RE: NeVO Scan Application was RE: Cisco CTR

[Ron Gula <rgula () tenablesecurity com>]

Yes!

Those were the "real complex things" I was talking about in my
previous email. Of course detecting passive sniffing devices
is mere child's play for subscribers to this list ;)

If you have a NIDS or sniffer deployed on a tap or off of a span
port and it does nothing like DNS lookups, it's difficult to
find.

My point that I thought we beat to death was that tools like
NeVO and RNA don't send packets.

Ron
Tenable Network Security

At 12:49 PM 11/20/2003 -0700, Teicher, Mark (Mark) wrote:
> Ron,
>
> Didn't @Stake produce AntiSniff to detect passive type monitoring
> applications ??
>
> /mark
>
> -----Original Message-----
> From: Ron Gula [mailto:rgula () tenablesecurity com]
> Sent: Thursday, November 20, 2003 12:45 PM
> To: Teicher, Mark (Mark); focus-ids () securityfocus com
> Subject: Re: NeVO Scan Application was RE: Cisco CTR
>
>
> Woah ... no-one should be able to detect NeVO or RNA (or a NIDS) just by
> sitting there. You need to do real complex things invoking timing and
> other checks to find hosts that are passively listening.
>
> Desktop agents like Sygate will see scans from Nessus, Nmap, pings, etc.
> but they will have a hard time detecting passive analysis of their
> network traffic.
>
> Ron
>
>
>
> At 12:27 PM 11/20/2003 -0700, Teicher, Mark (Mark) wrote:
> >Ron,
> >
> >Interesting, another lightweight and inexpensive monitoring/scanning
> >software ??  Wondering if the Enterprise/Desktop firewall products can
> >detect NeVO scans as they can nmap scans. It will be very interesting
> >to see how Desktop firewalls in the corporate environment stand up to
> >NeVO scans..
> >
> >Something to try in the lab against all those Enterprise/Desktop
> >Firewall products.. :)
> >
> >/mark
> >
> >-----Original Message-----
> >From: Ron Gula [mailto:rgula () tenablesecurity com]
> >Sent: Thursday, November 20, 2003 7:38 AM
> >To: focus-ids () securityfocus com
> >Subject: Re: Cisco CTR
> >
> >
> >At 04:54 AM 11/20/2003 -0700, Mark Teicher wrote:
> > >Just curious on how NeVO compares to Intrusec Expose ??
> >
> >I have not seen Expose recently, but my thought was that it was a
> >continuous low-volume active scan that could launch other vulnerability
>
> >scanners when change was detected. NeVO does the same sort of thing,
> >but passively through network packet/session monitoring. Besides
> >looking for change in the network, it also looks for the vulnerability.
>
> >NeVO needs to wait for a packet to be sent before it sees a host, port,
>
> >client, server or vulnerability. If folks deploy NeVO with a Lightning
> >Console, they can launch distributed Nessus scans if they see a system
> >or a vulnerability data that they would like to follow up with an
> >active scan.
> >
> >Ron Gula
> >Tenable Network Security
> >http://www.tenablesecurity.com
> >
> >
> >
> >
> >
> >-----------------------------------------------------------------------
> >-
> >---
> >-----------------------------------------------------------------------
> -
> >---


---------------------------------------------------------------------------
---------------------------------------------------------------------------