IDS mailing list archives

RE: Cisco CTR


From: "Gary Halleen" <ghalleen () cisco com>
Date: Fri, 7 Nov 2003 10:34:20 -0800

Liran,

The false positive rate will vary depending on how the IDS is tuned if
you're not using CTR. With CTR we estimate your false positives will drop
by between 70 and 95%, depending on the configuration and your environment.

Cisco ThreatResponse (CTR) is a tool that does several things. First, it
performs a just-in-time NMAP scan with OS guess to determine the operating
system and version of the target machine. This information is cached for a
short period of time to help prevent causing your own DoS. By performing
the scan when needed, we are able to prevent using stagnant information and
are friendly in a DHCP environment. The data gathered is used for some
initial decision making (is this host potentially vulnerable to this
attack?). The severity of the alert is modified according to the decision.
If the host is not vulnerable, then the alert is either removed or reduced
in severity; this is your choice. If the host IS potentially vulnerable,
and the target is running Windows, then, if enabled, the CTR console can
perform an additional layer of analysis. In this case, the CTR console can
retrieve forensic data from the target host to determine whether or not an
attack was effective.

Gary

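The re-scoring workflow Gary describes (just-in-time OS fingerprint, short-lived cache so a burst of alerts does not trigger repeated scans of the same host, then an alert kept, reduced or removed depending on whether the target OS is one the signature actually applies to) can be sketched as a small defender-side simulation. This is an added example written for this archive page, not Cisco code and not CTR's real implementation; the `fingerprint_host` function, the `FAKE_FINGERPRINTS` table, the `OSCache` and `Alert` classes and the `rescore` function are all hypothetical names, and the fingerprint step returns constructed results instead of running a real NMAP scan. The Windows-only forensic follow-up step is out of scope here.

```python
"""Alert re-scoring in the style of the CTR workflow described in the thread.

Added illustration, not Cisco's code. The OS fingerprinting step is a stub
returning constructed results rather than a real 'nmap -O' scan.
"""
import time
from dataclasses import dataclass, field

# Constructed fingerprint table standing in for the just-in-time OS guess.
# A real deployment would invoke the scanner here instead of a lookup.
FAKE_FINGERPRINTS = {
    "10.0.0.5": ("windows", "2000"),
    "10.0.0.9": ("linux", "2.4"),
}


def fingerprint_host(ip):
    """Hypothetical stand-in for the just-in-time OS scan of one host."""
    return FAKE_FINGERPRINTS.get(ip, ("unknown", None))


@dataclass
class OSCache:
    """Caches OS guesses for a short time so repeated alerts against the same
    host do not cause repeated scans (the self-inflicted DoS the thread mentions),
    while stale data ages out quickly enough to cope with DHCP churn."""
    ttl_seconds: float = 300.0
    scans_performed: int = 0
    _entries: dict = field(default_factory=dict)

    def lookup(self, ip, now=None):
        now = time.time() if now is None else now
        entry = self._entries.get(ip)
        if entry is not None and now - entry[1] < self.ttl_seconds:
            return entry[0]                      # fresh cached guess
        result = fingerprint_host(ip)            # cache miss or expired: scan now
        self.scans_performed += 1
        self._entries[ip] = (result, now)
        return result


@dataclass
class Alert:
    signature: str
    target_ip: str
    severity: int           # sensor-assigned severity, e.g. 1 (low) .. 5 (high)
    affected_os: frozenset  # OS families the signature's attack applies to


def rescore(alert, cache, drop_non_vulnerable=True, now=None):
    """Return (new_severity, reason). A severity of None means the alert is removed.

    drop_non_vulnerable selects between the two behaviours Gary describes:
    remove the alert outright, or merely lower its severity."""
    os_family, _version = cache.lookup(alert.target_ip, now)
    if os_family == "unknown":
        return alert.severity, "os unknown; severity unchanged"
    if os_family not in alert.affected_os:
        if drop_non_vulnerable:
            return None, f"target runs {os_family}; not vulnerable; alert removed"
        return max(1, alert.severity - 2), f"target runs {os_family}; not vulnerable; severity reduced"
    return alert.severity, f"target runs {os_family}; potentially vulnerable; severity kept"


if __name__ == "__main__":
    cache = OSCache()
    # Constructed alerts: a Windows-only signature fired at a Linux host and at a Windows host.
    for ip in ("10.0.0.9", "10.0.0.5", "10.0.0.77"):
        a = Alert("WINDOWS-ONLY-SIG", ip, 4, frozenset({"windows"}))
        print(ip, rescore(a, cache))
```

Run as a script it prints one re-scored alert per constructed host; the cache's `scans_performed` counter is the number of times the fingerprint stub had to be called, which is what the cache TTL is there to keep small.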

-----Original Message-----
From: Liran Chen [mailto:liranil () optonline net]
Sent: Thursday, November 06, 2003 12:41 PM
To: focus-ids () securityfocus com
Subject: Cisco CTR




Hi all,

I am looking into adding some IDS blades from Cisco into my
Catalyst environment.
The Cisco rep suggested complementing that solution with CTR to
reduce the FP (False Positives).

This statement raises several questions:
1. What is the FP ratio when you compare Cisco IDS to other IDS vendors?
2. Is CTR a kind of Nessus or NMAP that checks the offended host?
Does anyone have good/bad experience with this CTR solution?

Thanks

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
---------------------------------------------------------------------------


