IDS mailing list archives

Re: Announcement: Alert Verification for Snort


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 24 Oct 2003 11:20:02 -0500

On Thu, 2003-10-23 at 21:17, Ron Gula wrote:
B) Reliance on old vulnerability data. Large networks change often and
    if a new host is added and the IDS or VA does not know about it, the
    correlation won't occur.

Not just that, but also reliance on "current" non-vulnerability. Hosts,
especially in a Microsoft environment, may become vulnerable "again" to
older, patched vulnerabilities. The classic and easiest to understand
example is the restoration of a failed server from tape without proper
re-patching. The gun turns downward like this:

- Server setup.
- Image/backup created.
- Vulnerability discovered, server patched.
- IDS is "tuned" via vulnerability data.
- Failure event occurs, server is restored.

(Without re-patching, or perhaps the latest, cumulative patch opens an
old vulnerability.)

All of a sudden the box is vulnerable again, but the IDS has been
tuned to ignore those alerts.... oops!


I agree with other posts that highlight that an Intrusion Detection
System is also a failure detection system and should be configured to
catch failure states, even unanticipated ones.

Nothing wrong with removing Apache signatures from an IIS box. But let's
not cut down on IIS alerts because a vulnerability scanner believes it
is currently not vulnerable to certain exploits/sigs.

Cheers,
Frank
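As an added illustration (not part of Frank's message, nor code from the Snort alert-verification tool announced in the thread), the following Python sketches a verification step that honours both points above: a platform mismatch may suppress an alert, but a scanner's "not vulnerable" verdict only lowers priority, and is disregarded once the scan is stale or a restore of the host postdates it. The class names, the CVE tag and the sample data are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:  # a Snort alert reduced to the fields correlation needs
    sid: int
    dst_ip: str
    platform: str        # platform the signature targets, e.g. "iis" or "apache"
    cve: Optional[str]   # hypothetical CVE tag carried by the rule; None if untagged

@dataclass
class AssetRecord:  # what the vulnerability assessment (VA) scanner last reported for a host
    platform: str
    patched: frozenset   # CVEs the scan found not exploitable on this host
    scanned_at: int      # epoch seconds of that scan

@dataclass
class HostEvent:  # a state change that can undo patching: restore from tape, reimage, rebuild
    ip: str
    kind: str
    at: int

WEEK = 7 * 86400
def verify_alert(alert, assets, events, now, max_age=WEEK):
    """Return (action, reason). Only a platform mismatch suppresses the alert; a
    'not vulnerable' verdict may lower priority, never drop, and only while the
    scan is fresh and no restore/reimage of the host postdates it."""
    asset = assets.get(alert.dst_ip)
    if asset is None:
        return "alert", "no VA data for host; keep the alert"
    if asset.platform != alert.platform:
        return "suppress", f"rule targets {alert.platform}, host runs {asset.platform}"
    if alert.cve in asset.patched:
        stale = now - asset.scanned_at > max_age
        restored = any(e.ip == alert.dst_ip and e.at > asset.scanned_at for e in events)
        if stale or restored:
            return "alert", "scan said patched, but data is stale or host was restored since"
        return "low-priority", "scan says patched and host unchanged since; log, do not drop"
    return "alert", "right platform, not known to be patched"

# Constructed sample data (not from the thread): one IIS host scanned at t=1000.
ASSETS = {"10.0.0.5": AssetRecord("iis", frozenset({"CVE-EXAMPLE-1"}), scanned_at=1000)}
RESTORE = [HostEvent("10.0.0.5", "restore-from-tape", at=5000)]
IIS_ALERT = Alert(sid=1, dst_ip="10.0.0.5", platform="iis", cve="CVE-EXAMPLE-1")
APACHE_ALERT = Alert(sid=2, dst_ip="10.0.0.5", platform="apache", cve=None)

if __name__ == "__main__":
    for a, ev in ((APACHE_ALERT, []), (IIS_ALERT, []), (IIS_ALERT, RESTORE)):
        print(a.sid, *verify_alert(a, ASSETS, ev, now=1000 + 86400))
```

The third case is the scenario from the post: the scan still says "patched", but the restore at t=5000 postdates it, so the alert is kept rather than tuned away.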
