IDS mailing list archives

RE: Views and Correlation in Intrusion Detection


From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Mon, 30 Jun 2003 15:15:57 -0400 (EDT)

> Did you know that that service is vulnerable?  Did you know that we'll
> take you off the network if it stays vulnerable?
Another interesting and largely unsolved issue here is: vulnerable
ACCORDING TO WHAT? Just imagine you run 3 scanners and one says 'Oh, sure,
the evil vuln CVE-XXXX-YYYY is there alright' and then the second says
'No, I checked and you are cool' and the third confirms that, indeed, no
vulnerability exists there. Except the #2 was not updated for a month and
#3 did not even scan the port in question. Then what? Now, are you
vulnerable or not?

I am willing to make the following statement: the more scanners you use to
scan a host, the less you'd know whether you are in fact vulnerable. While
it might seem that doing so provides _correlation_, what if they disagree
in _most_ cases? Suddenly, another C-word applies - Confusion :-)

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org
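The scenario in the post above (one scanner says vulnerable, one says clean but has stale signatures, one says clean but never probed the port) is a correlation problem whose outcome depends entirely on whether "no finding" is allowed to mean "not vulnerable". The following is an added example, not code from the post or from any scanner product: it keeps each scanner's signature date and the set of ports it actually probed next to its findings, so a negative can be downgraded to "stale" or "not scanned" instead of being counted as a vote. The scanner names, dates, ports and the seven-day freshness window are all constructed for the illustration; the CVE identifier is the placeholder used in the post.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ScannerReport:
    """One scanner's view of one host (constructed sample data below)."""
    scanner: str
    signatures_updated: date          # when its check/plugin set was last refreshed
    ports_scanned: frozenset          # ports it actually probed on this host
    findings: dict = field(default_factory=dict)   # {port: {cve_id, ...}}


def verdict(report, port, cve, as_of, max_age=timedelta(days=7)):
    """Classify a single scanner's opinion about (port, cve).

    A negative only counts as a real negative if the scanner probed the port
    and its signatures are fresh; otherwise it is evidence of nothing.
    """
    if port not in report.ports_scanned:
        return "not_scanned"
    if cve in report.findings.get(port, set()):
        return "positive"
    if as_of - report.signatures_updated > max_age:
        return "stale_negative"
    return "negative"


def naive_vote(reports, port, cve):
    """Majority vote that treats every silence as a 'no' (the confusing way)."""
    yes = sum(cve in r.findings.get(port, set()) for r in reports)
    return "vulnerable" if yes > len(reports) / 2 else "not vulnerable"


def reconcile(reports, port, cve, as_of, max_age=timedelta(days=7)):
    """Provenance-aware correlation.

    Returns (status, supporting scanners, per-scanner verdicts). Any credible
    positive wins; a credible negative is needed to say 'not vulnerable';
    stale or unscanned results leave the question open.
    """
    verdicts = {r.scanner: verdict(r, port, cve, as_of, max_age) for r in reports}
    positives = sorted(s for s, v in verdicts.items() if v == "positive")
    negatives = sorted(s for s, v in verdicts.items() if v == "negative")
    if positives:
        return "vulnerable", positives, verdicts
    if negatives:
        return "not vulnerable", negatives, verdicts
    return "unknown", [], verdicts


# Constructed sample data mirroring the post: scanner1 flags the vuln,
# scanner2 is a month out of date, scanner3 never touched the port.
CVE = "CVE-XXXX-YYYY"          # placeholder identifier from the post
AS_OF = date(2003, 6, 30)       # assumed date of the correlation run
REPORTS = [
    ScannerReport("scanner1", date(2003, 6, 29), frozenset({22, 80, 443}),
                  {443: {CVE}}),
    ScannerReport("scanner2", date(2003, 5, 20), frozenset({22, 80, 443})),
    ScannerReport("scanner3", date(2003, 6, 28), frozenset({22, 80})),
]

if __name__ == "__main__":
    print("naive vote on 443:", naive_vote(REPORTS, 443, CVE))
    status, who, detail = reconcile(REPORTS, 443, CVE, AS_OF)
    print("reconciled on 443:", status, "per", who, detail)
    status, who, detail = reconcile(REPORTS, 22, CVE, AS_OF)
    print("reconciled on 22:", status, "per", who, detail)
```

On port 443 the naive vote comes out 1 to 2 and declares the host clean; the provenance-aware version reports "vulnerable per scanner1" because the two dissenters contributed no admissible evidence. On port 22, where all three probed and two are fresh, the same code yields a defensible "not vulnerable". Running only the stale and non-probing scanners against 443 gives "unknown", which is the honest answer the post is asking for.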



