Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > focus-ids > 03 > 010232.html (Request Expert securityfocus.com Support)

RE: how to verify whether an attack attempt is successful?

From: <detmar.liesen(at)lds.nrw.de>
Date: Thu Jan 16 2003 - 02:28:25 EST


->Is there any technology developed in this direction?

Sure there is.

With some attacks you can determine whether or not the attack was successful because the system under attack responds in an attack-specific way. Snort has some attack-responses rules, but none of these ever triggered on my network and I haven't yet had a closer look at those rules, so I don't know if they are really useful.

In general it's impossible to determine the success of attacks with only a network IDS (NIDS).

What you can do at network level is to compare detected attack-attempts with information from a vulnerability-database. The vulnerability information can be gathered by using VA tools like nessus.

Thus you can always determine whether or not the system under attack is vulnerable to that specific attack.
If so, you can be damned sure that the attack succeeds.

However, this is not a 100% reliable way. But such things are never very reliable. They are an aid at analysing events more quickly and accurately because you gain a better "signal-noise-ratio".

But Host based IDSs can do this quite accurately because they utilize more than just packet-stream information.

Do you need help?X

Host based IDSs look into log files, check file system - integrity (i.e. if any files have been modified) and they can also analyse system- and api-calls at kernel level.

HTH, Detmar Liesen Received on Fri Jan 17 11:33:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:05 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library