From: Chad Skipper (cskippersymantec.com)
Date: Wed May 30 2001 - 12:42:05 CDT


    > Robert wrote:
    > How would you validate a half scan? What I mean is a potential attacker
    > conducting the first part of an attack which shows up in the NIDS/HIDS but
    > is never completed. The attacker has gained some information about the
    > targeted network based on the responses (or lack) and may be using that
    > information for a later full attack.
    >
    > Shouldn't this be considered a false positive? Or would (should) it be
    > added to the db for later correlation?

    This is exactly what I meant when I said "Of course this all depends on the
    solution you are looking for. Do you want to know about all the "door
    rattlers" or just the successful attacks? In any case both solutions can be
    complicated."

    I personally think that half scans are NOT false positives. If this half
    scan does trigger the alert, then the sensor has done its job. It has
    alerted you that an attack has been attempted. Most signatures look for the
    complete session of the attack and therefore would *probably* only alert on
    the succession of the attack. If there were a signature for a half scan,
    then this would need to be correlated with the other sensors and DB.

    Again, there are thousands of possibilities here. Using AI within security
    products will be different for each organization. This is all conceptual.
    Just putting my thoughts into cyberspace.

    Another 2c

    Chad R. Skipper
    Sr. Software Engineer
    Symantec Corporation

    cskippersymantec.com
    www.symantec.com

    6-210-7830 ESN
    210-403-7830
    210-403-7895 Fax
    210-413-2516 Mobile

                                                                                                                                                       
                        Robert Kinsey - VIS
                        Contractor To: IDS-FocusList <FOCUS-IDSsecurityfocus.com>
                        <robert.kinseysorta.kel cc:
                        ly.af.mil> Subject: Re: Definition of false positive
                        Sent by:
                        rbkinseysecurityfocus.c
                        om
                                                                                                                                                       
                                                                                                                                                       
                        05/30/2001 08:00 AM
                                                                                                                                                       
                                                                                                                                                       

    I have a question on part of Chad's response.

    How would you validate a half scan? What I mean is a potential attacker
    conducting the first part of an attack which shows up in the NIDS/HIDS but
    is never completed. The attacker has gained some information about the
    targeted network based on the responses (or lack) and may be using that
    information for a later full attack.

    Shouldn't this be considered a false positive? Or would (should) it be
    added to the db for later correlation?

    TIA,

    Robert

    --
    ROBERT KINSEY - Analyst
    Virus Analysis Team
    AFCERT
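An added illustration of the question both messages turn on, not code from either poster or from any product named in the thread: a small classifier over connection-attempt records that treats incomplete (half-open) attempts as probes to be scored and kept for later correlation, the way Chad describes, instead of dropping them as false positives. The log layout, the field names, the sample addresses and the threshold of three distinct targets are all assumptions made for the example.

```python
"""Score half-open connection attempts and keep them for correlation.

Added example. The record format below is constructed for illustration and is
not the output of any real sensor; the three-target threshold is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, one line per TCP connection attempt as a sensor might
# summarise it: time, src, dst, dport, client flags, server flags, final flag.
# "S"=SYN, "SA"=SYN/ACK, "A"=ACK (handshake finished), "R"=RST, "-"=nothing seen.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 192.0.2.10 22   S SA -
10:00:01 10.0.0.5 192.0.2.10 80   S SA -
10:00:01 10.0.0.5 192.0.2.10 443  S R  -
10:00:02 10.0.0.5 192.0.2.11 22   S SA -
10:00:02 10.0.0.5 192.0.2.11 25   S R  -
10:00:02 10.0.0.5 192.0.2.11 3389 S -  -
10:00:05 10.0.0.9 192.0.2.10 80   S SA A
10:00:06 10.0.0.9 192.0.2.10 80   S SA A
"""


@dataclass(frozen=True)
class Attempt:
    time: str
    src: str
    dst: str
    dport: int
    server_flags: str   # what the target answered: "SA", "R" or "-"
    completed: bool     # True when the client finished the handshake with an ACK


def parse_log(text):
    """Turn the constructed log text into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        time, src, dst, dport, _client, server, final = line.split()
        attempts.append(Attempt(time, src, dst, int(dport), server, final == "A"))
    return attempts


def outcome(a):
    """Name what the attempt revealed to the sender, even with no session built."""
    if a.completed:
        return "session"
    if a.server_flags == "SA":
        return "open"       # SYN/ACK came back: the port is listening
    if a.server_flags == "R":
        return "closed"     # RST came back: port closed, but the host is alive
    return "no_reply"       # nothing back: filtered or host down


@dataclass
class Verdict:
    src: str
    probed: int = 0       # distinct (dst, dport) pairs tried without completing
    open_seen: int = 0    # incomplete attempts that still learned "port open"
    completed: int = 0    # full handshakes from this source
    label: str = "normal"


def assess(attempts, threshold=3):
    """Per-source verdict: 'half_scan', 'probe' or 'normal'."""
    per_src = {}
    targets = defaultdict(set)
    for a in attempts:
        v = per_src.setdefault(a.src, Verdict(a.src))
        result = outcome(a)
        if result == "session":
            v.completed += 1
            continue
        targets[a.src].add((a.dst, a.dport))
        if result == "open":
            v.open_seen += 1
    for src, v in per_src.items():
        v.probed = len(targets[src])
        if v.probed >= threshold:
            v.label = "half_scan"
        elif v.probed:
            v.label = "probe"
    return per_src


def correlation_records(attempts):
    """Every incomplete attempt is retained, with what it revealed, for later joins
    against other sensors rather than being discarded as noise."""
    return [
        {"time": a.time, "src": a.src, "dst": a.dst, "dport": a.dport,
         "result": outcome(a)}
        for a in attempts if not a.completed
    ]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for verdict in assess(records).values():
        print(verdict)
    print(len(correlation_records(records)), "attempts kept for correlation")
```

The point of `correlation_records` is the answer to Robert's second question: nothing is thrown away. The per-source verdict is what a sensor can say on its own; the retained records are what a database needs so that a later full attack from the same source can be joined back to the earlier "door rattling".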