Re: Snort and Nessus Signature

From: Olaf Gellert (og_at_pre-secure.de)
Date: 09/23/05

    Date: Fri, 23 Sep 2005 10:05:00 +0200
    To: Ron Gula <rgula@tenablesecurity.com>
    
    

    Ron Gula wrote:
    > Continuous scanning will help you find some things, but won't find:
    >
    > - new client software
    > - hosts protected by personal firewalls
    > - off-port services (you want to do continuous scanning for all 65k ports?)

    Well, you are thinking of scanning as a network
    related process (a la NMAP), I guess. But there
    are many other possibilities of scanning: Scanning
    your local logfiles (e.g. host based sensors),
    scanning your local filesystem, scanning your local
    installation database for new software. This way you
    may get much more (and very accurate) information
    than by actively scanning the network (or by
    analyzing the traffic).

    Sure this is not as easily deployed as a single
    network sensor, but it can very well be worth
    the effort.

    Cheers, Olaf

    -- 
    Dipl.Inform. Olaf Gellert                  PRESECURE (R)
    Senior Researcher,                       Consulting GmbH
    Phone: (+49) 0700 / PRESECURE           og@pre-secure.de
                            A daily view on Internet Attacks
                            https://www.ecsirt.net/sensornet
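
The "installation database" scan described above, as an added example that is not part of the original message: it diffs two snapshots of a Debian-style dpkg status file and reports packages that are newly installed or whose version changed. The dpkg format is an assumption (the message names no package manager), and both snapshots are constructed sample data.

```python
# Constructed samples in dpkg "status" stanza format (not real host data).
BASELINE = """\
Package: openssh-server
Status: install ok installed
Version: 1:4.2p1-1

Package: telnetd
Status: deinstall ok config-files
Version: 0.17-30
"""
CURRENT = """\
Package: openssh-server
Status: install ok installed
Version: 1:4.2p1-2

Package: telnetd
Status: install ok installed
Version: 0.17-30

Package: bittorrent
Status: install ok installed
Version: 3.4.2-6
"""

def installed(status_text):
    """Return {package: version} for stanzas whose state is 'installed'."""
    pkgs = {}
    for stanza in status_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            # Lines starting with whitespace continue a multi-line field.
            if sep and not line[:1].isspace():
                fields[key.strip().lower()] = value.strip()
        state = fields.get("status", "").split()
        # A removed package can linger as "config-files"; it is not installed.
        if "package" in fields and state[-1:] == ["installed"]:
            pkgs[fields["package"]] = fields.get("version", "")
    return pkgs

def diff_inventory(baseline_text, current_text):
    """Compare two snapshots; return (newly installed, version changed)."""
    old, new = installed(baseline_text), installed(current_text)
    added = sorted(set(new) - set(old))
    changed = sorted(p for p in set(new) & set(old) if new[p] != old[p])
    return added, changed

if __name__ == "__main__":
    print(diff_inventory(BASELINE, CURRENT))
```

A package that was removed but left its configuration behind (telnetd in the baseline) counts as newly installed when it reappears, which a plain name comparison of the two files would miss.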
    
