IDS mailing list archives

Re: SourceFire RNA


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 3 Dec 2003 16:03:35 -0500

On Dec 3, 2003, at 3:14 PM, Ron Gula wrote:

> On Wed, 3 Dec 2003 1:21pm, Martin Roesch wrote:
>
>> (Stuff deleted)
>>
>> The same can be said of active discovery techniques; it is just as possible to hide from an active scanner as it is to hide from a passive one, so we can never know that we have 100% perfect knowledge of what's on our networks with either technology. On the other hand, I'm an advocate of the "perfect is the enemy of good enough" school of engineering: we need solutions that can detect changes in the network environment in real-time, and scanners can't do that. RNA can, and so it provides a good solution to a hard problem.
>
> Of course scanners can detect change in networks. They may not be able to detect them in as near real time as a passive scanner like RNA, NeVO, Securify or Arbor's products, but doing a diff of multiple active scans shows lots of change. Products like Lightning, Foundstone, and eEye detect change in networks each time they run.

I said "in real-time". We were doing diffs on active scans when you and I helped to build the GNI IDS back at GTE-I in 1997, as I'm sure you'll recall; that's nothing new. Real-time detection of change is a far cry from periodic interrogative passes, though. As you know, timeliness can be a big factor in providing defense and response to a variety of nondeterministic situations that can arise on networks that are poorly served by active discovery methods.

    -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

