IDS mailing list archives
Re: ForeScout ActiveScout (was: Re: Intrusion Prevention)
From: Karl Lynn <klynn () stackheap org>
Date: Mon, 16 Dec 2002 11:53:00 +0000 (GMT)
My comments below-

On Sun, 15 Dec 2002, Oded Comay wrote:
Greetings,

We have been following this thread with great interest. Sorry for jumping in late; appreciating the technical quality of this forum, we wanted to avoid anything that could be viewed as a marketing pitch. I will do my best to avoid it (and sweeping generalizations) in this posting as well. That being said, some clarifications are in order. To start with, ActiveScout is not an IDS. Judging it by NIDS standards and criteria will do injustice to both technologies.
[snip web site marketing material] ForeScout delivers automated intrusion prevention solutions that precisely identify and selectively block all types of attacks before they reach the network. [/snip web site marketing material]

So, it's an IPS?
Karl Lynn asks whether there will be a problem if he "scans" from one network and attacks from another. As mentioned above, this is actually a great feature of ActiveScout. Even if the "attacking" network address is used sparingly, just for launching the actual attack (after recon done using a different network block), ActiveScout will detect and block it from accessing the attacked network.
So you are telling me if I use a shell account in California (making it obvious here) and a shell account in, let's say, Japan, you're telling me that if I port scan a machine from my California shell and only port scan once from my California shell and I also validly use a browser to check your homepage via HTTP, seeing that it's an IIS machine... If I then hop on my shell account on the machine in Japan and run something like IIS ASP overflow or an overflow on printer ISAPI filter, that ActiveScout will somehow link these two events and block the account in Japan? Unless you are blocking me based on some sort of anomaly detection that has nothing to do with the probe (recon), then I think you might want to enlighten us on how exactly ActiveScout prevents attacks coming from two separate networks where a "marker" would never work.
And we haven't said anything about the cool factor...
I'd rather have something that works than something that's cool ;)
Thanks, and seasons greetings to all!
You also...
--
Oded Comay, CTO
ForeScout Technologies