
| Subject: | RE: Tuning false positives |
|---|---|
| Date: | Tue, 3 Jan 2006 23:49:23 -0600 (CST) |
I could see where a SIM product, in particular CSMARS but any that supports event correlation, could certainly give the impression of reducing false positives. If you configure a CSMARS with default rules to collect events from an unconfigured, noisy Cisco IDS sensor... and only pay attention to what the CSMARS considers an "incident", you'll only see a subset of the actual events that fired on the sensor. I'm sure that makes some people happy ;-)

It doesn't help that CSMARS fails to parse numerous Cisco IDS events entirely (well-deserved stab at Cisco for making me open SEPARATE TICKETS for each signature the CSMARS fails to parse).

Bottom line is that both your IDS and your SIM need considerable configuration to be useful. This is as good a place as any to mention that getting your host logs into the SIM is infinitely more valuable than those mostly bogus IDS events.

On the subject of SIMs and vulnerability analysis scans... has anyone actually found this feature to be useful?

1) I can't even imagine letting my SIM scan the network in such an ad hoc manner. It doesn't help that none of the vendors seem to bother with providing much in the way of documentation of the process. I'm in a wacky world where an outage is almost never trivial ;-) I've used Nessus enough to know that it WILL eventually cause an outage.

2) I don't see how it would be helpful. The CSMARS is updated like once every 2 months. I would personally prefer something a little "lighter"... like an nmap OS ident or similar.

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder@Opus1.COM]
Sent: Thursday, December 29, 2005 10:03 AM
To: focus-ids@securityfocus.com
Subject: Re: Tuning false positives

Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:

> Before I catch too many flames, let me clarify that I recommend a good
> SIM product, of which MARS is one.

Hmmm, speaking of flames... not sure that I would necessarily agree that MARS is even a SIM product at all, depending on your definition of SIM, but in any case rather than flame in public, I'll pitch out:

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss506_art1043,00.html

which is a test I did of five SIMs late last year.
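The mechanism the poster describes, a correlation rule collapsing a noisy sensor's output into a much smaller "incident" queue, and the related point that host logs are what make an IDS event worth looking at, can be shown with a small toy correlator. The following is an added example written for this thread; it is not code from the thread, from Cisco, from CS-MARS, or from any other SIM. The event and log formats, the IP addresses, the signature numbers and names, and the "success" patterns are all constructed for the example and do not correspond to real sensor or syslog formats.

```python
"""Toy SIM-style correlation: raw IDS events in, a smaller set of
host-corroborated incidents out. Added example, not product code."""
import re
from datetime import datetime, timedelta

# Constructed sample input (made up for this example; signature numbers and
# names are hypothetical, not real Cisco IDS IDs). An unconfigured sensor
# fires on every SYN sweep and ping as well as on a couple of real attempts.
IDS_EVENTS = """\
2006-01-03T22:01:05 sig=1001 name="TCP SYN Port Sweep" src=10.1.1.7 dst=10.2.0.10
2006-01-03T22:01:06 sig=1001 name="TCP SYN Port Sweep" src=10.1.1.7 dst=10.2.0.11
2006-01-03T22:01:07 sig=1001 name="TCP SYN Port Sweep" src=10.1.1.7 dst=10.2.0.12
2006-01-03T22:03:40 sig=2207 name="HTTP Directory Traversal" src=10.1.1.9 dst=10.2.0.20
2006-01-03T22:03:41 sig=2207 name="HTTP Directory Traversal" src=10.1.1.9 dst=10.2.0.21
2006-01-03T22:10:02 sig=1000 name="ICMP Echo Request" src=10.1.1.3 dst=10.2.0.20
"""

# Constructed host logs from the same targets (also made up).
HOST_LOGS = """\
2006-01-03T22:02:00 host=10.2.0.10 msg="cron: job backup finished"
2006-01-03T22:04:15 host=10.2.0.20 msg="httpd: 10.1.1.9 GET /cgi-bin/../../etc/passwd 200"
2006-01-03T22:04:20 host=10.2.0.20 msg="sshd: Accepted password for www from 10.1.1.9"
2006-01-03T22:04:30 host=10.2.0.21 msg="httpd: 10.1.1.9 GET /cgi-bin/../../etc/passwd 404"
2006-01-03T22:30:00 host=10.2.0.20 msg="sshd: Accepted publickey for admin from 10.9.9.1"
"""

IDS_RE = re.compile(
    r'^(?P<ts>\S+) sig=(?P<sig>\d+) name="(?P<name>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)$')
HOST_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) msg="(?P<msg>[^"]*)"$')
# Host-side hints that the attempt actually did something. Assumption: what
# counts as "success" is site-specific; these patterns are illustrative only.
SUCCESS_RE = re.compile(r"Accepted|\b200\b|segfault|useradd")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_ids(text):
    """Parse sensor events; lines the regex does not match are dropped.
    That silent drop is exactly the failure mode the thread complains about."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = _ts(d["ts"])
            events.append(d)
    return events


def parse_host(text):
    logs = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = _ts(d["ts"])
            logs.append(d)
    return logs


def correlate(events, logs, window_s=120):
    """Rule: an IDS event becomes an incident only if, within window_s after
    it, the target host's own logs mention the attacking source address.
    Every other event stays in the raw feed the analyst never looks at.
    (Substring match on the address is good enough for the toy; a real rule
    should tokenize so 10.1.1.9 does not match 10.1.1.90.)"""
    window = timedelta(seconds=window_s)
    incidents = []
    for ev in events:
        evidence = [
            lg for lg in logs
            if lg["host"] == ev["dst"]
            and timedelta(0) <= lg["ts"] - ev["ts"] <= window
            and ev["src"] in lg["msg"]
        ]
        if evidence:
            incidents.append({
                "sig": ev["sig"], "name": ev["name"], "ts": ev["ts"],
                "src": ev["src"], "dst": ev["dst"],
                "evidence": [lg["msg"] for lg in evidence],
                # Corroborated by the host, and the host says it worked.
                "confirmed": any(SUCCESS_RE.search(lg["msg"]) for lg in evidence),
            })
    return incidents


def summary(events, incidents):
    """What the incident queue shows versus what the sensor actually fired."""
    by_sig = {}
    for ev in events:
        by_sig[ev["name"]] = by_sig.get(ev["name"], 0) + 1
    return {"raw_events": len(events), "incidents": len(incidents),
            "confirmed": sum(i["confirmed"] for i in incidents),
            "raw_by_signature": by_sig}


if __name__ == "__main__":
    evs = parse_ids(IDS_EVENTS)
    incs = correlate(evs, parse_host(HOST_LOGS))
    print(summary(evs, incs))
    for i in incs:
        print(f"{i['ts']} {i['name']} {i['src']}->{i['dst']} "
              f"confirmed={i['confirmed']} evidence={i['evidence']}")
```

On the constructed input, six sensor events collapse to two incidents and only one of those is confirmed by the host: the traversal against 10.2.0.20 is followed by a 200 and an accepted login from the same source, while the identical event against 10.2.0.21 only drew a 404. The three sweep events and the ping never reach the queue at all. That is the "subset" effect: nothing about the sensor got less noisy, the rule simply decided which events the analyst sees, and it could only do so because the host logs were in the SIM.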