IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 24 Oct 2003 11:20:02 -0500
On Thu, 2003-10-23 at 21:17, Ron Gula wrote:
> B) Reliance on old vulnerability data. Large networks change often and if a new host is added and the IDS or VA does not know about it, the correlation won't occur.

Not just that, but also reliance on "current" non-vulnerability. Hosts, especially in a Microsoft environment, may become vulnerable "again" to older, patched vulnerabilities. The classic and easiest to understand example is the restoration of a failed server from tape without proper re-patching. The gun turns downward like this:

- Server setup.
- Image/backup created.
- Vulnerability discovered, server patched.
- IDS is "tuned" via vulnerability data.
- Failure event occurs, server is restored. (Without re-patching, or perhaps the latest, cumulative patch opens an old vulnerability.)

All of a sudden the box is vulnerable again, but the IDS has been tuned to ignore those alerts.... oops!

I agree with other posts that highlight that an Intrusion Detection System is also a failure detection system and should be configured to catch failure states, even unanticipated ones. Nothing wrong with removing Apache signatures from an IIS box. But let's not cut down on IIS alerts because a vulnerability scanner believes it is currently not vulnerable to certain exploits/sigs.

Cheers,
Frank
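The timeline from the message above, replayed as an added example that is not part of the original post. It compares an IDS tuned from scanner results with one that only drops signatures for the wrong platform. The host name, signature names and event format are constructed for illustration.

```python
# Constructed inventory and signatures (not from the original message).
HOST_PLATFORM = {"web01": "iis"}
SIG_PLATFORM = {"iis-bug-A": "iis", "apache-bug-B": "apache"}

# Constructed timeline following the steps listed in the message.
TIMELINE = [
    ("setup", None),
    ("backup", None),            # image taken before the patch
    ("patch", "iis-bug-A"),
    ("scan", None),              # IDS is "tuned" from this result
    ("alert", "iis-bug-A"),
    ("alert", "apache-bug-B"),
    ("restore", None),           # server restored, not re-patched
    ("alert", "iis-bug-A"),
    ("alert", "apache-bug-B"),
]

def replay(timeline, host="web01"):
    """Replay the timeline and record which alerts each tuning policy keeps."""
    patched = set()      # ground truth on the host
    image = set()        # patch state captured in the backup
    scan_clean = set()   # what the last scan reported as not vulnerable
    result = {"vuln_tuned": [], "platform_only": [], "missed": []}
    for step, (kind, sig) in enumerate(timeline):
        if kind == "backup":
            image = set(patched)
        elif kind == "patch":
            patched.add(sig)
        elif kind == "scan":
            scan_clean = set(patched)
        elif kind == "restore":
            patched = set(image)          # patches applied after the backup are gone
        elif kind == "alert":
            relevant = SIG_PLATFORM[sig] == HOST_PLATFORM[host]
            vulnerable = relevant and sig not in patched
            if relevant:
                # Policy 1: drop only signatures for a platform the host does not run.
                result["platform_only"].append((step, sig))
            if relevant and sig not in scan_clean:
                # Policy 2: also drop signatures the scanner called "not vulnerable".
                result["vuln_tuned"].append((step, sig))
            elif vulnerable:
                # Suppressed on stale scan data while the host really is exposed.
                result["missed"].append((step, sig))
    return result

if __name__ == "__main__":
    for policy, alerts in replay(TIMELINE).items():
        print(policy, alerts)
```
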