IDS mailing list archives

RE: IDS is dead, etc


From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 25 Jun 2003 08:56:00 -0400


On 6/19/03 6:52 PM, "Giles Coochey" <giles () coochey net> wrote:
>
> I would love to see a fingerprinting tool that identified the client
> and server Operating System / Application and reduced the priority of
> alerts for false positives when it is known that the system is not
> vulnerable. The alerts still flag, so we see the drive-by-shootings,
> but as their priority is reduced they are less significant.
>
> Anyone got any development ideas on this front?


The Lightning Console from Tenable Network Security does this. It
uses distributed Nessus scanners to perform very fast vulnerability
scans and takes feeds from Snort, Dragon and RealSecure. When an
IDS event occurs, we check to see if the targeted system is vulnerable
to the attack. If so, the IDS event is logged with a "vulnerable" flag
and the owners of the targeted system are alerted. In the IDS analysis
window, a user can make their 100000s of IDS events 'disappear', only
leaving the ones that target a vulnerability, by clicking on the
'vulnerable' field.

Ron Gula, CTO
Tenable Network Security
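As an added example of the correlation Ron describes (this is not code from the Lightning Console or from anyone in this thread), the following script joins IDS alerts to vulnerability-scan findings for the targeted host and attaches a 'vulnerable' verdict. The record layout, the placeholder CVE ids, the two-level demotion and the seven-day scan-age cutoff are all assumptions made for the example; the one check worth copying is that a host with missing or stale scan data is marked 'unknown' and never demoted, so a gap in scan coverage cannot hide an attack.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """One IDS event. Field names are assumptions for this example."""
    src: str
    dst: str
    dst_port: int
    cve: str       # reference carried by the signature (Snort's "reference:cve,...")
    priority: int  # 1 = highest, as in Snort's classification priorities


@dataclass
class HostFindings:
    """Scanner output for one host: when it was scanned, open ports, CVEs found."""
    scanned_at: datetime
    open_ports: set = field(default_factory=set)
    cves: set = field(default_factory=set)


def flag_alert(alert, scan, now, max_age):
    """Attach a 'vulnerable' verdict to an IDS alert.

    vulnerable      - the scanner saw this CVE on the targeted host
    not_vulnerable  - host was scanned recently and the CVE is absent
                      (or the port is not even open); priority demoted
    unknown         - no usable scan data; priority left alone, never demoted
    """
    f = scan.get(alert.dst)
    if f is None or now - f.scanned_at > max_age:
        # Stale or missing scan data must not suppress an alert.
        return {"alert": alert, "verdict": "unknown", "priority": alert.priority}
    if alert.cve in f.cves:
        return {"alert": alert, "verdict": "vulnerable", "priority": alert.priority}
    # Demote by two levels (a heuristic chosen for this example): the event is
    # still logged, so the drive-by shootings remain visible at lower priority.
    return {"alert": alert, "verdict": "not_vulnerable", "priority": alert.priority + 2}


def triage(alerts, scan, now, max_age=timedelta(days=7)):
    """Flag every alert against the scan results."""
    return [flag_alert(a, scan, now, max_age) for a in alerts]


def vulnerable_only(triaged):
    """The 'click on the vulnerable field' view: only events that hit a real hole."""
    return [t for t in triaged if t["verdict"] == "vulnerable"]


def demo():
    """Constructed sample data; the CVE ids are placeholders, not real advisories."""
    now = datetime(2003, 6, 25, 9, 0)
    scan = {
        "10.0.0.5": HostFindings(now - timedelta(days=1), {80, 443}, {"CVE-0000-0001"}),
        "10.0.0.6": HostFindings(now - timedelta(days=1), {22}, set()),
        "10.0.0.7": HostFindings(now - timedelta(days=30), {80}, {"CVE-0000-0001"}),
    }
    alerts = [
        Alert("192.0.2.10", "10.0.0.5", 80, "CVE-0000-0001", 1),  # vulnerable
        Alert("192.0.2.10", "10.0.0.6", 80, "CVE-0000-0001", 1),  # port closed, demoted
        Alert("192.0.2.10", "10.0.0.7", 80, "CVE-0000-0001", 1),  # scan too old, unknown
        Alert("192.0.2.10", "10.0.0.9", 80, "CVE-0000-0001", 1),  # never scanned, unknown
    ]
    return triage(alerts, scan, now)


if __name__ == "__main__":
    for t in demo():
        print(t["alert"].dst, t["verdict"], t["priority"])
```

In a real deployment the scan data would come from the scanner's export rather than an inline dict, and the alert-to-CVE mapping relies on the IDS signature carrying a reference; signatures without one can only be matched on destination port, which is weaker and should be labelled as such rather than treated as 'not_vulnerable'.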

