2 Replies Latest reply on Jan 30, 2015 6:48 AM by robert_dearbytes

    Theory: Correlate between an IDS/Exploit event and a host known to be vulnerable.


      Question: At a high level can someone explain an approach for throwing an alarm in the following situation?


      Scenario: At a specified cycle each of our hosts are scanned for certain vulnerabilities using a vulnerability scanner (i.e. TwipWire IP360). The ESM periodically imports that Vulnerability Assessment data. (I'm not sure what the ESM does with that data exactly ).


      Assume, HostNameX is determined to contain the following vulnerabilities CVE1, CVE2, and CVE3.

      Now, our IDS (i.e. McAfee NSM)  detects an exploit that takes advantage of CVE1 against HostNameX.


      Is there a way to throw an alarm based on the fact that the asset is vulnerable to a detected exploit?


      Our SIEM Architecture:

      • 1 ESM
      • 1 ELM
      • 1 ACE
      • 2 RECEIVERS

      Vulnerability data:

      • TripWire IP360


      Network IDS:

      • McAfee NSM