RE: IDS is dead, etc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 6 Aug 2003, Tom Arseneault wrote:

> My $.02 worth...

I don't think inflation has driven up the price of my opinions so far yet 8^)

> Any particular Nimda attack if your patched does'nt mean anything, however

I'm not sure how relevant this really is. If you are patched against the vulnerability then you are patched, it doesn't matter if a new variant is released that exploits the same vulnerability. A new worm exploiting a new vulnerability is a different story but hopefully you'd have a seperate or a more generic sig to detect this. I don't know how often it would be that a new worm exploiting a new vulnerability would match the signature in your IDS sensor for an old vuln such as is exploited by CR/Nimda.

In fact, just limiting ourselves to CR/Nimda, it shouldn't be too difficult to limit the match to just internal->internal traffic which is the most effective way to detect an old, unpatched and infected host on your network. The attack vector and propegation methods of CR/Nimda are widly known, and completely uninteresting if you are not vulnerable.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I think what we have here though are different perspectives borne of different needs and different sensor layouts. I would imagine that even if there were sensors on every subnet of UT Dallas that wouldn't be enough coverage to really determine the attack trends for the Internet at large. That's probably different from your setup, as an MSSP you have access to sensors all over the place, so would have more data to go on when determining wider trends.

> -----Original Message-----

• -- Mark Tinberg <MTinberg@securepipe.com> Network Security Engineer, SecurePipe Inc. New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE/MZ9+Fu7F5OUjbGcRAqbOAKCiDhAnpW1Xmg3IP5+jUViTxYgwjgCcCbNk MNCc2TYWxNOGmCnCzKXzoaw=
=bz2B
-----END PGP SIGNATURE-----

• Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
• Automatically Control P2P, IM and Spam Traffic
• Ensure Reliable Performance of Mission Critical Applications Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.captusnetworks.com/ads/31.htm

  ---