RE: Views and Correlation in Intrusion Detection

From: Sakaba <charismaman2(at)yahoo.ca>
Date: Wed Jun 25 2003 - 11:27:47 EDT

==>I'd like to see a system that looks at packets
coming in to the network,
compares those to packets hitting specific servers, "knows" if the server
is vulnerable to the specific attack and *then* sends an alert. <==

ISS pretty much covers that. They got NIDS, HIDS, IPS, desktop firewall
agents and a vulnerability scanner that all report to the same GUI. The
Fusion module then correlates it all.

So what you get is an attack detected by the NIDS. Then detected as reaching the target by the HIDS on the target.
Beside that will be a notation wether or not the box is vulnerable to the
attack in the first place.

Those are the pros.

The cons are it isn't open source so you can't see the decodes which makes
investigating false positives really annoying. Also its commercial so its
not exactly free. Great stuff if you got lots of money to through around
though.

Peace,
sakaba

---

Post your free ad now! http://personals.yahoo.ca

---

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com

---

Received on Thu Jun 26 14:14:34 2003