IDS mailing list archives
RE: how to verify whether an attack attempt is successful?
From: Ron Gula <ronald.gula () verizon net>
Date: Fri, 17 Jan 2003 12:08:19 -0500
> Is there any technology developed in this direction?
A lot of NIDS look for responses with their signatures. Some NIDS (like NFR) look at the entire session and evaluate the results of an attack along with detecting the attack in the first place. Other NIDS, like Dragon, have stand-alone signatures which look for post-attack activity. One of my favorite Dragon examples was this sort of log where you can see a buffer overflow occur, and then see the actual shell commands the hacker is running. Other times, when you don't know about the buffer overflow, you can still look for things like Microsoft Windows banners on high ports, which occur for many of the W2K overflows.

Still other approaches, like Lancope's Stealthwatch, take an entirely different approach. They can identify a 'potentially hostile' scanning IP by watching the IP probe ports and systems. If that particular IP starts to establish a 'long' connection, the assumption is that they scanned for a vulnerability, and then were able to exploit a vulnerability. Pretty interesting because it does not use packet content as a signature source.

Lastly, someone mentioned IDS and VA correlation. That is what I am working on now at Tenable. Looking at Dragon, Snort and Realsecure, breaking down the attacks by CVE and then correlating these with vulnerability checks by CVE with Nessus, about 40% of the events generated by these NIDS stand a chance of being directly correlated to a vulnerability. Not all NIDS events correlate to a vulnerability. Think of events like port scans and brute force login attempts. These don't directly correlate. And when you do have a particular vulnerability, the NIDS may have a general check for that which can't be correlated, and vice versa. I wrote a short paper on the topic at: http://www.tenablesecurity.com/paper.html It outlines some high-level thoughts on issues with direct VA and IDS correlation.

On the host side, tools like Tripwire can catch when key system files have been modified by unsophisticated hackers, but it is a really good way to indicate that your system has been compromised.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
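The IDS/VA correlation by CVE that Ron describes, as an added example that is not part of the original message and not Tenable's code: each NIDS event carries the CVE identifiers its signature maps to (empty for events such as port scans and brute-force logins, which have no CVE to correlate), and each vulnerability-scan finding records a host and a CVE. An event is "correlatable" only when its target host was scanned, and it is confirmed only when the scan found one of the event's CVEs on that host. The event and finding records, the CVE identifiers (`CVE-EXAMPLE-*` placeholders) and the class-to-priority mapping are all constructed here for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed records (not real sensor or scanner output).
@dataclass(frozen=True)
class IdsEvent:
    sensor: str
    src: str
    dst: str
    name: str
    cves: frozenset = field(default_factory=frozenset)  # empty: no CVE to correlate

@dataclass(frozen=True)
class VaFinding:
    host: str
    cve: str

IDS_EVENTS = [
    IdsEvent("dragon", "10.0.0.5", "10.0.0.20", "web server overflow", frozenset({"CVE-EXAMPLE-0001"})),
    IdsEvent("snort", "10.0.0.5", "10.0.0.21", "web server overflow", frozenset({"CVE-EXAMPLE-0001"})),
    IdsEvent("snort", "10.0.0.5", "10.0.0.20", "port scan"),                 # no CVE
    IdsEvent("realsecure", "10.0.0.7", "10.0.0.21", "brute force login"),    # no CVE
    IdsEvent("dragon", "10.0.0.5", "10.0.0.99", "rpc overflow", frozenset({"CVE-EXAMPLE-0003"})),
]

# Constructed scan results: host 10.0.0.20 has the overflow, 10.0.0.21 does
# not (only an unrelated finding), and 10.0.0.99 was never scanned.
VA_FINDINGS = [
    VaFinding("10.0.0.20", "CVE-EXAMPLE-0001"),
    VaFinding("10.0.0.21", "CVE-EXAMPLE-0002"),
]

# Triage priority per correlation class (assumed policy, not from the message).
PRIORITY = {
    "vulnerable": "high",        # attack matched a confirmed vulnerability
    "unscanned": "medium",       # cannot confirm or refute; scan the host
    "no-cve": "review",          # scans, brute force: no CVE to correlate
    "not-vulnerable": "low",     # target scanned, vulnerability absent
}


def build_va_index(findings):
    """Map each scanned host to the set of CVEs found on it."""
    index = {}
    for f in findings:
        index.setdefault(f.host, set()).add(f.cve)
    return index


def classify(event, va_index):
    """Return the correlation class of one NIDS event against the scan index."""
    if not event.cves:
        return "no-cve"
    if event.dst not in va_index:
        return "unscanned"
    if event.cves & va_index[event.dst]:
        return "vulnerable"
    return "not-vulnerable"


def correlate(events, findings):
    """Classify every event; return (event, class, priority) triples and class counts."""
    index = build_va_index(findings)
    triples = [(e, classify(e, index), PRIORITY[classify(e, index)]) for e in events]
    counts = Counter(cls for _, cls, _ in triples)
    return triples, counts


def correlatable_fraction(counts):
    """Share of events that could be checked against a scan result at all."""
    total = sum(counts.values())
    checked = counts["vulnerable"] + counts["not-vulnerable"]
    return checked / total if total else 0.0


if __name__ == "__main__":
    triples, counts = correlate(IDS_EVENTS, VA_FINDINGS)
    for event, cls, prio in triples:
        print(f"{prio:6} {cls:14} {event.sensor:10} {event.src} -> {event.dst} {event.name}")
    print("class counts:", dict(counts))
    print("correlatable fraction:", correlatable_fraction(counts))
```

The four-way split is the point: only the "vulnerable" and "not-vulnerable" classes let the scan results say anything about whether the attack could have worked, while "no-cve" events (the port scans and brute-force attempts the message mentions) and events against unscanned hosts still need a human or another data source.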