 seconds before coming up but I'm at a loss as to see what's doing it.
So is there anyone here familiar with this application? Anyone have any ideas as to why icann.org is sending me bad addresses, or why I'm seeing a large increase in bad addresses from Europe? How about why my IDS keeps resetting itself?
Any help you guys can provide will be greatly appreciated.
October 22nd, 2002, 04:39 PM
Haven't ever used NFR and you didn't mention if there is a consistent port that is being used; however, I would suspect that you are seeing these packets as HTTP or SSL packets, in which case, welcome to the wonderful world of worms (yes, Code Red, Nimda, Slapper, etc. are still floating around rather frequently). My suggestion would be to look at the payload of the packet... see something like default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN? I think if you will look at that you will probably have a good idea of what is going on.
Back when nimda and code red came out, their scanning/rate of infection was so high, it took on the characteristic of a DDoS attack. Some more information on payload/ports could help me make a better guess.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
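The payload check suggested in the reply above, as an added example that is not part of the original thread or of NFR's own N-Code: a small Python classifier that looks at captured HTTP request lines for the two probe shapes the reply alludes to (the Code Red `default.ida?NNNN...` overflow request and Nimda's `root.exe` / `cmd.exe` probes) and then counts worm-shaped hits per source address, which is the "so many infected hosts it looks like a DDoS" pattern the reply describes. The sample records are constructed for this example, the regular expressions are the editor's summary of the well-known probe shapes rather than anything from the page, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records (src_ip, HTTP request line). They are made up for this
# example and imitate the shapes of the Code Red and Nimda probes; none come from
# the original thread or from a real capture.
SAMPLE_RECORDS = [
    ("192.0.2.10", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    ("192.0.2.10", "GET /default.ida?" + "X" * 224 + " HTTP/1.0"),
    ("198.51.100.7", "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    ("198.51.100.7", "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("198.51.100.7", "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("203.0.113.5", "GET /index.html HTTP/1.0"),
    ("203.0.113.5", "GET /images/logo.gif HTTP/1.0"),
]

# Code Red (N filler) and Code Red II (X filler) both requested /default.ida with a
# long run of one character to overflow the IIS Index Server ISAPI extension.
# The 20-character floor is an assumption chosen to avoid matching a short query.
CODE_RED = re.compile(r"^GET\s+/default\.ida\?[NX]{20,}", re.IGNORECASE)

# Nimda probed IIS for an already-planted root.exe backdoor and for cmd.exe reached
# through directory traversal; matching on the executable names catches both forms.
NIMDA = re.compile(r"/(root|cmd)\.exe", re.IGNORECASE)


def classify(request_line):
    """Return 'code-red', 'nimda' or 'benign' for one HTTP request line."""
    if CODE_RED.search(request_line):
        return "code-red"
    if NIMDA.search(request_line):
        return "nimda"
    return "benign"


def worm_hits_by_source(records):
    """Count worm-shaped requests per (source address, worm label).

    Benign traffic is dropped so the result shows only the hosts that are
    scanning you, which is what you would feed into a filter or a block list.
    """
    counts = Counter()
    for src, request_line in records:
        label = classify(request_line)
        if label != "benign":
            counts[(src, label)] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, req in SAMPLE_RECORDS:
        print(f"{src:14} {classify(req):9} {req[:60]}")
    print(worm_hits_by_source(SAMPLE_RECORDS))
```

Run against a real capture you would swap `SAMPLE_RECORDS` for the decoded request lines from the alerts; if most of the "DoS" sources are sending these two request shapes, the alert is worm scanning rather than a deliberate attack on you, and it is safe to filter by signature rather than by source network.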
November 5th, 2002, 12:48 PM
We used the older version of NFR's IDS. We had issues with SYN floods and the IDS crashing. Also we had watchdog timer reboots that basically made us rethink our IDS. We've since switched to Demarc's PureSecure. It allows us to make rules on the fly instead of writing our own N-Code or waiting for NFR to release updates.
November 5th, 2002, 04:54 PM
Thanks Faust, I was unaware of that problem. I looked into the link you provided, but it seems that the version we are currently running (5.4) isn't vulnerable to this particular "exploit".
BUT I do know what you mean about that damnable N-Code and waiting for NFR to do anything for you. I'll look into Demarc's stuff and see what it's like. Right now I'm re-evaluating our IDS solution as it is because I'm not really happy with the support level that NFR has provided us.