Agreed. I guess what I'm looking for are options to further increase the
intelligence of our current IDS implementation without throwing $100k at the
problem for a full blown completely commercial IDS/IPS/SIM/SIEM or whatever
the hot acronym is these days.
Thanks for the info.
John.
-----Original Message-----
From: jrhendri@maine.rr.com [mailto:jrhendri@maine.rr.com]
Sent: Thursday, December 28, 2006 7:30 PM
To: purplebag
Cc: John Hally; snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] SnortAV?
I would agree that testing a host after the fact is inherently prone to
error.
Does anyone know of any effort to integrate IDS with scanner output to
achieve a (potentially more accurate) result? Something like doing daily
nessus scans and tailoring snort output to alert for systems that were
(potentially) vulnerable as of the last scan could be beneficial.
Or you could just tune your IDS based on human intelligence and *patch*
your systems based on nessus output :-)
Ramblings...
Jim
----- Original Message -----
From: purplebag <purplebag@gmail.com>
Date: Thursday, December 28, 2006 7:07 pm
Subject: Re: [Snort-users] SnortAV?
To: John Hally <JHally@epnet.com>
Cc: snort-users@lists.sourceforge.net
> >From the web page
>
> "Active alert verification is a technique designed to reduce the false
> positive rate of IDSs by actively probing for a vulnerability
> associated with detected attacks. If the vulnerability corresponding
> to a detected attack is found to exist in the host or network against
> which the attack was directed, the alert is generated, invoking any
> logging and response functions as normal. If, however, the
> vulnerability is determined not to exist, the alert is considered a
> false positive and is suppressed."
>
> This is a lot like what Psionic ( now cisco ) does -
> http://newsroom.cisco.com/dlls/corp_102202.html.
>
> What is the first thing attackers do after compromising a host? They
> patch the flaw they entered through in order to maintain control and
> not lose the system in the same manner.
>
> Automated attack tools and kits make this process extremely expedient
> and are likely to result in the real events being suppressed by the
> infrastructure you trust to let you know about the problem. I've been
> witness to this failure on many occasion and can only recommend
> against any reliance on this and similar methodologies.
>
> The approach is fundamentally flawed from a security perspective.
> Nothing about the target host, as reported by itself, can be trusted
> post attack; if there were a real compromise.
>
>
> On 12/28/06, John Hally <JHally@epnet.com> wrote:
> >
> >
> >
> >
> > Hello All,
> >
> > I stumbled upon SnortAV recently, which looks to be integration
> of Nessus to
> > attempt to verify alerts and actual vulnerabilities to raise
> priority. It
> > looks as though the project is stalled. Is that the case? Has
> anyone had
> > any experience with it? It seems like a really cool concept,
> almost a poor
> > man's RNA.
> >
> > Thoughts?
> >
> > Thanks!
> > ------------------------------------------------------------------
> -------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to
> share your
> > opinions on IT & business topics through brief surveys - and earn
> cash>
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV>
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
>
>
> --
> Purple Bag
> Society of the Crown
>
> --------------------------------------------------------------------
> -----
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to
> share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
|