Re: SourceFire RNA

[Renaud Deraison <deraison () nessus org>]

On Tue, Dec 02, 2003 at 05:27:57PM -0500, Jason wrote:
> The concern is that an inactive host is a greater threat to your network 
> and the implication is that an active probe will flush these out. 
>                      This is simply not true. For a host to be truly 
> inactive it would have to not ARP, never broadcast, 

This assumes that your passive scanner is sitting on the same physical subnet
as the hosts you are monitoring. If you are a large organization, I
really doubt you can deploy such scanners easily, as it would be both
very costly and may raise political issues.

> and never respond to 
> a probe... 

Where does the probe come from ? If there is a no-scan policy, what will
make the remote host generate any traffic towards you ?



                                -- Renaud

---------------------------------------------------------------------------
---------------------------------------------------------------------------