RE: host-based ids evaluation
From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 08/15/02
- Previous message: Detmar Liesen: "Re: host-based ids evaluation"
- Maybe in reply to: gianluca valecchi: "host-based ids evaluation"
- Next in thread: Kohlenberg, Toby: "RE: host-based ids evaluation"
- Next in thread: Talisker: "Re: host-based ids evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com> To: "'raffael.marty@ch.pwcglobal.com'" <raffael.marty@ch.pwcglobal.com>, "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com> Date: Thu, 15 Aug 2002 10:31:07 -0700
If the attacks are going over the network a NIDS should see them, but
depending on the kind of HIDS you implement, it may not notice them
unless they are likely to succeed (of course you have to decide if this
is a plus or minus for your environment).
I'll look forward to seeing your thesis. :)
Toby
> -----Original Message-----
> From: raffael.marty@ch.pwcglobal.com
> [mailto:raffael.marty@ch.pwcglobal.com]
> Sent: Thursday, August 15, 2002 12:22 AM
> To: toby.kohlenberg@intel.com; focus-ids@securityfocus.com
> Cc: thor@raffy.ch
> Subject: Re: host-based ids evaluation
>
>
> > I'd recommend against trying to use a vulnerability scanner to try
> > and test HIDS. A decent HIDS product will not necessarily light up
> > at a Nessus scan since a successful attack has not completed. You
> > would have to write custom Nessus scripts if you want it to complete
> > an attack. HIDS are best tested by performing actual attacks against
> > the system you have the HIDS on.
>
> I agree to some extent. But let me add the following:
>
> 1. If you customize the Nessus Scripts a bit (I wrote UNIX-Scripts which
> are doing that automatically), you can issue attacks that the IDS should
> trigger on.
> 2. Make sure you absolutely understand what the Scanner is doing. Nessus is
> of great help, as you get the attack-scripts with it. Look at them and see
> what they do. As soon as you can make sure that the attack is going over
> the network, the IDS should alert.
> 3. The problem of running "real" attacks is to have a good repository of
> them. I didn't have one for my work and was left with Nessus, which turned
> out to be quite helpful. (Do you have a collection of attacks that you
> would share?)
>
> In my Thesis (raffy.ch/projects/ids), which addresses IDS testing for the
> sake of correlating multiple sensors, I cover some of the problems with
> issuing attacks against machines and also how to change the Nessus scripts.
>
> Raffy
>
> [A paper about the Thesis is on the way, be patient ...]
>
> --
> Raffael Marty PWC Consulting
> IT Security Consultant Affolternstrasse 56, CH-8050 Zürich
> raffael.marty@ch.pwcglobal.com +41 1 630 35 97
>
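The point the two of them are circling (a NIDS alerts on the attempt as it crosses the wire, a HIDS typically alerts only once something actually happens on the host, and correlating the two tells you which attempts succeeded) is easy to see in a toy model. The following is an added example, not code from the thread or from either author; the signature strings, host rules and the five events are all constructed for illustration, and the "sensors" are stand-ins for a real NIDS/HIDS pair.

```python
"""Toy NIDS-vs-HIDS model (constructed example, not from the thread).

A network sensor matches byte patterns on the wire and therefore fires on
every attempt, whether or not the target was vulnerable.  A host sensor only
sees consequences on the host (a shell spawned by the server, a sensitive file
modified), so it fires only when the attack actually did something.  Joining
the two per event separates blocked attempts from successful ones.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One attack attempt, with what the wire saw and what the host saw."""
    event_id: int
    src: str
    dst: str
    payload: bytes                         # request bytes as seen on the network
    spawned_process: Optional[str] = None  # host observation: server forked this
    file_written: Optional[str] = None     # host observation: this file changed
    http_status: int = 200                 # server's reply code (informational)


# Hypothetical NIDS signatures: pure byte patterns, blind to the outcome.
NIDS_SIGNATURES: Dict[str, bytes] = {
    "shell-path-in-uri": b"/bin/sh",
    "dir-traversal": b"../..",
}

# Hypothetical HIDS rules: fire only on host-level effects.
SHELL_BINARIES = {"/bin/sh", "/bin/bash"}
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}


def nids_alerts(events: List[Event]) -> List[dict]:
    """Network sensor: one alert per (event, matching signature)."""
    alerts = []
    for ev in events:
        for rule, pattern in NIDS_SIGNATURES.items():
            if pattern in ev.payload:
                alerts.append({"event_id": ev.event_id, "sensor": "nids", "rule": rule})
    return alerts


def hids_alerts(events: List[Event]) -> List[dict]:
    """Host sensor: alerts only when the attempt changed something on the host."""
    alerts = []
    for ev in events:
        if ev.spawned_process in SHELL_BINARIES:
            alerts.append({"event_id": ev.event_id, "sensor": "hids", "rule": "server-spawned-shell"})
        if ev.file_written in SENSITIVE_FILES:
            alerts.append({"event_id": ev.event_id, "sensor": "hids", "rule": "sensitive-file-modified"})
    return alerts


def correlate(events: List[Event]) -> Dict[int, str]:
    """Join both sensors per event and label what the pair of alerts implies."""
    seen_on_wire = {a["event_id"] for a in nids_alerts(events)}
    seen_on_host = {a["event_id"] for a in hids_alerts(events)}
    verdict = {}
    for ev in events:
        on_wire, on_host = ev.event_id in seen_on_wire, ev.event_id in seen_on_host
        if on_wire and on_host:
            verdict[ev.event_id] = "attempt-succeeded"
        elif on_wire:
            verdict[ev.event_id] = "attempt-without-host-effect"   # scanner noise or not vulnerable
        elif on_host:
            verdict[ev.event_id] = "host-effect-without-network-signature"  # local or unknown vector
        else:
            verdict[ev.event_id] = "clean"
    return verdict


# Constructed events: same probe against a patched and an unpatched host, a
# rejected traversal, a purely local change, and benign traffic.
SAMPLE_EVENTS: List[Event] = [
    Event(1, "10.0.0.5", "10.0.0.10", b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0", http_status=404),
    Event(2, "10.0.0.5", "10.0.0.11", b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0", spawned_process="/bin/sh"),
    Event(3, "10.0.0.5", "10.0.0.11", b"GET /../../../etc/passwd HTTP/1.0", http_status=400),
    Event(4, "127.0.0.1", "10.0.0.11", b"", file_written="/etc/passwd"),
    Event(5, "10.0.0.7", "10.0.0.11", b"GET /index.html HTTP/1.0"),
]


if __name__ == "__main__":
    for event_id, label in correlate(SAMPLE_EVENTS).items():
        print(event_id, label)
```

Events 1 and 2 are the same scanner probe; the NIDS fires on both, the HIDS only on the one where the server actually forked a shell. Event 4 is the inverse: a host-side change with nothing on the wire, which is exactly what a NIDS-only deployment never sees. That asymmetry is why a Nessus run alone is a fair test of a NIDS but, unless the scripts are modified to carry the attack through, a poor test of a HIDS.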