RE: NeVO Scan Application was RE: Cisco CTR

["Teicher, Mark (Mark)" <teicher () avaya com>]

Mere child's play.. Some products require more detailed instructions
than others.  I still have yet figured out how to create a IDS signature
in some Enterprise Desktop firewalls.. :)

/mark

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com] 
Sent: Thursday, November 20, 2003 1:09 PM
To: Teicher, Mark (Mark); focus-ids () securityfocus com
Subject: RE: NeVO Scan Application was RE: Cisco CTR


Yes!

Those were the "real complex things" I was talking about in my previous
email. Of course detecting passive sniffing devices is mere child's play
for subscribers to this list ;)

If you have a NIDS or sniffer deployed on a tap or off of a span port
and it does nothing like DNS lookups, it's difficult to find.

My point that I thought we beat to death was that tools like NeVO and
RNA don't send packets.

Ron
Tenable Network Security

At 12:49 PM 11/20/2003 -0700, Teicher, Mark (Mark) wrote:
> Ron,
>
> Didn't @Stake produce AntiSniff to detect passive type monitoring 
> applications ??
>
> /mark
>
> -----Original Message-----
> From: Ron Gula [mailto:rgula () tenablesecurity com]
> Sent: Thursday, November 20, 2003 12:45 PM
> To: Teicher, Mark (Mark); focus-ids () securityfocus com
> Subject: Re: NeVO Scan Application was RE: Cisco CTR
>
>
> Woah ... no-one should be able to detect NeVO or RNA (or a NIDS) just 
> by sitting there. You need to do real complex things invoking timing 
> and other checks to find hosts that are passively listening.
>
> Desktop agents like Sygate will see scans from Nessus, Nmap, pings, 
> etc. but they will have a hard time detecting passive analysis of their

> network traffic.
>
> Ron
>
>
>
> At 12:27 PM 11/20/2003 -0700, Teicher, Mark (Mark) wrote:
> > Ron,
> >
> > Interesting, another lightweight and inexpensive monitoring/scanning 
> > software ??  Wondering if the Enterprise/Desktop firewall products 
> > can detect NeVO scans as they can nmap scans. It will be very 
> > interesting to see how Desktop firewalls in the corporate environment

> > stand up to NeVO scans..
> >
> > Something to try in the lab against all those Enterprise/Desktop 
> > Firewall products.. :)
> >
> > /mark
> >
> > -----Original Message-----
> > From: Ron Gula [mailto:rgula () tenablesecurity com]
> > Sent: Thursday, November 20, 2003 7:38 AM
> > To: focus-ids () securityfocus com
> > Subject: Re: Cisco CTR
> >
> >
> > At 04:54 AM 11/20/2003 -0700, Mark Teicher wrote:
> > > Just curious on how NeVO compares to Intrusec Expose ??
> >
> > I have not seen Expose recently, but my thought was that it was a 
> > continuous low-volume active scan that could launch other 
> > vulnerability
>
> > scanners when change was detected. NeVO does the same sort of thing, 
> > but passively through network packet/session monitoring. Besides 
> > looking for change in the network, it also looks for the 
> > vulnerability.
>
> > NeVO needs to wait for a packet to be sent before it sees a host, 
> > port,
>
> > client, server or vulnerability. If folks deploy NeVO with a 
> > Lightning Console, they can launch distributed Nessus scans if they 
> > see a system or a vulnerability data that they would like to follow 
> > up with an active scan.
> >
> > Ron Gula
> > Tenable Network Security
> > http://www.tenablesecurity.com
> >
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > --
> > -
> > ---
>
> -----------------------------------------------------------------------
> -
> > ---


---------------------------------------------------------------------------
---------------------------------------------------------------------------