IDS mailing list archives
RE: how to verify whether an attack attempt is successful?
From: detmar.liesen () lds nrw de
Date: Thu, 16 Jan 2003 08:28:25 +0100
->Is there any technology developed in this direction?

Sure there is. With some attacks you can determine whether or not the attack was successful because the system under attack responds in an attack-specific way. Snort has some attack-responses rules, but none of these ever triggered on my network and I haven't yet had a closer look at those rules, so I don't know if they are really useful.

In general it's impossible to determine the success of attacks with only a network IDS (NIDS). What you can do at network level is to compare detected attack attempts with information from a vulnerability database. The vulnerability information can be gathered by using VA tools like Nessus. Thus you can always determine whether or not the system under attack is vulnerable to that specific attack. If so, you can be damned sure that the attack succeeds.

However, this is not a 100% reliable way. But such things are never very reliable. They are an aid in analysing events more quickly and accurately because you gain a better "signal-noise-ratio".

But host-based IDSs can do this quite accurately because they utilize more than just packet-stream information. Host-based IDSs look into log files, check file system integrity (i.e. if any files have been modified) and they can also analyse system and API calls at kernel level.

HTH,
Detmar Liesen
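The correlation described in the message above (NIDS alerts compared against vulnerability-assessment results), as an added example that is not part of the original post. The record layout, the `EXAMPLE-` vulnerability ids, the 192.0.2.x addresses and the 30-day freshness limit are all assumptions made for illustration; they are not Snort or Nessus output formats.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real Snort or Nessus output). Vulnerability ids
# are placeholders; addresses come from the 192.0.2.0/24 documentation range.
SCAN_FINDINGS = [  # what the last vulnerability assessment reported
    {"host": "192.0.2.10", "port": 80, "vuln": "EXAMPLE-0001"},
    {"host": "192.0.2.20", "port": 21, "vuln": "EXAMPLE-0002"},
]
LAST_SCANNED = {  # when each host was last assessed
    "192.0.2.10": datetime(2003, 1, 15),
    "192.0.2.20": datetime(2002, 11, 1),
    "192.0.2.30": datetime(2003, 1, 15),
}
ALERTS = [  # NIDS alerts, each tagged with the vulnerability its signature targets
    {"time": datetime(2003, 1, 16, 8, 0), "dst": "192.0.2.10", "port": 80, "vuln": "EXAMPLE-0001"},
    {"time": datetime(2003, 1, 16, 8, 5), "dst": "192.0.2.30", "port": 80, "vuln": "EXAMPLE-0001"},
    {"time": datetime(2003, 1, 16, 8, 9), "dst": "192.0.2.20", "port": 21, "vuln": "EXAMPLE-0002"},
    {"time": datetime(2003, 1, 16, 8, 12), "dst": "192.0.2.99", "port": 80, "vuln": "EXAMPLE-0001"},
]
MAX_SCAN_AGE = timedelta(days=30)  # assumed freshness limit for scan data


def classify(alert, findings, last_scanned, max_age=MAX_SCAN_AGE):
    """Return a triage label for one alert based on vulnerability scan data."""
    scanned = last_scanned.get(alert["dst"])
    if scanned is None:
        return "unknown-host-never-scanned"
    if alert["time"] - scanned > max_age:
        # Old scan data proves nothing either way: the host may have been
        # patched or newly exposed since the assessment.
        return "unknown-scan-stale"
    vulnerable = any(
        f["host"] == alert["dst"] and f["port"] == alert["port"] and f["vuln"] == alert["vuln"]
        for f in findings
    )
    return "high-target-vulnerable" if vulnerable else "low-target-not-vulnerable"


def triage(alerts, findings, last_scanned):
    """Classify every alert and sort so alerts against vulnerable targets come first."""
    order = {"high": 0, "unknown": 1, "low": 2}
    labelled = [(classify(a, findings, last_scanned), a) for a in alerts]
    return sorted(labelled, key=lambda pair: (order[pair[0].split("-")[0]], pair[1]["time"]))


if __name__ == "__main__":
    for label, alert in triage(ALERTS, SCAN_FINDINGS, LAST_SCANNED):
        print(f'{alert["time"]:%H:%M} {alert["dst"]}:{alert["port"]} {alert["vuln"]} -> {label}')
```

Alerts against hosts that were never scanned, or whose scan is older than the limit, are kept apart from the "not vulnerable" bucket so that missing data does not silently lower their priority.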
Current thread:
- how to verify whether an attack attempt is successful? Yan Zhai (Jan 15)
- Re: how to verify whether an attack attempt is successful? Huagang XIE (Jan 16)
- Re: how to verify whether an attack attempt is successful? Jose Nazario (Jan 16)
- Re: how to verify whether an attack attempt is successful? Kurt Seifried (Jan 16)
- <Possible follow-ups>
- RE: how to verify whether an attack attempt is successful? detmar . liesen (Jan 17)
- RE: how to verify whether an attack attempt is successful? Ron Gula (Jan 20)
- Re: how to verify whether an attack attempt is successful? Scott Wimer (Jan 21)
- Re: how to verify whether an attack attempt is successful? Yan Zhai (Jan 19)