
RE: Views and Correlation in Intrusion Detection

From: Paul Schmehl <pauls(at)utdallas.edu>
Date: Thu Jun 26 2003 - 15:17:15 EDT

The biggest problem with VA scanners is determining what *really is* a vulnerability. In some cases the scanner just looks at a banner and says something like - oh, this is running WuFTPD. That's obviously bad - when in reality the box is patched to current and not vulnerable.

The other biggest gripe I have is the warnings about stuff like NetBIOS. Yes, we allow that inside our network! And I really don't want to know that it's a weakness. We block it at the edge. Now, if a Windows box is missing a patch or a service pack, *that* I would like to know, but very few VAs that I've seen, tried or read about will do that.

They generate a ream of reports - there's no doubt about that, but again it's the problem of information overload. I really don't have time to read through 1700 pages of warnings. Just tell me the boxes that aren't patched and are therefore vulnerable.

At least highlight the serious stuff for me so I can concentrate on the biggest problems first.

If you're going to tie in current VA technology with current IDS technology and correlate the information, I suspect it's going to be more useful than what we presently have but a lot less useful than it *should* be.

ISTM that *somebody* in the vendor community ought to be getting the message that what we need is something that will tell us where the major risks are and what they are. If I *knew* where every unpatched box was, I could fix the problem - at least I'd know what the problem was and where it was located. If I *knew* that an IMAP buffer overflow attack was hitting a box running a vulnerable version of Wu-IMAPD, then I wouldn't mind getting a page and getting up in the middle of the night.

The best tools that I have in my arsenal right now are the SQLScan utility from Foundstone and Shareenum from sysinternals. At least with those I know exactly where a problem is and what to do about it. I run those every week, and it helps to keep our network problems to a minimum.


Too much of security work is still manual labor and massive amounts of reading.

--On Wednesday, June 25, 2003 11:40:49 AM -0400 Ron Gula <rgula@tenablesecurity.com> wrote:
>
> This is exactly what the Lightning Console does. In addition, the console

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
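The two complaints in the post above (banner-based checks that flag patched hosts, and IDS alerts that are only worth a page when the target actually runs a vulnerable version) come down to one correlation step: join each alert against an asset inventory that records what is really installed, not just what the daemon advertises. The following is an added example, not code from the post or from any product it names; the hosts, ports, version numbers and the signature name are constructed placeholders.

```python
"""Correlate IDS alerts with an asset/vulnerability inventory and rank them.

Added example. Every host, version and rule name below is constructed; the
"fixed_in" values are not real advisories.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.6.2' into (2, 6, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Service:
    product: str
    version: str         # version actually installed (from the package manager)
    banner_version: str  # what the daemon advertises; lags after a backported fix


@dataclass
class Rule:
    name: str      # IDS signature / VA check name (constructed)
    product: str   # product the exploit targets
    fixed_in: str  # first version that carries the fix (constructed)


# Constructed inventory, keyed by host IP, then by service name.
INVENTORY = {
    "10.0.0.5": {"imap": Service("wu-imapd", "1.2.0", "1.2.0")},  # unpatched
    "10.0.0.6": {"imap": Service("wu-imapd", "1.3.1", "1.2.0")},  # patched, stale banner
    "10.0.0.7": {"ftp": Service("wu-ftpd", "2.6.2", "2.6.2")},    # no IMAP at all
}

RULES = {
    "IMAP-OVERFLOW-1": Rule("IMAP-OVERFLOW-1", "wu-imapd", "1.3.0"),
}

SERVICE_FOR_PORT = {143: "imap", 21: "ftp"}

# Order used when sorting the daily report: most urgent first.
PRIORITY_ORDER = ["page", "scan", "review", "log", "noise"]


def is_vulnerable(svc: Service, rule: Rule, trust_banner: bool = False) -> bool:
    """A banner-only scanner would pass trust_banner=True; a patch-aware one compares
    the installed version instead."""
    ver = svc.banner_version if trust_banner else svc.version
    return svc.product == rule.product and parse_version(ver) < parse_version(rule.fixed_in)


def triage(alert: dict, inventory=INVENTORY, rules=RULES) -> tuple:
    """Return (priority, reason) for one IDS alert with keys dst, port, rule."""
    rule = rules.get(alert["rule"])
    if rule is None:
        return ("review", "unknown signature")
    host = inventory.get(alert["dst"])
    if host is None:
        return ("scan", "host not in inventory; needs a VA scan")
    svc = host.get(SERVICE_FOR_PORT.get(alert["port"]))
    if svc is None or svc.product != rule.product:
        return ("noise", "target does not run the attacked product")
    if is_vulnerable(svc, rule):
        return ("page", f"{svc.product} {svc.version} is below fixed-in {rule.fixed_in}")
    return ("log", f"{svc.product} {svc.version} already patched")


def prioritised(alerts: list, inventory=INVENTORY, rules=RULES) -> list:
    """Triage every alert and return them most-urgent first: (priority, dst, reason)."""
    rows = [(*triage(a, inventory, rules)[:1], a["dst"], triage(a, inventory, rules)[1])
            for a in alerts]
    return sorted(rows, key=lambda r: PRIORITY_ORDER.index(r[0]))


def banner_vs_installed(rule: Rule, inventory=INVENTORY) -> tuple:
    """Show the false-positive gap: hosts a banner check flags vs hosts truly vulnerable."""
    flagged, actual = set(), set()
    for ip, services in inventory.items():
        for svc in services.values():
            if is_vulnerable(svc, rule, trust_banner=True):
                flagged.add(ip)
            if is_vulnerable(svc, rule):
                actual.add(ip)
    return flagged, actual


# Constructed IDS alerts: the same signature against four different targets.
ALERTS = [
    {"dst": "10.0.0.5", "port": 143, "rule": "IMAP-OVERFLOW-1"},
    {"dst": "10.0.0.6", "port": 143, "rule": "IMAP-OVERFLOW-1"},
    {"dst": "10.0.0.7", "port": 143, "rule": "IMAP-OVERFLOW-1"},
    {"dst": "10.0.0.9", "port": 143, "rule": "IMAP-OVERFLOW-1"},
]

if __name__ == "__main__":
    for row in prioritised(ALERTS):
        print(*row)
    print("banner flags vs actually vulnerable:", banner_vs_installed(RULES["IMAP-OVERFLOW-1"]))
```

Only the alert against 10.0.0.5 earns a page; the one against the patched host is logged, the one against the FTP-only host is noise, and the unknown host is queued for a scan. The banner comparison shows why the post's WuFTPD complaint arises: a banner-only check flags both IMAP hosts, while the installed-version check flags just the unpatched one.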



Received on Fri Jun 27 13:28:02 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT

