IDS mailing list archives
Re: Cisco CTR
From: "Joe Bowling" <joebowling () comcast net>
Date: Tue, 11 Nov 2003 00:26:01 -0500
The RNA runs on its own box; all it does is listen... so even if it dropped a packet in a stream it wouldn't matter.... It's not matching signatures... it's fingerprinting OSs and apps. The demo I saw of it rocked the house.... 'cause it fingerprints not only your internal network but also everyone you talk to on your "external" network..... Let's just say you will discover some interesting things out there (IIS version 3.0).

----- Original Message -----
From: <liranil () optonline net>
To: "Joe Bowling" <joebowling () comcast net>
Cc: <focus-ids () securityfocus com>
Sent: Monday, November 10, 2003 10:00 PM
Subject: Re: Cisco CTR
Hey Joe, yes... I have heard about passive monitoring. My concern is that it will reduce the performance of the sensor due to the new forensics job that the RNA architecture will imply.

What are your thoughts?

----- Original Message -----
From: Joe Bowling <joebowling () comcast net>
Date: Saturday, November 8, 2003 1:06 am
Subject: Re: Cisco CTR

You will love the new RNA technology that Sourcefire is coming out with in December.

----- Original Message -----
From: "Michael Marziani" <marziani () oasis com>
To: "Rob Shein" <shoten () starpower net>; "'Gary Flynn'" <flynngn () jmu edu>
Cc: "'Liran Chen'" <liranil () optonline net>; <focus-ids () securityfocus com>
Sent: Friday, November 07, 2003 10:47 AM
Subject: RE: Cisco CTR

-----Original Message-----
From: Rob Shein [shoten () starpower net]

> Yes, but nobody patches it THAT quickly. CTR acts immediately, not a half-hour later... it would have started scanning by the time the hacker at the other end notices that he has a shell...

Please don't make unsubstantiated blanket statements like that. Hackers are skilled sysadmins and programmers who create packaged hacking tools that not only search for and exploit flaws to get them onto a system, but also install programs, disable security features, and yes, patch servers *immediately* once they get inside.

A system like Cisco CTR might very well detect the attack before the hacker's program has time to patch, but that all depends on how good the hacker's program is, the state of the network, etc. I'd like to see the results of a live test of such an event.
If this type of attack can succeed as I think it could, I think a solution would be for the IDS to keep a record of the patch levels of every system in the network and allow those patch levels to be updated only through an administrative interface (requiring additional authentication and of course increasing the administrative workload). Then the system wouldn't be fooled by this technique.

-Michael

Michael Marziani
IT Consultant
Entercede Consulting, Inc.

-----Original Message-----
From: Gary Flynn [flynngn () jmu edu]
Sent: Thursday, November 06, 2003 5:58 PM
To: Rob Shein
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: Re: Cisco CTR

Rob Shein wrote:
> I think this largely relates to the earlier discussion about how there is a difference between a "false positive" and an actual attack that fails to succeed. Ask yourself this: are you going to want to know about all attacks or just those that have a chance of success? If someone throws IIS attacks at your Apache web server, do you want to know about it... or do you want to wait until they start using Apache-compatible exploits? There's a good summary of what CTR does here: http://www.cisco.com/en/US/products/sw/secursw/ps5054/

Another thing to think about - some folks have a habit of patching the hole they came in through. Just because a vulnerability scan shows no vulnerability it does not mean an attack was unsuccessful.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here.
Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4.
---------------------------------------------------------------------------
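Marziani's suggestion of an administratively maintained patch record, combined with Flynn's warning that a clean post-attack scan proves nothing, sketched as a small Python model. This is an added example written for this archive page, not code from any product or from anyone in the thread; the `PatchInventory` and `triage` names and all hosts, vulnerability ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Alert:
    host: str
    vuln_id: str
    seen_at: datetime

class PatchInventory:
    """Authoritative patch-level record, maintained separately from any live scan."""
    def __init__(self):
        self._patched = {}  # (host, vuln id) -> datetime the admin recorded the patch

    def admin_mark_patched(self, host, vuln_id, when, authenticated):
        # Marziani's extra authentication step: nothing on the monitored host
        # itself can rewrite the record, only an authenticated admin can.
        if not authenticated:
            raise PermissionError("patch state may only be changed by an admin")
        self._patched[(host, vuln_id)] = when

    def was_vulnerable(self, host, vuln_id, at):
        patched_at = self._patched.get((host, vuln_id))
        if patched_at is None:
            return True  # no recorded fix: assume the hole was open
        return patched_at > at  # a patch applied after the attack does not help

def triage(alert, inventory, live_scan_vulnerable):
    """Rate an alert from the admin record. live_scan_vulnerable is the result
    of a CTR-style scan run after the alert, or None if no scan was run."""
    if not inventory.was_vulnerable(alert.host, alert.vuln_id, alert.seen_at):
        return "low: patched per admin record before the attack"
    if live_scan_vulnerable is False:
        # Flynn's point: a clean scan after the fact proves nothing
        return "high: unpatched per record but scan is clean, possible attacker patching"
    return "high: vulnerable per admin record"

def demo():
    """Constructed sample data; hosts, vuln ids and dates are made up."""
    inv = PatchInventory()
    inv.admin_mark_patched("web1", "VULN-0001", datetime(2003, 11, 5), authenticated=True)
    a1 = Alert("web1", "VULN-0001", datetime(2003, 11, 6, 14, 0))
    a2 = Alert("web2", "VULN-0001", datetime(2003, 11, 6, 14, 5))
    return (triage(a1, inv, None),   # patched the day before the attack
            triage(a2, inv, False),  # record says unpatched, scan now clean
            triage(a2, inv, True))   # record says unpatched, scan confirms
```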