IDS mailing list archives

Re: Announcement: Alert Verification for Snort


From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 23 Oct 2003 22:17:34 -0400

Good thread so far, but when you add in the fact that your vulnerability
scanner can have false positives and false negatives, things get very
complex pretty fast. I put a paper out on this earlier this year (see
the papers section at www.tenablesecurity.com) and I broke the correlation
out in nine areas. Both an IDS event and a Vulnerability Detect can have
three states - false positive, false negative and being accurate. This
actually gives you nine states to deal with.

The short of the paper was that if your IDS is registering attacks against
systems which have no chance of succeeding, correlating these with known
vulnerabilities can create what I call "high quality" alerts. We've been
shipping a product in this space which takes active and passive
vulnerability data and correlates it with Snort, Dragon, ISS, Intruvert
(IntruShield) and Bro. Users of our products don't blindly throw away
their IDS data, but they use the vulnerability correlation to focus on
alerts of interest and for automatic notification of folks who are not
NIDS-admins or even security folks.

What really concerns me is when folks correlate IDS attacks with
vulnerabilities not present because they have been correlated with false
negatives. They get a false sense of security when they can make 100,000
IDS events disappear when they don't correlate with their model of
what is vulnerable.

The biggest errors I've seen in this area are:

A) Correlating attacks after the fact. I have not tested the 'Alert
   Verification' tool that started this thread, but I've seen this sort
   of technology implemented where the re-scan of an IDS alert causes
   new IDS alerts which cause a new re-scan. I've also seen it where an
   attacker can spoof an attack and cause real systems to be re-scanned
   as a denial of service.

B) Reliance on old vulnerability data. Large networks change often and
   if a new host is added and the IDS or VA does not know about it, the
   correlation won't occur.

C) Poor correlation. If you're just doing a quick CVE check, good luck.
   There are a lot of Snort signatures and lots of vulnerability checks,
   but there is not necessarily one particular vulnerability check for
   every Snort or IDS event that occurs. In many cases there is no
   correlation, especially when the IDS detects some sort of generic
   anomaly.

D) Reliance on passive only vulnerability detection. Don't get me wrong,
   passive vulnerability detection is a **great** technology. However,
   when compared with an active scanner, you don't get nearly as much.

Sorry for the long email ...

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
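An added illustration of the correlation logic discussed in the post above (points A through D): example code written for this archive page, not Ron Gula's paper or any Tenable product. Host records, signature-to-vulnerability mappings, and the age threshold are constructed sample data; the point is that only a fresh, positive "not vulnerable" answer may demote an alert, while missing hosts, stale scans, and unmapped (generic) signatures keep the alert in view.

```python
from datetime import datetime, timedelta

# Constructed sample vulnerability data (not real hosts or findings).
# Each host: when it was last actively scanned and which vulns were found.
VULN_DB = {
    "10.0.0.5": {"scanned": datetime(2003, 10, 23, 8, 0), "vulns": {"vuln-A"}},
    "10.0.0.9": {"scanned": datetime(2003, 9, 1, 8, 0), "vulns": set()},  # stale
}

# Constructed IDS signature -> vulnerability mapping. SID-1002 is a
# "generic anomaly" signature with no mapping at all (point C).
SIG_TO_VULN = {"SID-1000": {"vuln-A"}, "SID-1001": {"vuln-B"}}

MAX_AGE = timedelta(days=7)  # assumed freshness window for VA data (point B)


def classify(alert, vuln_db=VULN_DB, sig_map=SIG_TO_VULN, now=None):
    """Return a correlation verdict for one IDS alert.

    Only 'low_priority' is a demotion; every other verdict keeps the
    alert visible because the VA side cannot vouch for the target.
    """
    now = now or datetime.now()
    host = vuln_db.get(alert["dst"])
    if host is None:
        return "unknown_host"      # VA never saw this host; do not suppress
    if now - host["scanned"] > MAX_AGE:
        return "stale"             # old VA data; treat VA as a possible false negative
    vulns = sig_map.get(alert["sid"])
    if not vulns:
        return "uncorrelated"      # no vuln check exists for this signature
    if vulns & host["vulns"]:
        return "high_quality"      # attack against a vulnerability known to be present
    return "low_priority"          # fresh scan says the target lacks the vulnerability


def triage(alerts, now):
    """Bucket a batch of alerts; nothing is deleted, only ranked."""
    buckets = {}
    for alert in alerts:
        buckets.setdefault(classify(alert, now=now), []).append(alert)
    return buckets
```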