Subject: Re: combination of IDS and scanner
From: David Masten (dmasten at PIRATELABS.ORG)
Date: Mon Dec 04 2000 - 15:41:41 CST
- Next message: Laura Nuñez: "Re: statistical analysis ? neural networks ?"
- Previous message: Teicher, Mark: "Re: combination of IDS and scanner"
- In reply to: Thomas Singer: "combination of IDS and scanner"
- Next in thread: thiebaut.adsl: "Re: combination of IDS and scanner"
- Reply: David Masten: "Re: combination of IDS and scanner"
- Reply: thiebaut.adsl: "Re: combination of IDS and scanner"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Thomas Singer wrote:
> Hi,
>
> we are thinking about writing an extension to our existing ID system
> (Dragon). The idea is to combine the intrusion detection system with a
> security scanner (Nessus for example). After having detected an attack
> the IDS communicates the corresponding CVE number and host IP to the
> scanner which in turn tries to check whether the attacked host is really
> vulnerable to this kind of attack. It is clear that this does only make
> sense with some kind of attacks. That's why we will put a third entity
> in between the IDS and the scanner. This entity will decide for every
> detected attack whether it makes sense to trigger the scanner.
>
The integration of an IDS and Scanner is a good idea, but do regular
scans BEFORE the incident, and adjust the alerts accordingly.
For example, a regular scan run notes that a new FTP server is up and is
running wu-FTP 2.6. This information would be passed to the IDS, so that
when a wu-ftp 2.5 exploit signature shows up, it would be logged, but no
alert would be sent. If a wu-ftp 2.6 exploit shows up, the IDS would send
an alert.
Scanning after the fact may present some problems: what if the attack script
fixes the hole first thing, or disables the listener? The scanner might
report back to the IDS that there is nothing to be concerned about, and
the alert would not get out.
I don't have my notes with me and don't remember the details, but at the
last DEFCON, someone gave a presentation on why an IDS needs to know the
network before the attack.
--
David Masten
Information Security Guru, System and Network Administrator, Rocket Engineer, and Opinionated Freedom Fighter
------------------------------------------------------------
They that can give up Liberty to obtain a little temporary security, deserve neither. - B. Franklin
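As an added example that is not part of the original post, and not code from Dragon or Nessus, the following Python sketch implements the two points made above: suppression decided from a pre-incident scan inventory (wu-ftpd version known before the exploit signature fires), and the after-the-fact caveat, where a rescan that finds the listener gone or changed is never allowed to downgrade an alert. All hosts, ports, product versions and signature names are constructed sample data.

```python
"""Correlating IDS signature hits with a pre-incident scan inventory.

Added example (not from the original post or any product). All inventory
and signature data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Service:
    product: str
    version: str


# Inventory built from the regular scan run BEFORE any incident.
# Constructed sample: hosts, products and versions are assumptions.
INVENTORY: Dict[Tuple[str, int], Service] = {
    ("10.0.0.5", 21): Service("wu-ftpd", "2.6"),
    ("10.0.0.6", 21): Service("proftpd", "1.2"),
    ("10.0.0.7", 21): Service("wu-ftpd", "2.5"),
}


@dataclass(frozen=True)
class Signature:
    product: str
    affected: FrozenSet[str]  # versions the exploit in this signature targets


# Signature metadata the IDS would carry; names are constructed.
SIGNATURES: Dict[str, Signature] = {
    "wuftpd-2.5-exploit": Signature("wu-ftpd", frozenset({"2.5"})),
    "wuftpd-2.6-exploit": Signature("wu-ftpd", frozenset({"2.6"})),
}

ALERT, LOG = "ALERT", "LOG"


def triage(host: str, port: int, sig_name: str,
           inventory: Dict[Tuple[str, int], Service] = INVENTORY,
           signatures: Dict[str, Signature] = SIGNATURES) -> Tuple[str, str]:
    """Decide from pre-incident knowledge whether a signature hit should
    page someone (ALERT) or only be recorded (LOG).

    Anything the inventory cannot vouch for stays an ALERT: the IDS may
    only downgrade when it positively knows the target is not affected.
    """
    sig = signatures.get(sig_name)
    if sig is None:
        return ALERT, "unknown signature; cannot downgrade"
    svc = inventory.get((host, port))
    if svc is None:
        return ALERT, "target not in inventory; IDS does not know this host"
    if svc.product != sig.product:
        return LOG, f"target runs {svc.product}, signature targets {sig.product}"
    if svc.version in sig.affected:
        return ALERT, f"{svc.product} {svc.version} is in the affected set"
    return LOG, f"{svc.product} {svc.version} not affected by {sig_name}"


def reconcile_rescan(pre_decision: Tuple[str, str], pre_service: Service,
                     rescan_service: Optional[Service]) -> Tuple[str, str]:
    """Fold in an after-the-fact rescan WITHOUT letting it suppress anything.

    If the pre-incident decision was ALERT and the rescan now sees no
    listener or a different version, that change right after an attack is
    itself suspicious (the attack script may have closed the hole), so the
    alert is kept and the discrepancy is appended to the reason.
    """
    decision, reason = pre_decision
    if decision != ALERT:
        return decision, reason
    if rescan_service is None:
        return ALERT, reason + "; listener gone after attack, possible cleanup"
    if rescan_service != pre_service:
        return ALERT, reason + f"; version changed to {rescan_service.version} after attack"
    return ALERT, reason + "; rescan confirms vulnerable service"


if __name__ == "__main__":
    # Constructed IDS hits against the sample inventory.
    for host, sig in [("10.0.0.5", "wuftpd-2.5-exploit"),
                      ("10.0.0.5", "wuftpd-2.6-exploit"),
                      ("10.0.0.6", "wuftpd-2.6-exploit"),
                      ("10.0.0.9", "wuftpd-2.6-exploit")]:
        print(host, sig, triage(host, 21, sig))
    # Rescan after the attack finds the listener gone: still an ALERT.
    pre = triage("10.0.0.5", 21, "wuftpd-2.6-exploit")
    print(reconcile_rescan(pre, INVENTORY[("10.0.0.5", 21)], None))
```

The asymmetry is the point: only the pre-incident inventory is allowed to turn an alert into a log entry, and a post-incident rescan can add evidence but never remove the alert, which is exactly the failure mode the post warns about.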