Re: Cisco CTR

[Martin Roesch <roesch () sourcefire com>]

Vendor Alert: I work for Sourcefire.

RNA is not a passive vulnerability scanner, vulnerability analysis is  
only a subset of what it can accomplish.  I've taken to calling RNA a  
passive network discovery system (PNDS) since that's a more accurate  
description of what it does.

BTW, the demo that Joe saw was from a beta of RNA that we were running  
in-house, production versions should only be set to discover your  
internal network so you don't accidentally start mapping other people's  
networks with it.  We had our internal sensors tuned that way for  
testing of preproduction units only, we don't condone mapping other  
people's networks with RNA.

     -Marty

On Nov 12, 2003, at 1:48 PM, John Lampe wrote:

> ----- Original Message -----
> From: "Joe Bowling" <joebowling () comcast net>
> To: <liranil () optonline net>
> Cc: <focus-ids () securityfocus com>
> Sent: Tuesday, November 11, 2003 12:26 AM
> Subject: Re: Cisco CTR
>
>
> > the RNA runs on its own box
> > all it does is listen...so even if it dropped a packet in a stream it
> > wouldnt matter....its not matching signatures...its fingerpringting  
> > OS's
> and
> > Apps.
> >
> > the demo i saw of it rocked the house....cause it fingerprints not  
> > only
> your
> > internal network but also everyone you talk to on your "external"
> > network.....lets just say you will discover some interesting things  
> > out
> > there (IIS version 3.0)
>
> I work for Tenable Security, so I may be a little biased ;-)
> however, if you're into passive vulnerability scanning, you may
> also wish to check out Nevo from Tenable Security.  Nevo can
> work in 'stand-alone' mode.  In addition, it can forward it's
> alerts up to the Lightning console where it can be used to
> correlate IDS and scanner data.  So, for instance, you can have
> your Nessus, Newt, Snort, and Nevo data all residing on a central  
> console.
> The nice thing is that you can choose to only look at attacks which
> were directed against actually vulnerable machines....And, yes, since
> Nevo is passive, it can look at vulnerable machines on your business
> partner networks, external nets, etc.
>
> John Lampe
>
>
>
> ----------------------------------------------------------------------- 
> ----
> Network with over 10,000 of the brightest minds in information security
> at the largest, most highly-anticipated industry event of the year.
> Don't miss RSA Conference 2004! Choose from over 200 class sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
> and use priority code SF4.
> ----------------------------------------------------------------------- 
> ----
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Enterprise-class Snort-based IDS Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------