[funsec] so, is I[dp]S a STUPID technology?

Paul Schmehl pauls at utdallas.edu
Thu Oct 13 09:47:29 CDT 2005

--On Wednesday, October 12, 2005 21:57:54 -0600 Dude 
<dudevanwinkle at gmail.com> wrote:

> We provided the option of patch management to the students and not many
> refused the service.

We've discussed it (actually I've raised the issue repeatedly), but 
management doesn't want to go there.

> Students want to keep their machines safe as well, most just don't know
> how.

I'll agree with that!

> Agent-based stuff has worked really well for me. Patchlink has done a
> bang-up job in my previous .edu domain. Haven't been hit by any of the
> worms. The agents do a client pull every 15 min from the server over
> SSL, and report if they fail x number of times.

We haven't had any problems with worms in quite some time.  Sheer luck I 
guess.  ;-)

> As far as scanning them goes, http://infosec.yorku.ca/tools/ has a
> scanner that did 4 class B's in under 15 min, (ask J. Glass:) it doesn't
> check for everything, but you might get it to at least scan for the SANS
> top 20 in that time with some trial and error.

Thanks.  I'll check that out.  I haven't mentioned this in previous posts, 
but one of the problems that I've had with VA scanners is boatloads of 
false positives.  For example, GFI LANguard works quite well *if* you have 
local admin on the box.  (We don't.)  If not, it's prone to false 
positives.  When you have to chase down FPs on hundreds of boxes, you very 
quickly find something else to do and the VA scanner becomes a boat anchor.

Nessus has the same problem.  Can't tell you about ISS because it's never 
worked well enough to determine if it generates fps (except for the one 
that we reported that they swore up and down didn't exist until they were 
able to replicate it.)

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
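The false-positive problem Paul describes above is mostly a question of what the scanner can see: an unauthenticated check infers a vulnerability from a service banner, while a check run with local admin (or an agent) can read the installed package or hotfix state, which is the only way to tell a vendor backport from an unpatched box. The script below is an added illustration of that gap and of a simple triage that uses both views; it is not from the funsec thread or from any of the products named in it. The service name `foo-httpd`, the advisory, the version numbers and the five-host fleet are all constructed for the example.

```python
"""Why banner-only version checks over-report, and how to triage them.

Constructed example (not from the funsec thread): two "scanners" run over
the same made-up fleet. The unauthenticated one sees only a service banner
and infers vulnerability from the advertised version; the authenticated one
reads the package name-version-release that a local admin account or an
agent can see. Banner hits that the authenticated view clears are the
false-positive candidates; banner hits with no authenticated view are the
ones that still need credentials before anyone chases them.
"""
from dataclasses import dataclass
import re

# Hypothetical advisory for a made-up service. Nothing here corresponds to
# a real product, CVE or vendor package.
ADVISORY = {
    "service": "foo-httpd",
    "fixed_in": (2, 0, 52),                       # upstream version with the fix
    "patched_releases": {"foo-httpd-2.0.40-11"},  # vendor backport, same version string
}


@dataclass
class Host:
    name: str
    banner: str        # what an unauthenticated TCP probe sees
    package: str = ""  # what an authenticated inventory sees; "" = no admin access


def parse_version(text):
    """Pull a dotted x.y.z version out of a banner or package string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def unauthenticated_check(host):
    """Banner-only logic: flag anything advertising a version below fixed_in.
    Returns 'flagged', 'clean', or 'unknown' (service seen, no parseable version)."""
    if ADVISORY["service"] not in host.banner:
        return "clean"
    ver = parse_version(host.banner)
    if ver is None:
        return "unknown"
    return "flagged" if ver < ADVISORY["fixed_in"] else "clean"


def authenticated_check(host):
    """Inventory logic: needs the package string only local admin can read.
    Returns 'vulnerable', 'patched', or 'no-access'."""
    if not host.package:
        return "no-access"
    if host.package in ADVISORY["patched_releases"]:
        return "patched"  # backported fix: banner version never changed
    ver = parse_version(host.package)
    if ver is not None and ver >= ADVISORY["fixed_in"]:
        return "patched"
    return "vulnerable"


def triage(hosts):
    """Combine both views into one verdict per host."""
    verdicts = {}
    for h in hosts:
        remote, local = unauthenticated_check(h), authenticated_check(h)
        if remote == "clean":
            verdict = "clean"
        elif local == "patched":
            verdict = "likely false positive"
        elif local == "vulnerable":
            verdict = "confirmed"
        else:
            verdict = "needs credentials"
        verdicts[h.name] = verdict
    return verdicts


def summarize(verdicts):
    """Count hosts per verdict so the confirmed list is what gets chased first."""
    counts = {}
    for v in verdicts.values():
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed fleet: five hosts, none real.
FLEET = [
    Host("web1", "Server: foo-httpd/2.0.40", "foo-httpd-2.0.40-11"),  # backported fix
    Host("web2", "Server: foo-httpd/2.0.40", "foo-httpd-2.0.40-3"),   # really unpatched
    Host("web3", "Server: foo-httpd/2.0.55", "foo-httpd-2.0.55-1"),   # upstream fixed
    Host("web4", "Server: foo-httpd", ""),                            # banner hides version
    Host("web5", "Server: foo-httpd/2.0.40", ""),                     # no admin access
]

if __name__ == "__main__":
    results = triage(FLEET)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    print(summarize(results))
```

Run on the constructed fleet, the banner check alone flags four of the five hosts; the combined view leaves one confirmed finding, one likely false positive and two that cannot be settled without credentials, which is the point of the thread: without local admin (or an agent reporting package state) most of the scanner's output is work you cannot finish.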
