IDS mailing list archives

Re: SourceFire RNA


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 3 Dec 2003 11:35:07 -0500

On Dec 2, 2003, at 12:17 PM, Lior Tal wrote:

Marty,
Many thanks for the reply.
When a computer is installed it usually includes many services that are
inactive and therefore passive detection may identify the device (IP and
OS) but it would be difficult or impossible to detect inactive services
that reflect open ports. These inactive services as far as I understand
still present vulnerabilities within the network.

They may, they may not. I don't know of any current vulnerabilities in echo or daytime, but MS RPC is another story.

Also, if you try to
mitigate the false alarm problem of NIDS sensors, is it possible to
tell whether an attack is going to be successful if you do not know of
these services?

Yes, because if there are services available that are being attacked, we will detect their presence in real time and deliver that information to our backend, where the correlator is located, allowing us to correlate the information regardless of the order of arrival.

Another issue I have is the VA aspect of RNA presented on SourceFire's
web site - if passive detection can not detect all devices and running
services, how is it possible to provide reliable network map and
vulnerability information?

The same can be said of active discovery techniques: it is just as possible to hide from an active scanner as it is to hide from a passive one, so we can never know that we have 100% perfect knowledge of what's on our networks with either technology. On the other hand, I'm an advocate of the "perfect is the enemy of good enough" school of engineering: we need solutions that can detect changes in the network environment in real time, and scanners can't do that. RNA can, and so it provides a good solution to a hard problem. Using that information to reduce the number of things that are hard to know about your network has value, and that's what we're building.

     -Marty


Kind regards,
Lior Tal

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Tuesday, December 02, 2003 6:27 PM
To: Lior Tal
Cc: focus-ids () securityfocus com
Subject: Re: SourceFire RNA

We can track and profile every active network element that's generating
traffic on the network and we can discover new elements in real-time.
The answer to the "how do you detect inactive hosts" question is "we
don't", you have to decide how important it is to know about machines
that are completely inactive on a network. This kind of falls into the
"if a tree falls in the woods..." category from a certain standpoint,
but if you want to discover all the inactive hosts on your network and
track them on an ongoing basis then you can simply run an initial
discovery scan with any scanning tool (e.g. nmap/strobe/hping/etc) and
RNA will see the scan traffic and auto-populate itself with host
representations for everything that responds.

      -Marty

On Dec 2, 2003, at 5:58 AM, Lior Tal wrote:



Hi,
Did anyone have a chance to evaluate the RNA published on SourceFire's
web site?
From what I could understand, they claim that by passive traffic
analysis the RNA can trace every network device, service and open port
within a network. It is difficult for me to understand how passive
traffic analysis can detect inactive devices and services which do not
transmit any network traffic?
Can anyone help figure that one out?
Lior
US-Path Inc.



--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




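The passive discovery behaviour Marty describes in the thread (hosts are learned only when they transmit, responders to a discovery scan auto-populate the map, services are learned in real time as they answer) can be illustrated with a small simulation. This is an added example, not code from the thread and not Sourcefire's RNA; the `PassiveInventory` class, the inference rules and the flow records and addresses below are all constructed for the illustration, and the rules (SYN/ACK means a listening service, RST means a closed port, a low-numbered UDP source port means a service reply) are simplifying assumptions rather than anything the thread states.

```python
"""Toy passive network discovery (constructed example, not Sourcefire/RNA code).

Assumes traffic has already been decoded into flow records of the form
(timestamp, src_ip, src_port, dst_ip, dst_port, proto, tcp_flags).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[int, str, int, str, int, str, str]
Service = Tuple[str, int]  # (proto, port)


class PassiveInventory:
    """Builds a host/service map purely from traffic it observes.

    Inference rules (assumptions made for this example):
      * any source address that emits a packet is an active host;
      * a TCP SYN/ACK sourced from host:port means a listening service there;
      * a TCP RST sourced from host:port means that port is closed;
      * a UDP packet sourced from a port below 1024 is treated as a service reply.
    A host that never transmits is never learned; that is exactly the
    limitation the thread discusses.
    """

    def __init__(self) -> None:
        self.hosts: Dict[str, int] = {}  # ip -> first-seen timestamp
        self.services: Dict[str, Set[Service]] = defaultdict(set)
        self.closed: Dict[str, Set[Service]] = defaultdict(set)

    def observe(self, rec: Record) -> List[str]:
        """Update the map with one record; return real-time change events."""
        ts, src, sport, _dst, _dport, proto, flags = rec
        events: List[str] = []
        if src not in self.hosts:
            self.hosts[src] = ts
            events.append(f"new_host {src}")
        key: Service = (proto, sport)
        if proto == "tcp" and flags == "SA":
            if key not in self.services[src]:
                self.services[src].add(key)
                self.closed[src].discard(key)
                events.append(f"new_service {src} tcp/{sport}")
        elif proto == "tcp" and flags == "R":
            if key not in self.services[src]:
                self.closed[src].add(key)
        elif proto == "udp" and sport < 1024:
            if key not in self.services[src]:
                self.services[src].add(key)
                events.append(f"new_service {src} udp/{sport}")
        return events

    def snapshot(self) -> Dict[str, Set[Service]]:
        """Current map: every known host with the services seen on it."""
        return {h: set(self.services.get(h, set())) for h in self.hosts}

    def unseen(self, candidates: Iterable[str]) -> Set[str]:
        """Which of the given addresses has the passive map never observed?"""
        return {ip for ip in candidates if ip not in self.hosts}


# Constructed traffic. 10.0.0.22 is a powered-off host that never answers.
TRAFFIC: List[Record] = [
    # ordinary activity: a client fetching a web page
    (100, "10.0.0.5", 40001, "10.0.0.20", 80, "tcp", "S"),
    (100, "10.0.0.20", 80, "10.0.0.5", 40001, "tcp", "SA"),
    # a DNS reply from the resolver
    (101, "10.0.0.53", 53, "10.0.0.5", 5353, "udp", ""),
    # an initial discovery scan from an admin box, as the thread suggests
    (200, "10.0.0.9", 50000, "10.0.0.21", 22, "tcp", "S"),
    (200, "10.0.0.21", 22, "10.0.0.9", 50000, "tcp", "SA"),
    (200, "10.0.0.9", 50001, "10.0.0.21", 23, "tcp", "S"),
    (200, "10.0.0.21", 23, "10.0.0.9", 50001, "tcp", "R"),
    (201, "10.0.0.9", 50002, "10.0.0.22", 22, "tcp", "S"),  # no answer ever comes
]


def run(records: Iterable[Record] = TRAFFIC) -> Tuple[PassiveInventory, List[str]]:
    """Feed records through the inventory; return it plus the event log."""
    inv = PassiveInventory()
    log: List[str] = []
    for rec in records:
        log.extend(inv.observe(rec))
    return inv, log


if __name__ == "__main__":
    inventory, events = run()
    for e in events:
        print(e)
    print("services:", inventory.snapshot())
    print("never seen:", inventory.unseen(["10.0.0.21", "10.0.0.22"]))
```

Running it shows the two halves of Marty's answer: 10.0.0.21 appears in the map with tcp/22 the moment it answers the scan, while 10.0.0.22, which never transmits, is absent from `snapshot()` and reported by `unseen()`; the scanning box 10.0.0.9 itself becomes a known host because it generated traffic.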

