IDS mailing list archives

RE: SourceFire RNA


From: "Lior Tal" <lior () us-path com>
Date: Tue, 2 Dec 2003 19:17:42 +0200

Marty,
Many thanks for the reply.
When a computer is installed it usually includes many services that are
inactive, and therefore passive detection may identify the device (IP and
OS), but it would be difficult or impossible to detect inactive services
that reflect open ports. These inactive services, as far as I understand,
still present vulnerabilities within the network. Also, if you try to
mitigate the false alarm problem of NIDS sensors, is it possible to
tell whether an attack is going to be successful if you do not know of
these services?
Another issue I have is the VA aspect of RNA presented on SourceFire's
web site - if passive detection cannot detect all devices and running
services, how is it possible to provide a reliable network map and
vulnerability information?
Kind regards,
Lior Tal  

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com] 
Sent: Tuesday, December 02, 2003 6:27 PM
To: Lior Tal
Cc: focus-ids () securityfocus com
Subject: Re: SourceFire RNA

We can track and profile every active network element that's generating
traffic on the network and we can discover new elements in real-time.
The answer to the "how do you detect inactive hosts" question is "we
don't", you have to decide how important it is to know about machines
that are completely inactive on a network.  This kind of falls into the
"if a tree falls in the woods..." category from a certain standpoint,
but if you want to discover all the inactive hosts on your network and
track them on an ongoing basis then you can simply run an initial
discovery scan with any scanning tool (e.g. nmap/strobe/hping/etc) and
RNA will see the scan traffic and auto-populate itself with host
representations for everything that responds.

      -Marty

On Dec 2, 2003, at 5:58 AM, Lior Tal wrote:

Hi,
Did anyone have a chance to evaluate the RNA published on SourceFire
web site?
From what I could understand, they claim that by passive traffic
analysis the RNA can trace every network device, service and open port
within a network. It is difficult for me to understand how passive
traffic analysis can detect inactive devices and services which do not
transmit any network traffic?
Can anyone help figure that one?
Lior
US-Path Inc.


-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
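Added example (not Sourcefire's RNA code and not part of this thread): a toy passive-discovery model in Python that illustrates the point in Marty's reply. A sensor that only listens learns about a host the first time that host sends a packet; a discovery scan makes otherwise silent hosts answer, and only the ports that answer SYN/ACK show up as services. All addresses, ports and packet records below are constructed for the example, and the six-field packet tuple is a simplification of what a real sensor sees on the wire.

```python
"""Toy model of passive host/service discovery.

Constructed example for this thread; it is not RNA's implementation.
Packets are simplified to (src, dst, sport, dport, proto, flags) tuples
with hypothetical 10.0.0.x addresses.
"""
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    """What the passive sensor knows about one IP address."""
    ip: str
    services: set = field(default_factory=set)  # (proto, port) confirmed listening
    closed: set = field(default_factory=set)    # (proto, port) that answered RST/ACK


def passive_inventory(packets):
    """Build host profiles from observed packets only.

    A host becomes known when it *sends* something; a destination that
    never replies is not recorded (it may not exist at all). A TCP service
    is confirmed when the server side sends SYN/ACK from the probed port,
    and a RST/ACK proves the host is up but the port is closed.
    """
    hosts = {}
    for src, dst, sport, dport, proto, flags in packets:
        profile = hosts.setdefault(src, HostProfile(src))
        if proto != "tcp":
            continue  # the toy model only interprets TCP handshakes
        if flags == "SA":
            profile.services.add(("tcp", sport))
        elif flags == "RA":
            profile.closed.add(("tcp", sport))
    return hosts


def known_hosts(packets):
    """IPs the sensor has seen transmit, sorted."""
    return sorted(passive_inventory(packets))


def listening_services(packets, ip):
    """Confirmed listening (proto, port) pairs for one host."""
    profile = passive_inventory(packets).get(ip)
    return sorted(profile.services) if profile else []


def closed_ports(packets, ip):
    """(proto, port) pairs that answered with RST for one host."""
    profile = passive_inventory(packets).get(ip)
    return sorted(profile.closed) if profile else []


# Constructed day-to-day traffic: a workstation fetches a page from a web server.
BACKGROUND = [
    ("10.0.0.10", "10.0.0.20", 51000, 80, "tcp", "S"),
    ("10.0.0.20", "10.0.0.10", 80, 51000, "tcp", "SA"),
    ("10.0.0.10", "10.0.0.20", 51000, 80, "tcp", "A"),
]
# 10.0.0.50 is on the network but nothing talks to it: the sensor never sees it.

# Constructed traffic from an initial discovery scan run from 10.0.0.99
# against 10.0.0.50 on ports 22, 23 and 80.
SCAN = [
    ("10.0.0.99", "10.0.0.50", 40000, 22, "tcp", "S"),
    ("10.0.0.50", "10.0.0.99", 22, 40000, "tcp", "SA"),   # ssh is listening
    ("10.0.0.99", "10.0.0.50", 40001, 23, "tcp", "S"),
    ("10.0.0.50", "10.0.0.99", 23, 40001, "tcp", "RA"),   # telnet port closed
    ("10.0.0.99", "10.0.0.50", 40002, 80, "tcp", "S"),
    # No answer on 80: a filtered port or a stopped service leaves no trace.
]


if __name__ == "__main__":
    print("Background only:", known_hosts(BACKGROUND))
    print("After scan:     ", known_hosts(BACKGROUND + SCAN))
    print("10.0.0.50 listening:", listening_services(BACKGROUND + SCAN, "10.0.0.50"))
    print("10.0.0.50 closed:   ", closed_ports(BACKGROUND + SCAN, "10.0.0.50"))
```

Running it shows 10.0.0.50 absent from the inventory until the scan, after which it appears with tcp/22 confirmed listening and tcp/23 recorded as closed. Note what the model does not do: the service that is installed but not running (Lior's concern) sends nothing in either case, so neither the passive sensor nor the scan can see it; the scan only turns silent hosts and listening ports into observable traffic.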



