IDS: Re: SourceFire RNA

[Martin Roesch <roesch () sourcefire com>]

We can track and profile every active network element that's generating  
traffic on the network and we can discover new elements in real-time.   
The answer to the "how do you detect inactive hosts" question is "we  
don't", you have to decide how important it is to know about machines  
that are completely inactive on a network.  This kind of falls into the  
"if a tree falls in the woods..." category from a certain standpoint,  
but if you want to discover all the inactive hosts on your network and  
track them on an ongoing basis then you can simply run an initial  
discovery scan with any scanning tool (eg. nmap/strobe/hping/etc) and  
RNA will see the scan traffic and auto-populate itself with host  
representations for everything that responds.
     -Marty

On Dec 2, 2003, at 5:58 AM, Lior Tal wrote:

> Hi,
> Did anyone had a chance to evaluate the RNA published on SourceFire  
> web site?
> From what I coule understand, they claim that by passive traffic  
> analysis the RNA can trace every network device, service and open port  
> within a network. It is difficult for me to understand how can passive  
> traffic analysis detect inactive devices and services which do not  
> transmit any network traffic?
> Can anyone help figure that one?
> Lior
> US-Path Inc.
>
> ----------------------------------------------------------------------- 
> ----
> ----------------------------------------------------------------------- 
> ----
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


---------------------------------------------------------------------------
---------------------------------------------------------------------------