IDS: Re: Announcement: Alert Verification for Snort

Re: Announcement: Alert Verification for Snort

From: Ron Gula <rgula_at_tenablesecurity.com>
Date: Thu, 23 Oct 2003 22:17:34 -0400

Good thread so far, but when you add in the fact that your vulnerability
scanner can have false positives and false negatives, things get very
complex pretty fast. I put a paper out on this earlier this year (see
the papers section at www.tenablesecurity.com) and I broke the correlation
out in nine areas. Both an IDS event and a Vulnerability Detect can have
three states - false positive, false negative and being accurate. This
actually gives you nine states to deal with.

The short of the paper was that if your IDS is registering attacks against
systems which have no chance of succeeding, correlating these with known
vulnerabilities can create what I call "high quality" alerts. We've been
shipping a product in this space which takes active and passive
vulnerability data and correlates it with Snort, Dragon, ISS, Intruvert
(IntruShield) and Bro. Users of our products don't blindly throw away
their IDS data, but they use the vulnerability correlation to focus on
alerts of interest and for automatic notification of folks who are not
NIDS-admins or even security folks.

What really concerns me is when folks correlate IDS attacks with
vulnerabilities not present because they have been correlated with false
negatives. They get a false sense of security when they can make 100,000
IDS events disappear when they don't correlate with their model of
what is vulnerable.

The biggest errors I've seen in this area are:

A) Correlating attacks after the fact. I have not tested the 'Alert
    Verification' tool that started this thread, but I've seen this sort
    of technology implemented where the re-scan of an IDS alert causes
    new IDS alerts which cause a new re-scan. I've also seen it where an
    attacker can spoof an attack and cause real systems to be re-scanned
    as a denial of service.

B) Reliance on old vulnerability data. Large networks change often and
    if a new host is added and the IDS or VA does not know about it, the
    correlation won't occur.

C) Poor correlation. If you're just doing a quick CVE check, good luck.
    There are a lot of Snort signatures and lots of vulnerability checks,
    but there is not necessarily one particular vulnerability check for
    every Snort or IDS event that occurs. In many cases there is no
    correlation, especially when the IDS detects some sort of generic
    anomaly.

D) Reliance on passive only vulnerability detection. Don't get me wrong,
    passive vulnerability detection is a **great** technology. However,
    when compared with an active scanner, you don't get nearly as much.

Sorry for the long email ...

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
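An added illustration of the correlation the post describes, written by the editor and not taken from the post or from any Tenable product. It scores IDS alerts against vulnerability records but never discards an alert: an alert whose target is not known vulnerable is downgraded rather than dropped (the false-negative trap in the post), stale vulnerability data and hosts the scanner has never seen are flagged for a rescan (point B), signatures with no vulnerability check behind them stay uncorrelated (point C), and passive-only findings are labelled as such (point D). The signature IDs, CVE mappings, hosts and timestamps are all constructed sample values.

```python
"""Added example: vulnerability-aware IDS alert triage (constructed data, not
from the post). Priorities are assigned from IDS and VA evidence without ever
throwing an alert away."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:
    sid: int            # IDS signature id (constructed)
    dst: str            # target host the IDS saw the attack go to
    ts: datetime

@dataclass
class VulnRecord:
    host: str
    cve: str
    seen: datetime      # when the scanner last confirmed the finding
    source: str         # "active" or "passive" detection

# Hypothetical signature -> vulnerability-check map. Generic or anomaly
# signatures deliberately have no entry: there is nothing to correlate them with.
SIG_TO_CVE = {1001: "CVE-2003-0001", 1002: "CVE-2003-0002"}

MAX_AGE = timedelta(days=7)   # older VA data is treated as unreliable

def correlate(alert, vulns, hosts_known, now):
    """Return (priority, reason) for one alert. Never returns 'drop'."""
    cve = SIG_TO_CVE.get(alert.sid)
    if cve is None:
        return ("medium", "no vulnerability check maps to this signature; uncorrelated")
    if alert.dst not in hosts_known:
        return ("medium", "target never seen by the scanner; vulnerability state unknown, rescan")
    matches = [v for v in vulns if v.host == alert.dst and v.cve == cve]
    if not matches:
        # The scanner may have missed it (false negative), so keep, but lower.
        return ("low", "target not known vulnerable; kept in case VA missed it")
    newest = max(matches, key=lambda v: v.seen)
    age = now - newest.seen
    if age > MAX_AGE:
        return ("medium", f"target vulnerable per stale data ({age.days} days old); rescan")
    if newest.source == "passive":
        return ("high", "target vulnerable (passive detection only; confirm actively)")
    return ("high", "target confirmed vulnerable by active scan")

def triage(alerts, vulns, hosts_known, now):
    """Score every alert; the output has exactly as many entries as the input."""
    return [(a, *correlate(a, vulns, hosts_known, now)) for a in alerts]

def summary(results):
    """Count alerts per priority so the operator can see nothing vanished."""
    return dict(Counter(priority for _, priority, _ in results))

# --- constructed sample data ---------------------------------------------
NOW = datetime(2003, 10, 23, 22, 0)
SAMPLE_VULNS = [
    VulnRecord("10.0.0.5", "CVE-2003-0001", NOW - timedelta(days=1), "active"),
    VulnRecord("10.0.0.6", "CVE-2003-0001", NOW - timedelta(days=30), "active"),
    VulnRecord("10.0.0.7", "CVE-2003-0002", NOW - timedelta(hours=2), "passive"),
]
SAMPLE_HOSTS = {"10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"}
SAMPLE_ALERTS = [
    Alert(1001, "10.0.0.5", NOW),   # fresh active confirmation   -> high
    Alert(1001, "10.0.0.6", NOW),   # stale VA data               -> medium
    Alert(1002, "10.0.0.7", NOW),   # passive-only finding        -> high
    Alert(1001, "10.0.0.8", NOW),   # scanned, not vulnerable     -> low
    Alert(1001, "10.0.0.9", NOW),   # host unknown to scanner     -> medium
    Alert(9999, "10.0.0.5", NOW),   # generic signature, no map   -> medium
]

if __name__ == "__main__":
    for alert, prio, why in triage(SAMPLE_ALERTS, SAMPLE_VULNS, SAMPLE_HOSTS, NOW):
        print(f"sid={alert.sid} dst={alert.dst} [{prio}] {why}")
    print(summary(triage(SAMPLE_ALERTS, SAMPLE_VULNS, SAMPLE_HOSTS, NOW)))
```

The design choice worth noting is that "low" is the floor: correlation only ever reorders the analyst's queue, so a scanner false negative costs attention, not visibility. Re-scanning is also left as an operator decision in the reason string rather than triggered from the alert itself, which avoids the alert-driven rescan loop the post warns about.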

Received on Oct 24 2003
