IDS mailing list archives
Re: SourceFire RNA
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 3 Dec 2003 16:03:35 -0500
On Dec 3, 2003, at 3:14 PM, Ron Gula wrote:
On Wed, 3 Dec 2003 1:21pm, Martin Roesch wrote:

(Stuff deleted)

The same can be said of active discovery techniques, it is just as possible to hide from an active scanner as it is to hide from a passive one, so we can never know that we have 100% perfect knowledge of what's on our networks with either technology. On the other hand, I'm an advocate of the "perfect is the enemy of good enough" school of engineering, we need solutions that can detect changes in the network environment in real-time and scanners can't do that, RNA can and so it provides a good solution to a hard
^^^^^^^^^^
problem.

Of course scanners can detect change in networks. They may not be able to detect them as near time as a passive scanner like RNA, NeVO, Securify or Arbor's products, but doing a diff of multiple active scans shows lots of change. Products like Lightning, Foundstone, and eEye detect change in networks each time they run.

I said "in real-time", we were doing diffs on active scans when you and I helped to build the GNI IDS back at GTE-I in 1997 as I'm sure you'll recall, that's nothing new. Real-time detection of change is a far cry from periodic interrogative passes though, as you know timeliness can be a big factor in providing defense and response to a variety of nondeterministic situations that can arise on networks that are poorly served by active discovery methods.

-Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org