RE: IDS is dead, etc

From: Craig H. Rowland (
Date: 06/23/03

    To: "'Giles Coochey'" <>
    Date: Mon, 23 Jun 2003 09:59:12 -0500

    Hi Giles,

    On 6/19/03 6:52 PM, "Giles Coochey" <> wrote:

    > On Thursday 19 June 2003 4:57 pm, Martin Roesch wrote:
    >> So, is there any way to make the quality of data coming out of the
    >> IDS higher while at the same time diminishing the amount of
    >> information generated? We've been talking about this exact topic on
    >> this list since 1999 on and off and I think all the IDS vendors have
    >> ideas how to achieve this goal by integrating network maps and
    >> host/service identification into the IDS's world view. If those
    >> ideas should actually make their way to market, would that make the
    >> systems more useful? I believe so. (At this point I usually pitch
    >> Sourcefire, but I'll spare you all.)
    > I would love to see a fingerprinting tool that identified the client
    > and server Operating System / Application and reduced the priority of
    > alerts for false positives when it is known that the system is not
    > vulnerable. The alerts still flag, so we see the drive-by-shootings,
    > but as their priority is reduced they are less significant.
    > Anyone got any development ideas on this front?

    We produced a product called ClearResponse at Psionic that was released
    in July 2002 that does this exact thing. We were acquired by Cisco in
    October 2002 and the product was renamed Cisco ThreatResponse.

    ThreatResponse works dynamically on a network with no prior network
    knowledge and doesn't rely on a pre-defined static database. Also, it
    collects forensic evidence from the impacted host in real time, so if you
    see an escalated attack you can go to the GUI and view the actual
    logs/data from the targeted system and look for yourself at what
    happened (we'll grab logs about 1-2 seconds after the alarm is seen).
    This means an attacker has almost zero time to get onto the box and
    tamper with logs before they are copied. We recently released version
    2.0 of the product and it supports both the Cisco IDS and ISS IDS
    sensors in a single GUI. Using this product can significantly reduce
    alarms from Cisco and ISS sensors. I'm not going to do too much
    plugging; you can read more about it here:

    ..and it's freely available...

    -- Craig
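The target-aware prioritisation Giles asks for (demote, never drop, alerts whose target is fingerprinted as not affected; keep the vendor priority when nothing is known about the host), written out as an added example. This is not code from ThreatResponse or any product named in the thread; the host inventory, signature metadata and priority scale are constructed for the demonstration.

```python
# Constructed host inventory, as a passive fingerprinter would build it;
# an address missing from this table means "no knowledge yet".
HOSTS = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache"}},
    "10.0.0.8": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}

# Constructed signature metadata: platform/service the rule applies to
# (None = any) and the vendor's base priority (1 = high, 5 = informational).
SIGNATURES = {
    "WEB-IIS unicode traversal": {"os": "windows", "service": "iis", "base": 1},
    "WEB-MISC /etc/passwd access": {"os": "linux", "service": None, "base": 2},
    "SCAN nmap TCP": {"os": None, "service": None, "base": 3},
}

DEMOTE = 2  # priority levels a non-applicable alert is pushed down (never dropped)


def prioritise(alert):
    """Return (priority, reason) for an alert dict {sig, dst, dport}.

    When the fingerprinted target cannot be affected by the signature the
    alert is demoted, not suppressed, so the 'drive-by shootings' stay
    visible without competing with alerts against vulnerable hosts.
    """
    sig = SIGNATURES[alert["sig"]]
    base = sig["base"]
    host = HOSTS.get(alert["dst"])
    if host is None:  # no fingerprint data: do not guess, keep vendor priority
        return base, "target not fingerprinted, base priority kept"
    if sig["os"] and host["os"] != sig["os"]:
        return min(base + DEMOTE, 5), (
            f"target runs {host['os']}, signature is {sig['os']}-specific")
    svc = host["services"].get(alert["dport"])
    if sig["service"] and svc != sig["service"]:
        return min(base + DEMOTE, 5), (
            f"port {alert['dport']} serves {svc or 'nothing known'}, "
            f"signature targets {sig['service']}")
    return base, "target matches signature profile, escalate"


def triage(alerts):
    """Annotate each alert with priority/reason and sort highest first."""
    annotated = []
    for alert in alerts:
        priority, reason = prioritise(alert)
        annotated.append(dict(alert, priority=priority, reason=reason))
    return sorted(annotated, key=lambda a: a["priority"])
```

Feeding `triage` a list of alert dicts returns them ordered with the applicable ones on top and each demotion explained, which is the information an analyst needs to decide whether the reduced priority was justified.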

