Snort mailing list archives
Re: SnortAV?
From: jrhendri () maine rr com
Date: Thu, 28 Dec 2006 19:30:07 -0500
I would agree that testing a host after the fact is inherently prone to error. Does anyone know of any effort to integrate IDS with scanner output to achieve a (potentially more accurate) result? Something like doing daily nessus scans and tailoring snort output to alert for systems that were (potentially) vulnerable as of the last scan could be beneficial. Or you could just tune your IDS based on human intelligence and *patch* your systems based on nessus output :-) Ramblings... Jim ----- Original Message ----- From: purplebag <purplebag () gmail com> Date: Thursday, December 28, 2006 7:07 pm Subject: Re: [Snort-users] SnortAV? To: John Hally <JHally () epnet com> Cc: snort-users () lists sourceforge net
From the web page"Active alert verification is a technique designed to reduce the false positive rate of IDSs by actively probing for a vulnerability associated with detected attacks. If the vulnerability corresponding to a detected attack is found to exist in the host or network against which the attack was directed, the alert is generated, invoking any logging and response functions as normal. If, however, the vulnerability is determined not to exist, the alert is considered a false positive and is suppressed." This is a lot like what Psionic ( now cisco ) does - http://newsroom.cisco.com/dlls/corp_102202.html. What is the first thing attackers do after compromising a host? They patch the flaw they entered through in order to maintain control and not lose the system in the same manner. Automated attack tools and kits make this process extremely expedient and are likely to result in the real events being suppressed by the infrastructure you trust to let you know about the problem. I've been witness to this failure on many occasion and can only recommend against any reliance on this and similar methodologies. The approach is fundamentally flawed from a security perspective. Nothing about the target host, as reported by itself, can be trusted post attack; if there were a real compromise. On 12/28/06, John Hally <JHally () epnet com> wrote:Hello All, I stumbled upon SnortAV recently, which looks to be integrationof Nessus toattempt to verify alerts and actual vulnerabilities to raisepriority. Itlooks as though the project is stalled. Is that the case? Hasanyone hadany experience with it? It seems like a really cool concept,almost a poorman's RNA. Thoughts? Thanks! -------------------------------------------------------------------------Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance toshare youropinions on IT & business topics through brief surveys - and earncash> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV>_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Purple Bag Society of the Crown -------------------------------------------------------------------- ----- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SnortAV? John Hally (Dec 28)
- Re: SnortAV? purplebag (Dec 28)
- Re: SnortAV? jrhendri (Dec 28)
- Re: SnortAV? Jason (Dec 28)
- Re: SnortAV? Paul Schmehl (Dec 28)
- Re: SnortAV? jrhendri (Dec 28)
- <Possible follow-ups>
- Re: SnortAV? John Hally (Dec 29)
- Re: SnortAV? purplebag (Dec 28)