At 02:09 PM 9/27/2004 -0700, Jeremy Gonzales wrote:
Hi,
Does anyone have experience with snort reports? How do
you deal with the loads of information? Is there a way
to generate reports that eliminate the false
positives? Any help will be appreciated.
Thanks,
Jeremy.
There are a variety of commercial and open source IDS
and SIM solutions. Things you should check out include
(and I am biased, so I list Lightning & NeVO & Nessus
first) are:
- Lightning Console and NeVO from Tenable Network Security.
It can manage several dozen Snort sensors and correlate
Snort IDS events with vulns discovered passively via
NeVO, through distributed Nessus scanning or through
Nessus's host-based UNIX and NT checks.
- Sourcefire's RNA and their console can help qualify
if an IDS event is relevant or not. I've seen people
use RNA to highlight specific events which may target
a known vulnerability.
- SIM vendors like Guarded.net can take in IDS events
from SNORT, and qualify them with other events and
vulnerability data. My only caveat is that most of
the SIMs take a one-time snapshot of vulns and don't
integrate daily vuln data that you can get with RNA
or NeVO.
- In the open source arena, there are tools like
Gherkin and I've seen people write scripts to use the
output of p0f and nmap to remove non vuln snort events.
Ron Gula, CTO
Tenable Network Security
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
