IDS mailing list archives

RE: Cisco CTR

From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Wed, 26 Nov 2003 10:47:41 -0700

IMHO, Intellitactics is in a different class of products. I have used
the rule correlation engine for mapping events in syslog to Windows
Event viewer. Kiwi Syslog for Windows can help one in a pinch or who has
limited IT budget, but again a different product and not a NIDS, HIDS,
NIPS, NIDS, etc 

/m 

-----Original Message-----
From: Bohling James CONT JBC [mailto:james.bohling () JBC JFCOM MIL] 
Sent: Wednesday, November 26, 2003 7:08 AM
To: John Petropoulos; Rob Shein; Gary Flynn
Cc: Liran Chen; focus-ids () securityfocus com
Subject: RE: Cisco CTR


Intellitactics may help and may not.  The Intellitactics is only as good
as your sensors (IDS, FW, Syslog, Host based systems, etc).  It is a
manager or correlator of disparate network and host based sensors it
does nothing on the active side unless you install the Incident manager


Thank You,
James T. Bohling, CCNA, Security+, MCP-Win2k
Network Security Engineer - JBC CoE
Joint C4ISR Battle Center (AMSEC)
116 Lake View Parkway
Suffolk, VA 23435
(W) 757-638.4032
Web: www.jbc.jfcom.mil
This email was produced and manufactured in America, and is a
one-of-a-kind original.



-----Original Message-----
From: John Petropoulos [mailto:jpetropoulos () jetnet ca] 
Sent: Friday, November 07, 2003 11:21 AM
To: 'Rob Shein'; 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR

Considering the scanner knows what to look for...  So at least an update
on the IDS sensor, scanner, CTR, or whatever is going to be needed.

The fact is that there are many IDS alarms to go through and you don't
want
to see anything that isn't going to be a waste of your time.   I would
recommend any product that helps reduce the amount of IDS alarm
management, but I will also issue this one warning, make sure you have a
way of knowing that there is an attack in progress even if the IDS
doesn't alert b/c of CTR.  Examples that may help achieve this: Net
Forensics and Intellitactics or a conjunction of network & host-based
ids with vulnerability analysis engine or the list just goes on...



-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Thursday, November 06, 2003 5:56 PM
To: 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR


Yes, but nobody patches it THAT quickly.  CTR acts immediately, not a
half-hour later...it would have started scanning by the time the hacker
at the other end notices that he has a shell...

-----Original Message-----
From: Gary Flynn [mailto:flynngn () jmu edu]
Sent: Thursday, November 06, 2003 5:58 PM
To: Rob Shein
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: Re: Cisco CTR




Rob Shein wrote:

I think this largely relates to the earlier discussion

about how there

is a difference between a "false positive" and an actual

attack that

fails to succeed.  Ask yourself this: are you going to want to know 
about all attacks or just those that have a chance of success?  If 
someone throws IIS attacks at your apache web server, do

you want to

know about it...or do you want to wait until they start using 
apache-compatible exploits?

There's a good summary of what CTR does here: 
http://www.cisco.com/en/US/products/sw/secursw/ps5054/


Another thing to think about - some folks have a habit of patching the

hole they came in through. Just because a vulnerability scan shows no 
vulnerability it does not mean an attack was unsuccessful.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
------------------------------------------------------------------------
---

------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
------------------------------------------------------------------------
---


------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------

Current thread:

Re: Cisco CTR, (continued)
- - - Re: Cisco CTR Renaud Deraison (Nov 19)
    - Re: Cisco CTR Martin Roesch (Nov 19)
    - Re: Cisco CTR Renaud Deraison (Nov 20)
    - Re: Cisco CTR Martin Roesch (Nov 20)
    - Re: Cisco CTR Renaud Deraison (Nov 20)
    - Message not available
    - Re: Cisco CTR Mark Teicher (Nov 20)
    - Re: Cisco CTR Ron Gula (Nov 20)
    - RE: Cisco CTR David J. Meltzer (Nov 25)
    - Re: Cisco CTR Martin Roesch (Nov 27)
- RE: Cisco CTR Bohling James CONT JBC (Nov 26)
- RE: Cisco CTR Teicher, Mark (Mark) (Nov 26)