RE: how to verify whether an attack attempt is successful?

From: Ron Gula (ronald.gula@verizon.net)
Date: 01/17/03

    Date: Fri, 17 Jan 2003 12:08:19 -0500
    To: focus-ids@securityfocus.com
    From: Ron Gula <ronald.gula@verizon.net>

    >->Is there any technology developed in this direction?

    A lot of NIDS look for responses with their signatures. Some NIDS (like
    NFR) look at the entire session and evaluate the results of an attack
    along with detecting the attack in the first place.

    Other NIDS, like Dragon, have stand-alone signatures which look for
    post-attack activity. One of my favorite Dragon examples was this
    sort of log where you can see a buffer overflow occur, and then see
    the actual shell commands the hacker is running. Other times when
    you don't know about the buffer overflow, you can still look for things
    like Microsoft Windows banners on high ports which occur for many
    of the W2K overflows.

    Still other approaches like Lancope's Stealthwatch take an entirely
    different approach. They can identify a 'potentially hostile' scanning
    IP by watching the IP probe ports and systems. If that particular IP
    starts to establish a 'long' connection, the assumption is that they
    scanned for a vulnerability, and then were able to exploit a vulnerability.
    Pretty interesting because it does not use packet content as a
    signature source.

    Lastly, someone mentioned IDS and VA correlation. That is what I
    am working on now at Tenable. Looking at Dragon, Snort and Realsecure,
    breaking down the attacks by CVE and then correlating these with
    vulnerability checks by CVE with Nessus, about 40% of the events
    generated by these NIDS stand a chance of being directly correlated
    to a vulnerability. Not all NIDS events correlate to a vulnerability. Think
    of events like port scans and brute force login attempts. These don't
    directly correlate. And when you do have a particular vulnerability, the
    NIDS may have a general check for that which can't be correlated and
    vice versa. I wrote a short paper on the topic at:

    http://www.tenablesecurity.com/paper.html

    It outlines some high-level thoughts on issues with direct VA and IDS
    correlation.

    On the host side, tools like Tripwire can catch when key system files
    have been modified by unsophisticated hackers, but it is a really good
    way to indicate that your system has been compromised.

    Ron Gula, CTO
    Tenable Network Security
    http://www.tenablesecurity.com
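As an added illustration of the IDS/VA correlation by CVE described above (example code, not from the post, Tenable, or any of the products named), here is a minimal correlation pass over constructed NIDS events and vulnerability-assessment findings; the record formats and the CVE ids are placeholders, not real identifiers.

```python
"""Correlate NIDS events with VA findings keyed by CVE.

Constructed sample data throughout: the event/finding layout is an assumption
for this example, and the CVE ids are obvious placeholders."""
from collections import Counter

# Constructed NIDS events: target host, signature name, and the CVE ids the
# signature maps to (an empty list means generic activity such as a port scan
# or brute-force login, which has no CVE and cannot be correlated).
NIDS_EVENTS = [
    {"dst": "10.0.0.5", "sig": "IIS overflow attempt", "cves": ["CVE-0000-0001"]},
    {"dst": "10.0.0.5", "sig": "TCP port scan", "cves": []},
    {"dst": "10.0.0.7", "sig": "IIS overflow attempt", "cves": ["CVE-0000-0001"]},
    {"dst": "10.0.0.9", "sig": "SSH brute force", "cves": []},
    {"dst": "10.0.0.9", "sig": "Telnet overflow attempt", "cves": ["CVE-0000-0002"]},
    {"dst": "10.0.0.11", "sig": "IIS overflow attempt", "cves": ["CVE-0000-0001"]},
]

# Constructed VA results: each scanned host and the CVEs the scanner found on it.
# A host missing from this map was never assessed.
VA_FINDINGS = {
    "10.0.0.5": {"CVE-0000-0001"},
    "10.0.0.7": set(),
    "10.0.0.9": {"CVE-0000-0002"},
}


def correlate(event, findings):
    """Classify one NIDS event against the VA findings.

    'confirmed'      target was scanned and has a CVE the signature targets
    'not_vulnerable' target was scanned and lacks every CVE of the signature
    'unscanned'      signature has a CVE, but the target was never assessed
    'no_cve'         signature has no CVE (scan, brute force): no correlation
    """
    if not event["cves"]:
        return "no_cve"
    if event["dst"] not in findings:
        return "unscanned"
    if set(event["cves"]) & findings[event["dst"]]:
        return "confirmed"
    return "not_vulnerable"


def summarize(events, findings):
    """Return per-class counts and the share of events VA could decide."""
    counts = Counter(correlate(e, findings) for e in events)
    decided = counts["confirmed"] + counts["not_vulnerable"]
    return counts, decided / len(events)
```

Events classed "confirmed" are the ones worth an analyst's first look; "no_cve" events are the port scans and brute-force attempts the post notes cannot be tied to a vulnerability.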
