Re: ForeScout ActiveScout
From: Gadi Evron (ge_at_linuxbox.org)
Date: 01/08/05
- Previous message: Brent Stackhouse: "Re: ForeScout ActiveScout"
- In reply to: Brent Stackhouse: "Re: ForeScout ActiveScout"
- Next in thread: dywzh dywzh: "Re: ForeScout ActiveScout"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 08 Jan 2005 14:08:21 +0200 To: Brent Stackhouse <brentstackhouse@yahoo.com>
Brent Stackhouse wrote:
> Gadi,
>
> Thanks very much for your detailed response. I
> understand their definition of 100% accuracy but it
> still begs the question as to how they make the
> initial determination of what to track or not. Surely
You have access to the machine.. just take a look. They provide a
good events log, as well as the ability to go down to the traffic itself.
> they don't send their crafted data on every single
> connection to see if it comes back. Their web site
> states that ActiveScout is looking for recon activity
> so some threshold or "trigger" must exist for them to
> differentiate recon from legitimate traffic.
Exactly.
> Their site also states that they're not signature
> based. Again, if they have some sort of logic based
> on thresholds (x amount of TCP packets per minute from
> the same source IP, etc.), it sounds like a signature
> to me. At least I know that Cisco, ISS, etc. all have
> threshold-based signatures in their IDS products.
Almost everything can be called a signature, to a level, but they
usually don't use what you or I would call an IDS signature.
> All that aside, I saw the results of a SuperScan port
> scan that included a bunch of junk caused by
> ActiveScout. I would think that feeding an attacker a
> bunch of info that leads them to believe that you're
> really vulnerable is not a great idea (like open
> SunRPC ports, NetBIOS, etc.). I want less attention,
Then this is not about ActiveScout, it is about you not wanting to run
a honeypot/net.
> not more. I suspect that anything out-of-the-ordinary
> would perhaps cause more attention. This is sort of a
> honeypot idea gone berserk. Instead of one host
> appearing vulnerable, all of your hosts appear
> vulnerable.
Not all hosts. You can set how many hosts per how many
attempts you want to be triggered, as well as what kind of hosts
they should be. It doesn't have to work this way, it can also only monitor your
network.. but that kind of beats the point.
The point being to catch the bad guy and block him. Don't expect it to
catch all bad guys.
> Anyway, it doesn't sound like it buys much, if
> anything, over "traditional" IDS/IPS.
I strongly disagree, but it is not for everyone and, much like any other
product, it isn't perfect.
Gadi.