Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ForeScout ActiveScout

from [Gadi Evron] Network Security [Permanent Link]
Subject: Re: ForeScout ActiveScout
Date: Sat, 08 Jan 2005 14:08:21 +0200
Brent Stackhouse wrote: 
Gadi,

Thanks very much for your detailed response.  I
understand their definition of 100% accuracy but it
still begs the question as to how they make the
initial determination of what to track or not.  Surely

You have access to the machine.. just take a look. They provide with a good events log, as well as the ability to go down to the traffic itself

they don't send their crafted data on every single
connection to see if it comes back.  Their web site
states that ActiveScout is looking for recon activity
so some threshold or "trigger" must exist for them to
differentiate recon from legitimate traffic.


Exactly.

Their site also states that they're not signature
based.  Again, if they have some sort of logic based
on thresholds (x amount of TCP packets per minute from
the same source IP, etc.), it sounds like a signature
to me.  At least I know that Cisco, ISS, etc. all have
threshold-based signatures in their IDS products.

Almost everything can be called a signature, to a level, but they usually don't use what you or me would call an IDS signature.

All that aside, I saw the results of a SuperScan port
scan that included a bunch of junk caused by
ActiveScout.  I would think that feeding an attacker a
bunch of info that leads them to believe that you're
really vulnerable is not a great idea (like open
SunRPC ports, NetBIOS, etc.).  I want less attention,

Than this is not about ActiveScout, it is about you not wanting to run an honey pot/net.

not more.  I suspect that anything out-of-the-ordinary
would perhaps cause more attention.  This is sort of a
honeypot idea gone berserk.  Instead of one host
appearing vulnerable, all of your hosts appear
vulnerable.

Not all hosts. You can set it to show how many hosts per how many attempts you want to be triggered, as well as what kind of hosts should they be. It doesn't have to work this way, it can also only monitor your network.. but that kind of beats the point.

The point being catch the bad guy and block him. Don't expect it to catch all bad guys.

Anyway, it doesn't sound like it buys much, if
anything, over "traditional" IDS/IPS.

I strongly disagree, but it is not for everyone and much like any other products, it isn't perfect.

        Gadi.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: ForeScout ActiveScout, dywzh dywzh
Next by Date:  Re: ForeScout ActiveScout, Brent Stackhouse
Previous by Thread:  Re: ForeScout ActiveScout, Brent Stackhouse
Next by Thread:  RE: ForeScout ActiveScout, Carey, Steve T GARRISON
Indexes:  [Date] [Thread] [Top] [All Lists]