IDS mailing list archives
Re: Cisco CTR
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 17 Nov 2003 17:30:15 -0500
On Nov 17, 2003, at 3:32 PM, Ron Gula wrote:
> Thanks, Congratulations on the release of RNA.
Thanks.
> My confusion was with if RNA finds specific vulnerabilities or if it says that you may have a whole class of vulnerabilities. For example, in the screen shot you have of RNA on Sourcefire's home page, (BTW, I thought you liked Apple), it shows a Mac OS-X running Apache version 1.3.27 and below a list of vulnerabilities. One of the vulnerabilities is "OpenSSLv2 malformed client key remote buffer overflow vulnerability". If you visit the Bugtraq record on this: http://www.securityfocus.com/bid/5363 , it does not list Apache 1.3.27 as being vulnerable to this flaw. If you were doing VA/IDS correlation, this would cause a serious, contextual, well qualified sort of event, when in fact there would be no vulnerability there.
Little SNAFU there, our web people used the wrong screenshot (I love Apple, I'm typing this from my PB15 as a matter of fact). We just put up the new website this morning, if that's the only problem that gets found I'll be happy.
I suspect the reason that the RNA image showed the vulnerability information for OpenSSL is that it identified the O.S., and since there are security updates for OS-X pertaining to this issue, it really should list that vulnerability.

Here are the links to Apple:

http://docs.info.apple.com/article.html?artnum=120139
http://docs.info.apple.com/article.html?artnum=120141

The affected systems do not list Apache 1.3.27 as you stated; however, the fact is that Apple issued updates to OS X, so I think RNA did the right thing in alerting the user. The updates from Apple also contain updates to Apache as well as mod_ssl and OpenSSL.

We're working continuously to make sure the quality of the data in the system is as high as we can make it; this is an evolutionary process, however, and it'll get better as the product matures.
-Marty
> Ron Gula
>
> At 03:03 PM 11/17/2003 -0500, Martin Roesch wrote:
>
>> Hi Ron,
>>
>> Actually, RNA went out the door this morning after a year of development and another 2 years of research and planning as an early availability release and it will be GA in a couple weeks. From what I can see, RNA and Nevo have different missions: Nevo is being billed as a passive vulnerability "scanner" whereas RNA is being billed as a passive network discovery system. We have multi-mode passive OS fingerprinting, topology discovery, active service identification, flow monitoring, real-time change analysis and passive vulnerability inference mechanisms built-in to RNA. The version of Nevo that I saw a couple months ago was doing OS fingerprinting in support of passive vulnerability analysis; I'm unfamiliar/unaware of how it has evolved since then.
>>
>> I don't know what you mean by "looking for unique vulnerabilities"; we're doing vulnerability inference by looking at platform and application data and inferring classes of vulnerabilities that can be available. This capability is primarily there to support dynamic prioritization of IDS events and to gauge potential impact of attacks that we see on the network. We're planning on leveraging the information in the future for a variety of purposes, but RNA's focus is much broader than providing vulnerability analysis solely.
>>
>> We've also wrapped RNA with a variety of supporting management and analysis technology. We've got a full web-based management and analysis GUI built-in to the appliances that incorporates a common look and feel with our new version 3.0 ISM (IDS) product line, we can manage multiple RNA sensors from the Sourcefire Management Console and provide data aggregation and topology analysis from a central point, we've got a 3D visualization GUI for data analysis, administration tools for system maintenance, etc etc.
>>
>> -Marty
>>
>> On Nov 17, 2003, at 10:52 AM, Ron Gula wrote:
>>
>>> I know RNA has not officially shipped yet, but from the web site, it looks very similar to NeVO. It does similar OS fingerprinting, traffic profiling, security vulnerabilities and so on. The question I've not been able to get a good answer for is if RNA looks for unique vulnerabilities, or if it is using the operating system or application fingerprint to determine which vulnerabilities are active.
>>>
>>> Ron Gula
>>> Tenable Network Security
>>>
>>> At 09:41 PM 11/13/2003 -0500, Martin Roesch wrote:
>>>
>>>> Vendor Alert: I work for Sourcefire.
>>>>
>>>> RNA is not a passive vulnerability scanner; vulnerability analysis is only a subset of what it can accomplish. I've taken to calling RNA a passive network discovery system (PNDS) since that's a more accurate description of what it does.
>>>>
>>>> BTW, the demo that Joe saw was from a beta of RNA that we were running in-house; production versions should only be set to discover your internal network so you don't accidentally start mapping other people's networks with it. We had our internal sensors tuned that way for testing of preproduction units only; we don't condone mapping other people's networks with RNA.
>>>>
>>>> -Marty
>>>>
>>>> --
>>>> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
>>>> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
>>>> roesch () sourcefire com - http://www.sourcefire.com
>>>> Snort: Open Source Network IDS - http://www.snort.org
>>>>
>>>> ---------------------------------------------------------------------------
>>>> Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4.
>>>> ---------------------------------------------------------------------------

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
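The distinction the thread turns on (a vulnerability confirmed from an observed application version versus one inferred from the OS fingerprint and a pending vendor update) and its use for IDS event prioritization, as an added example that is not RNA, NeVO or Snort code and not anyone on the list's. The knowledge-base entries, hosts, version strings and the "EXAMPLE-1" id are constructed for illustration; only the BID 5363 reference comes from the thread.

```python
"""Passive vulnerability inference and IDS-event prioritization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str
    product: str          # component the flaw lives in
    affected: frozenset   # versions known vulnerable (constructed values)
    platforms: frozenset  # OS fingerprints whose vendor shipped the component and issued an update


@dataclass(frozen=True)
class Host:
    ip: str
    os: str          # passive OS fingerprint
    services: dict   # port -> (product, version) as seen on the wire
    patched: bool = False   # vendor update known to be applied


# Constructed knowledge base: versions are illustrative, "EXAMPLE-1" is a made-up id.
KB = [
    Vuln("BID-5363", "openssl", frozenset({"0.9.6d"}), frozenset({"Mac OS X 10.2"})),
    Vuln("EXAMPLE-1", "apache", frozenset({"1.3.26"}), frozenset()),
]

PRIORITY = {"confirmed": 3, "inferred": 2, None: 1}


def infer(host: Host, vuln: Vuln):
    """Return 'confirmed', 'inferred' or None.
    confirmed: an observed service advertises a version in the vuln's affected set.
    inferred : the component was not seen, but the OS fingerprint matches a platform
               that ships it and issued an update (the OS X / OpenSSL case in the thread)."""
    for product, version in host.services.values():
        if product == vuln.product and version in vuln.affected:
            return "confirmed"
    if host.os in vuln.platforms and not host.patched:
        return "inferred"
    return None


def prioritize(event: dict, hosts: dict, kb=KB):
    """event is a constructed IDS alert {'dst': ip, 'vuln': id}; returns (priority, basis)."""
    host = hosts.get(event["dst"])
    vuln = next((v for v in kb if v.vid == event["vuln"]), None)
    if host is None or vuln is None:
        return 1, "no host or vulnerability context"
    basis = infer(host, vuln)
    return PRIORITY[basis], basis or "not applicable"
```

An inferred hit should be reported with its basis so an analyst can tell "the platform may carry this class of flaw" from "the version on the wire is on the affected list".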