IDS mailing list archives

Re: SourceFire RNA


From: Renaud Deraison <deraison () nessus org>
Date: Tue, 2 Dec 2003 11:35:55 -0500

On Tue, Dec 02, 2003 at 10:46:48AM -0500, Rob Shein wrote:
The answer to this is simple.  All machines make some kind of noise on the
network, from an IDS-centric view.  If the machine doesn't have any
interaction, ever, with anything, then it's not really important from the
IDS point of view, because it can't be breached WITHOUT interaction.  Even
if the first traffic involving that machine is an attack or scan, at that
point the machine becomes at least as visible to the IDS as it is to the
attacker.

Waiting for an attack is not necessarily a good strategy either - just think
about all the worms that have been plaguing our last summer vacations
these last few years.

Reactive security practices simply don't work. If the host does not
interact with the rest of the network, that does not make it more benign
than any other one on the network - quite the contrary actually, as it
suggests that it never downloaded any patch.


                                -- Renaud
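The point Renaud makes above is that a host a passive sensor never hears from is not "safe by silence"; it is the host most likely to have missed its patches. The following is an added example, not code from this thread or from any product it mentions: it cross-checks an asset inventory against passive observations and lists the hosts that an IDS-centric view would never have flagged. The inventory, the log format and the 14-day staleness threshold are constructed assumptions for the demonstration.

```python
"""Find inventory hosts that passive discovery never sees.

Added example (not from the mailing-list thread): a passive sensor only
learns about hosts that send or receive traffic. Hosts that stay silent
get no passive coverage at all and are the ones to send for an active
audit, since silence also means no patch traffic was ever observed.
"""
from datetime import datetime, timedelta

# Constructed sample data (assumption): an asset inventory plus a few
# passive observations, one per line, as "timestamp src_ip dst_ip".
INVENTORY = {"10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"}

PASSIVE_LOG = """\
2003-12-01T08:00:00 10.0.0.5 192.0.2.10
2003-12-01T09:15:00 10.0.0.6 10.0.0.5
2003-11-01T12:00:00 10.0.0.7 192.0.2.20
"""


def parse_observations(text):
    """Return {ip: latest datetime seen} for every ip appearing as src or dst."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        when = datetime.fromisoformat(ts)
        for ip in (src, dst):
            if ip not in last_seen or when > last_seen[ip]:
                last_seen[ip] = when
    return last_seen


def classify_hosts(inventory, last_seen, now, stale_after=timedelta(days=14)):
    """Split the inventory into silent (never seen), stale (seen, but not
    within stale_after) and active hosts."""
    silent, stale, active = set(), set(), set()
    for ip in inventory:
        if ip not in last_seen:
            silent.add(ip)
        elif now - last_seen[ip] > stale_after:
            stale.add(ip)
        else:
            active.add(ip)
    return silent, stale, active


def audit_report(inventory=INVENTORY, log=PASSIVE_LOG, now=datetime(2003, 12, 2)):
    """Build the list a defender would act on: silent and stale hosts need an
    active check, and hosts seen on the wire but absent from the inventory
    need to be added to it."""
    last_seen = parse_observations(log)
    silent, stale, active = classify_hosts(inventory, last_seen, now)
    return {
        "silent": sorted(silent),
        "stale": sorted(stale),
        "active": sorted(active),
        "unknown": sorted(ip for ip in last_seen if ip not in inventory),
    }


if __name__ == "__main__":
    for label, hosts in audit_report().items():
        print(f"{label:8s} {hosts}")
```

With the constructed data, 10.0.0.8 never appears on the wire and 10.0.0.7 was last seen a month ago; both are exactly the hosts a purely passive view would leave unexamined, while the two 192.0.2.x addresses show the reverse gap, traffic from hosts the inventory does not know about.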
