[Discussion] Automated Info Gathering

Matt Jonkman jonkman at jonkmans.com
Sun Mar 1 15:28:54 UTC 2009


We're definitely into post-engine event processing here. But it may make
sense for the engine to have an agent or thread that could answer
questions for the core event manager?

For instance, an event is generated by the engine, goes to the DB, and the
event manager decides it does not know what it needs to know about the
source internal IP. The event manager then puts in the DB a request for
a NetBIOS scan and OS ID for that agent (assuming that agent will be the
closest to the target...). The agent checks the DB periodically via the
engine's DB connection, executes the request and inserts the data into
the DB.

It's not a true engine function, but it makes the sensor smarter and
more versatile and reduces the number of other tools required for
deployment...

Matt

Matt Jonkman wrote:
> Kevin Ross wrote:
> 
> Perhaps the ability to either autofind or be able to enter in the
> network topology so it can determine the source of the attack within the
> network, kind of like CS-MARS does (demos here
> http://www.demolabs.co.uk/ciscoportal.htm). Also gathering information
> such as hostname/NetBIOS name, MAC address etc. using tools like nbtscan
> on the detection of a local attack (to avoid scanning outside the
> network, which is a bit sketchy). So if an attack is detected from an
> inside host (by specifying RFC 1918 addresses) then execute information
> gathering tools to provide more information to the analyst about the
> source or target of the attack. That way it becomes easier to determine
> if it is an FP, i.e. if there is a buffer overflow for a Windows system
> but the target determined by a tool such as xprobe, nmap or whatever is
> some other OS, and that information is available immediately upon opening
> the event, then the analyst has a better understanding of the attack risk
> and likely result. Also such a system could be integrated into some
> sort of risk system, such that a NetBIOS attack against a Linux system
> would lower the risk rating of the attack.
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
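The request-queue loop Matt sketches above (event manager writes a request row, the sensor's agent thread polls the DB, runs the scan, writes the result back), together with Kevin's OS-mismatch risk adjustment, as an added worked example. This is not code from the engine or from either poster; the SQLite schema, the function names, the RFC 1918 check and the canned nbtscan / OS-ID results are all assumptions made for the illustration. The one design point worth noting is that the agent claims a request with a conditional UPDATE, so two agents polling the same table never both run the same scan, and that it re-checks the "internal addresses only" rule itself instead of trusting the request.

```python
"""Added illustration of the DB-mediated enrichment loop from the thread.
Not engine code and not either poster's; schema, names and scan results
are constructed for this example."""
import ipaddress
import sqlite3

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample event, as the engine might have written it to the DB.
SAMPLE_EVENT = {"id": 1, "sig": "Windows SMB buffer overflow attempt",
                "src": "192.168.1.23", "dst": "10.0.0.5", "target_os": "windows"}

# Canned results standing in for nbtscan / OS fingerprinting output (constructed).
FAKE_NBTSCAN = {"192.168.1.23": "WKS-23", "10.0.0.5": "FILESRV"}
FAKE_OS_ID = {"192.168.1.23": "Windows XP", "10.0.0.5": "Linux 2.6"}

SCHEMA = """
CREATE TABLE requests (id INTEGER PRIMARY KEY, event_id INTEGER, host TEXT,
                       kind TEXT, state TEXT NOT NULL DEFAULT 'pending', agent TEXT);
CREATE TABLE host_info (host TEXT, kind TEXT, value TEXT, agent TEXT);
"""

def open_db():
    db = sqlite3.connect(":memory:")   # stands in for the engine's DB connection
    db.executescript(SCHEMA)
    return db

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def manager_request_enrichment(db, event):
    """Event manager side: for each RFC 1918 endpoint it knows nothing about,
    queue a NetBIOS and an OS-ID request for an agent. Returns the request ids."""
    ids = []
    for host in (event["src"], event["dst"]):
        if not is_rfc1918(host):
            continue                     # never ask for scans outside the network
        if db.execute("SELECT 1 FROM host_info WHERE host=?", (host,)).fetchone():
            continue                     # already enriched, nothing to ask
        for kind in ("netbios", "os_id"):
            cur = db.execute("INSERT INTO requests(event_id, host, kind) VALUES (?,?,?)",
                             (event["id"], host, kind))
            ids.append(cur.lastrowid)
    db.commit()
    return ids

def collect(kind, host):
    """Stand-in for running nbtscan or an OS fingerprinter against the host."""
    table = FAKE_NBTSCAN if kind == "netbios" else FAKE_OS_ID
    return table.get(host, "unknown")

def agent_poll(db, agent_name):
    """One polling pass of the agent thread. The conditional UPDATE claims a
    request atomically, so a second agent polling the same table skips it."""
    done = []
    while True:
        row = db.execute("SELECT id, host, kind FROM requests WHERE state='pending' "
                         "ORDER BY id LIMIT 1").fetchone()
        if row is None:
            break
        req_id, host, kind = row
        claimed = db.execute("UPDATE requests SET state='running', agent=? "
                             "WHERE id=? AND state='pending'",
                             (agent_name, req_id)).rowcount
        db.commit()
        if claimed != 1:
            continue                     # another agent claimed it first
        if not is_rfc1918(host):         # defence in depth: refuse external targets
            db.execute("UPDATE requests SET state='refused' WHERE id=?", (req_id,))
            db.commit()
            continue
        value = collect(kind, host)
        db.execute("INSERT INTO host_info VALUES (?,?,?,?)", (host, kind, value, agent_name))
        db.execute("UPDATE requests SET state='done' WHERE id=?", (req_id,))
        db.commit()
        done.append((req_id, host, kind, value))
    return done

def risk_rating(db, event, base=3):
    """Kevin's adjustment: an attack aimed at one OS, against a target the OS-ID
    step says runs another, gets its rating lowered (not discarded)."""
    row = db.execute("SELECT value FROM host_info WHERE host=? AND kind='os_id'",
                     (event["dst"],)).fetchone()
    if row and event["target_os"] not in row[0].lower():
        return max(base - 2, 1)
    return base

if __name__ == "__main__":
    db = open_db()
    print("queued", manager_request_enrichment(db, SAMPLE_EVENT))
    print("agent did", agent_poll(db, "sensor-1"))
    print("risk", risk_rating(db, SAMPLE_EVENT))
```

In a real deployment the polling loop would sleep between passes and the `requests` table would be the shared one on the engine's DB, but the claim-then-run-then-write-back shape is the whole idea.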
