Passive Fingerprinting by IDS

In the classical setup a security administrator needs to deploy three things: an IDS to match signatures against network traffic and send alerts to the operator's console, a VA scanner to find vulnerable hosts in the network, and a correlation mechanism which should somehow collate information about discovered vulnerabilities with triggered IDS events, decide whether an event is important or not, and automatically adjust the event's severity.

Keeping in mind that an IDS monitors all traffic between two hosts, I don't understand why commercial IDSs don't perform passive OS fingerprinting. In my opinion IDS fingerprinting could be even more accurate than that of an active scanner, due to the IDS' ability to analyze actual interactions between systems.

Let me summarize some parameters that an IDS can check to figure out which OS is used (more information is available below):

and, finally, the history of successful attacks. If the IDS can see whether an attack was successful or not, it can guess not only the OS but also the version of the compromised service.

I saw this idea realized in snortpf, but it is still absent in commercial products. The main advantage of such NIDS behaviour is that it can decide by itself whether a matched signature is important or not, for example, when it sees a DCOM Remote Activate BO attack against Linux.

If implemented appropriately, it should be possible for the administrator to correct the IDS' assumptions, which will allow correction of the system's misinterpretations.
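As an added illustration (not code from the post or from snortpf), here is a minimal sketch of the idea: guess the OS of monitored hosts from SYN metadata the IDS already sees, then lower the severity of an alert whose signature cannot apply to the learned OS, with an administrator override map for correcting wrong guesses. The signature table and SYN records are constructed and simplified; real tools such as p0f use a far richer fingerprint database.

```python
from dataclasses import dataclass

# Constructed, simplified signatures: (initial TTL, window size, DF bit) -> OS family.
# These are illustrative values, not a real fingerprint database.
SIGNATURES = {
    (64, 5840, True): "Linux",
    (128, 65535, True): "Windows",
    (64, 65535, True): "FreeBSD",
}

def initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common starting value."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255

def guess_os(ttl, window, df):
    return SIGNATURES.get((initial_ttl(ttl), window, df), "unknown")

@dataclass
class Alert:
    signature: str
    target_os: str   # OS family the signature is relevant to
    dst: str
    severity: str

def learn_hosts(syns):
    """Build a host -> OS map from SYN records of the form (src, ttl, window, df)."""
    hosts = {}
    for src, ttl, window, df in syns:
        guess = guess_os(ttl, window, df)
        if guess != "unknown":
            hosts[src] = guess
    return hosts

def adjust_severity(alert, hosts, overrides=None):
    """Lower severity when the passively learned OS cannot be hit by the signature.
    `overrides` holds administrator corrections (host -> OS), as the post suggests."""
    os_seen = (overrides or {}).get(alert.dst) or hosts.get(alert.dst)
    if os_seen is None:
        return alert.severity        # no evidence, keep the original rating
    if os_seen != alert.target_os:
        return "low"                 # e.g. a DCOM exploit aimed at a Linux host
    return alert.severity

SYNS = [  # constructed observations of SYNs sent by monitored hosts
    ("10.0.0.5", 58, 5840, True),    # Linux box a few hops away (TTL 64 - 6)
    ("10.0.0.7", 121, 65535, True),  # Windows box (TTL 128 - 7)
]
```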

It is no secret that a huge number of false positives is the IDS' biggest disadvantage. To my mind, IDS passive fingerprinting would significantly reduce the "noise" in IDS logs.

More information:

Сергей Солдатов

REPLY-TO-ALL is a bilingual blog (English/Russian) run by three information security practitioners. Want to discuss information security problems? This is the place.