RE: Cisco CTR

[John Petropoulos <jpetropoulos () jetnet ca>]

Considering the scanner knows what to look for...  So at least an update on
the IDS sensor, scanner, CTR, or whatever is going to be needed.

The fact is that there are many IDS alarms to go through and you don't want
to see anything that isn't going to be a waste of your time.   I would
recommend any product that helps reduce the amount of IDS alarm management,
but I will also issue this one warning, make sure you have a way of knowing
that there is an attack in progress even if the IDS doesn't alert b/c of
CTR.  Examples that may help achieve this: Net Forensics and Intellitactics
or a conjunction of network & host-based ids with vulnerability analysis
engine or the list just goes on...



-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Thursday, November 06, 2003 5:56 PM
To: 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR


Yes, but nobody patches it THAT quickly.  CTR acts immediately, not a
half-hour later...it would have started scanning by the time the hacker at
the other end notices that he has a shell...

> -----Original Message-----
> From: Gary Flynn [mailto:flynngn () jmu edu]
> Sent: Thursday, November 06, 2003 5:58 PM
> To: Rob Shein
> Cc: 'Liran Chen'; focus-ids () securityfocus com
> Subject: Re: Cisco CTR
>
>
>
>
> Rob Shein wrote:
>
> > I think this largely relates to the earlier discussion
> about how there
> > is a difference between a "false positive" and an actual
> attack that
> > fails to succeed.  Ask yourself this: are you going to want to know
> > about all attacks or just those that have a chance of success?  If 
> > someone throws IIS attacks at your apache web server, do 
> you want to
> > know about it...or do you want to wait until they start using
> > apache-compatible exploits?
> >
> > There's a good summary of what CTR does here:
> > http://www.cisco.com/en/US/products/sw/secursw/ps5054/
>
> Another thing to think about - some folks have a habit of
> patching the hole they came in through. Just because a 
> vulnerability scan shows no vulnerability it does not mean an 
> attack was unsuccessful.
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at
the largest, most highly-anticipated industry event of the year. Don't miss
RSA Conference 2004! Choose from over 200 class sessions and see demos from
more than 250 industry vendors. If your job touches security, you need to be
here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------