IDS mailing list archives
Re: SourceFire RNA
From: Renaud Deraison <deraison () nessus org>
Date: Tue, 2 Dec 2003 11:35:55 -0500
On Tue, Dec 02, 2003 at 10:46:48AM -0500, Rob Shein wrote:
> The answer to this is simple. All machines make some kind of noise on the network, from an IDS-centric view. If the machine doesn't have any interaction, ever, with anything, then it's not really important from the IDS point of view, because it can't be breached WITHOUT interaction. Even if the first traffic involving that machine is an attack or scan, at that point the machine becomes at least as visible to the IDS as it is to the attacker.
Waiting for an attack is not necessarily a good strategy either - just think about all the worms that have been plaguing our last summer vacations these last few years. Reactive security practices simply don't work. If the host does not interact with the rest of the network, that does not make it more benign than any other one on the network - quite the contrary actually, as it suggests that it never downloaded any patch.

-- Renaud