We run an IPS here at work but only in an sniffer mode. I can see all the exploits flying through to different hosts. Vast majority of these exploits are just run against these hosts without any qualification whether a particular vulnerability affects it. Even if a host is vulnerable it might be that exploit is unsuccessful for whatever reason. This creates a lot of work to go through all the logs and to then to check the host whether there was an incident. I think it would be great if we have post exploit traffic signatures that would qualify whether a particular host was compromised, thus creating an incident. This should not be too difficult, there are only certain things an attacker can do. As soon as IDS sees some traffic stream going outbound to the src after an exploit was executed, it should probaly qualify it as an incident. Need more research in this area perhaps someone else has already thought of it and there is a solution out there.
Update: I am seeing ever more vendors coming up with solutions where the vulnerability system feeds to the IDS.
Sentinel and Snort - and now Qualys and Tipping point.
Perhaps this is the future but it still does not answer my original question - Qualification of incident based on post exploit signatures. Perhaps you do need a SIM or SEIM for that - it is all about correlation.
Subscribe to:
Post Comments (Atom)
Posts
No comments:
Post a Comment