Date: Thu Apr 21 14:35:40 2005
From: offtopic at mail.ru (offtopic)
Subject: Fun with ISS Fusion Module

Fun with ISS Fusion Module
This module can correlate data from different ISS products and, based on it, can give additional info about detected attacks (whether an attack was successful or not, etc.). For example, if the IDS (network sensor) detects an exploit in traffic, but the scanner (Internet Scanner) reports that the vulnerability on the victim host is patched, the attack is marked as "Failed".

But Fusion doesn't check whether the vulnerability was actually checked in the scan or not. For example, if the IDS catches an attack, but the scanner reports that the host isn't vulnerable (because the admin forgot to include this check in the scanner's policy), Fusion will report that the attack possibly failed, regardless of the real situation.

How to reproduce:

1. Launch Internet Scanner and scan the victim with some low-level policy, such as Inventory Level 1 or Level 2. This policy only finds hosts and applications and doesn't check for any vulnerability (like nmap).
2. Apply an appropriate policy to the IDS sensor (for example, Attack Detector).
3. Attack the victim with the selected exploit (I used LSASS MS04-011).
4. Check the report about the attack. You will see "Failure possible. scanned, vuln not confirmed".

I didn't find any description of the "Failure" status, but the color is green :-)

(c)oded by offtopic@...l.ru
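
The correlation gap described in the post, as an added example that is not part of the original message and is not ISS code: a verdict function that treats "check not in the scan policy" as unknown instead of as "not vulnerable", shown beside the behaviour the post reports. The data model, function names, verdict strings and sample hosts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical data model for illustration; not the ISS Fusion schema.
@dataclass
class ScanResult:
    host: str
    checks_run: set = field(default_factory=set)   # vuln checks the scan policy executed
    vulnerable: set = field(default_factory=set)   # checks that reported the host vulnerable

def naive_verdict(alert_vuln, scan):
    """Behaviour described in the post: no finding is read as 'not vulnerable'."""
    if scan is None:
        return "unknown (host not scanned)"
    if alert_vuln in scan.vulnerable:
        return "success likely"
    return "failure possible"

def coverage_aware_verdict(alert_vuln, scan):
    """Downgrade an alert only when the scan actually ran the matching check."""
    if scan is None:
        return "unknown (host not scanned)"
    if alert_vuln not in scan.checks_run:
        return "unknown (check not in scan policy)"
    if alert_vuln in scan.vulnerable:
        return "success likely"
    return "failure possible"

def correlate(alerts, scans, verdict):
    """alerts: list of (host, vuln_id); scans: dict mapping host -> ScanResult."""
    return [(host, vuln, verdict(vuln, scans.get(host))) for host, vuln in alerts]

# Constructed sample data: an inventory-only scan, a full scan of a patched
# host, and a host that was never scanned.
SCANS = {
    "10.0.0.5": ScanResult("10.0.0.5"),                           # discovery only
    "10.0.0.6": ScanResult("10.0.0.6", checks_run={"MS04-011"}),  # checked, not vulnerable
}
ALERTS = [("10.0.0.5", "MS04-011"), ("10.0.0.6", "MS04-011"), ("10.0.0.7", "MS04-011")]

if __name__ == "__main__":
    naive = correlate(ALERTS, SCANS, naive_verdict)
    aware = correlate(ALERTS, SCANS, coverage_aware_verdict)
    for (host, vuln, before), (_, _, after) in zip(naive, aware):
        print(f"{host} {vuln}: naive={before!r} coverage-aware={after!r}")
```

Only the inventory-scanned host changes verdict: the alert stays open for triage instead of being shown as a probable failure.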
