Subject: combination of IDS and scanner
From: Thomas Singer (tsinger@EE.ETHZ.CH)
Date: Mon Dec 04 2000 - 09:27:34 CST
- Next message: Joe Shaw: "Re: combination of IDS and scanner"
- Previous message: Martin Roesch: "Re: network based IDS"
- Next in thread: Joe Shaw: "Re: combination of IDS and scanner"
- Reply: Joe Shaw: "Re: combination of IDS and scanner"
- Reply: David Masten: "Re: combination of IDS and scanner"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
we are thinking about writing an extension to our existing ID system
(Dragon). The idea is to combine the intrusion detection system with a
security scanner (Nessus, for example). After having detected an attack,
the IDS communicates the corresponding CVE number and host IP to the
scanner, which in turn tries to check whether the attacked host is really
vulnerable to this kind of attack. It is clear that this only makes
sense with some kinds of attacks. That's why we will put a third entity
in between the IDS and the scanner. This entity will decide for every
detected attack whether it makes sense to trigger the scanner.
The primary goal of this extension is to decrease the amount of false
alerts our IDS generates. We do not want to see alerts reporting attacks
against hosts which aren't vulnerable to this kind of attack (let's say,
for example, a dot-dot attack against a webserver running Apache). The
straightforward approach to this would of course be to maintain a
database with information about the hosts we want to protect, but this
isn't possible in our case.
Could you please tell us what your opinions are? Has anyone already tried
to do something like this? Which security scanner would you choose to
use?
Thanks for your information.
Regards,
Thomas
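The architecture Thomas describes (IDS, a decision entity in between, scanner) as an added example that is not part of his post and is not Dragon or Nessus code. The signature names, the placeholder CVE ids, the host inventory and the scanner function are all constructed stand-ins: the real integration would map the IDS's CVE reference to a scanner plugin and run that plugin against the attacked host. The decision entity here only triggers a scan when a remote check exists for the CVE, reuses a cached verdict for a while, caps how many scans one host can receive per window, and suppresses an alert only on a definite "not vulnerable" answer.

```python
"""Added example: IDS -> decision entity -> scanner correlation.

Not part of the original post. CVE ids, signature names, inventory and
the scanner below are constructed placeholders for Dragon alerts and
Nessus checks; the decision logic is the part worth copying.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    signature: str        # IDS signature name (constructed)
    cve: Optional[str]    # CVE id attached by the IDS rule, None if it has none
    dst_ip: str
    dst_port: int


# A remote check sees the scanner's view of one service (a dict of probed
# attributes) and answers True = vulnerable, False = not, None = cannot tell.
Check = Callable[[dict], Optional[bool]]

# Placeholder CVE ids (constructed). In practice this map comes from the
# scanner's plugin database, which references CVE ids per check.
CHECKS: Dict[str, Check] = {
    # a dot-dot traversal that only affects IIS; Apache hosts are not vulnerable
    "CVE-0000-0001": lambda svc: (None if "server" not in svc
                                  else svc["server"].startswith("Microsoft-IIS")),
    # a sample CGI that should not be installed
    "CVE-0000-0002": lambda svc: "/cgi-bin/test-cgi" in svc.get("cgis", ()),
}

# Constructed inventory standing in for what a live scanner probe would return.
INVENTORY: Dict[Tuple[str, int], dict] = {
    ("10.0.0.5", 80): {"server": "Apache/1.3.12", "cgis": ()},
    ("10.0.0.6", 80): {"server": "Microsoft-IIS/4.0", "cgis": ("/cgi-bin/test-cgi",)},
    ("10.0.0.7", 80): {"cgis": ()},   # no banner: the dot-dot check cannot decide
}


def fake_scanner(ip: str, port: int, check: Check) -> Optional[bool]:
    """Stand-in for 'ask the scanner to run one check against ip:port'."""
    svc = INVENTORY.get((ip, port))
    return None if svc is None else check(svc)   # unreachable host: unknown


class Correlator:
    """The 'third entity': decides per alert whether a scan is worthwhile
    and turns the scanner's verdict into alert / suppress."""

    def __init__(self, scanner, checks: Dict[str, Check],
                 ttl: float = 3600.0, max_scans_per_host: int = 5):
        self.scanner = scanner
        self.checks = checks
        self.ttl = ttl                        # how long a verdict stays valid
        self.max_scans = max_scans_per_host   # cap on scans an attacker can provoke
        self.cache: Dict[Tuple[str, int, str], Tuple[Optional[bool], float]] = {}
        self.scan_log: Dict[str, List[float]] = {}
        self.scans = 0                        # number of real scanner invocations

    def handle(self, alert: Alert, now: float) -> Tuple[str, str]:
        """Return ('alert' | 'suppress', reason). Only a definite
        'not vulnerable' verdict suppresses; anything uncertain stays an alert."""
        if alert.cve is None or alert.cve not in self.checks:
            return "alert", "no remote check for this signature"
        key = (alert.dst_ip, alert.dst_port, alert.cve)
        cached = self.cache.get(key)
        if cached is not None and now - cached[1] < self.ttl:
            verdict, source = cached[0], "cached"
        else:
            recent = [t for t in self.scan_log.get(alert.dst_ip, []) if now - t < self.ttl]
            if len(recent) >= self.max_scans:
                return "alert", "scan budget exhausted, unverified"
            verdict = self.scanner(alert.dst_ip, alert.dst_port, self.checks[alert.cve])
            self.scans += 1
            self.scan_log[alert.dst_ip] = recent + [now]
            self.cache[key] = (verdict, now)
            source = "scanned"
        if verdict is False:
            return "suppress", f"{source}: host not vulnerable to {alert.cve}"
        if verdict is True:
            return "alert", f"{source}: host vulnerable to {alert.cve}"
        return "alert", f"{source}: could not verify {alert.cve}"


def demo() -> List[Tuple[str, str]]:
    """Run a constructed alert stream through the correlator."""
    c = Correlator(fake_scanner, CHECKS)
    alerts = [
        Alert("WEB:DOT-DOT", "CVE-0000-0001", "10.0.0.5", 80),   # Apache: suppress
        Alert("WEB:DOT-DOT", "CVE-0000-0001", "10.0.0.6", 80),   # IIS: alert
        Alert("WEB:DOT-DOT", "CVE-0000-0001", "10.0.0.5", 80),   # repeat: cached verdict
        Alert("WEB:TEST-CGI", "CVE-0000-0002", "10.0.0.7", 80),  # CGI absent: suppress
        Alert("WEB:DOT-DOT", "CVE-0000-0001", "10.0.0.7", 80),   # no banner: alert
        Alert("ICMP:FLOOD", None, "10.0.0.5", 0),                # no check: alert
    ]
    return [c.handle(a, now=1000.0 + i) for i, a in enumerate(alerts)]


if __name__ == "__main__":
    for action, reason in demo():
        print(action, "-", reason)
```

Two design choices matter more than the plumbing. First, the correlator fails open: a scanner that cannot answer (host down, no banner, no matching check, budget exhausted) leaves the alert in place, so the filter can only remove alerts it has positively disproved. Second, because the IDS input is attacker-controlled, an attacker who spoofs a stream of attacks against many hosts can otherwise make the system hammer those hosts with scanner checks, some of which are intrusive themselves; the verdict cache and the per-host scan budget bound that.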