IDS mailing list archives
Re: Cisco CTR
From: "John Lampe" <jwlampe () aceryder com>
Date: Fri, 7 Nov 2003 15:27:15 -0500
Hi Gary, sorry for top-post.... I really only have questions:

1) When the IDS sees the traffic from A destined for B, how does CTR determine that the packet would actually reach B? That is, if the packet from A would never actually reach B, but is seen by the IDS, then the entire attack (I say "attack", as the most dangerous portion of a vulnerability scan can sometimes be the portscanning portion) against B may be carried out by CTR. Phrased another way, how do you deal with UDP attacks?

2) There's a lot of 'grey area' here. Namely, how do you deal with an attack against a machine where you may know the OS but cannot possibly ascertain a patch level with a fingerprint scan? Is the default to scan or not during these instances?

3) So, for Windows machines, your product would require some sort of domain rights on the Enterprise Windows machines?

4) How do you protect yourselves from honeypots (labrea jumps to mind)? That is, if your CTR launches 50 nmap scans against tarpitted (specific example) IPs, you may be opening yourself up for a backward DoS.

./John

----- Original Message -----
From: "Gary Halleen" <ghalleen () cisco com>
To: "'Liran Chen'" <liranil () optonline net>; <focus-ids () securityfocus com>
Sent: Friday, November 07, 2003 1:34 PM
Subject: RE: Cisco CTR
Liran,

The false positive rate will vary depending on how the IDS is tuned if you're not using CTR. With CTR we estimate your false positives will drop by between 70 and 95%, depending on the configuration and your environment.

Cisco ThreatResponse (CTR) is a tool that does several things. First, it performs a just-in-time NMAP scan with OS guess to determine the operating system and version of the target machine. This information is cached for a short period of time to help prevent causing your own DoS. By performing the scan when needed, we are able to prevent using stagnant information and are friendly in a DHCP environment. The data gathered is used for some initial decision making (is this host potentially vulnerable to this attack?). The severity of the alert is modified according to the decision.

If the host is not vulnerable, then the alert is either removed or reduced in severity; this is your choice. If the host IS potentially vulnerable, and the target is running Windows, then if enabled, the CTR console can perform an additional layer of analysis. In this case, the CTR console can retrieve forensic data from the target host to determine whether or not an attack was effective.

Gary

-----Original Message-----
From: Liran Chen [mailto:liranil () optonline net]
Sent: Thursday, November 06, 2003 12:41 PM
To: focus-ids () securityfocus com
Subject: Cisco CTR

Hi all,

I am looking into adding some IDS blades from Cisco into my Catalyst environment. The Cisco rep suggested complementing that solution with CTR to reduce the FP (False Positives). This statement raises several questions:

1. What is the FP ratio when you compare Cisco IDS to other IDS vendors?
2. Is CTR a kind of Nessus or NMAP that checks the offended host?

Does anyone have good/bad experience with this CTR solution?

Thanks

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4.
---------------------------------------------------------------------------
Current thread:
- RE: Cisco CTR, (continued)
- RE: Cisco CTR Rob Shein (Nov 07)
- RE: Cisco CTR Michael Marziani (Nov 07)
- RE: Cisco CTR Rob Shein (Nov 07)
- Re: Cisco CTR Renaud Deraison (Nov 10)
- RE: Cisco CTR Gary Halleen (Nov 07)
- RE: Cisco CTR Michael Marziani (Nov 10)
- RE: Cisco CTR Chad R. Skipper (Nov 10)
- Re: Cisco CTR Joe Bowling (Nov 10)
- RE: Cisco CTR Alan Shimel (Nov 10)
- Re: Cisco CTR John Lampe (Nov 10)
- Re: Cisco CTR Joe Bowling (Nov 12)
- Re: Cisco CTR Ron Gula (Nov 13)
- Re: Cisco CTR John Lampe (Nov 13)
- Re: Cisco CTR Martin Roesch (Nov 17)
- Re: Cisco CTR Ron Gula (Nov 17)
- Re: Cisco CTR Martin Roesch (Nov 17)
- Re: Cisco CTR Ron Gula (Nov 17)