IDS mailing list archives
Re: IDS alerts / second - Correlation - Virtualization
From: Ron Gula <rgula () tenablesecurity com>
Date: Tue, 26 Jul 2005 14:53:50 -0400
At 07:38 PM 7/25/2005, william taft wrote:
I completely agree with Frank here... scanning technologies are interesting to get a snapshot, but by definition they miss all kinds of things:
- devices/workstations/servers which are 'off' or offline when the scan is performed.
- software/servers installed after the scan
- hw positioned behind FWs which might be blocking the scans
- new hw (laptops, etc.) or hw behind a wifi
- partner network links and the hw on that network
- false/poor OS information generated by odd hw configurations/OS tweaks

Also, agree with Frank re: value of detecting compromises. I'm not a fan of alerts, but I think it's important to know that an asset had been subjected to an attack (even if that attack is targeting the wrong OS/vulnerability/etc.). Maybe it makes more sense to use an asset database to de-prioritize unsuccessful alerts, but it doesn't make sense (to me anyway) to not report on an attempted attack...
This is pretty much our strategy with the NeVO sensor and Lightning Console. NeVO passively sees traffic and can give you very real-time information about systems and vulnerabilities without any scanning. Lightning can then take IDS events from Snort, ISS, etc. and correlate these to find events which target vulnerable applications. In some cases, NeVO also detects compromised systems based on specific rules designed to evaluate the responses from servers it has discovered.

Ron Gula, CTO
Tenable Network Security
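The correlation both posts describe, as an added example for this page (not code from NeVO, Lightning Console or any of the posters): IDS events are matched against a passively built asset inventory, escalated when they target a vulnerability the host actually has, de-prioritized but still reported when aimed at the wrong OS, and flagged rather than suppressed when the target is not in the inventory at all. Host addresses, signature ids and the VULN-* vulnerability ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    ip: str
    os: str
    vulns: frozenset          # vulnerability ids observed on this host

@dataclass(frozen=True)
class Alert:
    sid: str                  # IDS signature id (constructed placeholder)
    dst: str                  # attacked host
    target_os: Optional[str]  # OS the signature's exploit applies to, if known
    exploits: Optional[str]   # vulnerability id the signature targets, if any

# Constructed sample inventory, as a passive sensor might build it.
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", "linux", frozenset({"VULN-A"})),
    "10.0.0.7": Asset("10.0.0.7", "windows", frozenset()),
}

# Constructed sample IDS events (VULN-* ids are placeholders, not real CVEs).
ALERTS = [
    Alert("sig-1001", "10.0.0.5", "linux", "VULN-A"),    # vulnerable target
    Alert("sig-1001", "10.0.0.7", "linux", "VULN-A"),    # wrong OS for exploit
    Alert("sig-2002", "10.0.0.7", "windows", "VULN-B"),  # OS matches, vuln not seen
    Alert("sig-3003", "10.0.0.9", None, None),           # host not in inventory
]

RANK = {"critical": 0, "unknown-asset": 1, "medium": 2, "low": 3}

def prioritize(alert: Alert, assets: dict) -> tuple:
    """Return (priority, reason) for one alert; every alert keeps a priority."""
    asset = assets.get(alert.dst)
    if asset is None:
        return "unknown-asset", "target not in inventory; cannot de-prioritize"
    if alert.exploits and alert.exploits in asset.vulns:
        return "critical", "targets a vulnerability observed on the host"
    if alert.target_os and alert.target_os != asset.os:
        return "low", f"exploit is for {alert.target_os}, host runs {asset.os}"
    return "medium", "OS matches; vulnerability not (yet) observed on host"

def correlate(alerts, assets) -> list:
    """Annotate every alert and sort highest priority first; nothing is dropped."""
    rows = [(a.sid, a.dst, *prioritize(a, assets)) for a in alerts]
    return sorted(rows, key=lambda r: RANK[r[2]])
```

The "unknown-asset" bucket is the caveat from the first post: an inventory, scanned or passive, is never complete, so absence from it must not be read as "not vulnerable".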