IDS mailing list archives
RE: IDS is dead, etc
From: "Craig H. Rowland" <crowland () cisco com>
Date: Mon, 23 Jun 2003 09:59:12 -0500
Hi Giles,

On 6/19/03 6:52 PM, "Giles Coochey" <giles () coochey net> wrote:

> On Thursday 19 June 2003 4:57 pm, Martin Roesch wrote:
>
> > So, is there any way to make the quality of data coming out of the IDS higher while at the same time diminishing the amount of information generated? We've been talking about this exact topic on this list since 1999 on and off and I think all the IDS vendors have ideas how to achieve this goal by integrating network maps and host/service identification into the IDS's world view. If those ideas should actually make their way to market, would that make the systems more useful? I believe so. (At this point I usually pitch Sourcefire, but I'll spare you all.)
>
> I would love to see a fingerprinting tool that identified the client and server Operating System / Application and reduced the priority of alerts for false positives when it is known that the system is not vulnerable. The alerts still flag, so we see the drive-by shootings, but as their priority is reduced they are less significant. Anyone got any development ideas on this front?
We produced a product called ClearResponse at Psionic that was released in July 2002 that does this exact thing. We were acquired by Cisco in October 2002 and the product was renamed Cisco ThreatResponse.

ThreatResponse works dynamically on a network with no prior network knowledge and doesn't rely on a pre-defined static database. Also, it collects forensic evidence from the impacted host in real time, so if you see an escalated attack you can go to the GUI and view the actual logs/data from the targeted system and look for yourself at what happened (we'll grab logs in about 1-2 seconds after the alarm is seen). This means an attacker has almost zero time to go onto the box and tamper with logs before they are copied.

We recently released version 2.0 of the product and it supports both the Cisco IDS and ISS IDS sensors in a single GUI. Using this product can significantly reduce alarms from Cisco and ISS sensors. I'm not going to do too much plugging; you can read more about it here:

http://www.cisco.com/en/US/products/sw/secursw/ps5054/index.html

..and it's freely available...

--
Craig
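What Giles asks for above, a fingerprinter that learns each host's OS from its own traffic and then demotes (never drops) alerts whose target is known not to be vulnerable, fits in a few dozen lines. The block below is an added example written for this archive page; it is not code from the thread and not Psionic's or Cisco's product. The TTL/window signature table is a deliberately tiny p0f-style heuristic (an assumption for illustration), and every packet observation, alert name and "affects" set is constructed sample data.

```python
"""Passive OS fingerprint + alert demotion.

Added example, not code from the thread or from ClearResponse/ThreatResponse.
The signature table is a deliberately small p0f-style heuristic (assumption);
all packets and alerts below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, replace

# (initial TTL, TCP window) -> OS family. Heuristic assumption for illustration;
# a real tool uses hundreds of signatures and more fields (options, MSS, DF bit).
SIGNATURES = {
    (128, 65535): "windows",
    (128, 16384): "windows",
    (128, 8192): "windows",
    (64, 5840): "linux",
    (64, 29200): "linux",
    (64, 65535): "unix",
}
# If the window is unfamiliar, fall back to the initial TTL alone.
TTL_FALLBACK = {64: "unix", 128: "windows"}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value.

    The sender started at one of 32/64/128/255 and each hop decremented it,
    so the observed value is that initial minus the path length."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def guess_os(ttl, window):
    init = initial_ttl(ttl)
    return SIGNATURES.get((init, window)) or TTL_FALLBACK.get(init, "unknown")


def build_inventory(observations):
    """observations: (src_ip, ttl, tcp_window) triples taken from SYN packets.

    Majority vote per host so a single odd packet does not flip the guess."""
    votes = defaultdict(Counter)
    for ip, ttl, window in observations:
        votes[ip][guess_os(ttl, window)] += 1
    return {ip: c.most_common(1)[0][0] for ip, c in votes.items()}


@dataclass(frozen=True)
class Alert:
    signature: str
    dst: str
    affects: frozenset   # OS families the attack can actually harm
    priority: int        # 1 = highest, as most consoles rank them
    note: str = ""


def reprioritize(alerts, inventory, demote_to=3):
    """Keep every alert (the drive-by shootings stay visible) but demote
    those whose target is known to run something the signature cannot hurt.
    Unknown hosts keep their priority: no evidence is not evidence of safety."""
    out = []
    for a in alerts:
        family = inventory.get(a.dst, "unknown")
        if family == "unknown":
            out.append(replace(a, note="target OS unknown; priority kept"))
        elif family in a.affects:
            out.append(replace(a, note=f"target is {family}; likely applicable"))
        else:
            out.append(replace(a, priority=max(a.priority, demote_to),
                               note=f"target is {family}, not in {sorted(a.affects)}; demoted"))
    return out


# Constructed sample traffic: two Windows-looking SYNs from .5, Linux from .7,
# an unfamiliar window from .9 (TTL fallback), nothing at all from .42.
OBSERVATIONS = [
    ("10.0.0.5", 126, 65535),
    ("10.0.0.5", 125, 65535),
    ("10.0.0.7", 62, 5840),
    ("10.0.0.9", 60, 4242),
]

# Constructed alerts; signature names and 'affects' sets are illustrative.
ALERTS = [
    Alert("WEB-IIS cmd.exe access", "10.0.0.7", frozenset({"windows"}), 1),
    Alert("WEB-IIS cmd.exe access", "10.0.0.5", frozenset({"windows"}), 1),
    Alert("SHELLCODE x86 NOOP", "10.0.0.42", frozenset({"windows", "linux", "unix"}), 2),
]

if __name__ == "__main__":
    inventory = build_inventory(OBSERVATIONS)
    for a in reprioritize(ALERTS, inventory):
        print(f"P{a.priority} {a.dst:10} {a.signature:24} {a.note}")
```

Two design points matter more than the signature table. First, the inventory is built from the hosts' own packets with no prior network knowledge, which is the property Craig claims for ThreatResponse and the reason a static asset database goes stale. Second, an alert against a host the sensor has never profiled is left at its original priority; demoting on missing data would turn the fingerprinter into a way for an attacker to hide by targeting quiet hosts.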
Current thread:
- IDS is dead, etc Martin Roesch (Jun 19)
- RE: IDS is dead, etc Roger A. Grimes (Jun 22)
- Re: IDS is dead, etc Lance Spitzner (Jun 22)
- Re: IDS is dead, etc Martin Roesch (Jun 22)
- Re: IDS is dead, etc Dragos Ruiu (Jun 23)
- Re: IDS is dead, etc Martin Roesch (Jun 22)
- Re: IDS is dead, etc roy lo (Jun 22)
- <Possible follow-ups>
- Re: IDS is dead, etc broyds (Jun 22)
- Re: IDS is dead, etc belka (Jun 22)
- Re: IDS is dead, etc Martin Roesch (Jun 22)
- RE: IDS is dead, etc Craig H. Rowland (Jun 23)
- RE: IDS is dead, etc Paul Schmehl (Jun 25)
- RE: IDS is dead, etc Craig H. Rowland (Jun 25)
- RE: IDS is dead, etc Ron Gula (Jun 25)
- RE: IDS is dead, etc Craig H. Rowland (Jun 23)
- Re: IDS is dead, etc Andrew Plato (Jun 25)