Re: Snort and Nessus Signature

[Ron Gula <rgula () tenablesecurity com>]

At 04:05 AM 9/23/2005, Olaf Gellert wrote:
> Ron Gula wrote:
> > Continuous scanning will help you find some things, but won't find:
> >
> > - new client software
> > - hosts protected by personal firewalls
> > - off-port services (you want to do continuous scanning for all 65k ports?)
>
> Well, you are thinking of scanning as a network
> related process (a la NMAP), I guess. But there
> a many other possibilities of scanning: Scanning
> your local logfiles (eg host based sensors),
> scanning your local filesystem, scanning your local
> installation database for new software. This way you
> may get much more (and very accurate) information
> than by actively scanning the network (or by
> analyzing the traffic).
>
> Sure this is not as easily deployed as a single
> network sensor, but it can very well be worth
> the effort.

Yes, much agreed. Many of the talks I've given recently usually
start off with a slide saying "there are more ways to detect
vulnerabilities than with network scanners". Every technique
has a pro and con and I also like to point out some sort of
political or management cost.

With how well this relates to IDS/VA correlation, all of these
processes need to be fairly centralized and real time.

Ron Gula, CTO
Tenable Network Security







------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------