IDS mailing list archives

Re: how to verify whether an attack attempt is successful?


From: Scott Wimer <scottw () cylant com>
Date: Fri, 17 Jan 2003 08:46:01 -0800

The other way to verify if an attack attempt is successful is to do behavioral analysis of the software running on the box. If the attack causes the targeted program's behavior to change, it's a reasonable assumption that it was successful in doing something at least. Ideally, detecting this change in behavior quickly enough can let you stop the attack before it completes.

That's the approach we take anyway.
scottwimer

detmar.liesen () lds nrw de wrote:
->Is there any technology developed in this direction?

Sure there is.
With some attacks you can determine whether or not the attack was successful
because the system under attack responds in an attack-specific way.
Snort has some attack-responses rules, but none of these ever triggered on my
network and I haven't yet had a closer look at those rules, so I don't know if
they are really useful.

In general it's impossible to determine the success of attacks with only a
network IDS (NIDS).

What you can do at network level is to compare detected attack-attempts with
information from a vulnerability-database.
The vulnerability information can be gathered by using VA tools like nessus.

Thus you can always determine whether or not the system under attack is
vulnerable to that specific attack.
If so, you can be damned sure that the attack succeeds.
However, this is not a 100% reliable way. But such things are never very
reliable. They are an aid at analysing events more quickly and accurately
because you gain a better "signal-noise-ratio".

But Host based IDSs can do this quite accurately because they utilize more than
just packet-stream information.

Host based IDSs look into log files, check file system integrity (i.e. if any
files have been modified) and they can also analyse system and API calls at
kernel level.

HTH,

Detmar Liesen

--
Scott M. Wimer, CTO                      Cylant
www.cylant.com                           121 Sweet Ave.
v. (208) 883-4892                        Suite 123
c. (208) 850-4454                        Moscow, ID 83843
There is no Security without Control.
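The alert-to-vulnerability correlation Detmar describes, as an added example that is not part of the thread: NIDS alerts are ranked by whether a prior VA scan found the referenced CVE on the target host and port. All hosts, ports and CVE ids are constructed placeholders; the three verdicts keep the caveat that scan data is neither complete nor perfectly reliable.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One NIDS alert; the signature references the CVE it tests for."""
    src: str
    dst: str
    port: int
    cve: str


@dataclass(frozen=True)
class Finding:
    """One VA result (e.g. parsed from a Nessus report): host, port, CVE."""
    host: str
    port: int
    cve: str


# Constructed sample data; hosts and CVE ids are placeholders, not real findings.
SCANNED_HOSTS = {"10.0.0.5", "10.0.0.9"}
FINDINGS = {
    Finding("10.0.0.5", 80, "CVE-0000-0001"),
    Finding("10.0.0.9", 25, "CVE-0000-0002"),
}
ALERTS = [
    Alert("192.0.2.10", "10.0.0.5", 80, "CVE-0000-0001"),   # host is vulnerable
    Alert("192.0.2.10", "10.0.0.9", 80, "CVE-0000-0001"),   # scanned, not vulnerable
    Alert("192.0.2.11", "10.0.0.77", 25, "CVE-0000-0002"),  # never scanned
]


def triage(alert: Alert, findings: set, scanned: set) -> str:
    """Rank an alert by what the VA data says about its target.

    'likely-successful': the scan found exactly this CVE on that host/port.
    'likely-failed'    : host was scanned and the CVE was not found
                         (a scanner false negative is still possible).
    'unknown'          : no scan data for the host, so nothing can be inferred.
    """
    if Finding(alert.dst, alert.port, alert.cve) in findings:
        return "likely-successful"
    if alert.dst in scanned:
        return "likely-failed"
    return "unknown"


def prioritize(alerts, findings, scanned):
    """Return alerts grouped by verdict, most urgent group first."""
    groups = {k: [] for k in ("likely-successful", "unknown", "likely-failed")}
    for a in alerts:
        groups[triage(a, findings, scanned)].append(a)
    return groups


if __name__ == "__main__":
    for verdict, items in prioritize(ALERTS, FINDINGS, SCANNED_HOSTS).items():
        print(verdict, [a.dst for a in items])
```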

