IDS mailing list archives

Re: Cisco CTR


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 19 Nov 2003 14:22:43 -0500

On Nov 17, 2003, at 9:49 PM, Ron Gula wrote:

> Somehow I get the feeling we're going to be talking about false
> positives with passive scanners a few years (months) from now on
> the security focus passive-vuln list.

Undoubtedly, but they're far less serious than false positives or false negatives in active scanners if you implement your passive system properly (i.e. don't base your conclusions off of a single data point).

> RNA may have worked as it was programmed in this case, but I
> know from the Nessus side of things that when a vuln scanner is
> wrong, it's much more serious than an IDS false positive.

Right, we figured that out at the last startup I worked at: false positives/negatives from an active scanner that's supposed to "improve" your data from the IDS actually make things worse, hence the need for passive network discovery or passive vulnerability scanning.

> I would not be happy if I were the system admin of the OS-X box
> and I had someone from security telling me I was still vulnerable.

But I would be happy if I were the IDS admin and I wasn't getting CodeRed alerts for that OS X box. I wouldn't be happy if I were the security admin for the network and I missed that a potentially vulnerable server was right under my nose and it hadn't been found for whatever reason by my weekly/monthly/annual vulnerability scan.

> I've seen similar configuration issues on Windows servers as
> well where the app is patched, but the OS remains unchanged.

Yep, sometimes you have to go to the application layer to find these things, sometimes you need to use an active vulnerability scanner, sometimes you need a host-based agent, sometimes you need to run the exploit directly and see what happens. If security were easy we would be competing with each other in some other industry.

> For example, NeVO can see actual changes in the traffic patterns
> of an IIS server and we can equate this to the overall patch level
> of the IIS server. The OS passive fingerprint signatures never
> change, but the vulnerability and patch level reported for IIS
> does. In this case, when you hook something like Lightning,
> NeVO and Snort together, we end up correlating attacks against
> really vulnerable systems.

Of course, looking at the OS fingerprint doesn't give you enough information, that's why we analyze the application layer protocols as well.

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
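The correlation both posters describe, as an added illustration that is not code from Sourcefire, Tenable or this thread: a passive profile of each host (OS layer and application layer) is only trusted after repeated, uncontradicted sightings, and an IDS alert is then rated against that profile, with application-layer evidence outranking the OS fingerprint. All hosts, sightings and signature names below are constructed for the example.

```python
from collections import Counter

# Constructed passive sightings: (host, layer, value). Each host is recorded
# several times so that a single stray fingerprint cannot decide on its own.
OBSERVATIONS = [
    ("10.0.0.5", "os", "Mac OS X"), ("10.0.0.5", "os", "Mac OS X"),
    ("10.0.0.5", "app", "Apache/1.3"), ("10.0.0.5", "app", "Apache/1.3"),
    ("10.0.0.7", "os", "Windows 2000"), ("10.0.0.7", "os", "Windows 2000"),
    ("10.0.0.7", "app", "Microsoft-IIS/5.0"), ("10.0.0.7", "app", "Microsoft-IIS/5.0"),
    ("10.0.0.9", "os", "Windows 2000"),                      # one sighting only
    ("10.0.0.11", "os", "Linux"), ("10.0.0.11", "os", "Windows 2000"),
    ("10.0.0.11", "os", "Windows 2000"),                     # contradictory
]

# Constructed Snort-style alert name mapped to what it can actually hurt.
SIG_TARGETS = {
    "WEB-IIS CodeRed .ida attempt": {"app": "Microsoft-IIS/5.0", "os": "Windows 2000"},
}

MIN_SIGHTINGS = 2  # never conclude from a single data point


def profile(host, observations=OBSERVATIONS):
    """Per-layer value for a host, only when seen MIN_SIGHTINGS times and never contradicted."""
    result = {}
    for layer in ("os", "app"):
        counts = Counter(v for h, l, v in observations if h == host and l == layer)
        if len(counts) == 1:                       # contradictory sightings yield nothing
            value, seen = counts.most_common(1)[0]
            if seen >= MIN_SIGHTINGS:
                result[layer] = value
    return result


def rate(signature, host, observations=OBSERVATIONS):
    """Rate an alert against the host's passive profile; app layer beats OS fingerprint."""
    targets = SIG_TARGETS.get(signature)
    if targets is None:
        return "unknown-signature"
    prof = profile(host, observations)
    if "app" in prof:                               # application layer is decisive
        return "vulnerable" if prof["app"] == targets["app"] else "not-vulnerable"
    if "os" in prof:                                # OS alone only narrows it down
        return "possibly-vulnerable" if prof["os"] == targets["os"] else "not-vulnerable"
    return "unknown-host"                           # too little passive evidence to say


def triage(alerts, observations=OBSERVATIONS):
    """Attach a rating to each (signature, destination host) alert pair."""
    return [(sig, host, rate(sig, host, observations)) for sig, host in alerts]
```

An alert rated "unknown-host" is the case for an active scan or host agent, as the thread notes; "not-vulnerable" is the CodeRed-against-OS-X alert the IDS admin would rather not see.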

