RE: Networking IDS Correlation Question

From: John Kelly (idswizard@hotmail.com)
Date: 01/28/02


From: "John Kelly" <idswizard@hotmail.com>
To: focus-ids@securityfocus.com
Date: Mon, 28 Jan 2002 14:28:04 -0500

You may want to look at a product like neuSECURE from Guarded.net
http://www.guarded.net/ They are vendor neutral, so you are not stuck if
you need to expand your solution. neuSECURE can correlate IDS, firewalls,
routers, basically any device that can syslog or provide SNMP. They also
have a solution for Windows logs. The product provides a threat
calculation, which helps in determining what alerts to address first.
Additionally, it does passive, semi-active and active responses (DNS
queries, portscans, etc.). It was built with RealSecure in mind.

However, it does run on Unix, so it may be beyond your client's skill level.
There are other products out there such as Spectrum, netForensics,
Intellitactics, eSecurity etc. Each has its own advantages and
disadvantages. There is an article online outlining some of these types of
solutions:

http://www.infosecuritymag.com/2002/jan/features_command.shtml

I would recommend staying away from vendor-specific solutions if your client
has any intention of expanding their threat view beyond IDS.

Just a thought.

-----------------------------------------------------------
I have been asked by one of my clients to purchase a program which
correlates Intrusion Detection System (IDS) data from network and host based
systems. My client's company is running ISS's RealSecure, which is guarding
its perimeter and high value targets, and a proprietary third party IDS which
is placed on many of its hosts. The software is searching for all sorts of
attacks, both internal and external to the network. Does anyone know of any
COTS software products which could aid in this problem? Most of the
client's enterprise networking is Windows NT 4.0 based. I have been looking
at ISS's SAFEsuite Decisions and Enterasys Networks' Vulnerability Correlation Tool.

Looking for any opinions, suggestions, comments.

Thanks-
Scott Margulis
MCSE/MCP+I
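The kind of vendor-neutral correlation and threat ranking the reply describes (normalizing syslog from a network IDS, a firewall and a host IDS, grouping by attacker address, then weighting by asset value) can be sketched in a few dozen lines. The following is an added illustration, not code from neuSECURE, RealSecure or any other product named here; the log formats, host names, addresses and the asset weight table are all constructed.

```python
"""Toy vendor-neutral event correlator (added example; constructed data only)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines from three sensor types (formats invented for illustration).
SAMPLE_LOG = """\
Jan 28 14:20:01 nids1 nids: SIG=Web-IIS-Unicode SRC=10.9.8.7 DST=192.0.2.10 SEV=3
Jan 28 14:20:05 fw1 fw: DROP src=10.9.8.7 dst=192.0.2.10 dport=445
Jan 28 14:20:40 fw1 fw: DROP src=10.9.8.7 dst=192.0.2.10 dport=139
Jan 28 14:21:10 hids-web1 hids: host=192.0.2.10 event=failed_logon user=Administrator from=10.9.8.7 sev=2
Jan 28 14:35:00 fw1 fw: DROP src=198.51.100.5 dst=192.0.2.99 dport=23
"""
# Asset criticality for the "high value targets" (constructed); unknown hosts weigh 1.0.
ASSET_WEIGHT = {"192.0.2.10": 3.0}
PATTERNS = {  # one parser per sensor type, all mapped to the same field names
    "nids": re.compile(r"SIG=(?P<sig>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) SEV=(?P<sev>\d)"),
    "fw":   re.compile(r"DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+"),
    "hids": re.compile(r"host=(?P<dst>\S+) event=(?P<sig>\S+) user=\S+ from=(?P<src>\S+) sev=(?P<sev>\d)"),
}

def normalize(line):
    """Turn one raw line from any sensor into a common event dict, or None if unparseable."""
    m = re.match(r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+): (.*)", line)
    if not m:
        return None
    ts = datetime.strptime("2002 " + m.group(1), "%Y %b %d %H:%M:%S")  # syslog has no year; assumed
    kind, body = m.group(2), m.group(3)
    f = PATTERNS[kind].search(body) if kind in PATTERNS else None
    if not f:
        return None
    d = f.groupdict()
    return {"ts": ts, "source": kind, "src": d["src"], "dst": d["dst"],
            "sig": d.get("sig", "fw-drop"), "sev": int(d.get("sev", 1))}

def score(src, evs):
    """Threat score: summed severity x number of distinct sensor types x max asset weight."""
    sensors = {e["source"] for e in evs}
    asset = max(ASSET_WEIGHT.get(e["dst"], 1.0) for e in evs)
    return {"src": src, "score": sum(e["sev"] for e in evs) * len(sensors) * asset,
            "sensors": sorted(sensors), "start": evs[0]["ts"], "count": len(evs)}

def correlate(text, window=timedelta(minutes=5)):
    """Group events by attacker address inside a time window; return incidents, worst first."""
    by_src = defaultdict(list)
    for ev in filter(None, map(normalize, text.splitlines())):
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        bucket = []
        for ev in evs:
            if bucket and ev["ts"] - bucket[0]["ts"] > window:  # window expired: close incident
                incidents.append(score(src, bucket)); bucket = []
            bucket.append(ev)
        incidents.append(score(src, bucket))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

Running `correlate(SAMPLE_LOG)` ranks the address seen by all three sensors against a high-value host far above the lone firewall drop, which is the "what to address first" ordering the reply attributes to a threat calculation.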



