Subject: Re: combination of IDS and scanner
From: Teicher, Mark (mark.teicherNETWORKICE.COM)
Date: Mon Dec 04 2000 - 12:09:21 CST


Axent ESM/ITA/NetProwler already has some of this functionality. Even
though NetProwler has some other issues related to performance, it can be
more easily integrated than one would think.

On Mon, 4 Dec 2000, Joe Shaw wrote:

> On Mon, 4 Dec 2000, Thomas Singer wrote:
>
> > we are thinking about writing an extension to our existing ID system
> > (Dragon). The idea is to combine the intrusion detection system with a
> > security scanner (Nessus for example). After having detected an attack
> > the IDS communicates the corresponding CVE number and host IP to the
> > scanner which in turn tries to check whether the attacked host is really
> > vulnerable to this kind of attack. It is clear that this does only make
> > sense with some kind of attacks. That's why we will put a third entity
> > in between the IDS and the scanner. This entity will decide for every
> > detected attack whether it makes sense to trigger the scanner.
>
> Several of the 'intelligent' security consoles attempt to do something
> similar to this, and it seems like a good idea if you're on the receiving
> end of alerts for an enterprise to get less false positives. For
> instance, the console is generally configured to know that an Apache
> webserver is not going to be vulnerable to an IIS specific exploit, and
> vice-versa, but it's not the same as the method you're describing. ISS'
> Server Sensor, which is a combination of their Host-based IDS and a
> non-promiscuous Network-based IDS, also does this at the IDS level, or at
> least that's what I was told. We're doing QA testing on it in the lab
> over the next two weeks before deploying it, so I should be able to give a
> better answer on it.
>
> The real problem is will your scanning agent set off your IDS again and
> then cause it to check for the vulnerability, trigger another alert and
> scan until the system fails. Also, checking for the vulnerability after
> the fact is probably wasted effort from a security standpoint, but I'm
> sure I'm preaching to the choir.
>
> --
> Joseph W. Shaw
> Sr. Network Security Specialist for Big Company not to be named.
> I have public opinions, and they have public relations.
>
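The "third entity" Thomas Singer describes, together with the feedback-loop problem Joe Shaw raises, can be sketched as a small correlation component. The following is an added example written for this thread, not code from Dragon, Nessus, NetProwler or any of the products named above. The CVE identifiers, IP addresses and the scanner's answers are constructed sample data, and the real scanner is replaced by a lookup table so the code runs offline; the three safeguards it shows are: drop alerts whose source is the verification scanner itself (so a verification scan cannot re-trigger the IDS and start a loop), consult the scanner only for attack classes on an allow-list, and rate-limit repeat verifications per host and CVE.

```python
"""Correlation entity between an IDS and a vulnerability scanner (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Alert:
    """One IDS alert as the correlator would receive it."""
    cve: str      # CVE id attached to the signature that fired
    src_ip: str   # address the attack came from, as seen by the IDS
    dst_ip: str   # attacked host
    ts: float     # alert time in seconds


@dataclass
class Decision:
    """What the correlator did with an alert and why."""
    action: str               # "drop", "alert" or "verify"
    reason: str
    confirmed: Optional[bool] = None   # scanner verdict, only when action == "verify"


class Correlator:
    """Sits between the IDS and the scanner and decides whether to verify an alert."""

    def __init__(self, scanner_ips, verifiable_cves, scan: Callable[[str, str], bool],
                 cooldown: float = 3600.0):
        self.scanner_ips: Set[str] = set(scanner_ips)       # our own scanner hosts
        self.verifiable: Set[str] = set(verifiable_cves)    # attack classes worth a check
        self.scan = scan                                    # callable(host, cve) -> bool
        self.cooldown = cooldown                            # seconds between re-checks
        self.last_scan: Dict[Tuple[str, str], float] = {}   # (host, cve) -> last scan time

    def handle(self, a: Alert) -> Decision:
        # 1. Traffic from the verification scanner is our own probe, never an attack:
        #    dropping it here breaks the alert -> scan -> alert loop.
        if a.src_ip in self.scanner_ips:
            return Decision("drop", "source is the verification scanner")
        # 2. Only some attack classes can be meaningfully confirmed by a scan.
        if a.cve not in self.verifiable:
            return Decision("alert", "no scanner check defined for this attack class")
        # 3. The same (host, CVE) pair is re-verified at most once per cooldown window,
        #    so a flood of identical alerts cannot turn into a flood of scans.
        key = (a.dst_ip, a.cve)
        last = self.last_scan.get(key)
        if last is not None and a.ts - last < self.cooldown:
            return Decision("alert", "verified recently; cooldown active")
        self.last_scan[key] = a.ts
        return Decision("verify", "scanner consulted", confirmed=self.scan(a.dst_ip, a.cve))


# Constructed stand-in for the scanner: which hosts are actually vulnerable to which CVE.
VULNERABLE_HOSTS: Dict[str, Set[str]] = {
    "10.0.0.5": {"CVE-0000-0001"},   # placeholder CVE id, not a real vulnerability
}


def simulated_scan(host: str, cve: str) -> bool:
    """Pretend to run the scanner's check for one CVE against one host."""
    return cve in VULNERABLE_HOSTS.get(host, set())


if __name__ == "__main__":
    # Constructed alert stream: a real attack, the scanner's own probe re-detected by the
    # IDS, the same attack repeated, an unverifiable class, and a non-vulnerable case.
    c = Correlator(["10.0.0.9"], {"CVE-0000-0001", "CVE-0000-0002"}, simulated_scan)
    for alert in [
        Alert("CVE-0000-0001", "192.0.2.7", "10.0.0.5", 100.0),
        Alert("CVE-0000-0001", "10.0.0.9", "10.0.0.5", 101.0),
        Alert("CVE-0000-0001", "192.0.2.7", "10.0.0.5", 200.0),
        Alert("CVE-0000-0003", "192.0.2.7", "10.0.0.5", 201.0),
        Alert("CVE-0000-0002", "192.0.2.7", "10.0.0.5", 300.0),
    ]:
        print(alert.cve, alert.src_ip, "->", c.handle(alert))
```

In a real deployment the scanner's source addresses would also be excluded at the IDS itself, not only in the correlator, and the cooldown state would need to survive restarts; both are left out here to keep the decision logic visible.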