IDS mailing list archives

Re: Cisco CTR


From: Renaud Deraison <deraison () nessus org>
Date: Mon, 10 Nov 2003 09:39:01 -0500

On Fri, Nov 07, 2003 at 11:13:55AM -0500, Rob Shein wrote:
> There's nothing unsubstantiated about it at all.  Look at the code for some
> of the exploits, actually READ the code.  Few of them have patches, and more
> to the point, all of the good ones are meant to be small.


Many exploits will disable the targeted service - rpc.yppasswdd,
rpc.statd and even the MS SQL sapphire worm come to mind - and the
IDS will find itself facing a closed port when doing its post-attack
probe. What happens in that case? Will the IDS log that attack as being
a false positive?


                                -- Renaud

-- 
Renaud Deraison
http://www.nessus.org
