Re: Cisco CTR

["Joe Bowling" <joebowling () comcast net>]

the RNA runs on its own box
all it does is listen...so even if it dropped a packet in a stream it
wouldnt matter....its not matching signatures...its fingerpringting OS's and
Apps.

the demo i saw of it rocked the house....cause it fingerprints not only your
internal network but also everyone you talk to on your "external"
network.....lets just say you will discover some interesting things out
there (IIS version 3.0)


----- Original Message ----- 
From: <liranil () optonline net>
To: "Joe Bowling" <joebowling () comcast net>
Cc: <focus-ids () securityfocus com>
Sent: Monday, November 10, 2003 10:00 PM
Subject: Re: Cisco CTR


> Hey Joe
>
> yes... I have heard about passive monitoring.
> My concern is that it will reduce the performance of the sensor due to the
new forensics job that the RNA archtecture will imply.
> What are your thouhgs?
> ----- Original Message -----
> From: Joe Bowling <joebowling () comcast net>
> Date: Saturday, November 8, 2003 1:06 am
> Subject: Re: Cisco CTR
>
> > You will love the new RNA technology that sourcefire is coming out
> > with in
> > December
> >
> >
> >
> > think a solution
> > > would be for the IDS to keep a record of the patch levels of
> > every system
> > in
> > > the network and allow those patch levels to be updated only
> > through an
> > > administrative interface (requiring additional authentication
> > and of
> > course
> > > increasing the administrative workload).  Then the system
> > wouldn't be
> > fooled
> > > by this technique.
> >
> >
> >
> >
> >
> >
> > ----- Original Message ----- 
> > From: "Michael Marziani" <marziani () oasis com>
> > To: "Rob Shein" <shoten () starpower net>; "'Gary Flynn'"
> > <flynngn () jmu edu>Cc: "'Liran Chen'" <liranil () optonline net>;
> > <focus-ids () securityfocus com>
> > Sent: Friday, November 07, 2003 10:47 AM
> > Subject: RE: Cisco CTR
> >
> >
> > > > -----Original Message-----
> > > > From: Rob Shein [shoten () starpower net]
> > > >
> > > > Yes, but nobody patches it THAT quickly.  CTR acts
> > immediately, not a
> > > > half-hour later...it would have started scanning by the time
> > the hacker
> > at
> > > > the other end notices that he has a shell...
> > >
> > > Please don't make unsubstantiated blanket statements like that.
> > Hackersare
> > > skilled sysadmins and programmers who create packaged hacking
> > tools that
> > not
> > > only search for and exploit flaws to get them onto a system, but
> > also> install programs, disable security features, and yes, patch
> > servers> *immediately* once they get inside.
> > > A system like Cisco CTR might very well detect the attack before the
> > > hacker's program has time to patch, but that all depends on how
> > good the
> > > hacker's program is, the state of the network, etc.  I'd like to
> > see the
> > > results of a live test of such an event.
> > >
> > > If this type of attack can succeed as I think it could, I think
> > a solution
> > > would be for the IDS to keep a record of the patch levels of
> > every system
> > in
> > > the network and allow those patch levels to be updated only
> > through an
> > > administrative interface (requiring additional authentication
> > and of
> > course
> > > increasing the administrative workload).  Then the system
> > wouldn't be
> > fooled
> > > by this technique.
> > >
> > > -Michael
> > >
> > > Michael Marziani
> > > IT Consultant
> > > Entercede Consulting, Inc.
> > >
> > > > > -----Original Message-----
> > > > > From: Gary Flynn [flynngn () jmu edu]
> > > > > Sent: Thursday, November 06, 2003 5:58 PM
> > > > > To: Rob Shein
> > > > > Cc: 'Liran Chen'; focus-ids () securityfocus com
> > > > > Subject: Re: Cisco CTR
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Rob Shein wrote:
> > > > >
> > > > > > I think this largely relates to the earlier discussion
> > > > > about how there
> > > > > > is a difference between a "false positive" and an actual
> > > > > attack that
> > > > > > fails to succeed.  Ask yourself this: are you going to
> > want to know
> > > > > > about all attacks or just those that have a chance of
> > success?  If
> > > > > > someone throws IIS attacks at your apache web server, do
> > > > > you want to
> > > > > > know about it...or do you want to wait until they start using
> > > > > > apache-compatible exploits?
> > > > > >
> > > > > > There's a good summary of what CTR does here:
> > > > > > http://www.cisco.com/en/US/products/sw/secursw/ps5054/
> > > > >
> > > > > Another thing to think about - some folks have a habit of
> > > > > patching the hole they came in through. Just because a
> > > > > vulnerability scan shows no vulnerability it does not mean an
> > > > > attack was unsuccessful.
> > > > >
> > > > > --
> > > > > Gary Flynn
> > > > > Security Engineer - Technical Services
> > > > > James Madison University
> > > > >
> > > > > Please R.U.N.S.A.F.E.
> > > > > http://www.jmu.edu/computing/runsafe
> > > >
> > > >
> > > > ---------------------------------------------------------------
> > ---
> > > > ---------
> > > > Network with over 10,000 of the brightest minds in information
> > security> > at the largest, most highly-anticipated industry event
> > of the year.
> > > > Don't miss RSA Conference 2004! Choose from over 200 class
> > sessions and
> > > > see demos from more than 250 industry vendors. If your job touches
> > > > security, you need to be here. Learn more or register at
> > > > http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
> > > > and use priority code SF4.
> > > > ---------------------------------------------------------------
> > ---
> > > > ---------
> > >
> > >
> > > -----------------------------------------------------------------
> > ---------
> > -
> > > Network with over 10,000 of the brightest minds in information
> > security> at the largest, most highly-anticipated industry event
> > of the year.
> > > Don't miss RSA Conference 2004! Choose from over 200 class
> > sessions and
> > > see demos from more than 250 industry vendors. If your job touches
> > > security, you need to be here. Learn more or register at
> > > http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
> > > and use priority code SF4.
> > > -----------------------------------------------------------------
> > ---------
> > -
> > >
> >
> >
> > -------------------------------------------------------------------
> > --------
> > Network with over 10,000 of the brightest minds in information
> > securityat the largest, most highly-anticipated industry event of
> > the year.
> > Don't miss RSA Conference 2004! Choose from over 200 class
> > sessions and
> > see demos from more than 250 industry vendors. If your job touches
> > security, you need to be here. Learn more or register at
> > http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
> > and use priority code SF4.
> > -------------------------------------------------------------------
> > --------


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------