IDS mailing list archives
Re: ForeScout ActiveScout
From: Gadi Evron <ge () linuxbox org>
Date: Sat, 08 Jan 2005 14:08:21 +0200
Brent Stackhouse wrote:
> Gadi, Thanks very much for your detailed response. I understand their definition of 100% accuracy but it still begs the question as to how they make the initial determination of what to track or not. Surely

You have access to the machine.. just take a look. They provide a good event log, as well as the ability to go down to the traffic itself.

> they don't send their crafted data on every single connection to see if it comes back. Their web site states that ActiveScout is looking for recon activity so some threshold or "trigger" must exist for them to differentiate recon from legitimate traffic.
Exactly.
> Their site also states that they're not signature based. Again, if they have some sort of logic based on thresholds (x amount of TCP packets per minute from the same source IP, etc.), it sounds like a signature to me. At least I know that Cisco, ISS, etc. all have threshold-based signatures in their IDS products.

Almost everything can be called a signature, to a level, but they usually don't use what you or I would call an IDS signature.

> All that aside, I saw the results of a SuperScan port scan that included a bunch of junk caused by ActiveScout. I would think that feeding an attacker a bunch of info that leads them to believe that you're really vulnerable is not a great idea (like open SunRPC ports, NetBIOS, etc.). I want less attention,

Then this is not about ActiveScout, it is about you not wanting to run a honeypot/net.

> not more. I suspect that anything out-of-the-ordinary would perhaps cause more attention. This is sort of a honeypot idea gone berserk. Instead of one host appearing vulnerable, all of your hosts appear vulnerable.

Not all hosts. You can set it to show how many hosts per how many attempts you want to be triggered, as well as what kind of hosts they should be. It doesn't have to work this way, it can also only monitor your network.. but that kind of beats the point.
The point being to catch the bad guy and block him. Don't expect it to catch all bad guys.

> Anyway, it doesn't sound like it buys much, if anything, over "traditional" IDS/IPS.
I strongly disagree, but it is not for everyone and much like any other products, it isn't perfect.
Gadi.
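As an added illustration (not ForeScout's code, and not from either poster), here is a toy Python sensor that models the two ideas argued over in this thread: a breadth threshold on recon attempts decides when a source gets handed bait, and any later reuse of that bait is treated as a definitive hit rather than a signature match. The flow records, the threshold value and the bait token format are constructed assumptions.

```python
# Toy model of a deception sensor: threshold-triggered bait, then
# block on bait reuse. Flows and bait format are constructed, not real.
from collections import defaultdict

RECON_THRESHOLD = 3   # distinct (host, port) probes before bait is handed out

# Constructed sample flows: (src, dst_host, dst_port, payload)
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80, ""),          # normal client, two services
    ("10.0.0.5", "192.0.2.10", 443, ""),
    ("203.0.113.7", "192.0.2.10", 111, ""),      # sweeps SunRPC/NetBIOS/SMB
    ("203.0.113.7", "192.0.2.11", 139, ""),
    ("203.0.113.7", "192.0.2.12", 445, ""),
    ("203.0.113.7", "192.0.2.12", 445, "mark:203.0.113.7"),  # comes back with bait
]


class DeceptionSensor:
    def __init__(self, threshold=RECON_THRESHOLD):
        self.threshold = threshold
        self.probes = defaultdict(set)   # src -> {(host, port)} seen so far
        self.marked = {}                 # src -> bait token it was given
        self.blocked = set()

    def bait_for(self, src):
        # Assumption: bait is a per-source token. A real product would answer
        # with fake open ports/banners; the token stands in for that data.
        return f"mark:{src}"

    def observe(self, src, host, port, payload):
        if src in self.blocked:
            return "blocked"
        # Phase 2: bait reuse is proof of intent, no rate signature involved.
        if src in self.marked and self.marked[src] in payload:
            self.blocked.add(src)
            return "blocked"
        # Phase 1: measure recon breadth (distinct targets), not packet rate.
        self.probes[src].add((host, port))
        if src not in self.marked and len(self.probes[src]) >= self.threshold:
            self.marked[src] = self.bait_for(src)
            return "marked"
        return "pass"


def run(flows, threshold=RECON_THRESHOLD):
    """Feed flows through one sensor; return the verdict for each flow."""
    sensor = DeceptionSensor(threshold)
    return [sensor.observe(*flow) for flow in flows]
```

Raising the threshold lets more hosts be probed before bait is issued, which is the "how many hosts per how many attempts" knob; a normal client that touches a couple of services is never marked.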