IDS mailing list archives
Re: SourceFire RNA
From: Renaud Deraison <deraison () nessus org>
Date: Tue, 2 Dec 2003 17:33:21 -0500
On Tue, Dec 02, 2003 at 05:27:57PM -0500, Jason wrote:
The concern is that an inactive host is a greater threat to your network and the implication is that an active probe will flush these out. This is simply not true. For a host to be truly inactive it would have to not ARP, never broadcast,
This assumes that your passive scanner is sitting on the same physical subnet as the hosts you are monitoring. If you are a large organization, I really doubt you can deploy such scanners easily, as it would be both very costly and may raise political issues.
and never respond to a probe...
Where does the probe come from ? If there is a no-scan policy, what will make the remote host generate any traffic towards you ? -- Renaud --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- SourceFire RNA Lior Tal (Dec 02)
- RE: SourceFire RNA Rob Shein (Dec 02)
- Re: SourceFire RNA Renaud Deraison (Dec 02)
- RE: SourceFire RNA Rob Shein (Dec 02)
- Re: SourceFire RNA Renaud Deraison (Dec 02)
- RE: SourceFire RNA Rob Shein (Dec 02)
- RE: SourceFire RNA Lior Tal (Dec 03)
- Re: SourceFire RNA Martin Roesch (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 02)
- RE: SourceFire RNA Rob Shein (Dec 02)
- Re: SourceFire RNA Jason (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 03)
- Re: SourceFire RNA Jason (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 03)
- Re: SourceFire RNA Jason (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 03)
- Re: SourceFire RNA Jason (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 03)
- RE: SourceFire RNA Lior Tal (Dec 03)
- Re: SourceFire RNA Martin Roesch (Dec 03)
- Re: SourceFire RNA Ron Gula (Dec 03)