Re: Dynamic configuration management

From: Ron Gula (
Date: 08/01/05

  • Next message: Jim B: "Re: Editing ISS RealSecure Network Sensor policy from commandline"
    Date: Mon, 01 Aug 2005 14:22:47 -0400
    To: Focus IDS <>

    At 05:27 PM 7/28/2005, Christian Kreibich wrote:
    >Hi all,
    >I'm curious to hear to what level both commercial and open-source
    >systems known to the members of this list support dynamic configuration
    >management. That is, what's the state of the art in allowing one to
    >tweak the operational parameters, retrieve + inspect current state, etc,
    >in an on-line fashion, and to what degree can this be automated across
    >larger installations.
    >For what it's worth, I'd define "on-line" as anything better than
    >stopping the system, tweaking the config files, and restarting.
    >Marketing blurbs are welcome too, though you might prefer to send me
    >these off-line. Thanks.

    Do you mean the configuration of a system, or of an IDS/IPS?

    For the intrusion stuff, our Lightning Console has the ability to
    look at the results from Nessus's local and remote checks, as well
    as NeVO's passively determined vulnerabilities and produce a Snort
    rule set which only has the 'vulnerable' signatures enabled. You
    end up running with a much smaller signature set than most Snort
    user's are comfortable with, but it's extremely effective.

     From an operating system configuration level, there are many
    commercial solutions that can grab anything from registry settings
    to actual hard drive images. Some of these use agents and some use
    credentials. Some of these can prevent configuration changes which
    would take a box out of a known-good configuration policy, and
    others can report on this after the fact. Most vulnerability
    scanners, including Nessus and NeWT, can log onto UNIX and Windows
    boxes and check them for missing patches, configuration settings,

    Ron Gula, CTO
    Tenable Network Security

    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to
    to learn more.

  • Next message: Jim B: "Re: Editing ISS RealSecure Network Sensor policy from commandline"