[Snort-users] RNA Config

Michael Schwartzkopff misch at ...3397...
Mon Aug 15 11:03:30 EDT 2005


On Monday, 15 August 2005 16:28, Ollie Walsh wrote:
> Hi,
(...)
>
> How do I maintain the vulnerability level for each
> host. If the RNA sensor tells me that hosts are
> potentially vulnerable to say Windows vulnerabilities,
> how do I get that info. Do I need to ask the customer
> to scan their hosts and give me a list of
> vulnerabilities that it's currently exposed to. Then
> how do we maintain that if new servers get patched, or
> patches don’t install properly and we think we are not
> vulnerable when in fact we are ???

In fact, if you use a Defense Center appliance from Sourcefire, the correlation
between attacks and vulnerabilities is done automatically. The vulnerability
data come from the RNA. In the Defense Center RNA page (also in the RNS page)
all vulnerabilities RNA thinks it found are listed. Sometimes RNA is not very
precise in that assumption. But you can manually clear every single
vulnerability.

> For MSSP type scenarios, whose responsibility does it
> fall on to keep RNA updated. Any recommendations ??

Buy the service from Sourcefire and configure RNA to update automatically.

> If RNA needs to be kept updated with vulnerability
> info and the baselining of all hosts initially, to me
> that involves a lot of man hours.
> Also, a question that I did not get to ask at the
> Sourcefire Training Course is that if a system is NOT
> vulnerable to a particular exploit due to a patch
> being deployed, does it still create an alert, albeit
> a low one, or does it ignore it totally.

Defense Center does this correlation.

>
> Hopefully someone can answer my questions and
> assumptions.

Just ask for a demo version of the defense center and play with it.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42