IDS mailing list archives
Re: SourceFire RNA
From: Renaud Deraison <deraison () nessus org>
Date: Tue, 2 Dec 2003 17:56:58 -0500
[ The second half of this post is more related to VA scanners in general, and may be considered as being off-topic. Moderator: kill this message if you do not think it belongs here ]

On Tue, Dec 02, 2003 at 05:27:57PM -0500, Jason wrote:
> - Checking the registry requires administrative privilege; this is in essence advertising the administrative credentials to everyone that is a recipient of the probe.

The credentials are sent in the form of a hash (NTLMv2 or Kerberos). This is not a vulnerability per se.

> - Attempting to elicit a specific response only identified that a patch had been installed; if alternative methods of resolution were taken, like disabling DCOM, then the check was ineffective and inaccurate.

If you disable DCOM, then the attack vector is not there any more -> you are not vulnerable. So the active probe actually did its job well.

> - It resulted in a false sense of security for many because the patch was ineffective and resulted in a 100% false negative for any integrated system that relied solely on this information for vulnerability management.

The initial patch _was_ effective - it fixed _a_ form of the overflow. If the patch was properly applied, msblaster would not propagate. Unfortunately, there were other flaws in MSRPC, and other vectors were not fixed by this patch, and were not known either when it was written.

> The passive approach was able to identify, with a high degree of certainty, the likely vulnerable systems before patching even began

Absolutely not! Passively you CANNOT determine if the patch has been applied. If all the VA tools out there are sending a tortured series of MSRPC packets, there is a good reason for that. Passively you can at best determine that you have a bunch of Windows hosts out there. Some might have been patched, some might not. And in the end, you don't even know if you've seen ALL of them.

> , it was able to identify the change in behavior even though the host was supposed to have been patched...

Correct. This is the job of an IDS, though. Also, if a host changes behavior because it has been infected by the MSRPC worm, you're quite screwed, security-wise.

> In this way you can foresee possible and actual vulnerabilities without ever touching the host directly. With this information you can target your response to the high risk systems and handle the situation more effectively.

You did not foresee anything. You saw that a

> Next we have evasion; it is trivial to evade any active probe, especially routine ones. When we start thinking about threat management this scenario is an even greater concern. An attacker can easily evade an active probe from scanning machines and continue to provide services.

It's easy to evade active probes ONCE you've broken into the target. Then it's obviously too late for pro-active security; this is why there are IDSes out there.

> I hope I have illustrated why passive is the best way to go when considering the true threats and the alternatives.

Your "illustration" is based on a total misunderstanding of the facts.

-- 
Renaud