Re: Announcement: Alert Verification for Snort
From: Sam f. Stover (sstover_at_atrc.sytexinc.com)
Date: Fri, 24 Oct 2003 11:40:46 -0400 To: "Andrew Hall" <email@example.com>
On Thursday, October 23, 2003, at 09:19 PM, Andrew Hall wrote:
> I think what you are really after is to be found in a good security
> information management (SIM) tool.
No - I wasn't talking about correlating events from disparate sources.
I'm looking for an intelligent IDS that will integrate into a SIM,
sure. But my points were specifically targeted towards an IDS that is
smarter today than the IDS of 10 or even 5 years ago.
> An IDS is good at what it does ... ie in raw detection of "events" ...
> by what ever means that is (string matching, heuristics, protocol
> anomaly etc)
No - an IDS *sensor* is good at what you describe. However, I'm
talking about the whole Intrusion Detection SYSTEM, which needs to do
much more than just detect events. I'm guessing that this sort of
thing is what Marty eluded to when he said that Sourcefire was working
on developing the means to do this.
> but as mentioned by others on the list the context is
> critical to determine if the event is really an "incident". And again,
> without context the priority of an incident can not be determined.
This is precisely my point. I need to be able to configure my IDS so
that events (which will eventually make it to the SIM) have been
categorized and prioritized in a way that helps me focus on important
> Finally, there is the good old debate of why an IDS is even being
> deployed in a network. I argue that an IDS has three main purposes all
> of which are essential;
> - Real time event notification
> - Trending analysis
> - Forensics
I don't really disagree with your 3 items (except maybe the "real time"
aspect of the first one).
> I argue that the only way to get this flexibility is to use a SIM tool
> ... something which can store large amounts of raw data / logs, yet
> present a highly filtered and highly correlated view of all the data in
> your network.
I don't think it's very responsible of an IDS vendor to generate
millions of alerts and then pass the responsibility for prioritizing
those alerts to a third party SIM tool. It sounds like this is what
you are suggesting? Or should IDS vendors become high-end SIM
developers as well?
I think some middle ground can be found which allows users to
prioritize without having to buy a SIM...
- application/pgp-signature attachment: PGP.sig