Ron Gula wrote:
> Continuous scanning will help you find some things, but won't find:
>
> - new client software
> - hosts protected by personal firewalls
> - off-port services (you want to do continuous scanning for all 65k ports?)
Well, you are thinking of scanning as a network
related process (a la NMAP), I guess. But there
a many other possibilities of scanning: Scanning
your local logfiles (eg host based sensors),
scanning your local filesystem, scanning your local
installation database for new software. This way you
may get much more (and very accurate) information
than by actively scanning the network (or by
analyzing the traffic).
Sure this is not as easily deployed as a single
network sensor, but it can very well be worth
the effort.
Cheers, Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
