IDS mailing list archives

Re: SourceFire RNA
From: Renaud Deraison <deraison () nessus org>
Date: Tue, 2 Dec 2003 17:33:21 -0500

On Tue, Dec 02, 2003 at 05:27:57PM -0500, Jason wrote:
> The concern is that an inactive host is a greater threat to your network
> and the implication is that an active probe will flush these out.
> This is simply not true. For a host to be truly
> inactive it would have to not ARP, never broadcast,

This assumes that your passive scanner is sitting on the same physical subnet
as the hosts you are monitoring. If you are a large organization, I
really doubt you can deploy such scanners easily, as it would be both
very costly and may raise political issues.

> and never respond to
> a probe...

Where does the probe come from? If there is a no-scan policy, what will
make the remote host generate any traffic towards you?



                                -- Renaud
