IDS mailing list archives
RE: Views and Correlation in Intrusion Detection
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 26 Jun 2003 14:17:15 -0500
The biggest problem with VA scanners is determining what *really is* a vulnerability. In some cases the scanner just looks at a banner and says something like - oh, this is running WuFTPD. That's obviously bad - when in reality the box is patched to current and not vulnerable.
The other biggest gripe I have is the warnings about stuff like NetBIOS. Yes, we allow that inside our network! And I really don't want to know that it's a weakness. We block it at the edge. Now, if a Windows box is missing a patch or a service pack, *that* I would like to know, but very few VAs that I've seen, tried or read about will do that.
They generate a ream of reports - there's no doubt about that, but again it's the problem of information overload. I really don't have time to read through 1700 pages of warnings. Just tell me the boxes that aren't patched and are therefore vulnerable.
At least highlight the serious stuff for me so I can concentrate on the biggest problems first.
If you're going to tie in current VA technology with current IDS technology and correlate the information, I suspect it's going to be more useful than what we presently have but a lot less useful than it *should* be.
ISTM that *somebody* in the vendor community ought to be getting the message that what we need is something that will tell us where the major risks are and what they are. If I *knew* where every unpatched box was, I could fix the problem - at least I'd know what the problem was and where it was located. If I *knew* that an IMAP buffer overflow attack was hitting a box running a vulnerable version of Wu-IMAPD, then I wouldn't mind getting a page and getting up in the middle of the night.
The best tools that I have in my arsenal right now are the SQLScan utility from Foundstone and Shareenum from sysinternals. At least with those I know exactly where a problem is and what to do about it. I run those every week, and it helps to keep our network problems to a minimum.
Too much of security work is still manual labor and massive amounts of reading.
--On Wednesday, June 25, 2003 11:40:49 AM -0400 Ron Gula <rgula () tenablesecurity com> wrote:
> This is exactly what the Lightning Console does. In addition, the console also 'knows' who owns the targeted systems and can send an alert to the affected end users when an IDS event targets a vulnerable server. The big issue I have with VA/IDS correlation is the accuracy of the underlying VA database. If you are just scanning once a quarter or even once a month, this VA database can get out of date fast. Our approach is to use distributed scanning (multiple, tiered Nessus scanners) so you can scan a class B in hours. We also are BETA testing a passive vulnerability scanner which determines vulnerabilities and topology changes from watching network sessions.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
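The thread above describes what VA/IDS correlation should do: page someone only when an IDS event hits a host the scanner has actually confirmed is vulnerable, stay quiet when the host is patched, and distrust scan data that is stale or based on nothing more than a banner. The following Python is an added example written for this page, not code from the post, from Tenable, or from any of the tools mentioned; the host names, signature names, vulnerability tags and scan timestamps are constructed sample data, and the signature-to-vulnerability mapping is an assumption standing in for whatever a real product would carry.

```python
"""Minimal IDS/VA correlator (added example with constructed sample data).

Verdicts:
  page   - target is verified vulnerable to what the signature exploits
  review - cannot decide: unknown host, stale scan, banner-only evidence,
           or a signature with no vulnerability mapping
  log    - target is not vulnerable to this attack; record and move on
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Verdict(str, Enum):
    PAGE = "page"
    REVIEW = "review"
    LOG = "log"


@dataclass(frozen=True)
class Finding:
    vuln: str       # vulnerability tag as reported by the scanner (constructed names)
    evidence: str   # "banner" (guessed from a banner) or "verified" (version/patch checked)


@dataclass
class HostRecord:
    host: str
    findings: tuple     # tuple of Finding
    scanned_at: datetime


@dataclass(frozen=True)
class IdsEvent:
    src: str
    dst: str
    dst_port: int
    signature: str
    seen_at: datetime


# Assumed mapping from IDS signature name to the vulnerability tag it exploits.
SIGNATURE_TO_VULN = {
    "IMAP login buffer overflow": "imapd-login-overflow",
    "FTP SITE EXEC overflow": "ftpd-site-exec-overflow",
    "SMB null session enumeration": "smb-null-session",
}

# Scan data older than this is treated as unreliable (Ron Gula's point about
# VA databases going out of date).
MAX_SCAN_AGE = timedelta(days=7)


def correlate(event, inventory, now, max_age=MAX_SCAN_AGE):
    """Return (verdict, reason) for one IDS event checked against the VA inventory."""
    needed = SIGNATURE_TO_VULN.get(event.signature)
    if needed is None:
        return Verdict.REVIEW, "no vulnerability mapping for signature"
    record = inventory.get(event.dst)
    if record is None:
        return Verdict.REVIEW, "target not in VA inventory"
    if now - record.scanned_at > max_age:
        return Verdict.REVIEW, "VA data stale"
    matching = [f for f in record.findings if f.vuln == needed]
    if not matching:
        return Verdict.LOG, "target not vulnerable"
    # A banner match alone is exactly the false positive Paul complains about:
    # the box may be patched to current even though the banner looks old.
    if all(f.evidence == "banner" for f in matching):
        return Verdict.REVIEW, "banner-only finding"
    return Verdict.PAGE, "target verified vulnerable"


def triage(events, inventory, now):
    """Correlate a batch of events and group them by verdict, most urgent first."""
    grouped = {Verdict.PAGE: [], Verdict.REVIEW: [], Verdict.LOG: []}
    for ev in events:
        verdict, reason = correlate(ev, inventory, now)
        grouped[verdict].append((ev, reason))
    return grouped


# Constructed sample inventory and IDS events.
NOW = datetime(2003, 6, 26, 14, 0)
INVENTORY = {
    "mail1": HostRecord("mail1", (Finding("imapd-login-overflow", "verified"),), NOW - timedelta(days=1)),
    "ftp1": HostRecord("ftp1", (Finding("ftpd-site-exec-overflow", "banner"),), NOW - timedelta(days=2)),
    "ws42": HostRecord("ws42", (Finding("smb-null-session", "verified"),), NOW - timedelta(days=40)),
    "web1": HostRecord("web1", (), NOW - timedelta(days=1)),
}
EVENTS = [
    IdsEvent("10.9.8.7", "mail1", 143, "IMAP login buffer overflow", NOW),
    IdsEvent("10.9.8.7", "ftp1", 21, "FTP SITE EXEC overflow", NOW),
    IdsEvent("10.9.8.7", "ws42", 445, "SMB null session enumeration", NOW),
    IdsEvent("10.9.8.7", "web1", 143, "IMAP login buffer overflow", NOW),
    IdsEvent("10.9.8.7", "db9", 1433, "SQL stack overflow", NOW),
]

if __name__ == "__main__":
    for verdict, items in triage(EVENTS, INVENTORY, NOW).items():
        for ev, reason in items:
            print(f"{verdict.value:6} {ev.dst:6} {ev.signature:30} {reason}")
```

Run as written, only the IMAP event against mail1 produces a page; the banner-only FTP finding, the 40-day-old workstation scan and the unmapped signature all land in the review bucket rather than waking anyone up, and the event against the patched web host is merely logged. The stale-data threshold and the evidence levels are the two knobs that decide how much of the "ream of reports" turns into a page.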