Subject: More: combination of IDS and scanner
From: Thomas Singer (tsingerEE.ETHZ.CH)
Date: Wed Dec 06 2000 - 04:18:38 CST


Thanks to all who responded for the valuable input.

Of course, scanning after the incident is a problem, because the incident
could have changed the way the attacked host is behaving. Therefore we
are trying to classify attacks based on their impact on the host
behaviour. That is, we try to distinguish between attacks which after
completion could fool our scanner, and attacks which do not change the
way a system behaves (or rather change the way the system behaves only
in a way not affecting the results of the scanner).

Our IDS extension would then - after having caught an alert from the IDS
- do sort of something like this:

Case 1:
If the detected attack could have changed the way the attacked host is
responding to the scanner, the IDS-extension will simply bypass the
alert to the security team.

Case 2:
If the detected attack could have changed the behaviour of the attacked
host only in a way not affecting the results of a scan, the
IDS-extension would first trigger a scan and only bypass the alert if
the scanner says that the attacked host was vulnerable.

Case 3:
If the detected attack was a DoS-only attack against a service, the
IDS-extension would first check the status of the affected service. If
the service hasn't been running before the attack, or if the service has
been running before the attack and is still running after the attack,
the alert would be ignored (logged only); otherwise it would be passed on
to the security team.

To implement case 3 we need to regularly scan for services.

To prevent the scanner from setting off the IDS again we have to make
sure that we only allow vulnerability-scans which do not contain the
attack-specific patterns. For example, scans which check for
vulnerabilities by banner-fetching.

What do you think? Does implementing something like this sound feasible?

Regards,
Thomas

PS: Is there more information available about John Flowers' talk you
have mentioned?
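The three-case decision logic described in the post, written out as an added Python example. This is not code from the original message or from Thomas's project; it assumes that each IDS alert already carries an impact class (changes the host, scan-safe, or DoS-only), that the confirmation scanner is a callback restricted to passive banner checks so it cannot re-trigger the IDS, and that a regularly refreshed service table records which (host, port) pairs were up before and after the alert. All hosts, banners and signature names are constructed.

```python
"""Triage logic for an IDS extension that confirms alerts with a passive scan.

Constructed example: alert classes, hosts, banners and check names are
assumptions made for illustration, not values from the original post.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Set, Tuple


class Impact(Enum):
    CHANGES_HOST = "changes_host"  # case 1: a later scan can no longer be trusted
    SCAN_SAFE = "scan_safe"        # case 2: host still answers the scanner honestly
    DOS_ONLY = "dos_only"          # case 3: only availability of a service is at stake


@dataclass(frozen=True)
class Alert:
    signature: str   # constructed IDS signature name
    target: str      # attacked host
    port: int        # attacked service port
    impact: Impact   # classification supplied by the IDS extension's attack table


# Only passive checks are permitted for the confirmation scan, so the scanner
# never replays the attack-specific pattern that the IDS matched on.
PASSIVE_CHECKS: Set[str] = {"banner", "version-probe"}

# (host, port) -> True if the service was observed running at that time.
ServiceTable = Dict[Tuple[str, int], bool]

# scanner(target, port, check) -> True when the passive check says "vulnerable"
Scanner = Callable[[str, int, str], bool]


def run_confirmation_scan(scanner: Scanner, target: str, port: int, check: str) -> bool:
    """Run one passive check; refuse anything that is not on the allowlist."""
    if check not in PASSIVE_CHECKS:
        raise ValueError(f"check {check!r} is not passive; refusing to scan")
    return scanner(target, port, check)


def triage(alert: Alert, scanner: Scanner, check: str,
           before: ServiceTable, after: ServiceTable) -> str:
    """Return 'escalate' (hand to the security team) or 'log_only' for one alert."""
    if alert.impact is Impact.CHANGES_HOST:
        # Case 1: the attack may have altered how the host responds, so a scan
        # could be fooled; pass the alert through untouched.
        return "escalate"
    if alert.impact is Impact.SCAN_SAFE:
        # Case 2: confirm with a passive scan and escalate only if vulnerable.
        vulnerable = run_confirmation_scan(scanner, alert.target, alert.port, check)
        return "escalate" if vulnerable else "log_only"
    # Case 3: DoS-only. Compare service state from the regular service scans.
    key = (alert.target, alert.port)
    was_up = before.get(key, False)
    still_up = after.get(key, False)
    if not was_up or still_up:
        return "log_only"   # nothing to take down, or the service survived
    return "escalate"       # service was up before and is down now


# --- constructed sample data -------------------------------------------------
BANNERS = {("web01", 80): "ExampleHTTPd/1.0", ("web02", 80): "ExampleHTTPd/1.1"}
VULNERABLE_BANNERS = {"ExampleHTTPd/1.0"}   # constructed "known bad" version list


def banner_scanner(target: str, port: int, check: str) -> bool:
    """Stand-in for a banner-fetching scanner: vulnerable if the banner is on the list."""
    return BANNERS.get((target, port), "") in VULNERABLE_BANNERS


def triage_sample_alerts() -> Dict[str, str]:
    """Run the three cases over constructed alerts and service tables."""
    before: ServiceTable = {("web01", 80): True, ("web02", 80): True, ("db01", 5432): True}
    after: ServiceTable = {("web01", 80): True, ("web02", 80): True, ("db01", 5432): False}
    alerts = [
        Alert("sig-root-compromise", "web01", 80, Impact.CHANGES_HOST),
        Alert("sig-info-leak", "web01", 80, Impact.SCAN_SAFE),
        Alert("sig-info-leak", "web02", 80, Impact.SCAN_SAFE),
        Alert("sig-flood", "db01", 5432, Impact.DOS_ONLY),
        Alert("sig-flood", "web02", 80, Impact.DOS_ONLY),
        Alert("sig-flood", "web02", 8080, Impact.DOS_ONLY),   # never running
    ]
    return {f"{a.signature}@{a.target}:{a.port}": triage(a, banner_scanner, "banner", before, after)
            for a in alerts}


if __name__ == "__main__":
    for name, verdict in triage_sample_alerts().items():
        print(f"{name:32} -> {verdict}")
```

The allowlist in `run_confirmation_scan` is the part that addresses the concern about the scanner setting off the IDS: the extension simply cannot request an active check, so whatever the scanner sends is by construction not the attack pattern. Case 3 depends entirely on the freshness of the `before` table, which is why the post notes that services must be scanned regularly.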