Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: on NIDS/NIPS tuning

from [Anton A. Chuvakin] Network Security [Permanent Link]
Subject: RE: on NIDS/NIPS tuning
Date: Wed, 15 Jun 2005 13:06:11 -0400 (EDT) 
Oh no, its me vs Raffy again :-)


I am curious to know what SIM product can handle un-tuned IDS alerts in
addition to firewall logs, server logs, and application logs. How accurate


I am not here to sell a particular SIM product (but do contact me if you
need more info on that). It will suffice to say that the best SIM products
can do the above, provided that the hardware was spec'ed correctly before
the implementation.


is the list of message ID's and the message parsing? I doubt that there is a
SIM vendor that has a correlation engine that can handle a fraction of the
traffic in an average data-center or enterprise network.


There certainly is...


Can they provide
packaged reporting and alert management?


Absolutely.


Flat-file or relational database?

I do know that some folks use custom-coded "flat-file-like" "databases",
but IMHO their advantages are not as significant as some think. At the
same time, their disadvantages are obvious :-)


Don't forget about your SOC operators who have to manage the message queue
and respond to all of the alerts.


Sure, a good SIM can handle the process side of the SOC operation.


You can not just push traffic to a SIM and
have it magically (and accurately) generate some golden nugget message.


That is actually a key point! That is what I would call a 'ultimate SIM
dream'. How close the real products are to that? It depends, but clearly
they are not there yet.


What
are you using to gather vulnerability assessment information and how is the
SIM correlating against that information? Valid alerts need to be measured


This actually presents the "secret sauce" of some SIM vendors and, in
general, goes too deep into product specifics. Do contact me if you want
more details on one possible way of doing it. In general, SIM will use
vuln data to automatically qualify IDS alerts as well compute various
risk metrics.

Best,
-- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
     http://www.info-secure.org
   http://www.securitywarrior.com


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Vulnerability & Exploit Signatures, dgr8hunt
Next by Date:  RE: on NIDS/NIPS tuning, Gary Halleen (ghalleen)
Previous by Thread:  Re: on NIDS/NIPS tuning, Raffael Marty
Next by Thread:  RE: on NIDS/NIPS tuning, Kohlenberg, Toby
Indexes:  [Date] [Thread] [Top] [All Lists]