IDS mailing list archives

Re: SourceFire RNA


From: Renaud Deraison <deraison () nessus org>
Date: Tue, 2 Dec 2003 21:16:41 -0500

On Tue, Dec 02, 2003 at 08:32:27PM -0500, Jason wrote:
> We are entering the realm of religious debate here and definitely off
> topic into the pro/con of active VS passive.

Correct. We'll see if this goes through :)


[...]
> > Oh right. Scan often.
>
> This is an option in some cases. There are practical limitations to
> scanning often that get in the way.

Yes. This is why a passive scanner is good between two scans. However
the passive scanner will produce many false negatives (or positives,
depending on how you implement it - if you do a simple OS lookup in a
vuln database, then in the end you have something which is useless
from a VA standpoint).

[...]
> Of course this gets complicated quick, distributed scanning could help
> but is it more realistic to deploy 14 scanning nodes over 14 passive
> observation nodes?

It depends. You're talking about 14 physical segments. I'm talking about
the same physical location - it's not unrealistic to think that out
there there are some people using routers to only route traffic between
two subnets on the same campus, with no filtering between the two. So
maybe we're talking about 4 scanning nodes vs. 14 passive ones.


> What about the remote office that
> Pulls in a DSL line
> Adds a new network
> Has mobile employees
> ...

This happens, of course. Then it's also a matter of HOW to use the
tools. I know a Nessus user who wrote a script which kicks off a scan
each time a DHCP lease is handed out. Passive scanners also have this
sort of shortcoming of their own.


[...]
> > The implementation of the scanners may be flawed, but the same can be
> > said of passive scanners as well - ie: maybe there are some changes in
> > behavior they don't see. Don't mix the principles with their actual
> > implementation.
>
> The technologies can be equally flawed so when deciding which technology
> to use there is no useful measurement here.

This is totally correct.

> > What more do you need to know?
> > it is a WinXXX system.
> > You determine that passively.
>
> are you saying that you cannot?

No. I said "you can determine that passively". ie: you CAN determine
that passively. I'm not the native English speaker here, however I fail
to understand how I could be clearer than that.

[...]
> In practice even an overworked disorganized admin can identify when they
> last rolled out a patch. A very organized security team is not needed.
> Odds are the last patch was the last time the press picked up a major
> event anyway. Who would selectively patch subnets and not know why and
> how?

I don't know which world you live in. In the world I know, you have the
security team on the one hand who wants to make sure that every admin
*did* install the newest patch(es). And on the other hand, you have the
administrators who sometimes apply the patch, sometimes not, or sometimes
think their uptime is more important so they apply it but don't reboot.

And my world is no fantasy world either - just ask the Nessus users.


[...]
> What about the shell listening on the non standard port 707?
> How did we miss that in our weekly scan of common ports?

Maybe you misconfigured your scanner? :)


[...]
> I have not said active scanners are useless. I have presented some of
> the reasons why I believe that passive is a better way to go.

Then you've made your point and I hope this will conclude the thread.
You simply forgot one thing: the usual disclaimer about who you are
working for [ie: SourceFire(*)].


                                -- Renaud


(*) At least according to your headers
