IDS mailing list archives

RE: Cisco CTR


From: "Chad R. Skipper" <cskipper () cisco com>
Date: Fri, 7 Nov 2003 13:26:42 -0600

CTR deals with this by only keeping the results of its Level 2
investigations for a 5 minute period.  If you are attacked and CTR scans
the end host for a particular patch that mitigates that attack and verifies
that the patch is not resident on the machine then it will report
accordingly.  The CTR administrator has options at this point.  They can
patch the machine and then manually run the agent that detects the patch.
By manually running an agent against a machine CTR will ignore the cached
results.

The CTR administrator can also wait for the attack to hit the target once
more and if it is 5 minutes after the previous Level 2 investigation then
CTR will run the Level 2 agents against the target.

When dealing with DHCP, CTR can be configured within the Config->Protected
Systems->Protected Hosts to "Remember" the results of an OS Scan from 0
seconds to hours. 

I hope this helps.

Chad
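To make the 5-minute window Chad describes concrete, here is an added Python simulation (not Cisco code, and not CTR's actual implementation) of a Level 2 result cache with the behaviours named above: cached results served inside the window, a manual agent run bypassing the cache, and a re-run once 5 minutes have elapsed. The host address, patch name and the assumption that a manual run also refreshes the cache timestamp are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

LEVEL2_TTL_SECONDS = 5 * 60  # CTR keeps Level 2 results for 5 minutes (per the thread)


@dataclass
class Level2Cache:
    """Caches the outcome of a Level 2 patch check per (host, patch) for a fixed window."""
    ttl: int = LEVEL2_TTL_SECONDS
    entries: Dict[Tuple[str, str], Tuple[float, bool]] = field(default_factory=dict)

    def investigate(self, host: str, patch: str, now: float,
                    run_agent: Callable[[str, str], bool],
                    manual: bool = False) -> Tuple[bool, bool]:
        """Return (patch_present, served_from_cache).

        A manual run ignores the cached result, as described in the thread.
        Assumption: a manual run also refreshes the cache timestamp.
        """
        key = (host, patch)
        hit = self.entries.get(key)
        if not manual and hit is not None and now - hit[0] < self.ttl:
            return hit[1], True
        present = run_agent(host, patch)
        self.entries[key] = (now, present)
        return present, False


def simulate_timeline() -> List[Tuple[str, bool, bool]]:
    """Constructed scenario showing the staleness window raised in the thread."""
    host_patches = {"10.0.0.5": set()}  # constructed sample host, patch not installed

    def run_agent(host: str, patch: str) -> bool:
        # Stand-in for the Level 2 agent: reports whether the patch is on the host.
        return patch in host_patches[host]

    cache = Level2Cache()
    log = []
    # t=0: attack seen; agent finds the mitigating patch missing -> reported vulnerable
    present, cached = cache.investigate("10.0.0.5", "PATCH-X", 0, run_agent)
    log.append(("t=0 attack", present, cached))
    host_patches["10.0.0.5"].add("PATCH-X")  # t=120: administrator installs the patch
    # t=180: same attack inside the 5-minute window -> cached result, now stale
    present, cached = cache.investigate("10.0.0.5", "PATCH-X", 180, run_agent)
    log.append(("t=180 attack", present, cached))
    # t=200: administrator runs the agent by hand -> cache bypassed, fresh result
    present, cached = cache.investigate("10.0.0.5", "PATCH-X", 200, run_agent, manual=True)
    log.append(("t=200 manual", present, cached))
    # t=520: attack again, more than 5 minutes after the last run -> agent re-run
    present, cached = cache.investigate("10.0.0.5", "PATCH-X", 520, run_agent)
    log.append(("t=520 attack", present, cached))
    return log
```

The second log entry is the stale case: the host is already patched, but within the window CTR would still report it as unpatched until the agent is run manually or the window expires.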




In that case, though, you're using stagnant information.  How would this be
kept accurate in an environment when users patch their computers, or when IP
addresses change due to DHCP?

Gary


-----Original Message-----
If this type of attack can succeed as I think it could, I think a
solution would be for the IDS to keep a record of the patch levels of
every system in the network and allow those patch levels to be updated
only through an administrative interface (requiring additional
authentication and of course increasing the administrative workload).
Then the system wouldn't be fooled by this technique.

-Michael




---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at
the largest, most highly-anticipated industry event of the year. Don't miss
RSA Conference 2004! Choose from over 200 class sessions and see demos from
more than 250 industry vendors. If your job touches security, you need to be
here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------
