IDS mailing list archives

Re: Cisco CTR


From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 17 Nov 2003 15:32:19 -0500

Thanks,

Congratulations on the release of RNA.

My confusion was over whether RNA finds specific vulnerabilities or
says that you may have a whole class of vulnerabilities. For
example, in the screen shot you have of RNA on Sourcefire's home
page (BTW, I thought you liked Apple), it shows a Mac OS X running
Apache version 1.3.27 and, below it, a list of vulnerabilities. One of
the vulnerabilities is "OpenSSLv2 malformed client key remote buffer
overflow vulnerability". If you visit the Bugtraq record on this,
http://www.securityfocus.com/bid/5363 , it does not list Apache
1.3.27 as being vulnerable to this flaw. If you were doing VA/IDS
correlation, this would cause a serious, contextual, well-qualified
sort of event, when in fact there would be no vulnerability there.

Ron Gula
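To make the difference concrete, here is an added illustration (not code from Sourcefire, Tenable, or anyone on the list) of the two inference approaches discussed in this thread: class-level inference from an observed platform and application, as Marty describes below, versus version-qualified matching, which is what would avoid the false correlation Ron raises above. Hosts, the rule's fixed_in version, and the IDS events are constructed placeholders; only the BID number comes from the thread.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Observation:
    host: str
    service: str   # application name seen passively, e.g. "Apache"
    version: str   # version string taken from the banner


@dataclass(frozen=True)
class VulnRule:
    vuln_id: str
    service: str
    fixed_in: str  # first version NOT affected (constructed placeholder, not Bugtraq data)


@dataclass(frozen=True)
class IdsEvent:
    target: str
    vuln_id: str   # vulnerability the triggering signature corresponds to


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def infer(obs: Observation, rules: List[VulnRule], precise: bool) -> FrozenSet[str]:
    """Class-level inference flags every rule for the observed service; precise
    inference additionally requires the observed version to predate the fix."""
    hits = set()
    for r in rules:
        if r.service != obs.service:
            continue
        if not precise or parse_version(obs.version) < parse_version(r.fixed_in):
            hits.add(r.vuln_id)
    return frozenset(hits)


def prioritize(observations, rules, events, precise) -> Dict[Tuple[str, str], str]:
    """VA/IDS correlation: an event is 'high' only if its target was inferred
    vulnerable to the flaw the signature refers to, otherwise 'low'."""
    vulnerable = {o.host: infer(o, rules, precise) for o in observations}
    return {(e.target, e.vuln_id): "high" if e.vuln_id in vulnerable.get(e.target, frozenset()) else "low"
            for e in events}


# Constructed sample data: a host at the version Ron cites and one below the placeholder fix.
OBSERVATIONS = [Observation("192.0.2.10", "Apache", "1.3.27"),
                Observation("192.0.2.11", "Apache", "1.3.26")]
RULES = [VulnRule("BID-5363", "Apache", "1.3.27")]
EVENTS = [IdsEvent("192.0.2.10", "BID-5363"), IdsEvent("192.0.2.11", "BID-5363")]
```

With class-level inference the 1.3.27 host's event is rated "high" (the false correlation Ron describes); with version-qualified inference it drops to "low" while the 1.3.26 host's event stays "high".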


At 03:03 PM 11/17/2003 -0500, Martin Roesch wrote:
Hi Ron,

Actually, RNA went out the door this morning, after a year of development and another two years of research and planning, as an early availability release, and it will be GA in a couple of weeks. From what I can see, RNA and NeVO have different missions: NeVO is being billed as a passive vulnerability "scanner", whereas RNA is being billed as a passive network discovery system. We have multi-mode passive OS fingerprinting, topology discovery, active service identification, flow monitoring, real-time change analysis and passive vulnerability inference mechanisms built into RNA. The version of NeVO that I saw a couple of months ago was doing OS fingerprinting in support of passive vulnerability analysis; I'm unfamiliar/unaware of how it has evolved since then.

I don't know what you mean by "looking for unique vulnerabilities"; we're doing vulnerability inference by looking at platform and application data and inferring classes of vulnerabilities that can be available. This capability is primarily there to support dynamic prioritization of IDS events and to gauge the potential impact of attacks that we see on the network. We're planning on leveraging the information in the future for a variety of purposes, but RNA's focus is much broader than providing vulnerability analysis solely.

We've also wrapped RNA with a variety of supporting management and analysis technology. We've got a full web-based management and analysis GUI built into the appliances that incorporates a common look and feel with our new version 3.0 ISM (IDS) product line; we can manage multiple RNA sensors from the Sourcefire Management Console and provide data aggregation and topology analysis from a central point; we've got a 3D visualization GUI for data analysis, administration tools for system maintenance, etc., etc.

     -Marty

On Nov 17, 2003, at 10:52 AM, Ron Gula wrote:


I know RNA has not officially shipped yet, but from the web site,
it looks very similar to NeVO. It does similar OS fingerprinting,
traffic profiling, security vulnerabilities and so on.

The question I've not been able to get a good answer for is whether
RNA looks for unique vulnerabilities, or whether it is using the operating
system or application fingerprint to determine which vulnerabilities
are active.

Ron Gula
Tenable Network Security


At 09:41 PM 11/13/2003 -0500, Martin Roesch wrote:
Vendor Alert: I work for Sourcefire.

RNA is not a passive vulnerability scanner; vulnerability analysis is
only a subset of what it can accomplish.  I've taken to calling RNA a
passive network discovery system (PNDS) since that's a more accurate
description of what it does.

BTW, the demo that Joe saw was from a beta of RNA that we were running
in-house; production versions should only be set to discover your
internal network so you don't accidentally start mapping other people's
networks with it.  We had our internal sensors tuned that way for
testing of preproduction units only; we don't condone mapping other
people's networks with RNA.

     -Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

