Re: Snort
From: Raffael Marty (rmarty_at_arcsight.com)
Date: 10/01/04
- Previous message: Matt Shelton: "Passive Asset Detection System v1.1.3 Released"
- In reply to: Ron Gula: "Re: Snort"
- Next in thread: Jose Maria Lopez: "Re: Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 Sep 2004 17:15:58 -0700
To: Ron Gula <rgula@tenablesecurity.com>
> (and I am biased, so I list Lightning & NeVO & Nessus
> first) are:
Note that I am biased too ...
> from SNORT, and qualify them with other events and
> vulnerability data. My only caveat is that most of
> the SIMs take a one-time snapshot of vulns and don't
> integrate daily vuln data that you can get with RNA
> or NeVO.
Make sure you note the "most of the SIMs"! I can't really talk about
too many of them, but the one I know quite well deals very nicely with
updates of vulnerability scans. As many as you want!
To throw out another thing you want to do with regards to snort alerts
and false positives: Take into account your environment! By environment
I mean things like what assets you have, how critical they are, what
ports are open, ... That's where the SIMs really come in and help a lot.
-raffy
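The environment-aware qualification described in the post, as an added example that is not part of the original message or of any SIM product: it parses Snort "fast" alert lines and scores each alert against a constructed asset inventory (open ports, business criticality, vulnerability IDs from the latest scan). All addresses, SIDs and VULN-* identifiers are constructed placeholders.

```python
import re

# Snort "fast" alert lines, constructed for this example.
FAST_ALERTS = """\
09/30-17:15:58.123456  [**] [1:100001:1] WEB-IIS example exploit attempt [**] [Priority: 1] {TCP} 192.0.2.10:43210 -> 10.0.0.20:80
09/30-17:16:02.000001  [**] [1:100001:1] WEB-IIS example exploit attempt [**] [Priority: 1] {TCP} 192.0.2.10:43211 -> 10.0.0.21:80
09/30-17:16:09.500000  [**] [1:100002:2] SMB example overflow attempt [**] [Priority: 1] {TCP} 192.0.2.11:1025 -> 10.0.0.21:445
"""

# Asset inventory ("your environment" in the thread): open ports, criticality
# 1-5, and vulnerability IDs from the most recent scan. All values constructed.
ASSETS = {
    "10.0.0.20": {"ports": {80, 443}, "criticality": 5, "vulns": {"VULN-IIS-1"}},
    "10.0.0.21": {"ports": {445}, "criticality": 2, "vulns": set()},
}
# Hypothetical mapping from Snort SID to the vulnerability the rule targets.
SID_TO_VULN = {100001: "VULN-IIS-1", 100002: "VULN-SMB-1"}

ALERT_RE = re.compile(
    r"\[\*\*\] \[1:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def qualify(line, assets=ASSETS, sid_to_vuln=SID_TO_VULN):
    """Return (verdict, score) for one fast-alert line, using asset context."""
    m = ALERT_RE.search(line)
    if not m:
        return ("unparsed", 0)
    sid, dst, dport = int(m["sid"]), m["dst"], int(m["dport"])
    asset = assets.get(dst)
    if asset is None:
        return ("unknown-asset", 1)  # not inventoried: keep, but low confidence
    if dport not in asset["ports"]:
        return ("port-closed", 0)  # nothing listening there: likely false positive
    if sid_to_vuln.get(sid) in asset["vulns"]:
        return ("vulnerable", 10 * asset["criticality"])  # confirmed exposure
    return ("port-open", 2 * asset["criticality"])  # listening, not known vulnerable


def triage(text=FAST_ALERTS):
    """Qualify every alert line; the score orders what an analyst looks at first."""
    return [qualify(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for verdict, score in triage():
        print(f"{verdict:14} score={score}")
```

Re-running the scan and replacing ASSETS is all that is needed to pick up new vulnerability data, which is the "as many updates as you want" point made above.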