IDS mailing list archives

RE: Views and Correlation in Intrusion Detection

From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 25 Jun 2003 11:40:49 -0400


How about a "user's" POV?

To be really effective, I'd like to see a system that looks at packets
coming in to the network, compares those to packets hitting specific
servers, "knows" if the server is vulnerable to the specific attack and
*then* sends an alert.

To do this kind of work you would need:
1) a db (A) with the info on each server - OS, applications,
vulnerabilities, etc.
2) a detection engine that matches the IP and attack sig to the entry in
the db (A) with its own db (B) of sigs
3) an escalation procedure that recognizes that attack A was successful and
attack B has begun and therefore alerts "more aggressively".

I don't want to know if an attacker is trying an overflow attack on my IMAP
server if my IMAP server isn't vulnerable to that attack.  I could care
less.  I also don't want to know if some box somewhere with Code Red is
hitting my network *unless* I have a box that's susceptible to Code Red.



This is exactly what the Lightning Console does. In addition, the console
also 'knows' who owns the targeted systems and can send an alert to the
effected end users when an IDS event targets a vulnerable server.

The big issue I have with VA/IDS correlation is the accuracy of the
underlying VA database. If you are just scanning once a quarter or even
once a month, this VA database can get out of date fast. Our approach
is to use distributed scanning (multiple, tiered Nessus scanners) so you
can scan a class B in hours. We also are BETA testing a passive vulnerability
scanner which determines vulnerabilities and topology changes from watching
network sessions.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com



-------------------------------------------------------------------------------

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, theworld's premier technical IT security event! 10 tracks, 15 training sessions,1,800 delegates from 30 nations including all of the top experts, from CSO's to"underground" security specialists. See for yourself what the buzz is about!Early-bird registration ends July 3. This event will sell out. www.blackhat.com

-------------------------------------------------------------------------------

Current thread:

RE: Views and Correlation in Intrusion Detection, (continued)
- RE: Views and Correlation in Intrusion Detection adam.w.hogan (Jun 25)
- RE: Views and Correlation in Intrusion Detection Schmehl, Paul L (Jun 25)
  - RE: Views and Correlation in Intrusion Detection Scott M. Algatt (Jun 25)
- RE: Views and Correlation in Intrusion Detection Chmielarski TOM-ATC090 (Jun 25)
  - Re: Views and Correlation in Intrusion Detection Mike Coliton (Jun 26)
- RE: Views and Correlation in Intrusion Detection Sakaba (Jun 26)
- RE: Views and Correlation in Intrusion Detection Kohlenberg, Toby (Jun 26)
- RE: Views and Correlation in Intrusion Detection Chmielarski TOM-ATC090 (Jun 26)
- RE: Views and Correlation in Intrusion Detection Sekurity Wizard (Jun 26)
  - RE: Views and Correlation in Intrusion Detection David Markle (Jun 27)
- RE: Views and Correlation in Intrusion Detection Ron Gula (Jun 26)
  - RE: Views and Correlation in Intrusion Detection Paul Schmehl (Jun 27)
- RE: Views and Correlation in Intrusion Detection Richard Ginski (Jun 27)