IDS mailing list archives

Re: Cisco CTR

From: liranil () optonline net
Date: Mon, 10 Nov 2003 22:00:11 -0500


Hey Joe 

yes... I have heard about passive monitoring. 
My concern is that it will reduce the performance of the sensor due to the new forensics job that the RNA archtecture 
will imply.

What are your thouhgs?
----- Original Message -----
From: Joe Bowling <joebowling () comcast net>
Date: Saturday, November 8, 2003 1:06 am
Subject: Re: Cisco CTR


You will love the new RNA technology that sourcefire is coming out 
with in
December



think a solution

would be for the IDS to keep a record of the patch levels of

every system
in

the network and allow those patch levels to be updated only

through an

administrative interface (requiring additional authentication

and of
course

increasing the administrative workload).  Then the system

wouldn't be
fooled

by this technique.







----- Original Message ----- 
From: "Michael Marziani" <marziani () oasis com>
To: "Rob Shein" <shoten () starpower net>; "'Gary Flynn'" 
<flynngn () jmu edu>Cc: "'Liran Chen'" <liranil () optonline net>; 
<focus-ids () securityfocus com>
Sent: Friday, November 07, 2003 10:47 AM
Subject: RE: Cisco CTR

-----Original Message-----
From: Rob Shein [shoten () starpower net]

Yes, but nobody patches it THAT quickly.  CTR acts

immediately, not a

half-hour later...it would have started scanning by the time

the hacker
at

the other end notices that he has a shell...


Please don't make unsubstantiated blanket statements like that.

Hackersare

skilled sysadmins and programmers who create packaged hacking

tools that
not

only search for and exploit flaws to get them onto a system, but

also> install programs, disable security features, and yes, patch 
servers> *immediately* once they get inside.


A system like Cisco CTR might very well detect the attack before the
hacker's program has time to patch, but that all depends on how

good the

hacker's program is, the state of the network, etc.  I'd like to

see the

results of a live test of such an event.

If this type of attack can succeed as I think it could, I think

a solution

would be for the IDS to keep a record of the patch levels of

every system
in

the network and allow those patch levels to be updated only

through an

administrative interface (requiring additional authentication

and of
course

increasing the administrative workload).  Then the system

wouldn't be
fooled

by this technique.

-Michael

Michael Marziani
IT Consultant
Entercede Consulting, Inc.

-----Original Message-----
From: Gary Flynn [flynngn () jmu edu]
Sent: Thursday, November 06, 2003 5:58 PM
To: Rob Shein
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: Re: Cisco CTR




Rob Shein wrote:

I think this largely relates to the earlier discussion

about how there

is a difference between a "false positive" and an actual

attack that

fails to succeed.  Ask yourself this: are you going to

want to know

about all attacks or just those that have a chance of

success?  If

someone throws IIS attacks at your apache web server, do

you want to

know about it...or do you want to wait until they start using
apache-compatible exploits?

There's a good summary of what CTR does here:
http://www.cisco.com/en/US/products/sw/secursw/ps5054/


Another thing to think about - some folks have a habit of
patching the hole they came in through. Just because a
vulnerability scan shows no vulnerability it does not mean an
attack was unsuccessful.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



---------------------------------------------------------------

---

---------
Network with over 10,000 of the brightest minds in information

security> > at the largest, most highly-anticipated industry event 
of the year.

Don't miss RSA Conference 2004! Choose from over 200 class

sessions and

see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
---------------------------------------------------------------

---

---------



-----------------------------------------------------------------

---------
-

Network with over 10,000 of the brightest minds in information

security> at the largest, most highly-anticipated industry event 
of the year.

Don't miss RSA Conference 2004! Choose from over 200 class

sessions and

see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
-----------------------------------------------------------------

---------
-



-------------------------------------------------------------------
--------
Network with over 10,000 of the brightest minds in information 
securityat the largest, most highly-anticipated industry event of 
the year.
Don't miss RSA Conference 2004! Choose from over 200 class 
sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
-------------------------------------------------------------------
--------



---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------

Current thread:

Re: Cisco CTR, (continued)
- - - Re: Cisco CTR Renaud Deraison (Nov 10)
    - RE: Cisco CTR Gary Halleen (Nov 07)
    - RE: Cisco CTR Michael Marziani (Nov 10)
    - RE: Cisco CTR Chad R. Skipper (Nov 10)
    - Re: Cisco CTR Joe Bowling (Nov 10)
    - RE: Cisco CTR Alan Shimel (Nov 10)
- RE: Cisco CTR Gary Halleen (Nov 07)
  - Re: Cisco CTR John Lampe (Nov 10)
- Re: Cisco CTR Petr Ruzicka (Nov 10)
- RE: Cisco CTR John Petropoulos (Nov 07)
- Re: Cisco CTR liranil (Nov 12)
  - Re: Cisco CTR Joe Bowling (Nov 12)
    - Re: Cisco CTR Ron Gula (Nov 13)
    - Re: Cisco CTR John Lampe (Nov 13)
    - Re: Cisco CTR Martin Roesch (Nov 17)
    - Re: Cisco CTR Ron Gula (Nov 17)
    - Re: Cisco CTR Martin Roesch (Nov 17)
    - Re: Cisco CTR Ron Gula (Nov 17)
    - Re: Cisco CTR Martin Roesch (Nov 19)
    - Re: Cisco CTR Ron Gula (Nov 19)
    - Re: Cisco CTR Martin Roesch (Nov 20)

(Thread continues...)