Subject: Re: combination of IDS and scanner
From: thiebaut.adsl (thiebaut.adslWANADOO.FR)
Date: Tue Dec 05 2000 - 03:41:50 CST


David Masten wrote:

> Thomas Singer wrote:
>
>> Hi,
>>
>> we are thinking about writing an extension to our existing ID system
>> (Dragon). The idea is to combine the intrusion detection system with a
>> security scanner (Nessus for example). After having detected an attack
>> the IDS communicates the corresponding CVE number and host IP to the
>> scanner which in turn tries to check whether the attacked host is really
>> vulnerable to this kind of attack. It is clear that this only makes
>> sense with some kinds of attacks. That's why we will put a third entity
>> in between the IDS and the scanner. This entity will decide for every
>> detected attack whether it makes sense to trigger the scanner.
>>
> The integration of an IDS and Scanner is a good idea, but do regular
> scans BEFORE the incident, and adjust the alerts accordingly.
> For example a regular scan run notes that a new FTP server is up and is
> running wu-FTP 2.6. This information would be passed to the IDS, so that
> when a wu-ftp 2.5 exploit signature shows up, it would be logged, but
> no alert would be sent. If a wu-ftp 2.6 exploit shows up, the IDS would
> send an alert.
>

What about firewall integration or active IDS?
That would be interesting too: sending alerts + adjusting my IPCHAINS
rules on the fly for each host.

Just my 200 $
;-)

ThD
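The "scan first, then adjust alerts" correlation David describes, combined with the "third entity" Thomas proposes, as an added Python example that is not code from either poster nor from Dragon or Nessus. The inventory format, the alert fields and the signature-to-affected-version mapping are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of what a periodic scan run would record (hypothetical):
# host -> service -> (version banner seen, time of that scan).
SCAN_INVENTORY = {
    "10.0.0.5": {"ftp": ("wu-ftpd 2.6", datetime(2000, 12, 4, 2, 0))},
    "10.0.0.6": {"ftp": ("wu-ftpd 2.5", datetime(2000, 12, 4, 2, 0))},
    "10.0.0.7": {"ftp": ("wu-ftpd 2.5", datetime(2000, 11, 1, 2, 0))},
}

# Scan data older than this is not trusted for suppressing an alert.
MAX_INVENTORY_AGE = timedelta(days=7)


@dataclass(frozen=True)
class IdsAlert:
    host: str
    service: str
    # Versions the matched signature's exploit is known to affect. Assumed to
    # be carried in the IDS rule database next to the CVE number.
    affected_versions: frozenset


def decide(alert: IdsAlert, inventory: dict, now: datetime) -> str:
    """Decide what the entity between IDS and scanner does with one event.

    'alert' - inventory says the target runs an affected version
    'log'   - inventory says the target runs a version the exploit does not hit
    'scan'  - no usable inventory (unknown host/service or stale scan), so an
              on-demand scan is triggered instead of guessing either way
    """
    entry = inventory.get(alert.host, {}).get(alert.service)
    if entry is None:
        return "scan"
    version, scanned_at = entry
    if now - scanned_at > MAX_INVENTORY_AGE:
        return "scan"
    return "alert" if version in alert.affected_versions else "log"


if __name__ == "__main__":
    now = datetime(2000, 12, 5, 3, 41)
    wu25_sig = frozenset({"wu-ftpd 2.5"})
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.9"):
        print(host, decide(IdsAlert(host, "ftp", wu25_sig), SCAN_INVENTORY, now))
```

The stale-inventory branch is the part worth keeping: a host that was rebuilt since the last scan should fall through to an on-demand scan rather than have its alerts silently downgraded on old data.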