Re: SourceFire RNA

From: Martin Roesch
Date: 12/03/03

  • Next message: Ron Gula: "Re: SourceFire RNA"
    Date: Wed, 3 Dec 2003 16:03:35 -0500
    To: Ron Gula

    On Dec 3, 2003, at 3:14 PM, Ron Gula wrote:
    > On Wed, 3 Dec 2003 1:21pm, Martin Roesch wrote:
    > (Stuff deleted)
    >> The same can be said of active discovery techniques: it is just as
    >> possible to hide from an active scanner as it is to hide from a
    >> passive one, so we can never know that we have 100% perfect knowledge
    >> of what's on our networks with either technology. On the other hand,
    >> I'm an advocate of the "perfect is the enemy of good enough" school
    >> of engineering; we need solutions that can detect changes in the
    >> network environment in real-time. Scanners can't do that, RNA can,
    >> and so it provides a good solution to a hard
    >> problem.
    > Of course scanners can detect change in networks. They may not be able
    > to detect them as near time as a passive scanner like RNA, NeVO,
    > Securify or Arbor's products, but doing a diff of multiple active
    > scans shows lots of change. Products like Lightning, Foundstone, and
    > eEye detect change in networks each time they run.

    I said "in real-time". We were doing diffs on active scans when you and
    I helped to build the GNI IDS back at GTE-I in 1997, as I'm sure you'll
    recall; that's nothing new. Real-time detection of change is a far cry
    from periodic interrogative passes, though. As you know, timeliness can
    be a big factor in providing defense and response to a variety of
    nondeterministic situations that can arise on networks and that are
    poorly served by active discovery methods.


    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Intelligent Security Monitoring
    Snort: Open Source Network IDS
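The distinction argued over in this exchange (diffing periodic active scans versus updating an inventory from every observed flow) is easy to see in code. The following is an added illustration, not code from either poster, Sourcefire, or RNA: the hosts, ports, timestamps and the two scan snapshots are all constructed for the example. Two scans an hour apart bracket an hour of traffic in which one box comes up with telnet open and is gone again before the second scan runs, and another host starts a new service mid-hour.

```python
"""Constructed comparison of periodic active-scan diffing against passive,
per-flow inventory updates. Hosts, ports and timestamps are made up."""
from typing import Dict, FrozenSet, List, Set, Tuple

Service = Tuple[int, str]                 # (port, protocol name)
Snapshot = Dict[str, FrozenSet[Service]]  # host -> services seen by one scan


def diff_scans(old: Snapshot, new: Snapshot) -> List[str]:
    """Report what changed between two active scans.

    Anything that appeared and disappeared between the two passes is invisible
    here: the diff only sees the state at the instant each scan ran."""
    events: List[str] = []
    for host in sorted(set(old) | set(new)):
        if host not in old:
            events.append(f"new host {host}")
        elif host not in new:
            events.append(f"host gone {host}")
        else:
            for port, proto in sorted(new[host] - old[host]):
                events.append(f"new service {host}:{port}/{proto}")
            for port, proto in sorted(old[host] - new[host]):
                events.append(f"service gone {host}:{port}/{proto}")
    return events


class PassiveInventory:
    """Learns hosts and services from traffic as it is observed.

    Every flow updates the inventory immediately, so a change is reported
    with the timestamp of the first packet that revealed it. Hosts and
    services that never send or receive traffic are never learned."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Set[Service]] = {}
        self.events: List[Tuple[int, str]] = []

    def observe(self, ts: int, src: str, dst: str, dport: int, proto: str) -> None:
        for host in (src, dst):
            if host not in self.hosts:
                self.hosts[host] = set()
                self.events.append((ts, f"new host {host}"))
        svc = (dport, proto)
        if svc not in self.hosts[dst]:          # dst is the server side
            self.hosts[dst].add(svc)
            self.events.append((ts, f"new service {dst}:{dport}/{proto}"))


# Constructed scenario: two hourly scans bracket an hour of traffic.
SCAN_T0: Snapshot = {
    "10.0.0.5": frozenset({(22, "ssh"), (80, "http")}),
    "10.0.0.9": frozenset({(22, "ssh")}),
}
SCAN_T3600: Snapshot = {
    "10.0.0.5": frozenset({(22, "ssh"), (80, "http"), (3306, "mysql")}),
    "10.0.0.9": frozenset({(22, "ssh")}),
}
# Constructed flows as (ts, src, dst, dport, proto). 10.0.0.77 came up at
# t=600 with telnet open and was gone again before the second scan ran.
FLOWS = [
    (120, "10.0.0.9", "10.0.0.5", 80, "http"),
    (600, "10.0.0.9", "10.0.0.77", 23, "telnet"),
    (900, "10.0.0.9", "10.0.0.5", 3306, "mysql"),
]


def run_example() -> Tuple[List[str], List[Tuple[int, str]]]:
    """Returns (what the scan diff reports, what the passive inventory reports)."""
    passive = PassiveInventory()
    for flow in FLOWS:
        passive.observe(*flow)
    return diff_scans(SCAN_T0, SCAN_T3600), passive.events


if __name__ == "__main__":
    scan_events, passive_events = run_example()
    print("scan diff at t=3600:", scan_events)
    for ts, event in passive_events:
        print(f"passive t={ts:>4}: {event}")
```

The scan diff reports the new mysql service once, at t=3600, and never sees the telnet box at all; the passive inventory reports the telnet host at t=600 and the mysql service at t=900, as soon as the first packet reveals them. The trade-off Roesch concedes earlier in the thread also shows up: the passive inventory never learns 10.0.0.5:22/ssh or 10.0.0.9:22/ssh, because nothing in the captured traffic ever touched those ports, whereas both scans list them.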
