IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 23 Oct 2003 22:17:34 -0400
Good thread so far, but when you add in the fact that your vulnerability scanner can have false positives and false negatives, things get very complex pretty fast. I put a paper out on this earlier this year (see the papers section at www.tenablesecurity.com) and I broke the correlation out in nine areas. Both an IDS event and a Vulnerability Detect can have three states - false positive, false negative and being accurate. This actually gives you nine states to deal with. The short of the paper was that if your IDS is registering attacks against systems which have no chance of succeeding, correlating these with known vulnerabilities can create what I call "high quality" alerts.

We've been shipping a product in this space which takes active and passive vulnerability data and correlates it with Snort, Dragon, ISS, Intruvert (IntruShield) and Bro. Users of our products don't blindly throw away their IDS data, but they use the vulnerability correlation to focus on alerts of interest and for automatic notification of folks who are not NIDS-admins or even security folks.

What really concerns me is when folks correlate IDS attacks with vulnerabilities not present because they have been correlated with false negatives. They get a false sense of security when they can make 100,000 IDS events disappear when they don't correlate with their model of what is vulnerable.

The biggest errors I've seen in this area are:

A) Correlating attacks after the fact. I have not tested the 'Alert Verification' tool that started this thread, but I've seen this sort of technology implemented where the re-scan of an IDS alert causes new IDS alerts which cause a new re-scan. I've also seen it where an attacker can spoof an attack and cause real systems to be re-scanned as a denial of service.

B) Reliance on old vulnerability data. Large networks change often and if a new host is added and the IDS or VA does not know about it, the correlation won't occur.

C) Poor correlation. If you're just doing a quick CVE check, good luck. There are a lot of Snort signatures and lots of vulnerability checks, but there is not necessarily one particular vulnerability check for every Snort or IDS event that occurs. In many cases there is no correlation, especially when the IDS detects some sort of generic anomaly.

D) Reliance on passive only vulnerability detection. Don't get me wrong, passive vulnerability detection is a **great** technology. However, when compared with an active scanner, you don't get nearly as much.

Sorry for the long email ...

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
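The correlation logic Ron warns about in points B) and C), written out as an added example (this is not code from the original post and not Tenable's product): an alert is only demoted to "not vulnerable" when the VA data is fresh, the target host is actually in the inventory, and the signature maps to a specific vulnerability check. Everything else stays visible to the analyst instead of silently disappearing. The signature IDs, CVE identifiers, IP addresses, and the signature-to-CVE mapping are constructed placeholders, and the seven-day freshness window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# All sample data below is constructed for illustration; none of it comes from the post.


@dataclass(frozen=True)
class IdsAlert:
    sid: int            # IDS signature id (placeholder values)
    dst: str            # target host of the detected attack
    ts: datetime        # time the IDS raised the alert


@dataclass
class HostVulns:
    last_scanned: datetime   # when the VA scanner last checked this host
    cves: Set[str]           # vulnerabilities reported as present on the host


# Hypothetical mapping from signature id to the vulnerability it targets.
# Many signatures (generic anomalies, recon) have no specific check at all.
SIG_TO_CVE: Dict[int, Set[str]] = {
    1001: {"CVE-EXAMPLE-0001"},
    1002: {"CVE-EXAMPLE-0002"},
    1003: set(),   # generic anomaly signature: nothing to correlate against
}

# Assumed policy: VA results older than this are not trusted to clear an alert.
MAX_AGE = timedelta(days=7)


def classify(alert: IdsAlert, inventory: Dict[str, HostVulns], now: datetime) -> str:
    """Place one alert into a correlation bucket.

    Only 'not_vulnerable' is a positive statement that the attack could not
    succeed; the other non-'high_quality' buckets mean "we do not know", which
    is exactly what must not be confused with "not vulnerable".
    """
    cves = SIG_TO_CVE.get(alert.sid)
    if not cves:
        return "no_mapping"          # point C: no vulnerability check for this signature
    host = inventory.get(alert.dst)
    if host is None:
        return "host_unknown"        # point B: VA has never seen this host
    if now - host.last_scanned > MAX_AGE:
        return "stale_data"          # point B: VA data too old to clear the alert
    if cves & host.cves:
        return "high_quality"        # attack against a vulnerability known to be present
    return "not_vulnerable"          # fresh scan of a known host shows the hole is absent


def triage(alerts: List[IdsAlert], inventory: Dict[str, HostVulns], now: datetime) -> Dict[str, List[IdsAlert]]:
    """Group alerts by bucket so each can be routed differently."""
    buckets: Dict[str, List[IdsAlert]] = {}
    for a in alerts:
        buckets.setdefault(classify(a, inventory, now), []).append(a)
    return buckets


# Only this bucket is safe to de-prioritise; the rest need a human or a re-check.
SUPPRESSIBLE = {"not_vulnerable"}

# Constructed sample inventory and alert stream.
NOW = datetime(2003, 10, 23, 22, 0, 0)
SAMPLE_INVENTORY: Dict[str, HostVulns] = {
    "10.0.0.5": HostVulns(last_scanned=NOW - timedelta(days=1), cves={"CVE-EXAMPLE-0001"}),
    "10.0.0.6": HostVulns(last_scanned=NOW - timedelta(days=30), cves=set()),
}
SAMPLE_ALERTS: List[IdsAlert] = [
    IdsAlert(1001, "10.0.0.5", NOW),   # vulnerable host, fresh scan -> high_quality
    IdsAlert(1002, "10.0.0.5", NOW),   # hole absent, fresh scan    -> not_vulnerable
    IdsAlert(1001, "10.0.0.6", NOW),   # scan is 30 days old        -> stale_data
    IdsAlert(1001, "10.0.0.7", NOW),   # host never scanned         -> host_unknown
    IdsAlert(1003, "10.0.0.5", NOW),   # generic signature          -> no_mapping
]


def demo() -> Dict[str, int]:
    """Return the size of each bucket for the sample stream."""
    return {k: len(v) for k, v in triage(SAMPLE_ALERTS, SAMPLE_INVENTORY, NOW).items()}


if __name__ == "__main__":
    for bucket, count in sorted(demo().items()):
        tag = "suppressible" if bucket in SUPPRESSIBLE else "keep"
        print(f"{bucket:15s} {count}  ({tag})")
```

Of the five sample alerts only one ends up in the suppressible bucket; the three "unknown" cases would have vanished under a naive "no CVE match means not vulnerable" rule, which is the false sense of security the post describes.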