IDS mailing list archives
RE: Cisco CTR
From: "Gary Halleen" <ghalleen () cisco com>
Date: Fri, 7 Nov 2003 10:34:20 -0800
Liran, The false positive rate will vary depending on how the IDS is tuned if you're not using CTR. With CTR we estimate your false positives will drop by between 70 and 95%, depending on the configuration and your environment. Cisco ThreatResponse (CTR) is a tool that does several things. First, it performs a just-in-time NMAP scan with OS guess to determine the operating system and version of the target machine. This information is cached for a short period of time to help prevent causing your own DoS. By performing the scan when needed, we are able to prevent using stagnant information and are friendly in a DHCP environment. The data gathered is used for some initial decision making (is this host potentially vulnerable to this attack?). The severity of the alert is modified according to the decision. If the host is not vulnerable, then the alert is either removed or reduced in severity, this is your choice. If the host IS potentially vulnerable, and the target is running Windows, then if enabled, the CTR console can perform an additional layer of analysis. In this case, the CTR console can retrieve forensic data from the target host to determine whether or not an attack was effective. Gary
-----Original Message----- From: Liran Chen [mailto:liranil () optonline net] Sent: Thursday, November 06, 2003 12:41 PM To: focus-ids () securityfocus com Subject: Cisco CTR Hi all I am looking into adding some IDS blades from Cisco in to my catalyst envronment. Cisco rep suggested to complement that solution with CTR to reduce the FP ( False Possitives) This statement rises several questions: 1. What is FP ratio when you compare Cisco IDS to other IDS vendors? 2. CTR is a kind of Nessus or NMAP that check the offended host? Does any one as good/bad experience with this CTR solution? Thanks -------------------------------------------------------------- ------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4. -------------------------------------------------------------- -------------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4. ---------------------------------------------------------------------------
Current thread:
- RE: Cisco CTR, (continued)
- RE: Cisco CTR Michael Marziani (Nov 07)
- RE: Cisco CTR Rob Shein (Nov 07)
- RE: Cisco CTR Michael Marziani (Nov 07)
- RE: Cisco CTR Rob Shein (Nov 07)
- Re: Cisco CTR Renaud Deraison (Nov 10)
- RE: Cisco CTR Gary Halleen (Nov 07)
- RE: Cisco CTR Michael Marziani (Nov 10)
- RE: Cisco CTR Chad R. Skipper (Nov 10)
- Re: Cisco CTR Joe Bowling (Nov 10)
- RE: Cisco CTR Alan Shimel (Nov 10)
- Re: Cisco CTR John Lampe (Nov 10)
- Re: Cisco CTR Joe Bowling (Nov 12)
- Re: Cisco CTR Ron Gula (Nov 13)
- Re: Cisco CTR John Lampe (Nov 13)
- Re: Cisco CTR Martin Roesch (Nov 17)
- Re: Cisco CTR Ron Gula (Nov 17)
- Re: Cisco CTR Martin Roesch (Nov 17)