Subject: Re: combination of IDS and scanner
From: Teicher, Mark (mark.teicherNETWORKICE.COM)
Date: Mon Dec 04 2000 - 12:23:00 CST


Concordance is always a nice feature to have.

This type of theory is similar to the approach "HiverWorld" was taking in
network probing/network discovery. I could be wrong, but I thought that
was what was preached at DEFCon.. something like Active Network Scrubbing or
something like that??

*sorry, my memory is fading, it is so hard to keep everything straight*

/m

At 04:27 PM 12/4/00 +0100, Thomas Singer wrote:
>Hi,
>
>we are thinking about writing an extension to our existing ID system
>(Dragon). The idea is to combine the intrusion detection system with a
>security scanner (Nessus for example). After having detected an attack
>the IDS communicates the corresponding CVE number and host IP to the
>scanner which in turn tries to check whether the attacked host is really
>vulnerable to this kind of attack. It is clear that this does only make
>sense with some kind of attacks. That's why we will put a third entity
>in between the IDS and the scanner. This entity will decide for every
>detected attack whether it makes sense to trigger the scanner.
>
>The primary goal of this extension is to decrease the amount of false
>alerts our IDS generates. We do not want to see alerts reporting attacks
>against hosts which aren't vulnerable to this kind of attack (let's say
>for example a dot-dot-attack against a webserver running apache). The
>straightforward approach to this would of course be to maintain a
>database with information about the hosts we want to protect but this
>isn't possible in our case.
>
>Could you please tell us what your opinions are? Did someone already try
>to do something like this? Which security scanner would you choose to
>use?
>
>Thanks for your information.
>
>Regards,
>
>Thomas
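One way to implement the "third entity" Thomas describes, as an added Python sketch that is not part of the thread or of Dragon/Nessus: the mediator only triggers a scan for attacks whose outcome depends on a checkable host condition, asks the scanner once per (host, CVE) pair, and fails open when no check exists. The CVE ids, hosts, signature names and scanner answers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Alert:
    host: str   # attacked host IP as reported by the IDS
    cve: str    # CVE id tied to the matching IDS signature ("" if none)
    sig: str    # signature name, for the operator's benefit

# Constructed policy: only attacks whose success depends on a host-side
# condition a scanner can test are worth a verification scan. A flood or
# password-guessing alert has no "vulnerable or not" answer to look up.
VERIFIABLE_CVES = {"CVE-EXAMPLE-1", "CVE-EXAMPLE-2"}

# scanner(host, cve) -> True (vulnerable), False (not), None (no check exists)
Scanner = Callable[[str, str], Optional[bool]]

class Mediator:
    """The third entity: decides whether a scan is worthwhile, asks the
    scanner at most once per (host, cve), and returns a triage verdict."""
    def __init__(self, scanner: Scanner):
        self.scanner = scanner
        self.cache: Dict[Tuple[str, str], Optional[bool]] = {}
        self.scans_run = 0

    def decide(self, alert: Alert) -> str:
        if alert.cve not in VERIFIABLE_CVES:
            return "alert"                # not checkable: always report
        key = (alert.host, alert.cve)
        if key not in self.cache:         # repeat attacks reuse the verdict
            self.cache[key] = self.scanner(alert.host, alert.cve)
            self.scans_run += 1
        verdict = self.cache[key]
        if verdict is None:
            return "alert"                # scanner has no plugin: fail open
        return "alert" if verdict else "suppress"

# Stand-in for the real scanner, with constructed answers for two hosts.
FAKE_RESULTS = {("10.0.0.5", "CVE-EXAMPLE-1"): True,
                ("10.0.0.6", "CVE-EXAMPLE-1"): False}
def fake_scanner(host: str, cve: str) -> Optional[bool]:
    return FAKE_RESULTS.get((host, cve))

SAMPLE_ALERTS = [  # constructed IDS output
    Alert("10.0.0.5", "CVE-EXAMPLE-1", "http-dotdot-traversal"),
    Alert("10.0.0.6", "CVE-EXAMPLE-1", "http-dotdot-traversal"),
    Alert("10.0.0.6", "CVE-EXAMPLE-1", "http-dotdot-traversal"),  # repeat
    Alert("10.0.0.6", "CVE-EXAMPLE-2", "ftp-site-exec"),  # no check exists
    Alert("10.0.0.7", "", "syn-flood"),                   # not verifiable
]

def triage(alerts: List[Alert], scanner: Scanner = fake_scanner):
    m = Mediator(scanner)
    return [m.decide(a) for a in alerts], m.scans_run
```

The cache is what keeps a persistent attacker from turning every repeated signature hit into a fresh scan of the same host; in a real deployment it would also need an expiry so that patched or newly deployed hosts are re-checked.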