IDS mailing list archives

Re: IDS alerts / second - Correlation - Virtualization


From: Ron Gula <rgula () tenablesecurity com>
Date: Tue, 26 Jul 2005 14:53:50 -0400

At 07:38 PM 7/25/2005, william taft wrote:
I completely agree with Frank here...scanning technologies are
interesting to get a snapshot, but by definition they miss all kinds
of things:

- devices/workstations/servers which are 'off' or offline when the
scan is performed.
- software/servers installed after the scan
- hw positioned behind FWs which might be blocking the scans
- new hw (laptops, etc.) or hw behind a wifi
- partner network links and the hw on that network
- false/poor OS information generated by odd hw configurations/OS tweaks

Also, agree with Frank re: value of detecting compromises.  I'm not a
fan of alerts, but I think it's important to know that an asset had
been subjected to an attack (even if that attack is targeting the
wrong OS/vulnerability/etc.)  Maybe it makes more sense to use an
asset database to de-prioritize unsuccessful alerts, but it doesn't
make sense (to me anyway) to not report on an attempted attack...

This is pretty much our strategy with the NeVO sensor and Lightning
Console. NeVO passively sees traffic and can give you very real-time
information about systems and vulnerabilities without any scanning.
Lightning can then take IDS events from Snort, ISS, etc. and correlate
these to find events which target vulnerable applications. In some
cases, NeVO also detects compromised systems based on specific rules
designed to evaluate the responses from servers it has discovered.

Ron Gula, CTO
Tenable Network Security
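The correlation strategy described in this thread (IDS events checked against an asset and vulnerability picture built from observed traffic, with alerts aimed at the wrong OS de-prioritised but still reported, and hosts the inventory has never seen kept visible rather than dropped) is shown below as an added illustrative example. It is not code from Tenable, NeVO or Lightning Console, and the asset inventory, rule metadata, Snort-style alert lines and CVE-style identifiers are all constructed placeholders.

```python
"""Prioritise IDS alerts by correlating them with an asset inventory.

Hypothetical example: the inventory stands in for what a passive sensor
learns from traffic (OS family and known weaknesses per host), the rule
metadata stands in for the reference/metadata fields of each signature.
"""
import re
from dataclasses import dataclass

# Constructed inventory.  CVE-style ids are placeholders, not real ones.
ASSETS = {
    "10.0.0.5": {"os": "windows", "vulns": {"CVE-PLACEHOLDER-A"}},
    "10.0.0.9": {"os": "linux", "vulns": set()},
}

# Constructed per-signature metadata: which OS the rule's exploit targets
# and which placeholder weakness it corresponds to.
RULE_META = {
    "1:1000001": {"target_os": "windows", "cve": "CVE-PLACEHOLDER-A"},
    "1:1000002": {"target_os": "linux", "cve": "CVE-PLACEHOLDER-B"},
}

# Matches the Snort "fast" alert format: [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alert lines (not real sensor output).
SAMPLE_ALERTS = [
    "07/26-14:53:50.000001  [**] [1:1000001:1] WEB-IIS placeholder attempt [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 10.0.0.5:80",
    "07/26-14:53:51.000002  [**] [1:1000002:1] WEB-MISC placeholder attempt [**] [Priority: 2] {TCP} 192.0.2.10:4445 -> 10.0.0.5:80",
    "07/26-14:53:52.000003  [**] [1:1000001:1] WEB-IIS placeholder attempt [**] [Priority: 2] {TCP} 192.0.2.10:4446 -> 10.0.0.9:80",
    "07/26-14:53:53.000004  [**] [1:1000002:1] WEB-MISC placeholder attempt [**] [Priority: 2] {TCP} 192.0.2.10:4447 -> 10.0.0.9:80",
    "07/26-14:53:54.000005  [**] [1:1000001:1] WEB-IIS placeholder attempt [**] [Priority: 2] {TCP} 192.0.2.10:4448 -> 10.0.0.77:80",
]


@dataclass
class Correlated:
    sid: str
    msg: str
    dst: str
    verdict: str
    priority: int  # 1 = look at this first


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def correlate(alert, assets=ASSETS, rule_meta=RULE_META):
    """Decide how urgent one alert is, given what the inventory knows about its target."""
    dst = alert["dst"]
    meta = rule_meta.get(alert["sid"], {})
    asset = assets.get(dst)
    if asset is None:
        # Never seen by the inventory: cannot rule it out, so keep it visible.
        verdict, prio = "unknown-asset", 2
    elif meta.get("cve") and meta["cve"] in asset["vulns"]:
        # The attack matches a weakness the target is known to have.
        verdict, prio = "target-vulnerable", 1
    elif meta.get("target_os") and meta["target_os"] != asset["os"]:
        # Attack aimed at the wrong OS: still reported, just pushed down the queue.
        verdict, prio = "wrong-os", 4
    else:
        verdict, prio = "unverified", 3
    return Correlated(alert["sid"], alert["msg"], dst, verdict, prio)


def triage(lines, assets=ASSETS, rule_meta=RULE_META):
    """Parse alert lines, correlate each one and return them most urgent first."""
    results = [correlate(a, assets, rule_meta) for a in map(parse_alert, lines) if a]
    return sorted(results, key=lambda r: r.priority)  # stable: ties keep arrival order


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f"P{r.priority} {r.verdict:18} {r.dst:12} {r.sid} {r.msg}")
```

The unknown host (10.0.0.77) is deliberately ranked above the "wrong OS" hits: it is exactly the laptop-behind-wifi or just-installed-server case the quoted list warns a scan would miss, so the inventory's silence is treated as a reason to look, not as evidence the attack failed.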




