IDS mailing list archives

Re: Cisco CTR


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 26 Nov 2003 22:34:07 -0500

On Nov 21, 2003, at 11:46 AM, David J. Meltzer wrote:

> Active vs. Passive detection will be a long-running debate, but in my
> estimation there are advantages and disadvantages to both approaches. Some
> of the highlights on both sides are:
>
> - There are some changes/vulnerabilities you can't see passively or you may
> have to wait around a long time to see. The list of vulnerabilities you can
> accurately detect passively is much shorter than the list of vulnerabilities
> you can accurately detect actively.

This is an interesting point and worth debating, I think. Accuracy is a tricky thing in passive and active systems. On the one hand, active systems get to send whatever stimuli they want to elicit a response, but when they're wrong about their interpretation of the results they're 100% wrong, and depending on the circumstances of the error they may give you information that's 100% wrong with 100% confidence (i.e. false positives/negatives).

Passive systems have more time to play with and therefore can introduce the concept of variable confidence levels and integrating data points over time ranges, but they are data driven and have to wait for the hosts/services/protocols/etc to reveal themselves. In the context of how accurate the two methods are, I think it'll be interesting to see just how accurate passive systems can be versus the false positive/negative rate of active methods.

Positive identification of vulnerabilities themselves (vs. the classification of families of potential vulnerabilities) is best done by active methods when possible, but that doesn't preclude the usefulness of passive systems in pointing out places that need attention on the network and classes of activity that should make admins sit up and take notice.

> The same is true of changes, which, although a vulnerability may not be
> present, could be a policy violation or create a vulnerability in the
> context of a network.

I would debate this point as well. I think that passive discovery systems/change detectors are far better at detecting change in real-time on the network than active scanners if the changes are manifesting themselves in the traffic. If the changes are manifesting themselves in a previously discovered service on the network that is relatively quiescent then an active probe may reveal that information more quickly, but only if the probe is being performed with a pretty high frequency. Discovering new services with active systems on a host running on new or odd ports requires a full portscan of the host periodically which definitely gives the advantage to the passive discovery system if that new service goes active on the network (which is presumably why it was activated in the first place).

    -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
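A toy model of the trade-off discussed in this thread (an added example, not code from the thread or from Sourcefire): a passive tracker that accumulates confidence per sighting and flags a change when an observed banner differs, beside a periodic active probe limited to a fixed port list, so a service on an odd port is only found actively by a full portscan. The hosts, ports, banners and the confidence formula are all constructed for illustration.

```python
"""Passive service discovery with sighting-based confidence, compared
against a periodic active probe of a fixed port list (constructed model)."""

# Constructed observations: (time_s, host, port, banner or None).
OBSERVATIONS = [
    (0, "10.0.0.5", 80, "Apache/2.0.48"),
    (30, "10.0.0.5", 80, "Apache/2.0.48"),
    (45, "10.0.0.5", 80, None),
    (60, "10.0.0.9", 31337, None),           # new service on an odd port
    (61, "10.0.0.9", 31337, None),
    (900, "10.0.0.5", 80, "Apache/2.0.49"),  # banner changed: a change event
]

def confidence(sightings, has_banner):
    """Constructed confidence score: rises with independent sightings and
    saturates; an observed banner adds a fixed amount of extra evidence."""
    base = 1.0 - 0.5 ** sightings
    return min(1.0, base + (0.2 if has_banner else 0.0))

def passive_track(observations):
    """Return ({(host, port): state}, events) built only from traffic seen.
    Events are (time, 'new_service' | 'change', (host, port))."""
    state, events = {}, []
    for t, host, port, banner in observations:
        key = (host, port)
        if key not in state:
            state[key] = {"first": t, "last": t, "n": 0, "banner": None}
            events.append((t, "new_service", key))
        s = state[key]
        s["last"], s["n"] = t, s["n"] + 1
        if banner and s["banner"] and banner != s["banner"]:
            events.append((t, "change", key))  # service revealed a change
        s["banner"] = banner or s["banner"]
        s["conf"] = confidence(s["n"], s["banner"] is not None)
    return state, events

def active_detect_time(observations, key, probe_ports, interval):
    """Earliest time a periodic active probe of probe_ports would see key:
    the first probe tick at or after the service's first appearance, or
    None if the port is outside the probed list (no full portscan)."""
    host, port = key
    if port not in probe_ports:
        return None
    first = min(t for t, h, p, _ in observations if (h, p) == key)
    return ((first + interval - 1) // interval) * interval

if __name__ == "__main__":
    st, ev = passive_track(OBSERVATIONS)
    for e in ev:
        print(e)
    print(active_detect_time(OBSERVATIONS, ("10.0.0.9", 31337), {22, 80, 443}, 3600))
```

With an hourly probe of common ports, the service on 31337 is never found actively, while passive tracking reports it at t=60 on its first packet.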

