Network Security Focus-IDS
RE: Tuning false positives (Nessus in CS-MARS)

Subject: RE: Tuning false positives (Nessus in CS-MARS)
Date: Wed, 28 Dec 2005 09:19:44 -0500
I'd like to point out that although Cisco ships the Nessus 2 scanner inside
the CS-MARS product, we (Tenable) have not licensed any vulnerability checks
to them (or CS-MARS customers), so any VA/IDS correlation is very out of date.

Tenable's solution for VA/IDS correlation not only includes the latest
vulnerability checks for Nessus, but also host-based UNIX and Windows checks
as well as continuous passive monitoring with our NeVO product.

Ron Gula, CTO
Tenable Network Security

----- Original Message -----
From: "Gary Halleen (ghalleen)" <ghalleen@cisco.com>
To: "Sam Heshbon" <sheshbon@yahoo.com>
Cc: <focus-ids@securityfocus.com>
Subject: RE: Tuning false positives
Date: Tue, 27 Dec 2005 20:38:56 -0800

Take a look at a good SIM product, like CS-MARS from Cisco
Systems. This correlates IPS/IDS events with firewall and
other network device logs, and also with vulnerability
assessment tools (including NESSUS built-in).  This
correlation is again correlated with network topology
information, and automatically tunes your events for you.

In addition, there is a wealth of reports and query
capabilities, as well as a lot of options for manually
creating rules and doing further tuning.

Even though it is from Cisco, it works with most IDS/IPS
and firewall products, not just Cisco.

Gary
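
The correlation Gary describes (IDS events checked against vulnerability-scan results and firewall topology so that alerts for unreachable or non-vulnerable targets are de-prioritized instead of signatures being switched off, which is the problem Sam raises) as an added Python sketch. This is example code written for this archive page, not code from the thread, from CS-MARS or from any vendor product; the hosts, firewall rules, alerts and CVE identifiers are constructed placeholders, and the `classify` ordering is one reasonable policy, not a product's.

```python
"""VA/IDS correlation sketch: rank IDS alerts using scan results and topology.

Added example; hosts, rules, alerts and CVE ids below are constructed placeholders.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """One IDS event. `cve` is the weakness the signature fires on, if known."""
    sig_id: int
    name: str
    cve: Optional[str]
    src: str
    dst: str
    dst_port: int


@dataclass
class HostProfile:
    """What the vulnerability scanner last reported about a host."""
    ip: str
    os_family: str
    open_ports: Set[int]
    vulns: Set[str]


# Constructed scan inventory (hypothetical hosts, placeholder CVE ids).
VA_RESULTS: Dict[str, HostProfile] = {
    "10.0.1.5": HostProfile("10.0.1.5", "windows", {80, 445}, {"CVE-EXAMPLE-0001"}),
    "10.0.1.6": HostProfile("10.0.1.6", "linux", {22, 80}, set()),
}

# Constructed firewall policy as permit rules (source network, destination, port).
# Anything not listed is treated as denied.
ACL: List[Tuple[str, str, int]] = [
    ("0.0.0.0/0", "10.0.1.5", 80),      # web reachable from anywhere
    ("10.0.0.0/8", "10.0.1.5", 445),    # SMB only from internal networks
    ("0.0.0.0/0", "10.0.1.6", 80),
    ("0.0.0.0/0", "10.0.1.99", 80),     # host that was never scanned
]


def reachable(src: str, dst: str, port: int, acl=ACL) -> bool:
    """True if the firewall policy lets src reach dst:port."""
    s = ipaddress.ip_address(src)
    return any(
        s in ipaddress.ip_network(net) and dst == d and port == p
        for net, d, p in acl
    )


def classify(alert: Alert, va=VA_RESULTS, acl=ACL) -> Tuple[str, str]:
    """Return (disposition, reason). Dispositions: high, low, review, drop.

    Topology is checked first (no scan data needed), then the scan inventory.
    Alerts are never silenced by signature; each is judged against its target.
    """
    if not reachable(alert.src, alert.dst, alert.dst_port, acl):
        return "drop", "firewall policy blocks this path"
    host = va.get(alert.dst)
    if host is None:
        return "review", "target not in scan inventory"
    if alert.dst_port not in host.open_ports:
        return "drop", "port closed on target at last scan"
    if alert.cve is None:
        return "review", "signature not tied to a scanned vulnerability"
    if alert.cve in host.vulns:
        return "high", "target confirmed vulnerable"
    return "low", "target not vulnerable to this CVE"


def summarize(alerts: List[Alert]) -> Counter:
    """Count alerts per disposition; shows how far the volume drops."""
    return Counter(classify(a)[0] for a in alerts)


# Constructed sample alerts (203.0.113.7 is an external address, 10.0.2.9 internal).
SAMPLE_ALERTS = [
    Alert(1001, "SMB exploit attempt", "CVE-EXAMPLE-0001", "203.0.113.7", "10.0.1.5", 445),
    Alert(1001, "SMB exploit attempt", "CVE-EXAMPLE-0001", "10.0.2.9", "10.0.1.5", 445),
    Alert(2002, "IIS overflow attempt", "CVE-EXAMPLE-0002", "203.0.113.7", "10.0.1.6", 80),
    Alert(3003, "Suspicious HTTP request", None, "203.0.113.7", "10.0.1.6", 80),
    Alert(1001, "SMB exploit attempt", "CVE-EXAMPLE-0001", "203.0.113.7", "10.0.1.99", 80),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        disposition, reason = classify(a)
        print(f"sig {a.sig_id} {a.src} -> {a.dst}:{a.dst_port}: {disposition} ({reason})")
    print(dict(summarize(SAMPLE_ALERTS)))
```

The point of the ordering is that the same signature produces a different disposition depending on the target: the external SMB attempt is dropped because the firewall never lets it through, the internal one is raised to high because the scan confirmed the weakness, and a host the scanner has never seen stays in the review queue rather than being silently discarded. Stale scan data is the weak spot of this approach, which is why the scan inventory should carry a timestamp and be refreshed on a schedule.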
 


-----Original Message-----
From: Sam Heshbon [mailto:sheshbon@yahoo.com] 
Sent: Sunday, December 25, 2005 3:21 AM
To: focus-ids@lists.securityfocus.com
Subject: Tuning false positives

My company is testing a few intrusion detection &
prevention products. In the first few hours/days after
deployment the machines alert on tens of thousands of
events, which is way too much for us to ever go through,
most of which are false alarms.

The vendor's solution is tuning the systems, which means
shutting down signatures and detection mechanisms, omitting
defragmentation tests and so on. These tunings do dramatically
reduce the number of alerts, but it seems most of the
detection capabilities have been shut off too, so things
are nice and quiet but we've no idea what's really going on
in our network apart from catching the trivial threats such
as old worms, which don't get false alarms.
Has anyone encountered this situation? Anyone got a
solution?

Thanks

Sam




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world
attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
