Full Disclosure mailing list archives

Fun with ISS Fusion Module


From: offtopic <offtopic () mail ru>
Date: Thu, 21 Apr 2005 17:35:33 +0400

Fun with ISS Fusion Module
This module can correlate data from different ISS products and, based on it, can give additional info about detected 
attacks (whether they were successful or not, etc.). For example, if the IDS (network sensor) detects an exploit in 
traffic, but the scan (Internet Scanner) reports that the vulnerability on the victim host is patched, the attack is 
marked as "Failed".

But Fusion doesn't check whether the vulnerability was checked in the scan or not. For example, if the IDS catches an 
attack, but the scanner reports that the host isn't vulnerable (because the admin forgot to include this check in the 
scanner's policy), Fusion will report that the attack possibly failed regardless of the real situation.

How to reproduce:

1. Launch Internet Scanner and scan the victim with some low-level policy, such as Inventory Level 1 or Level 2. This 
policy only finds hosts and applications and doesn't check for any vulnerabilities (like nmap).
2. Apply an appropriate policy to the IDS sensor (for example, Attack Detector).
3. Attack the victim with the selected exploit (I used LSASS MS04-011).
4. Check the report about the attack. You will see "Failure possible. scanned, vuln not confirmed"

I didn't find any description of the "Failure" status, but the color is green :-)

(c)oded by offtopic () mail ru
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
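
Added example, not part of the original post and not ISS code: a minimal model of the correlation decision described in the message, showing a verdict that treats "no finding" as "not vulnerable" beside one that first asks whether the scan policy tested for the vulnerability at all. The class names, the policy names, the status strings and the sample host are assumptions constructed for illustration; only MS04-011 comes from the post.

```python
from dataclasses import dataclass

@dataclass
class ScanResult:
    """What a vulnerability scan of one host covered and what it found."""
    host: str
    policy: str
    checks_run: frozenset  # vulnerability checks included in the scan policy
    findings: frozenset    # checks that came back "vulnerable"

@dataclass
class IdsEvent:
    host: str
    signature: str
    vuln_id: str  # vulnerability the detected exploit targets

def naive_verdict(event, scan):
    """Behaviour described in the post: a missing finding counts as 'not vulnerable'."""
    if scan is None:
        return "unknown: host never scanned"
    if event.vuln_id in scan.findings:
        return "success likely: vuln confirmed"
    return "failure possible: scanned, vuln not confirmed"

def coverage_aware_verdict(event, scan):
    """Downgrade an attack only when the scan really tested for that vulnerability."""
    if scan is None or event.vuln_id not in scan.checks_run:
        return "unknown: vuln not assessed by scan"
    if event.vuln_id in scan.findings:
        return "success likely: vuln confirmed"
    return "failure likely: vuln checked and not found"

# Constructed sample data; 192.0.2.10 is a documentation-range address.
EVENT = IdsEvent("192.0.2.10", "LSASS exploit", "MS04-011")
INVENTORY_SCAN = ScanResult("192.0.2.10", "inventory-only", frozenset(), frozenset())
FULL_SCAN_PATCHED = ScanResult("192.0.2.10", "full",
                               frozenset({"MS04-011"}), frozenset())
FULL_SCAN_VULN = ScanResult("192.0.2.10", "full",
                            frozenset({"MS04-011"}), frozenset({"MS04-011"}))

if __name__ == "__main__":
    for scan in (INVENTORY_SCAN, FULL_SCAN_PATCHED, FULL_SCAN_VULN):
        print(scan.policy, "|", naive_verdict(EVENT, scan),
              "|", coverage_aware_verdict(EVENT, scan))
```

With the inventory-only scan the two functions disagree: the first reports a possible failure, the second reports that the host was never assessed for this vulnerability and leaves the alert at full priority.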

