Snort mailing list archives
Re: SnortAV?
From: purplebag <purplebag () gmail com>
Date: Thu, 28 Dec 2006 18:19:20 -0500
From the web page
"Active alert verification is a technique designed to reduce the false positive rate of IDSs by actively probing for a vulnerability associated with detected attacks. If the vulnerability corresponding to a detected attack is found to exist in the host or network against which the attack was directed, the alert is generated, invoking any logging and response functions as normal. If, however, the vulnerability is determined not to exist, the alert is considered a false positive and is suppressed." This is a lot like what Psionic ( now cisco ) does - http://newsroom.cisco.com/dlls/corp_102202.html. What is the first thing attackers do after compromising a host? They patch the flaw they entered through in order to maintain control and not lose the system in the same manner. Automated attack tools and kits make this process extremely expedient and are likely to result in the real events being suppressed by the infrastructure you trust to let you know about the problem. I've been witness to this failure on many occasion and can only recommend against any reliance on this and similar methodologies. The approach is fundamentally flawed from a security perspective. Nothing about the target host, as reported by itself, can be trusted post attack; if there were a real compromise. On 12/28/06, John Hally <JHally () epnet com> wrote:
Hello All, I stumbled upon SnortAV recently, which looks to be integration of Nessus to attempt to verify alerts and actual vulnerabilities to raise priority. It looks as though the project is stalled. Is that the case? Has anyone had any experience with it? It seems like a really cool concept, almost a poor man's RNA. Thoughts? Thanks! ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Purple Bag Society of the Crown ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SnortAV? John Hally (Dec 28)
- Re: SnortAV? purplebag (Dec 28)
- Re: SnortAV? jrhendri (Dec 28)
- Re: SnortAV? Jason (Dec 28)
- Re: SnortAV? Paul Schmehl (Dec 28)
- Re: SnortAV? jrhendri (Dec 28)
- <Possible follow-ups>
- Re: SnortAV? John Hally (Dec 29)
- Re: SnortAV? purplebag (Dec 28)