Re: SourceFire RNA

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 12/03/03

  • Next message: Ron Gula: "Re: SourceFire RNA"
    Date: Wed, 3 Dec 2003 16:03:35 -0500
    To: Ron Gula <rgula@tenablesecurity.com>
    
    

    On Dec 3, 2003, at 3:14 PM, Ron Gula wrote:
    >
    > On Wed, 3 Dec 2003 1:21pm, Martin Roesch wrote:
    >
    > (Stuff deleted)
    >
    >> The same can be said of active discovery techniques, it is just as
    >> possible to hide from an active scanner as it is to hide from a
    >> passive one, so we can never know that we have 100% perfect knowledge
    >> of what's on our networks with either technology. On the other hand,
    >> I'm an advocate of the "perfect is the enemy of good enough" school
    >> of engineering, we need solutions that can detect changes in the
    >> network environment in real-time and scanners can't do that, RNA can
    >> and so it provides a good solution to a hard
                                   ^^^^^^^^^^
    >> problem.
    >
    > Of course scanners can detect change in networks. They may not be able
    > to detect them as near time as a passive scanner like RNA, NeVO,
    > Securify or Arbour's products, but doing a diff of multiple active
    > scans shows lots of change. Products like Lightning, Foundstone, and
    > eEye detect change in networks each time they run.

    I said "in real-time"; we were doing diffs on active scans when you and
    I helped to build the GNI IDS back at GTE-I in 1997, as I'm sure you'll
    recall, so that's nothing new. Real-time detection of change is a far cry
    from periodic interrogative passes, though; as you know, timeliness can
    be a big factor in providing defense and response to a variety of
    nondeterministic situations that can arise on networks that are poorly
    served by active discovery methods.

         -Marty

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Intelligent Security Monitoring
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
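
The point argued in this exchange (a diff of two periodic active scans shows change, but only at scan time, while passive observation of traffic reports change as it happens and can catch hosts that never survive until the next scan) is illustrated by the following added example. It is not code from the thread or from any Sourcefire or Tenable product; the hosts, ports and flow records are constructed sample data, and the helper names (diff_scans, PassiveInventory, passive_events, missed_by_diff) are the example's own.

```python
# Added example, not code from the thread or from Sourcefire/Tenable products.
# Contrasts change detection by diffing two periodic active scans with passive
# detection from observed traffic. All hosts, ports and flows are constructed.
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[int]]  # host -> open TCP ports reported by an active scan

# Two scheduled active scans (constructed). Between them, host 10.0.0.11 came up,
# exposed a listener on TCP/4444, talked to 10.0.0.5 and was gone again before the
# second scan ran, so neither snapshot contains it.
SCAN_T0: Snapshot = {"10.0.0.5": {22, 80}, "10.0.0.7": {22}}
SCAN_T1: Snapshot = {"10.0.0.5": {22, 80, 3306}, "10.0.0.9": {445}}

# Observed flows (constructed): (ts, src, sport, dst, dport, tcp_flags).
# A SYN-ACK ("SA") sent from src:sport means src is listening on sport.
FLOWS = [
    (100,  "10.0.0.5",  51000, "10.0.0.7",  22,    "S"),
    (100,  "10.0.0.7",  22,    "10.0.0.5",  51000, "SA"),
    (4000, "10.0.0.11", 40000, "10.0.0.5",  80,    "S"),   # 10.0.0.11 appears
    (4000, "10.0.0.5",  80,    "10.0.0.11", 40000, "SA"),
    (4100, "10.0.0.5",  51001, "10.0.0.11", 4444,  "S"),
    (4100, "10.0.0.11", 4444,  "10.0.0.5",  51001, "SA"),  # 10.0.0.11 listens on 4444
]


def diff_scans(before: Snapshot, after: Snapshot) -> dict:
    """Change detection the active-scan way: compare two completed scans.
    Anything that appeared and vanished between the scans is invisible here."""
    common = set(before) & set(after)
    return {
        "new_hosts": set(after) - set(before),
        "gone_hosts": set(before) - set(after),
        "opened": {h: after[h] - before[h] for h in common if after[h] - before[h]},
        "closed": {h: before[h] - after[h] for h in common if before[h] - after[h]},
    }


class PassiveInventory:
    """Change detection the passive way: update the inventory from each observed
    flow and emit an event, stamped with the flow time, the moment something new
    is seen."""

    def __init__(self) -> None:
        self.services: Dict[str, Set[int]] = {}
        self.events: List[Tuple[int, str, str, int]] = []  # (ts, kind, host, port)

    def observe(self, ts: int, src: str, sport: int, dst: str, dport: int, flags: str) -> None:
        for host in (src, dst):
            if host not in self.services:
                self.services[host] = set()
                self.events.append((ts, "new_host", host, 0))
        # Only a SYN-ACK proves a listener; a bare SYN may be a scan or a miss.
        if flags == "SA" and sport not in self.services[src]:
            self.services[src].add(sport)
            self.events.append((ts, "new_service", src, sport))


def passive_events(flows) -> List[Tuple[int, str, str, int]]:
    """Run the passive inventory over a flow sequence and return its events."""
    inv = PassiveInventory()
    for flow in flows:
        inv.observe(*flow)
    return inv.events


def missed_by_diff(flows, before: Snapshot, after: Snapshot) -> Set[str]:
    """Hosts seen on the wire between two scans that neither scan recorded,
    i.e. change that a scan diff can never report."""
    seen = {ev[2] for ev in passive_events(flows)}
    return seen - set(before) - set(after)


if __name__ == "__main__":
    print("scan diff at T1:", diff_scans(SCAN_T0, SCAN_T1))
    for ev in passive_events(FLOWS):
        print("passive event:", ev)
    print("transient hosts invisible to the scan diff:",
          missed_by_diff(FLOWS, SCAN_T0, SCAN_T1))
```

The scan diff correctly reports the new host 10.0.0.9, the new MySQL listener on 10.0.0.5 and the disappearance of 10.0.0.7, but only once the second scan completes. The passive inventory reports the listener on 10.0.0.11:4444 at the moment its SYN-ACK is seen, and that host never shows up in either scan; that is the class of nondeterministic, short-lived change the reply has in mind.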
