Snort mailing list archives
Re: SnortAV?
From: John Hally <JHally () epnet com>
Date: Fri, 29 Dec 2006 08:32:00 -0500
Agreed. I guess what I'm looking for are options to further increase the intelligence of our current IDS implementation without throwing $100k at the problem for a full blown completely commercial IDS/IPS/SIM/SIEM or whatever the hot acronym is these days. Thanks for the info. John. -----Original Message----- From: jrhendri () maine rr com [mailto:jrhendri () maine rr com] Sent: Thursday, December 28, 2006 7:30 PM To: purplebag Cc: John Hally; snort-users () lists sourceforge net Subject: Re: [Snort-users] SnortAV? I would agree that testing a host after the fact is inherently prone to error. Does anyone know of any effort to integrate IDS with scanner output to achieve a (potentially more accurate) result? Something like doing daily nessus scans and tailoring snort output to alert for systems that were (potentially) vulnerable as of the last scan could be beneficial. Or you could just tune your IDS based on human intelligence and *patch* your systems based on nessus output :-) Ramblings... Jim ----- Original Message ----- From: purplebag <purplebag () gmail com> Date: Thursday, December 28, 2006 7:07 pm Subject: Re: [Snort-users] SnortAV? To: John Hally <JHally () epnet com> Cc: snort-users () lists sourceforge net
From the web page"Active alert verification is a technique designed to reduce the false positive rate of IDSs by actively probing for a vulnerability associated with detected attacks. If the vulnerability corresponding to a detected attack is found to exist in the host or network against which the attack was directed, the alert is generated, invoking any logging and response functions as normal. If, however, the vulnerability is determined not to exist, the alert is considered a false positive and is suppressed." This is a lot like what Psionic ( now cisco ) does - http://newsroom.cisco.com/dlls/corp_102202.html. What is the first thing attackers do after compromising a host? They patch the flaw they entered through in order to maintain control and not lose the system in the same manner. Automated attack tools and kits make this process extremely expedient and are likely to result in the real events being suppressed by the infrastructure you trust to let you know about the problem. I've been witness to this failure on many occasion and can only recommend against any reliance on this and similar methodologies. The approach is fundamentally flawed from a security perspective. Nothing about the target host, as reported by itself, can be trusted post attack; if there were a real compromise. On 12/28/06, John Hally <JHally () epnet com> wrote:Hello All, I stumbled upon SnortAV recently, which looks to be integrationof Nessus toattempt to verify alerts and actual vulnerabilities to raisepriority. Itlooks as though the project is stalled. Is that the case? Hasanyone hadany experience with it? It seems like a really cool concept,almost a poorman's RNA. Thoughts? Thanks! -------------------------------------------------------------------------Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance toshare youropinions on IT & business topics through brief surveys - and earncash> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV>_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Purple Bag Society of the Crown -------------------------------------------------------------------- ----- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SnortAV? John Hally (Dec 28)
- Re: SnortAV? purplebag (Dec 28)
- Re: SnortAV? jrhendri (Dec 28)
- Re: SnortAV? Jason (Dec 28)
- Re: SnortAV? Paul Schmehl (Dec 28)
- Re: SnortAV? jrhendri (Dec 28)
- <Possible follow-ups>
- Re: SnortAV? John Hally (Dec 29)
- Re: SnortAV? purplebag (Dec 28)