Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Tuning false positives

from [Balázs Imre] Network Security [Permanent Link]
Subject: RE: Tuning false positives
Date: Wed, 28 Dec 2005 10:08:16 +0100 
I would also recommend to take a look on Envision from Network Intelligence. It 
is similar to Cisco CS-MARS (ex Protego), but a
lot more devices and applications are supported.

Balazs

-----Original Message-----
From: Gary Halleen (ghalleen) [mailto:ghalleen@cisco.com] 
Sent: Wednesday, December 28, 2005 5:39 AM
To: Sam Heshbon
Cc: focus-ids@securityfocus.com
Subject: RE: Tuning false positives

Take a look at a good SIM product, like CS-MARS from Cisco Systems.
This correlates IPS/IDS events with firewall and other network device logs, and 
also with vulnerability assessment tools (including NESSUS built-in).  This 
correlation is again correlated with network topology information, and 
automatically tunes your events for you.

In addition, there is a wealth of reports and query capabilities, as well as a 
lot of options for manually creating rules and doing further tuning.

Even though it is from Cisco, it works with most IDS/IPS and firewall products, 
not just Cisco.

Gary
 


-----Original Message-----
From: Sam Heshbon [mailto:sheshbon@yahoo.com]
Sent: Sunday, December 25, 2005 3:21 AM
To: focus-ids@lists.securityfocus.com
Subject: Tuning false positives

My company is testing a few intrusion detection & prevention products.
On the first few hours/days after deployment the machines alert on ten of 
thousands of events, which is way too much for us to ever go through, most of 
which are false alarms.
   
The vendor's solution is tuning the systems, which means shutting down 
signatures, detection mechanisms, omitting defragmentation tests and so on. 
These tunings do reduce dramatically the number of alerts, but it seems most of 
the detection capabilities have been shut off too, so things are nice and quite 
but we've no idea what's really going on in our network apart from catching the 
trivial threats such as old worms, which don't get false alarms.
Has anyone encountered this situation? Anyone got a solution?
   
Thanks
   
Sam



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Tuning false positives, Hazel, Scott A.
Next by Date:  RE: Tuning false positives, Gary Halleen (ghalleen)
Previous by Thread:  RE: Tuning false positives, Hazel, Scott A.
Next by Thread:  RE: Tuning false positives, Gary Halleen (ghalleen)
Indexes:  [Date] [Thread] [Top] [All Lists]