Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > focus-ids > 03 > 060874.html (Request Expert securityfocus.com Support)

RE: Views and Correlation in Intrusion Detection

From: Chmielarski TOM-ATC090 <Tom.Chmielarski(at)motorola.com>
Date: Wed Jun 25 2003 - 12:02:57 EDT


<mild rant>
While were discussing flaws in VA scanners - it would also be nice if they did a better job reporting what they checked for and found NOT vulnerable, or at least what was checked for and did not seem vulnerable. So I could look up and say "Vuln for MS-xxxx - not susceptible to exploit via scan on 6/1/2003" rather then saying "well, it doesn't say am vulnerable, and I ran a check last week so it probably included this check and passed..".

</rant>

And while im dreaming id like a private island. :) -Tom

-----Original Message-----
From: Ron Gula [mailto:rgula@tenablesecurity.com] Sent: Wednesday, June 25, 2003 10:41 AM
To: Chmielarski TOM-ATC090; Focus-Ids (E-mail) Subject: RE: Views and Correlation in Intrusion Detection

>
>How about a "user's" POV?
>
>To be really effective, I'd like to see a system that looks at packets

This is exactly what the Lightning Console does. In addition, the console also 'knows' who owns the targeted systems and can send an alert to the effected end users when an IDS event targets a vulnerable server.

The big issue I have with VA/IDS correlation is the accuracy of the underlying VA database. If you are just scanning once a quarter or even once a month, this VA database can get out of date fast. Our approach is to use distributed scanning (multiple, tiered Nessus scanners) so you can scan a class B in hours. We also are BETA testing a passive vulnerability scanner which determines vulnerabilities and topology changes from watching network sessions.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com


Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
Received on Thu Jun 26 14:36:33 2003
Do you need help?X

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library