Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: CiscoWorks - VMS - IDS Monitoring and Alerting

from [Torben Grisell] Network Security [Permanent Link]
Subject: Re: CiscoWorks - VMS - IDS Monitoring and Alerting
Date: Thu, 02 Dec 2004 23:54:28 +0100 
Hi,

I know that many are using IBM's Tivoli Risk Manager.

You can read more about it her:
http://www-306.ibm.com/software/tivoli/products/risk-mgr/detail.html

You can read more about the Cisco IDS adapter her:
http://www.redbooks.ibm.com/abstracts/REDP0202.html

Cheers,
Torben Grisell

Terry S wrote:

I was wondering if Cisco has any “Best Practices” on the best ways to use IDS Event Manager and or do you know what other companies are doing to best us it. I feel that we are not getting 100% out of it. I am still having issues with monitoring and making sure we are getting the right alerts. I feel like unless I have someone sitting right in front of it watching every minute that we are missing things.

I have downloaded a Perl script from Cisco’s website but you are still limited on what you can assign the script to.

For example: When I go to assign the script to a filter the only choices I have are:

Originating Device Originating Device Address Attacker Address Victim Address Signature Name Signature ID Severity

From these choices not one is good because you have to know info, like Originating Device IP. If I pick Severity = High then all High alerts trigger the script. When I tested this one I was getting e-mail after e-mail. I did set the thresholds.

What would be nice if there was a way to do “Grouping” Signatures, meaning that I could make a group and add all the Virus/Worm related signatures to that group and then create a filter that would alert when a signature from that group was matched? Grouping would allow us to focus our alerts a little better.

Any help or suggestions would be nice on the best wayt to get the Event Manager to alert use to an issue. 

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------



Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Foolin an IDS ?, Maynor, David (ISS Atlanta)
Next by Date:  Re: Snort implementation question?, Thomas Ptacek
Previous by Thread:  CiscoWorks - VMS - IDS Monitoring and Alerting, Terry S
Next by Thread:  Re: CiscoWorks - VMS - IDS Monitoring and Alerting, Alexis Caurette
Indexes:  [Date] [Thread] [Top] [All Lists]