IDS mailing list archives

Re: Cisco CTR


From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 17 Nov 2003 21:49:32 -0500

Somehow I get the feeling we're going to be talking about false
positives with passive scanners a few years (months) from now on
the security focus passive-vuln list.

RNA may have worked as it was programmed in this case, but I
know from the Nessus side of things that when a vuln scanner is
wrong, it's much more serious than an IDS false positive. I
would not be happy if I were the system admin of the OS-X box
and I had someone from security telling me I was still vulnerable.

I've seen similar configuration issues on Windows servers as
well where the app is patched, but the OS remains unchanged.

For example, NeVO can see actual changes in the traffic patterns
of IIS server and we can equate this to the overall patch level
of IIS server. The OS passive fingerprint signatures never
change, but the vulnerability and patch level reported for IIS
does. In this case, when you hook something like Lightning,
NeVO and Snort together, we end up correlating attacks against
really vulnerable systems.

BTW, there is no passive-vuln list, but from the email I've
received, maybe there should be?

Ron Gula
Tenable Network Security
http://www.tenablesecurity.com
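To make the correlation problem Ron and Marty are arguing about concrete, here is an added toy example (not NeVO, RNA or Snort code, and not from anyone on the thread) of ranking IDS alerts against passively inferred vulnerability data, where an application-level observation can override the coarser OS-fingerprint inference. The rule tables, hosts and alerts are constructed sample data; the only facts taken from the thread are that BID 5363 is the OpenSSL malformed client key overflow and that Apache 1.3.27 is not listed as affected by it.

```python
"""Toy VA/IDS correlation: rank IDS alerts by whether the target host is
believed vulnerable. OS-fingerprint inference is coarse (the fingerprint
never changes when a package is patched), so banner-level evidence is
allowed to retract it. All rules, hosts and alerts are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Host:
    ip: str
    os: str                                        # from passive OS fingerprint
    services: dict = field(default_factory=dict)   # port -> observed banner

# OS-level inference (constructed rule): a Mac OS X fingerprint alone suggests
# the host may still carry the OpenSSL flaw tracked as BID 5363.
OS_INFERENCE = {"Mac OS X": {"5363"}}
# Application-level evidence (per the thread): an Apache 1.3.27 banner is not
# listed as affected by BID 5363, so seeing it retracts that inference.
APP_NOT_AFFECTED = {"Apache/1.3.27": {"5363"}}

def infer_vulns(host: Host) -> set[str]:
    """BIDs the host is believed exposed to after applying both layers."""
    suspected = set(OS_INFERENCE.get(host.os, set()))
    for banner in host.services.values():
        for prefix, cleared in APP_NOT_AFFECTED.items():
            if banner.startswith(prefix):
                suspected -= cleared
    return suspected

def prioritize(alert: dict, hosts: dict[str, Host]) -> str:
    """'high' if the alert's BID is believed present on the target, 'low' if
    the target is known and not believed vulnerable, 'unknown' if the target
    was never observed passively (no basis to suppress the alert)."""
    host = hosts.get(alert["dst"])
    if host is None:
        return "unknown"
    return "high" if alert["bid"] in infer_vulns(host) else "low"

# Constructed sample inventory and alerts
HOSTS = {h.ip: h for h in [
    Host("10.0.0.5", "Mac OS X", {443: "Apache/1.3.27 (Darwin) mod_ssl"}),
    Host("10.0.0.6", "Mac OS X", {}),   # no banner seen: only the OS layer speaks
]}
ALERTS = [
    {"sig": "OpenSSL SSLv2 malformed client key", "bid": "5363", "dst": "10.0.0.5"},
    {"sig": "OpenSSL SSLv2 malformed client key", "bid": "5363", "dst": "10.0.0.6"},
    {"sig": "OpenSSL SSLv2 malformed client key", "bid": "5363", "dst": "10.0.0.9"},
]

if __name__ == "__main__":
    for a in ALERTS:
        print(a["dst"], prioritize(a, HOSTS))
```

The same alert lands as "low" on the host whose Apache banner was seen, "high" on the host known only by OS fingerprint, and "unknown" on a host never observed, which is the distinction a sysadmin told "you are still vulnerable" would want the security team to have made.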



At 05:30 PM 11/17/2003 -0500, Martin Roesch wrote:
On Nov 17, 2003, at 3:32 PM, Ron Gula wrote:

Thanks,

Congratulations on the release of RNA.

Thanks.

My confusion was over whether RNA finds specific vulnerabilities or
whether it says that you may have a whole class of vulnerabilities. For
example, in the screen shot you have of RNA on Sourcefire's home
page, (BTW, I thought you liked Apple), it shows a Mac OS-X running
Apache version 1.3.27 and below a list of vulnerabilities. One of
the vulnerabilities is "OpenSSLv2 malformed client key remote buffer
overflow vulnerability". If you visit the Bugtraq record on this:
http://www.securityfocus.com/bid/5363 , it does not list Apache
1.3.27 as being vulnerable to this flaw. If you were doing VA/IDS
correlation, this would cause a serious, contextual, well qualified
sort of event, when in fact there would be no vulnerability there.

Little SNAFU there, our web people used the wrong screenshot (I love
Apple, I'm typing this from my PB15 as a matter of fact).  We just put
up the new website this morning, if that's the only problem that gets
found I'll be happy.

I suspect the reason that the RNA image showed the vulnerability
information for OpenSSL was because it identified the O.S. and since there
are security updates for OS-X pertaining to this issue, it really
should list that vulnerability.

Here are the links to Apple:

   http://docs.info.apple.com/article.html?artnum=120139

   http://docs.info.apple.com/article.html?artnum=120141

The affected systems do not list Apache 1.3.27 as you stated, however
the fact is that Apple issued updates to OS X so I think RNA did the
right thing in alerting the user. The updates from Apple also contain
updates to Apache as well as mod_ssl and OpenSSL.

We're working continuously to make sure the quality of the data in the
system is as high as we can make it, this is an evolutionary process
however and it'll get better as the product matures.

     -Marty



Ron Gula


At 03:03 PM 11/17/2003 -0500, Martin Roesch wrote:
Hi Ron,

Actually, RNA went out the door this morning after a year of
development and another 2 years of research and planning as an early
availability release and it will be GA in a couple weeks.  From what
I can see, RNA and Nevo have different missions, Nevo is being billed
as a passive vulnerability "scanner" whereas RNA is being billed as a
passive network discovery system.  We have multi-mode passive OS
fingerprinting, topology discovery, active service identification,
flow monitoring, real-time change analysis and passive vulnerability
inference mechanisms built-in to RNA.  The version of Nevo that I saw
a couple months ago was doing OS fingerprinting in support of passive
vulnerability analysis, I'm unfamiliar/unaware of how it has evolved
since then.

I don't know what you mean by "looking for unique vulnerabilities",
we're doing vulnerability inference by looking at platform and
application data and inferring classes of vulnerabilities that can be
available.  This capability is primarily there to support dynamic
prioritization of IDS events and to gauge potential impact of attacks
that we see on the network.  We're planning on leveraging the
information in the future for a variety of purposes, but RNA's focus
is much broader than providing vulnerability analysis solely.

We've also wrapped RNA with a variety of supporting management and
analysis technology.  We've got a full web-based management and
analysis GUI built-in to the appliances that incorporates a common
look and feel with our new version 3.0 ISM (IDS) product line, we can
manage multiple RNA sensors from the Sourcefire Management Console
and provide data aggregation and topology analysis from a central
point, we've got a 3D visualization GUI for data analysis,
administration tools for system maintenance, etc etc.

     -Marty

On Nov 17, 2003, at 10:52 AM, Ron Gula wrote:


I know RNA has not officially shipped yet, but from the web site,
it looks very similar to NeVO. It does similar OS fingerprinting,
traffic profiling, security vulnerabilities and so on.

The question I've not been able to get a good answer for is if
RNA looks for unique vulnerabilities, or if it using the operating
systems or application fingerprint to determine which vulnerabilities
are active.

Ron Gula
Tenable Network Security


At 09:41 PM 11/13/2003 -0500, Martin Roesch wrote:
Vendor Alert: I work for Sourcefire.

RNA is not a passive vulnerability scanner, vulnerability analysis is
only a subset of what it can accomplish.  I've taken to calling RNA a
passive network discovery system (PNDS) since that's a more accurate
description of what it does.

BTW, the demo that Joe saw was from a beta of RNA that we were running
in-house, production versions should only be set to discover your
internal network so you don't accidentally start mapping other people's
networks with it.  We had our internal sensors tuned that way for
testing of preproduction units only, we don't condone mapping other
people's networks with RNA.

     -Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org