IDS mailing list archives
Re: how to verify whether an attack attempt is successful?
From: Scott Wimer <scottw () cylant com>
Date: Fri, 17 Jan 2003 08:46:01 -0800
The other way to verify if an attack attempt is successful, is to do behavioral analysis of the software running on the box. If the attack causes the targetted programs behavior to change, it's a reasonable assumption that it was successful in doing something at least. Ideally, detecting this change in behavior quick enough can let you stop the attack before it completes.
That's the approach we take anyway. scottwimer detmar.liesen () lds nrw de wrote:
->Is there any technology developed in this direction?Sure there is.With some attacks you can determine whether or not the attack was successful because the system under attack responds in an attack-specific way. Snort has some attack-responses rules, but none of these ever triggered on my network and I haven't yet had a closer look at those rules, so I don't know if they are really useful. In general it's impossible to determine the success of attacks with only a network IDS (NIDS). What you can do at network level is to compare detected attack-attempts with information from a vulnerability-database. The vulnerability information can be gathered by using VA tools like nessus. Thus you can always determine whether or not the system under attack is vulnerable to that specific attack.If so, you can be damned sure that the attack succeeds.However, this is not a 100% reliable way. But such things are never very reliable. They are an aid at analysing events more quickly and accurately because you gain a better "signal-noise-ratio". But Host based IDSs can do this quite accurately because they utilize more than just packet-stream information. Host based IDSs look into log files, check file system - integrity (i.e. if any files have been modified) and they can also analyse system- and api-calls at kernel level. HTH, Detmar Liesen
-- Scott M. Wimer, CTO Cylant www.cylant.com 121 Sweet Ave. v. (208) 883-4892 Suite 123 c. (208) 850-4454 Moscow, ID 83843 There is no Security without Control.
Current thread:
- how to verify whether an attack attempt is successful? Yan Zhai (Jan 15)
- Re: how to verify whether an attack attempt is successful? Huagang XIE (Jan 16)
- Re: how to verify whether an attack attempt is successful? Jose Nazario (Jan 16)
- Re: how to verify whether an attack attempt is successful? Kurt Seifried (Jan 16)
- <Possible follow-ups>
- RE: how to verify whether an attack attempt is successful? detmar . liesen (Jan 17)
- RE: how to verify whether an attack attempt is successful? Ron Gula (Jan 20)
- Re: how to verify whether an attack attempt is successful? Scott Wimer (Jan 21)
- Re: how to verify whether an attack attempt is successful? Yan Zhai (Jan 19)