IDS mailing list archives
Re: Cisco CTR
From: Renaud Deraison <deraison () nessus org>
Date: Wed, 19 Nov 2003 14:39:09 -0500
On Wed, Nov 19, 2003 at 02:07:55PM -0500, Martin Roesch wrote:

> > The map you get is mostly inaccurate in terms of network _topology_. Have a look at the screenshot on your website - it basically shows that groups of hosts are <N> hops away, and that your router actually has two NICs. It looks very nice, though.
>
> Actually you're wrong, it demonstrates topology very well from the viewpoint of a passive system that needs to know basic things like hop counts in order to have an accurate way to gauge the impact of TTL variations in passively acquired packet sets (e.g. NIDS).

From the point of view of various insects (who see things in two dimensions only), my apartment is an infinite plane. That does not make the resulting map very usable for human beings. That being said....

> You're also wrong that we can't determine topology, RNA is capable of discovering topology explicitly by identifying routers, switches, proxies, NATs and so on.

... while I'm not sure that I understand what you mean by "discovering the topology explicitly" (does that mean sending packets?), it seems I misunderstood some features of RNA and was fooled by the demo I saw at CSI - I am really sorry about that. Better documentation could clear up some confusion, but I am sorry to have made assumptions too quickly.

> > . Network Asset Profiles
> > . Asset Behavioral Profiles (with Lightning)
> > . Security Vulnerabilities
> > . Change Events (with Lightning)
>
> Well then it would appear that the difference is that we don't need a separate product to do 50% of the job

I'm not sure we are talking about the same price ranges either :)

> > Note that for security vulnerabilities, we actually consider that people do sometimes apply patches, so we don't just do an OS lookup in a vulnerability database to report all the flaws that ever happened for that particular OS release.
>
> Nor do we.

I'm not sure I really understand how RNA does its passive vulnerability assessment then. You wrote in another email:

<< I suspect the reason that the RNA image showed the vulnerability information for OpenSSL because it identified the O.S. and since there are security updates for OS-X pertaining to this issue, it really should list that vulnerability. >>

Which is how I thought you were doing an OS lookup in a vulnerability database to determine which flaws exist on which OS. Care to explain how it really works? There seems to be a lot of confusion about RNA and none of the SourceFire sales reps I saw at CSI could actually come up with a good answer for this issue...

[...]

> Getting a list of the vulnerabilities that exist in an environment only has a few uses such as improving the quality of the information coming out of the NIDS by qualifying events.

As long as the OS is not patched then. But then again, the marketing on your website talks about finding security vulnerabilities. Once again, there seems to be a lot of confusion about RNA due to the lack of real technical and buzzword-free documentation about it, which makes it even more difficult to really grasp what it can do and what its limits are.

-- Renaud
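The exchange above turns on what a passive sensor can learn about hop distance from the TTLs it sees, and why a NIDS cares (a packet whose TTL expires before the target is never processed by that target). The following is an added illustration of that idea, written for this page; it is not RNA's, Sourcefire's or Nessus's code. It assumes senders start from one of the common initial TTLs (32, 64, 128, 255), that the routing path is symmetric, and it runs over a constructed list of (source IP, observed TTL) pairs rather than captured traffic.

```python
"""Passive hop-count inference from observed IP TTLs.

Added example for this thread, not vendor code. Assumes common initial
TTLs and symmetric routing; a host behind a TTL-rewriting NAT or with an
unusual default TTL will be placed at the wrong distance.
"""
from collections import Counter, defaultdict

# Initial TTLs used by most IP stacks (assumption, see module docstring).
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample of (source IP, TTL as seen at the sensor); not real data.
SAMPLE_PACKETS = [
    ("10.0.0.5", 64),      # same segment as the sensor
    ("10.0.1.7", 62),      # two routers away
    ("10.0.1.8", 62),
    ("192.168.3.9", 125),  # Windows-style initial TTL, three routers away
    ("172.16.0.2", 250),   # 255-based stack, five routers away
]


def guess_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is >= the observed value."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IP TTL must be in 1..255")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 covers every valid TTL")


def hop_count(observed_ttl):
    """Routers traversed between the sender and the sensor, under the guess."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


class HopTable:
    """Per-host hop distance learned only from packets the sensor saw."""

    def __init__(self):
        # src -> Counter of inferred distances; the mode absorbs noise such
        # as a single packet with an odd TTL.
        self._votes = defaultdict(Counter)

    def observe(self, src, ttl):
        hops = hop_count(ttl)
        self._votes[src][hops] += 1
        return hops

    def hops(self, src):
        votes = self._votes.get(src)
        if not votes:
            return None
        return max(votes, key=votes.get)

    def groups(self):
        """Hosts grouped by distance: the 'N hops away' view of a passive map."""
        by_distance = defaultdict(list)
        for src in self._votes:
            by_distance[self.hops(src)].append(src)
        return {d: sorted(hosts) for d, hosts in by_distance.items()}

    def will_reach(self, dst, ttl):
        """Would a packet seen at the sensor with this TTL survive to dst?

        Each router decrements the TTL and drops the packet when it hits
        zero, so the packet crosses at most ttl-1 further routers. Returns
        None when dst has never been seen (distance unknown). Assumes the
        sensor->dst path is as long as the dst->sensor path we learned.
        """
        distance = self.hops(dst)
        if distance is None:
            return None
        return ttl > distance


def build_table(packets=SAMPLE_PACKETS):
    table = HopTable()
    for src, ttl in packets:
        table.observe(src, ttl)
    return table


if __name__ == "__main__":
    table = build_table()
    for distance, hosts in sorted(table.groups().items()):
        print(f"{distance} hop(s) away: {', '.join(hosts)}")
    # A TTL-2 packet aimed at a host two routers away dies at the second router.
    print("TTL 2 reaches 10.0.1.7:", table.will_reach("10.0.1.7", 2))
```

The `will_reach` check is the reason a NIDS wants hop counts at all: an attacker can send a packet with a TTL that the sensor sees but the target never does, and a sensor that does not know the target's distance will raise an alert on (or, worse, reassemble around) a packet the target silently lost. The initial-TTL guess is the weak link, so treat distances as hints and prefer the mode over many packets, as the table does.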