Subject: Re: combination of IDS and scanner
From: Joe Shaw (jshawINSYNC.NET)
Date: Mon Dec 04 2000 - 11:18:54 CST


On Mon, 4 Dec 2000, Thomas Singer wrote:

> we are thinking about writing an extension to our existing ID system
> (Dragon). The idea is to combine the intrusion detection system with a
> security scanner (Nessus for example). After having detected an attack
> the IDS communicates the corresponding CVE number and host IP to the
> scanner which in turn tries to check whether the attacked host is really
> vulnerable to this kind of attack. It is clear that this does only make
> sense with some kind of attacks. That's why we will put a third entity
> in between the IDS and the scanner. This entity will decide for every
> detected attack whether it makes sense to trigger the scanner.

Several of the 'intelligent' security consoles attempt to do something
similar to this, and it seems like a good idea if you're on the receiving
end of alerts for an enterprise to get fewer false positives. For
instance, the console is generally configured to know that an Apache
webserver is not going to be vulnerable to an IIS-specific exploit, and
vice-versa, but it's not the same as the method you're describing. ISS'
Server Sensor, which is a combination of their host-based IDS and a
non-promiscuous network-based IDS, also does this at the IDS level, or at
least that's what I was told. We're doing QA testing on it in the lab
over the next two weeks before deploying it, so I should be able to give a
better answer on it.

The real problem is whether your scanning agent will set off your IDS
again and then cause it to check for the vulnerability, trigger another
alert and scan until the system fails. Also, checking for the
vulnerability after the fact is probably wasted effort from a security
standpoint, but I'm sure I'm preaching to the choir.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named.
I have public opinions, and they have public relations.
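The "third entity" from the original question, with the loop problem Joe raises handled, as an added example that is not part of the thread and is not Dragon, Nessus or ISS code. It is a small Python mediator that reads IDS alerts (CVE plus source and destination IP), decides whether a scan makes sense, and hands a check name to a scanner. The alert line format, the host inventory, the scanner address, the placeholder CVE ids (CVE-0000-000x) and the check names are all constructed for the example. Four rules are applied in order: drop alerts whose source is the scanner itself (otherwise scan triggers alert triggers scan), drop CVEs the scanner has no reliable check for, drop platform mismatches (an IIS bug reported against an Apache host), and rate-limit repeats per (host, CVE) with a cooldown.

```python
"""
IDS -> mediator -> scanner decision logic.

Added example, not code from the original thread. Alert format, inventory,
scanner IP, CVE ids and check names below are all constructed/hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Checks the scanner can actually run, keyed by CVE, with the product the
# check targets. Placeholder CVE ids and hypothetical check names; a real
# deployment would build this from the scanner's plugin database.
VERIFIABLE_CHECKS: Dict[str, Tuple[str, str]] = {
    "CVE-0000-0001": ("iis", "iis-check-1"),
    "CVE-0000-0002": ("apache", "apache-check-1"),
}

# What the console already knows about each monitored host (constructed).
INVENTORY: Dict[str, str] = {
    "10.0.1.10": "iis",
    "10.0.1.20": "apache",
}

# Address(es) the verification scanner probes from (constructed).
SCANNER_IPS: Set[str] = {"10.0.9.9"}

# Constructed alert line: "<epoch> src=<ip> dst=<ip> cve=<id>"
ALERT_RE = re.compile(
    r"^(?P<ts>\d+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+cve=(?P<cve>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    dst: str
    cve: str


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(int(m["ts"]), m["src"], m["dst"], m["cve"])


class Mediator:
    """Decides, per alert, whether to ask the scanner to verify the host."""

    def __init__(self, cooldown: int = 3600):
        self.cooldown = cooldown
        self._last: Dict[Tuple[str, str], int] = {}  # (host, cve) -> last scan ts

    def decide(self, a: Alert) -> Tuple[str, Optional[str]]:
        # 1. Loop breaker: traffic from our own scanner is the verification
        #    probe, not an attack. Without this: scan -> alert -> scan -> ...
        if a.src in SCANNER_IPS:
            return ("drop:own-scanner", None)
        # 2. Only CVEs with a reliable active check are worth a scan.
        if a.cve not in VERIFIABLE_CHECKS:
            return ("drop:no-check", None)
        product, check = VERIFIABLE_CHECKS[a.cve]
        # 3. Platform plausibility: an IIS bug against an Apache host is noise.
        target = INVENTORY.get(a.dst)
        if target is not None and target != product:
            return ("drop:platform-mismatch", None)
        # 4. Rate limit: one scan per (host, cve) per cooldown window.
        key = (a.dst, a.cve)
        last = self._last.get(key)
        if last is not None and a.ts - last < self.cooldown:
            return ("drop:cooldown", None)
        self._last[key] = a.ts
        return ("scan", check)


def run(lines: List[str], cooldown: int = 3600) -> List[Tuple[str, Optional[str]]]:
    """Feed alert lines through one Mediator and return its decisions in order."""
    m = Mediator(cooldown)
    return [m.decide(parse_alert(line)) for line in lines]


# Constructed sample alerts (epoch timestamps, RFC 5737 attacker address).
SAMPLE_ALERTS = [
    "975950000 src=203.0.113.7 dst=10.0.1.10 cve=CVE-0000-0001",  # IIS bug vs IIS host
    "975950005 src=203.0.113.7 dst=10.0.1.20 cve=CVE-0000-0001",  # IIS bug vs Apache host
    "975950010 src=10.0.9.9    dst=10.0.1.10 cve=CVE-0000-0001",  # our scanner's probe
    "975950020 src=203.0.113.7 dst=10.0.1.10 cve=CVE-0000-0001",  # repeat inside cooldown
    "975950030 src=203.0.113.7 dst=10.0.1.30 cve=CVE-0000-0009",  # no check for this CVE
    "975953700 src=203.0.113.7 dst=10.0.1.10 cve=CVE-0000-0001",  # cooldown expired
]

if __name__ == "__main__":
    for line, (decision, check) in zip(SAMPLE_ALERTS, run(SAMPLE_ALERTS)):
        print(f"{decision:<24} {check or '-':<16} {line}")
```

Rule 1 is the one that addresses the runaway loop: the scanner's probes will look like attacks to the IDS, so its source address has to be recognised before any other logic runs. Rule 4 is a backstop in case the scanner is ever moved or NATed and rule 1 stops matching; the cooldown alone bounds the scan rate per host and CVE.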