Educause Security Discussion mailing list archives

Re: Vulnerability Scanning


From: Daniel Hay <danny () DREXEL EDU>
Date: Wed, 8 Sep 2004 23:58:45 -0400

Bob,

We use NeVO in conjunction with the Lightning Console. It's a great
tool; it's allowed us to find numerous compromised systems that we would
have had no chance of finding without it.

Basically, NeVO caught the periodic command shells popping up at odd
times during the day/night; catching these ports open with a regular
scan would have been impossible.

We're logging Snort alerts to the Lightning Console as well as the NeVO
and Nessus data; this gives us some decent correlation to work with.

Since we're beta testing NeVO 2.0, I've started working on taking the
correlation one step further by porting various Snort signatures into
NeVO signatures. This lets me refine the Snort rules within NeVO; this
allows me to have a somewhat lax Snort rule to keep a broad eye on what
is going on, but at the same time, if the NeVO rules fire, then the host
that tripped the alert is without a doubt compromised/busted :)

Feel free to drop me a line off-list if you'd like to talk about the
product some more. I'd also be happy to pass your info over to the guys
at Tenable if you would like to get into pricing info, etc.

--
Daniel Hay
Network Security Engineer
Drexel University


On Aug 30, 2004, at 11:05 AM, Bob Gerdes wrote:


   Does anyone on this list use NeVO?
   This website (http://www.tenablesecurity.com/nevo.html) provides a
brief description for how this passive vulnerability scanner operates
24x7.
   If so, can you briefly highlight how it is working for you?  And if
you are using it in conjunction with regular Nessus scans or IDS data?
     Thank you,
       Bob

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

