IDS mailing list archives

Re: Cisco CTR

From: "John Lampe" <jwlampe () aceryder com>
Date: Fri, 7 Nov 2003 15:27:15 -0500

Hi Gary,
sorry for top-post....I really only have questions:
1) when the IDS sees the traffic from A destined for B, how does CTR
determine that the packet would actually reach B.  That is, if the packet
from A would never actually reach B, but is seen by the IDS, then the entire
attack (I say "attack", as the most dangerous portion of a vulnerability
scan can sometimes be the portscanning portion) against B may be carried out
by CTR.  Phrased another way, how do you deal with UDP attacks?

2)   Theres a lot of 'grey area' here.  Namely, how do you deal with an
attack against a machine where you may know the OS but cannot possibly
ascertain a patch level with a fingerprint scan?  Is the default to scan or
not during these instances?

3) so, for windows machines, your product would require some sort of domain
rights on the Enterprise windows machines?

4) How do you protect yourselves from honeypots (labrea jumps to mind)?
That is, if your CTR launches 50 nmap scans against tarpitted (specific
example) IPs, you may be opening yourself up for a backward DoS.

./John

----- Original Message ----- 
From: "Gary Halleen" <ghalleen () cisco com>
To: "'Liran Chen'" <liranil () optonline net>; <focus-ids () securityfocus com>
Sent: Friday, November 07, 2003 1:34 PM
Subject: RE: Cisco CTR

Liran,

The false positive rate will vary depending on how the IDS is tuned if
you're not using CTR.  With CTR we estimate your false positives will drop
by between 70 and 95%, depending on the configuration and your

environment.


Cisco ThreatResponse (CTR) is a tool that does several things.  First, it
performs a just-in-time NMAP scan with OS guess to determine the operating
system and version of the target machine.  This information is cached for

short period of time to help prevent causing your own DoS.  By performing
the scan when needed, we are able to prevent using stagnant information

and

are friendly in a DHCP environment.  The data gathered is used for some
initial decision making (is this host potentially vulnerable to this
attack?).  The severity of the alert is modified according to the

decision.

If the host is not vulnerable, then the alert is either removed or reduced
in severity, this is your choice.  If the host IS potentially vulnerable,
and the target is running Windows, then if enabled, the CTR console can
perform an additional layer of analysis.  In this case, the CTR console

can

retrieve forensic data from the target host to determine whether or not an
attack was effective.

Gary

-----Original Message-----
From: Liran Chen [mailto:liranil () optonline net]
Sent: Thursday, November 06, 2003 12:41 PM
To: focus-ids () securityfocus com
Subject: Cisco CTR

Hi all

I am looking into adding some IDS blades from Cisco in to my
catalyst envronment.
Cisco rep suggested to complement that solution with CTR to
reduce the FP ( False Possitives)

This statement rises several questions:
1. What is FP ratio when you compare Cisco IDS to other IDS vendors?
2. CTR is a kind of Nessus or NMAP that check the offended host?
Does any one as good/bad experience with this CTR solution?

Thanks

--------------------------------------------------------------
-------------
Network with over 10,000 of the brightest minds in
information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class
sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
--------------------------------------------------------------
-------------



--------------------------------------------------------------------------

Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
--------------------------------------------------------------------------




---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------

Current thread:

RE: Cisco CTR, (continued)
- - - RE: Cisco CTR Rob Shein (Nov 07)
    - RE: Cisco CTR Michael Marziani (Nov 07)
    - RE: Cisco CTR Rob Shein (Nov 07)
    - Re: Cisco CTR Renaud Deraison (Nov 10)
    - RE: Cisco CTR Gary Halleen (Nov 07)
    - RE: Cisco CTR Michael Marziani (Nov 10)
    - RE: Cisco CTR Chad R. Skipper (Nov 10)
    - Re: Cisco CTR Joe Bowling (Nov 10)
    - RE: Cisco CTR Alan Shimel (Nov 10)
- RE: Cisco CTR Gary Halleen (Nov 07)
  - Re: Cisco CTR John Lampe (Nov 10)
- Re: Cisco CTR Petr Ruzicka (Nov 10)
- RE: Cisco CTR John Petropoulos (Nov 07)
- Re: Cisco CTR liranil (Nov 12)
  - Re: Cisco CTR Joe Bowling (Nov 12)
    - Re: Cisco CTR Ron Gula (Nov 13)
    - Re: Cisco CTR John Lampe (Nov 13)
    - Re: Cisco CTR Martin Roesch (Nov 17)
    - Re: Cisco CTR Ron Gula (Nov 17)
    - Re: Cisco CTR Martin Roesch (Nov 17)
    - Re: Cisco CTR Ron Gula (Nov 17)

(Thread continues...)