IDS mailing list archives
RE: Cisco CTR
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 7 Nov 2003 13:07:58 -0500
Just because it can be envisioned doesn't mean that the application is worthless. There are things that can be envisioned that have the same relevance to firewalls, IDS, antivirus, IPS, and honeypots/nets. But just because something isn't a magic bullet doesn't mean it has no value or purpose. Each individual case requires thought about tradeoffs. In this case, the risk of someone managing to auto-patch an exploit in band with the exploit itself may well be outweighed by the minimizing of alerts on futile attacks; it comes down to the policies and priorities of the end user.
-----Original Message-----
From: Michael Marziani [mailto:marziani () oasis com]
Sent: Friday, November 07, 2003 11:29 AM
To: Rob Shein; 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR

> -----Original Message-----
> From: Rob Shein [mailto:shoten () starpower net]
>
> There's nothing unsubstantiated about it at all. Look at the code for
> some of the exploits, actually READ the code.

Do you honestly think that all the intrusion apps hackers write and use are easily available? Malicious hackers almost never share their trade secrets.

> in most situations. The true definition of "immediately," meaning "without
> delay," does not apply here. There is a delay, and while it can be very
> short, it is far longer than that of CTR's response, which truly is
> immediate.

So you can't envision any circumstance in which the Cisco CTR could be bogged down just long enough to allow a patch to occur, or even easier, for the hacking program to take over the port it just came in through and fake the response that the patched program would give (i.e. exploit an apache flaw, get root, shut down apache and run a tiny custom daemon app in its place which advertises a version of apache without the flaw)? I just pulled this off the top of my head; do you think hackers can't come up with something even better?

I'm not slamming any product or offering like the Cisco CTR. These are very good products and protect in ways that few if any previous systems can. I'm just saying that no system is bulletproof and we should never underestimate the opposition.

-Michael

-----Original Message-----
From: Michael Marziani [mailto:marziani () oasis com]
Sent: Friday, November 07, 2003 10:47 AM
To: Rob Shein; 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR

> -----Original Message-----
> From: Rob Shein [mailto:shoten () starpower net]
>
> Yes, but nobody patches it THAT quickly. CTR acts immediately, not a
> half-hour later...it would have started scanning by the time the hacker
> at the other end notices that he has a shell...

Please don't make unsubstantiated blanket statements like that. Hackers are skilled sysadmins and programmers who create packaged hacking tools that not only search for and exploit flaws to get them onto a system, but also install programs, disable security features, and yes, patch servers *immediately* once they get inside. A system like Cisco CTR might very well detect the attack before the hacker's program has time to patch, but that all depends on how good the hacker's program is, the state of the network, etc. I'd like to see the results of a live test of such an event.

If this type of attack can succeed as I think it could, I think a solution would be for the IDS to keep a record of the patch levels of every system in the network and allow those patch levels to be updated only through an administrative interface (requiring additional authentication and of course increasing the administrative workload). Then the system wouldn't be fooled by this technique.

-Michael

Michael Marziani
IT Consultant
Entercede Consulting, Inc.

-----Original Message-----
From: Gary Flynn [mailto:flynngn () jmu edu]
Sent: Thursday, November 06, 2003 5:58 PM
To: Rob Shein
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: Re: Cisco CTR

Rob Shein wrote:
> I think this largely relates to the earlier discussion about how there
> is a difference between a "false positive" and an actual attack that
> fails to succeed. Ask yourself this: are you going to want to know about
> all attacks or just those that have a chance of success? If someone
> throws IIS attacks at your apache web server, do you want to know about
> it...or do you want to wait until they start using apache-compatible
> exploits?

There's a good summary of what CTR does here:
http://www.cisco.com/en/US/products/sw/secursw/ps5054/

Another thing to think about - some folks have a habit of patching the hole they came in through. Just because a vulnerability scan shows no vulnerability it does not mean an attack was unsuccessful.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4. ---------------------------------------------------------------------------
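Editor's added example, not code from this thread, from Cisco CTR or from any of the posters. The disagreement above is about a post-attack verification step: after the IDS sees an exploit, the target is checked to decide whether the attack could have succeeded, and futile attacks (IIS exploits against Apache, exploits against an already-patched daemon) are de-prioritised. Marziani's objection is that an attacker who already has root can patch the box, or replace the daemon with a stub that advertises a fixed version, before that check runs, and Flynn's caveat is that a clean scan is therefore not proof the attack failed. Marziani's proposed countermeasure is to keep an administrator-maintained record of each host's patch level and treat the host's own claim as untrusted. The script below models both checks side by side. Everything in it is constructed: the host names, the Server banners, the "fixed in 1.3.29" threshold (a hypothetical advisory, not a real one) and the function names are all assumptions for the sake of the demonstration.

```python
"""Added example (not from the thread or from Cisco CTR): a naive
banner-trusting verification check versus a check that cross-references an
administrator-maintained patch inventory. All hosts, banners and the
fixed-in version are constructed for this example."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]
Inventory = Dict[str, Tuple[str, Version]]   # host -> (product, version recorded by an admin)

# Hypothetical advisory data, constructed for this example only: the
# signature that fired targets "apache" and the flaw is assumed fixed in 1.3.29.
FIX_VERSION: Dict[str, Version] = {"apache": (1, 3, 29)}

_BANNER_RE = re.compile(r"^Server:\s*([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", re.I)


def parse_banner(banner: str) -> Optional[Tuple[str, Version]]:
    """'Server: Apache/1.3.27 (Unix)' -> ('apache', (1, 3, 27)); None if unparseable."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def banner_verdict(product: str, banner: str) -> str:
    """Naive verification: believe whatever the target advertises right now."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "UNPARSEABLE"
    seen_product, seen_version = parsed
    if seen_product != product:
        return "NOT_APPLICABLE"          # e.g. an IIS exploit thrown at an Apache box
    fix = FIX_VERSION.get(product)
    if fix is None:
        return "UNKNOWN_ADVISORY"
    return "VULNERABLE" if seen_version < fix else "NOT_VULNERABLE"


def inventory_verdict(host: str, product: str, banner: str, inventory: Inventory) -> str:
    """Verification against the admin-maintained record. Any disagreement
    between what the host says and what the record says is itself an alert:
    the only sanctioned way to change the record is the management
    interface, so a banner that is suddenly newer than the record looks
    exactly like the post-exploitation patch-it-or-fake-it trick."""
    entry = inventory.get(host)
    if entry is None:
        return "UNKNOWN_HOST"
    rec_product, rec_version = entry
    parsed = parse_banner(banner)
    if parsed is None or parsed != (rec_product, rec_version):
        return "MISMATCH"
    if rec_product != product:
        return "NOT_APPLICABLE"
    fix = FIX_VERSION.get(product)
    if fix is None:
        return "UNKNOWN_ADVISORY"
    return "VULNERABLE" if rec_version < fix else "NOT_VULNERABLE"


def assess(host: str, product: str, banner: str, inventory: Inventory) -> Dict[str, str]:
    """Run both checks for one attack event so the verdicts can be compared."""
    return {
        "banner": banner_verdict(product, banner),
        "inventory": inventory_verdict(host, product, banner, inventory),
    }


# Constructed scenario: web1 was running a vulnerable Apache when the exploit
# fired; the attacker then swapped in a stub that claims a fixed version.
# web2 really is patched, and the admin record says so.
INVENTORY: Inventory = {
    "web1": ("apache", (1, 3, 27)),
    "web2": ("apache", (1, 3, 29)),
}
BANNER_BEFORE = "Server: Apache/1.3.27 (Unix)"
BANNER_SPOOFED = "Server: Apache/1.3.29 (Unix)"   # what the attacker's stub daemon answers


def demo() -> Dict[str, Dict[str, str]]:
    return {
        "web1_before_patch": assess("web1", "apache", BANNER_BEFORE, INVENTORY),
        "web1_after_spoof": assess("web1", "apache", BANNER_SPOOFED, INVENTORY),
        "web2_really_patched": assess("web2", "apache", BANNER_SPOOFED, INVENTORY),
        "web1_iis_exploit": assess("web1", "iis", BANNER_BEFORE, INVENTORY),
    }


if __name__ == "__main__":
    for case, verdicts in demo().items():
        print(f"{case:20s} banner={verdicts['banner']:15s} inventory={verdicts['inventory']}")
```

The interesting row is web1_after_spoof: the banner-trusting check reports NOT_VULNERABLE and would suppress the alert, while the inventory check reports MISMATCH, because nobody recorded an upgrade of web1 through the management interface. The inventory approach only helps if the record is actually kept current and the alert on MISMATCH is treated as an escalation rather than noise; it also says nothing about an attacker who patches the real binary while leaving the advertised version alone, which is one more reason a clean post-attack scan should never be read as proof that the attack failed.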
Current thread:
- Cisco CTR Liran Chen (Nov 06)
- RE: Cisco CTR Rob Shein (Nov 06)
- Re: Cisco CTR Gary Flynn (Nov 07)
- RE: Cisco CTR Rob Shein (Nov 07)
- RE: Cisco CTR Michael Marziani (Nov 07)
- RE: Cisco CTR Rob Shein (Nov 07)
- RE: Cisco CTR Michael Marziani (Nov 07)
- RE: Cisco CTR Rob Shein (Nov 07)
- Re: Cisco CTR Renaud Deraison (Nov 10)
- Re: Cisco CTR Gary Flynn (Nov 07)
- RE: Cisco CTR Gary Halleen (Nov 07)
- RE: Cisco CTR Michael Marziani (Nov 10)
- RE: Cisco CTR Chad R. Skipper (Nov 10)
- RE: Cisco CTR Rob Shein (Nov 06)
- Re: Cisco CTR Joe Bowling (Nov 10)
- RE: Cisco CTR Alan Shimel (Nov 10)
- Re: Cisco CTR John Lampe (Nov 10)
- <Possible follow-ups>
- RE: Cisco CTR John Petropoulos (Nov 07)