IDS mailing list archives
RE: Views and Correlation in Intrusion Detection
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Mon, 30 Jun 2003 15:15:57 -0400 (EDT)
> Did you know that that service is vulnerable? Did you know that we'll take you off the network if it stays vulnerable?
Another interesting and largely unsolved issue here is: vulnerable ACCORDING TO WHAT? Just imagine you run 3 scanners and one says 'Oh, sure, the evil vuln CVE-XXXX-YYYY is there alright', then the second says 'No, I checked and you are cool', and the third confirms that, indeed, no vulnerability exists there. Except that #2 was not updated for a month and #3 did not even scan the port in question. Then what? Now, are you vulnerable or not?

I am willing to make the following statement: the more scanners you use to scan a host, the less you'd know whether you are in fact vulnerable. While it might seem that doing so provides _correlation_, what if they disagree in _most_ cases? Suddenly, another C-word applies - Confusion :-)

Best,

--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
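The three-scanner scenario above, as an added example that is not part of the original post: a naive majority vote over the raw verdicts gives the "confusion" Anton describes, while a correlation that first discards reports which could not have observed the finding (stale signature set with a negative result, or the port never probed) yields a defensible answer or an honest "inconclusive". The scanner names, dates, signature-age threshold and the `ScanResult` record are constructed assumptions, and the CVE id is the placeholder from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class ScanResult:
    scanner: str
    cve: str
    target: str
    port: int
    vulnerable: bool            # the verdict the scanner reported
    signatures_updated: date    # when the scanner's plugin/signature set was last refreshed
    ports_scanned: frozenset    # ports the scanner actually probed on this target

def naive_vote(results):
    """Majority vote over raw verdicts: what 'correlation' often degrades to."""
    yes = sum(1 for r in results if r.vulnerable)
    no = len(results) - yes
    if yes == no:
        return "tie"
    return "vulnerable" if yes > no else "not vulnerable"

def correlated_verdict(results, today, max_signature_age=timedelta(days=7)):
    """Keep only reports that could have seen the finding, then decide.

    A stale scanner that says 'clean' proves nothing, but a stale scanner that
    says 'vulnerable' still observed something, so only stale negatives are dropped.
    A scanner that never probed the port in question is dropped regardless of verdict.
    """
    admissible, discarded = [], []
    for r in results:
        if r.port not in r.ports_scanned:
            discarded.append((r.scanner, "port not scanned"))
        elif not r.vulnerable and today - r.signatures_updated > max_signature_age:
            discarded.append((r.scanner, "stale signatures, negative result"))
        else:
            admissible.append(r)
    positives = [r.scanner for r in admissible if r.vulnerable]
    negatives = [r.scanner for r in admissible if not r.vulnerable]
    if not admissible:
        verdict = "inconclusive"
    elif positives and not negatives:
        verdict = "vulnerable"
    elif negatives and not positives:
        verdict = "not vulnerable"
    else:
        verdict = "conflicting"   # fresh, complete scans that genuinely disagree
    return {"verdict": verdict, "positives": positives,
            "negatives": negatives, "discarded": discarded}

# Constructed sample matching the post: one fresh positive, one stale negative,
# one negative from a scanner that skipped the port.
TODAY = date(2003, 6, 30)
SAMPLE = [
    ScanResult("scanner-1", "CVE-XXXX-YYYY", "host-a", 80, True,
               date(2003, 6, 29), frozenset({22, 80, 443})),
    ScanResult("scanner-2", "CVE-XXXX-YYYY", "host-a", 80, False,
               date(2003, 5, 30), frozenset({22, 80, 443})),
    ScanResult("scanner-3", "CVE-XXXX-YYYY", "host-a", 80, False,
               date(2003, 6, 30), frozenset({22, 443})),
]

# A second constructed case: both scanners fresh and complete, yet they disagree.
CONFLICT = [
    ScanResult("scanner-1", "CVE-XXXX-YYYY", "host-b", 80, True,
               date(2003, 6, 30), frozenset({80})),
    ScanResult("scanner-2", "CVE-XXXX-YYYY", "host-b", 80, False,
               date(2003, 6, 30), frozenset({80})),
]

if __name__ == "__main__":
    print("naive vote:", naive_vote(SAMPLE))
    print("correlated:", correlated_verdict(SAMPLE, TODAY))
    print("conflict case:", correlated_verdict(CONFLICT, TODAY)["verdict"])
```

On the sample, the naive vote returns "not vulnerable" (two negatives outvote one positive), while the correlated verdict returns "vulnerable" and lists why the other two reports were set aside; the second case shows that a genuine disagreement between fresh, complete scans is reported as "conflicting" rather than silently resolved, which is the point at which a human has to look at the host.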
Current thread:
- RE: Views and Correlation in Intrusion Detection Jeff Nathan (Jul 02)
- <Possible follow-ups>
- RE: Views and Correlation in Intrusion Detection Jeff Nathan (Jul 02)
- RE: Views and Correlation in Intrusion Detection Anton A. Chuvakin (Jul 02)
- Re: Views and Correlation in Intrusion Detection Blake Matheny (Jul 02)
- RE: Views and Correlation in Intrusion Detection Anton A. Chuvakin (Jul 02)
- RE: Views and Correlation in Intrusion Detection Michael Murray (Jul 02)