IDS mailing list archives
RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
From: Karl Lynn <klynn () stackheap org>
Date: Mon, 16 Dec 2002 16:12:46 +0000 (GMT)
Actually, I wasn't talking about a worm and I'm not talking about an automated scan that goes out and sweeps an IP range. For instance, I hit www.somecompanyhere.com and through some digging (oh, let's say I hit netcraft or hit port 80 to see what type of banner I'm getting), then run the attack from a second network: will ActiveScout block the attack or not? In other words, does the appliance need to see that bogus information or "mark" to block the attack, or can I run exploits against a known host until I turn blue in the face? It's one thing for "non public" servers, but what about web servers or any other server on the DMZ?

-Karl

On Mon, 16 Dec 2002, Dudley, Brian (ISS Chicago) wrote:

> A scan is launched at a web server farm by a hacker or a worm, ActiveScout replies with bogus information about web servers that do not exist. Then the hacker or automated worm takes this information and tries to launch an attack at these bogus hosts, and immediately ActiveScout blocks the attacker's IP. It knows that nobody should send a request to an IP that does not exist. So it doesn't matter if you are from the original scanning IP address or a separate address. The only thing that matters is you are trying to attack a host that does not exist.
>
> Now if you get lucky and launch an attack from a separate IP at a valid server IP then your traditional IDS should catch it; however, automated attacks take scan info and launch at all IPs and therefore worms like Slapper or Code Red should be automatically blocked. This product is a supplement to regular IDS/IPS which will detect and block single host attacks with no pre-attack probe. The beauty is that it blocks unknown automated attacks like Code Red, Nimda, Slapper, etc... Remember Defense in Depth... There is no silver bullet...
>
> Having said that, a problem I see is if the attacker knows you are using this technology and spoofs the source address of one of your business partners, DNS server, etc. in a packet destined to a bogus ActiveScout IP, which could potentially DoS your network. This may be mitigated if ActiveScout ensures that a full TCP session is established before blocking the offending IP.
>
> -Brian
>
> -----Original Message-----
> From: Karl Lynn [mailto:klynn () stackheap org]
> Sent: Monday, December 16, 2002 6:53 AM
> To: Oded Comay
> Cc: focus-ids () securityfocus com
> Subject: Re: ForeScout ActiveScout (was: Re: Intrusion Prevention)
>
> My comments below-
>
> On Sun, 15 Dec 2002, Oded Comay wrote:
>
> > Greetings,
> >
> > We have been following this thread with great interest. Sorry for jumping in late; appreciating the technical quality of this forum, we wanted to avoid anything that could be viewed as a marketing pitch. I will do my best to avoid it (and sweeping generalizations) in this posting as well. That being said, some clarifications are in order. To start with, ActiveScout is not an IDS. Judging it by NIDS standards and criteria will do injustice to both technologies.
>
> [snip web site marketing material]
> ForeScout delivers automated intrusion prevention solutions that precisely identify and selectively block all types of attacks before they reach the network.
> [/snip web site marketing material]
>
> So, it's an IPS?
>
> > Karl Lynn asks whether there will be a problem if he "scans" from one network and attacks from another. As mentioned above, this is actually a great feature of ActiveScout. Even if the "attacking" network address is used sparingly, just for launching the actual attack (after recon done using a different network block), ActiveScout will detect and block it from accessing the attacked network.
>
> So you are telling me if I use a shell account in California (making it obvious here) and a shell account in, let's say, Japan, you're telling me that if I port scan a machine from my California shell, and only port scan once from my California shell, and I also validly use a browser to check your homepage via HTTP, seeing that it's an IIS machine... If I then hop on my shell account on the machine in Japan and run something like IIS ASP overflow or an overflow on the printer ISAPI filter, that ActiveScout will somehow link these two events and block the account in Japan?
>
> Unless you are blocking me based on some sort of anomaly detection that has nothing to do with the probe (recon), then I think you might want to enlighten us on how exactly ActiveScout prevents attacks coming from two separate networks where a "marker" would never work.
>
> > And we haven't said anything about the cool factor...
>
> I'd rather have something that works than something that's cool ;)
>
> > Thanks, and seasons greetings to all!
>
> You also...
>
> > --
> > Oded Comay, CTO
> > ForeScout Technologies
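The decoy-address ("mark") blocking that Brian describes, together with the full-handshake mitigation he proposes against spoofed-source packets, modelled as an added illustration that is not part of the thread and is not ForeScout's code. The DecoyBlocker class, run_scenario and the addresses are constructed for this example; a source is only blocked once it completes a three-way handshake to a decoy, since a spoofed source never learns the ISN in the decoy's SYN/ACK.

```python
import random
from dataclasses import dataclass, field

@dataclass
class DecoyBlocker:
    """Toy model of a decoy-address blocker (not ForeScout's implementation)."""
    decoys: set                                  # bogus addresses handed out as "marks"
    require_handshake: bool = True               # Brian's proposed mitigation
    blocked: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # (src, dst) -> ISN of the decoy's SYN/ACK

    def observe(self, src, dst, flags, ack=None):
        """Process one TCP segment seen on the wire and return the verdict for it."""
        if src in self.blocked:
            return "dropped"                     # a blocked source loses all access
        if dst not in self.decoys:
            return "forwarded"                   # real host: the IDS/IPS's job, not ours
        key = (src, dst)
        if not self.require_handshake:
            self.blocked.add(src)                # naive: any packet to a decoy blocks
            return "blocked"                     # ... including one with a spoofed source
        if flags == "SYN":
            self.pending[key] = random.getrandbits(32)   # ISN in the decoy's SYN/ACK
            return "synack"                      # a spoofed source never sees this reply
        if flags == "ACK" and key in self.pending:
            if ack == (self.pending[key] + 1) & 0xFFFFFFFF:
                # Only a host that actually received the SYN/ACK knows this number,
                # so the source address is genuine and the session is real.
                del self.pending[key]
                self.blocked.add(src)
                return "blocked"
        return "ignored"                         # stray or wrongly-numbered segment

def run_scenario(require_handshake=True):
    """Constructed traffic: a spoofed SYN, a genuine handshake, then real-host traffic."""
    partner, attacker = "203.0.113.5", "198.51.100.7"   # constructed documentation addresses
    decoy, web = "192.0.2.250", "192.0.2.10"
    b = DecoyBlocker(decoys={decoy}, require_handshake=require_handshake)
    log = {"spoofed_syn": b.observe(partner, decoy, "SYN")}  # SYN forged with partner's IP
    b.observe(attacker, decoy, "SYN")                       # a real host connects to the decoy
    isn = b.pending.get((attacker, decoy))
    if isn is not None:                                     # complete the handshake
        log["real_handshake"] = b.observe(attacker, decoy, "ACK", ack=(isn + 1) & 0xFFFFFFFF)
    log["attacker_to_web"] = b.observe(attacker, web, "SYN")
    log["partner_to_web"] = b.observe(partner, web, "SYN")
    return log, b
```

With require_handshake=False the forged SYN alone gets the partner's address blocked, which is exactly the DoS Brian warns about; with the default the partner keeps reaching the web server while the host that really completed a session to the decoy is cut off.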