IDS mailing list archives

Re: ForeScout ActiveScout


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 08 Jan 2005 14:08:21 +0200

Brent Stackhouse wrote:
> Gadi,
>
> Thanks very much for your detailed response.  I
> understand their definition of 100% accuracy but it
> still begs the question as to how they make the
> initial determination of what to track or not.  Surely

You have access to the machine... just take a look. They provide you with a good events log, as well as the ability to go down to the traffic itself.

> they don't send their crafted data on every single
> connection to see if it comes back.  Their web site
> states that ActiveScout is looking for recon activity
> so some threshold or "trigger" must exist for them to
> differentiate recon from legitimate traffic.

Exactly.

> Their site also states that they're not signature
> based.  Again, if they have some sort of logic based
> on thresholds (x amount of TCP packets per minute from
> the same source IP, etc.), it sounds like a signature
> to me.  At least I know that Cisco, ISS, etc. all have
> threshold-based signatures in their IDS products.

Almost everything can be called a signature, to a level, but they usually don't use what you or I would call an IDS signature.

> All that aside, I saw the results of a SuperScan port
> scan that included a bunch of junk caused by
> ActiveScout.  I would think that feeding an attacker a
> bunch of info that leads them to believe that you're
> really vulnerable is not a great idea (like open
> SunRPC ports, NetBIOS, etc.).  I want less attention,

Then this is not about ActiveScout; it is about you not wanting to run a honeypot/net.

> not more.  I suspect that anything out-of-the-ordinary
> would perhaps cause more attention.  This is sort of a
> honeypot idea gone berserk.  Instead of one host
> appearing vulnerable, all of your hosts appear
> vulnerable.

Not all hosts. You can set it to show how many hosts per how many attempts you want to be triggered, as well as what kind of hosts they should be. It doesn't have to work this way; it can also only monitor your network... but that kind of beats the point.

The point being to catch the bad guy and block him. Don't expect it to catch all bad guys.

> Anyway, it doesn't sound like it buys much, if
> anything, over "traditional" IDS/IPS.

I strongly disagree, but it is not for everyone and, much like any other product, it isn't perfect.

        Gadi.
