IDS mailing list archives

Re: NEW Topic: Network Mapping Intrusion Detection style

From: "Andy Cuff [Talisker]" <lists () securitywizardry com>
Date: Wed, 7 Jan 2004 22:46:00 -0000

Hi Mark,
Many of the security correlation consoles do this for a variety of events.
Sadly due to NDA's I can't name products but the ones I looked at  produce
3d maps with a variety of axis, the most impressive used a battleships type
3d display where source addresses routed through attack to destination.  the
spherical "dandelion" approach is also good and definitely allows you to see
trends/attacks that aren't obvious on a standard screen.  The simplest was
purely a 2d port over time graph that allowed you to see some of the low and
slow recons  that would have otherwise been missed.  One big problem I had
with the spherical concept was that it redistributed the elements on refresh
making it difficult to track certain attack clusters when the screen got
really busy.

In our trials we didn't introduce passive or active fingerprinting or
vulnerability scanning to the display but to be frank can't see what it
would do to a reactive screen other than change the destination image to
reflect whether the attack would have been successful or not.

I can see a definite benefit in overlaying proactive information such as
fingerprinting or vulnerability scanning over the reactive alert diagram or
vice versa in incident response.  But where do we get that 32 Metre Plasma
;o)

take care matey
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com
----- Original Message ----- 
From: "Teicher, Mark (Mark)" <teicher () avaya com>
To: <focus-ids () securityfocus com>
Sent: Wednesday, January 07, 2004 2:39 AM
Subject: NEW Topic: Network Mapping Intrusion Detection style

Has anyone seen products that can produce a network map based on
vulnerabilities, host information and types of intrusions?

NAI/SNI Ballista had a rudimentay 3-d mapping tool, but not enough to
produce a nice slick diagram for an organization.

Qualys has a nice free mapping tool, but not enough to produce a
detailed diagram

Anyone other vendor ??

/m


--------------------------------------------------------------------------

--------------------------------------------------------------------------



---------------------------------------------------------------------------
---------------------------------------------------------------------------

Current thread:

NEW Topic: Network Mapping Intrusion Detection style Teicher, Mark (Mark) (Jan 07)
- Re: NEW Topic: Network Mapping Intrusion Detection style Andy Cuff [Talisker] (Jan 08)
- <Possible follow-ups>
- Re: NEW Topic: Network Mapping Intrusion Detection style Ron Gula (Jan 07)