IDS mailing list archives
RE: Views and Correlation in Intrusion Detection
From: Michael Murray <mmurray () ncircle com>
Date: 30 Jun 2003 12:51:12 -0700
Disclaimer: these opinions are entirely my own, and in no way reflect those of my employer.

On Thu, 2003-06-26 at 12:17, Paul Schmehl wrote:
The biggest problem with VA scanners is determining what *really is* a vulnerability. In some cases the scanner just looks at a banner and says

Not to be blatantly obvious, but banner checks just don't cut it anymore. VA tools need to evolve past simply looking at a banner and saying "you may be vulnerable". (I haven't even mentioned the difficulties inherent in the VA tools that are currently spending all their time poking around in the Windows registry and reporting vulnerabilities in services that aren't even running... imagine IDS correlation with *that* data... ;) Suffice it to say, some tools are farther along in this evolution than others.

The requirement for VA to evolve becomes especially evident when we're talking about moving VA to a point where it acts as a filter for IDS events. Sophistication in vulnerability detection methods needs to be achieved before the data can really be trusted as actionable for any correlative system. Because if the VA data can't be trusted to be 100% (or even 90%) accurate on both the false positives and false negatives, any correlation is going to be problematic, to say the least.

My $0.02...

M

--
-----------------------------------------------------
| Michael Murray, CISSP <mmurray () nCircle com>
| Manager - VnE Research Team
| nCircle Network Security
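
Added example (not part of the original message, and not any vendor's code): a small Python sketch of VA results used as a filter for IDS events, showing how VA false positives and false negatives carry straight through into the correlated output. The host addresses, the VULN-A/VULN-B labels, the per-host scenarios and the function names are all constructed for illustration.

```python
# Constructed sample data; host addresses and vulnerability labels are made up.
GROUND_TRUTH = {  # (host, vuln) -> is the host really exploitable?
    ("10.0.0.1", "VULN-A"): True,
    ("10.0.0.2", "VULN-A"): False,  # assumed: patched, banner still shows old version
    ("10.0.0.3", "VULN-A"): True,   # assumed: vulnerable, banner gives no hint
    ("10.0.0.4", "VULN-B"): False,  # registry entry present, service not running
}
# What a VA tool reported for the same pairs.
VA_REPORT = {
    ("10.0.0.1", "VULN-A"): True,
    ("10.0.0.2", "VULN-A"): True,   # VA false positive
    ("10.0.0.3", "VULN-A"): False,  # VA false negative
    ("10.0.0.4", "VULN-B"): True,   # VA false positive
}
# IDS events: (alert id, target host, vulnerability the signature relates to).
IDS_ALERTS = [
    (1, "10.0.0.1", "VULN-A"),
    (2, "10.0.0.2", "VULN-A"),
    (3, "10.0.0.3", "VULN-A"),
    (4, "10.0.0.4", "VULN-B"),
]

def correlate(alerts, va_report):
    """Keep alerts whose target the VA data lists as vulnerable; drop the rest."""
    kept, dropped = [], []
    for alert in alerts:
        _, host, vuln = alert
        (kept if va_report.get((host, vuln), False) else dropped).append(alert)
    return kept, dropped

def score(alerts, va_report, truth):
    """Count how VA errors surface in the filtered alert stream."""
    kept, dropped = correlate(alerts, va_report)
    return {
        "escalated_correctly": sum(truth[(h, v)] for _, h, v in kept),
        "escalated_needlessly": sum(not truth[(h, v)] for _, h, v in kept),   # VA FP
        "suppressed_real_attack": sum(truth[(h, v)] for _, h, v in dropped),  # VA FN
        "suppressed_correctly": sum(not truth[(h, v)] for _, h, v in dropped),
    }

if __name__ == "__main__":
    print("with this VA report:", score(IDS_ALERTS, VA_REPORT, GROUND_TRUTH))
    print("with accurate VA:   ", score(IDS_ALERTS, GROUND_TRUTH, GROUND_TRUTH))
```

With the inaccurate report, the one alert the filter drops is a real attack on a vulnerable host, while two of the three alerts it escalates target hosts that are not exploitable.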