IDS: Re: Tuning false positives - SIM is not the answer

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

IDS mailing list archives

Re: Tuning false positives - SIM is not the answer

From: Brent Stackhouse <brent () solissecurity com>
Date: Sat, 07 Jan 2006 00:31:35 -0600

It did cross my mind that there might be a backdoor/default account thatis remotely accessible but TAC said that "expert" access cannot be usedwithout having an existing, valid account on the system. To reiterate,per TAC, you cannot simply login to a MARS appliance via SSH or SSL withthe "expert" account. I have not attempted to verify the veracity ofthat statement but during the specific support issue I worked with TACon, I was instructed to login with the pnadmin account (and a passwordknown only to me) before TAC could use the expert mode.

If you have a MARS, go to the CLI and type "expert" - I believe it'llprompt for a password.

Part of the point is that a similar issue will happen again which willrequire TAC access to the MARS OS and I'm wondering what Cisco's plan isto deal with that in the future. The MARS manager I spoke with duringthis support issue provided this rationale: there is a lot ofeasily-accessible intellectual property, due to their use of shellscripts, Java, etc., that they'd prefer stay obscured. I mentioned thatsomeone could probably rip out the hard drive and access it anyway buthe said it would still be protected. Um, okay, maybe so and I'm notreally a forensics guy. I just know that this is not a typical Ciscoapproach and it caused a major support headache for me and a major client.


Brent Stackhouse, GSEC/GCIH
VP of Security
Solis Security, Inc.
Austin, Texas
512-417-9772
www.solissecurity.com

Jason wrote:

3.  The MARS OS is a Linux distro but users can't get to the actual
OS.  This wouldn't normally be a problem but there was a bad MARS
build that was published recently, yanked within a day or so, and
then required a TAC engineer to remotely login to the MARS box to fix
it.  This is contrary to every other Cisco device, including
Linux-based 42xx IDS/IPS, that I've worked with.



Can I read into that statement that there is a some form of capability
that does allow access to the OS but only to Cisco TAC? Did you need to
enable an account and password for that access or simply access to the
system?

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

By Date By Thread

Current thread:

Re: Tuning false positives - SIM is not the answer, (continued)
- Re: Tuning false positives - SIM is not the answer Stefano Zanero (Jan 05)
- RE: RE: Tuning false positives - SIM is not the answer Andrew Plato (Jan 02)
- Re: RE: RE: Tuning false positives - SIM is not the answer rassel_k (Jan 05)
- Re: RE: RE: Tuning false positives - SIM is not the answer brent (Jan 05)
  - Re: Tuning false positives - SIM is not the answer Jason (Jan 11)
    - Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 12)
    - Re: Tuning false positives - SIM is not the answer Jason (Jan 11)
    - Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 10)
- Re: RE: RE: Tuning false positives - SIM is not the answer brent (Jan 05)
- RE: Tuning false positives - SIM is not the answer Hellman, Matthew (Jan 11)
  - Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 11)