IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort and Nessus Signature

From: Olaf Gellert <og () pre-secure de>
Date: Fri, 23 Sep 2005 10:05:00 +0200
Ron Gula wrote:

Continuous scanning will help you find some things, but won't find:

- new client software
- hosts protected by personal firewalls
- off-port services (you want to do continuous scanning for all 65k ports?)


Well, you are thinking of scanning as a network
related process (a la NMAP), I guess. But there
a many other possibilities of scanning: Scanning
your local logfiles (eg host based sensors),
scanning your local filesystem, scanning your local
installation database for new software. This way you
may get much more (and very accurate) information
than by actively scanning the network (or by
analyzing the traffic).

Sure this is not as easily deployed as a single
network sensor, but it can very well be worth
the effort.

Cheers, Olaf

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           og () pre-secure de

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: