[Discussion] Features

John Ives jives at security.berkeley.edu
Fri Oct 17 05:23:36 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeremy wrote:
> Comments are inline but first I would like to add an item:
>
> 6.  Network intelligence through passive identification.  What I mean
> by this is like Snort's RNA, NMAP, and p0f fingerprinting to
> dynamically update inventory data for correlation engine usage.  I
> think we all know how great it would be to have this data which could
> dynamically or automagically configure/reconfigure signatures and
> correlation engines to align with applications and operating systems
> to truly substantiate the risk of attacks and/or threats.  Having the
> availability of correlated network intelligence could make tremendous
> headway in the world of anomaly detection, i.e. a Windows XP Home
> computer correlated with network flow data and port data could easily
> be alerted on for any outgoing port 25 connections, as they are most
> likely the newest member of a spam bot network.  Obviously this is
> just a trivial example but it still is not a trivial task to pull off
> even with the most advanced SIM.  This would also allow for
> operational performance enhancements by providing context regarding
> the network they operate in.  The dynamic configuration and
> reconfiguration of network devices to ignore threats that are not
> applicable would definitely enhance performance by reducing overhead
> caused by signatures and other security measures.

If you're really interested in finding out what is running on a desktop
system passively, I would suggest looking at the updates it attempts to
download.  With MS patches alone you can tell things like specific OS,
version of Office and sometimes even CPU.  The Apple updater is rather
detailed as well if you care to parse it enough.  This is even before
you look at the various applications like Acrobat, or AV products that
update across the web. For things like Mozilla, which does its update
over TLS, it goes to a 'you are now up to date' page after every new
version has been installed.

It gets harder with the various UNIXes, but even there, there are things
you can tell (what distro is it getting updates for, does it download
ports and if so what version, etc.).

John

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJI+CFYAAoJEJkidK6qbyws/bQIAL/qe5nUerryYHVB/vr+evEB
ynPqtqYXm12kn+cRpVoN2pe+I9+8/xEMsjpkHC7qgmP/5P3n46X555bMRmxyRrze
2FRYdGtVCcjlsRWAgmz46LwqAgA/97aefAm1b0P7NgkGCPM69jQ6H0TArmnB/xUQ
HBejEFw/y9Yv+phojFnKePaFMUtati0wTu9ANRBvMISpm5C2N6jOUemxYm5cVlsd
0qWFc2Fhb7FHUmwjVuO5XaVL90YEdSaegl86i827qdiBMWxktc77ty3HeYPHA1Mg
/6mBaTivCRVlJ5wFPX8pEztCtecBhhGAfQoKZM3Oo28G7zhvoSlMtYaHawJjqGo=
=42IY
-----END PGP SIGNATURE-----
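The two ideas in this exchange, Jeremy's passive inventory feeding a correlation rule (his Windows XP host talking outbound SMTP) and John's point that update traffic reveals OS, application and CPU, are sketched below as one runnable example. This is added code, not something posted by Jeremy or John. The HTTP and flow records are constructed sample data, and the fingerprint regexes (Microsoft hotfix filenames, apt and Firefox User-Agents) are illustrative approximations of common update-traffic shapes that would need tuning against real captures.

```python
"""Passive host inventory from software-update traffic, correlated with flows.

Added example for this thread; not code posted by Jeremy or John. Sample
HTTP requests, flow records and the fingerprint regexes are constructed
for illustration: the patterns mimic common update-traffic shapes
(Microsoft hotfix filenames, apt and Firefox User-Agents) and would need
tuning against real captures.
"""
import re
from collections import defaultdict

# Constructed proxy/IDS log: (client_ip, requested_url, user_agent).
HTTP_LOG = [
    ("10.1.1.10", "http://download.windowsupdate.com/x/WindowsXP-KB958644-x86-ENU.exe",
     "Windows-Update-Agent"),
    ("10.1.1.10", "http://download.windowsupdate.com/x/office2003-KB123456-FullFile-ENU.exe",
     "Windows-Update-Agent"),
    ("10.1.1.20", "http://download.windowsupdate.com/x/Windows6.0-KB958644-x64.msu",
     "Windows-Update-Agent"),
    ("10.1.1.30", "http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-13_i386.deb",
     "Debian APT-HTTP/1.3 (0.7.20)"),
    ("10.1.1.40", "http://en-us.www.mozilla.com/en-US/firefox/3.0.3/whatsnew/",
     "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"),
]

# Fingerprint rules: (field to match, regex, inventory attribute, value template).
# "{0}" is filled from the regex's first capture group. Illustrative, not exhaustive.
RULES = [
    ("url", r"/WindowsXP-KB\d+-", "os", "Windows XP"),
    # Windows 6.0 hotfixes are shared by Vista and Server 2008, so the OS is
    # recorded as ambiguous rather than assumed to be a desktop.
    ("url", r"/Windows6\.0-KB\d+-", "os", "Windows 6.0 (Vista or Server 2008)"),
    ("url", r"-(x86|x64|ia64)[-.]", "arch", "{0}"),
    ("url", r"/office(\d{4})-KB\d+", "apps", "Office {0}"),
    ("url", r"/firefox/([\d.]+)/whatsnew", "apps", "Firefox {0}"),
    ("ua", r"Windows NT 5\.1", "os", "Windows XP"),
    ("ua", r"^Debian APT-HTTP/[\d.]+ \(([\d.]+)\)", "os", "Debian/Ubuntu (apt {0})"),
    ("url", r"_(i386|amd64|armel)\.deb$", "arch", "{0}"),
]

def build_inventory(http_log):
    """Return {ip: {"os": set, "arch": set, "apps": set}} from observed requests."""
    inventory = defaultdict(lambda: {"os": set(), "arch": set(), "apps": set()})
    for ip, url, ua in http_log:
        for field, pattern, attr, template in RULES:
            m = re.search(pattern, url if field == "url" else ua, re.IGNORECASE)
            if m:
                inventory[ip][attr].add(template.format(*m.groups()))
    return dict(inventory)

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("10.1.1.10", "203.0.113.5", 25, 48211),
    ("10.1.1.10", "203.0.113.6", 25, 51302),
    ("10.1.1.20", "198.51.100.7", 25, 3100),    # ambiguous OS: may be a real MTA
    ("10.1.1.30", "198.51.100.9", 25, 902),     # Debian box: likely legitimate
    ("10.1.1.40", "192.0.2.10", 25, 4000),      # sanctioned relay: whitelisted below
    ("10.1.1.10", "198.51.100.7", 443, 1200),
]

# OS labels that are unambiguously desktop systems; anything else is left alone.
DESKTOP_OS = ("Windows XP",)

def outbound_smtp_alerts(inventory, flows, mail_relays=frozenset()):
    """Jeremy's example: a desktop OS talking SMTP directly to the Internet.

    Hosts with no OS fingerprint are skipped so a thin inventory does not
    flood the console; traffic to sanctioned relays is whitelisted."""
    alerts = []
    for src, dst, dport, _ in flows:
        if dport != 25 or dst in mail_relays:
            continue
        oses = inventory.get(src, {}).get("os", set())
        if any(o.startswith(DESKTOP_OS) for o in oses):
            alerts.append((src, dst, sorted(oses)))
    return alerts

if __name__ == "__main__":
    inv = build_inventory(HTTP_LOG)
    for ip, attrs in sorted(inv.items()):
        print(ip, {k: sorted(v) for k, v in attrs.items()})
    for src, dst, oses in outbound_smtp_alerts(inv, FLOWS, {"192.0.2.10"}):
        print(f"ALERT {src} ({', '.join(oses)}) -> {dst}:25 direct outbound SMTP")
```

On the sample data only 10.1.1.10 (fingerprinted as Windows XP with Office 2003 on x86) trips the rule; the Windows 6.0 host is deliberately left ambiguous because the same hotfix filenames serve Server 2008, which may legitimately run an MTA, and the Debian host and the relay-bound flow are passed over. That asymmetry is the point of keeping the inventory in the loop: the rule only fires where the passive evidence actually supports "this is a desktop".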


