IDS mailing list archives
Re: Cisco CTR
From: Eric Hacker <focus () erichacker com>
Date: Mon, 01 Dec 2003 21:17:06 -0500
Martin Roesch wrote:
This is an interesting point and worth debating I think. Accuracy is a tricky thing in passive and active systems, on the one hand active systems get to send whatever stimuli they want to elicit a response, but when they're wrong about their interpretation of the results they're 100% wrong and depending on the circumstances of the error they may give you information that's 100% wrong with 100% confidence (i.e. false positives/negatives).

There is no requirement that active VA systems produce a result based on a single stimuli-response cycle. The fact that they do is a weakness in product design and not active probes in general.

Passive systems have more time to play with and therefore can introduce the concept of variable confidence levels and integrating data points over time ranges, but they are data driven and have to wait for the hosts/services/protocols/etc to reveal themselves. In the context of how accurate the two methods are, I think it'll be interesting to see just how accurate passive systems can be versus the false positive/negative rate of active methods.
I like what I'm hearing about passive VA tools and how they can complement active VA. What I can't figure out is how I could get passive sensors deployed anywhere near the entire environment. I have IDS requirements for only a small part of the overall network and even a relatively small section of the server farms. I have VA requirements everywhere some idiot has access to a network jack.
Eric Hacker