RE: IDS event filtering

From: Phil Hollows (phollows_at_open.com)
Date: 01/04/05

  • Next message: naga raj peddisetty: "IDS Evaluation"
    Date: Tue, 4 Jan 2005 10:57:27 -0500
    To: "Ofer Shezaf" <Ofer.Shezaf@breach.com>, <focus-ids@lists.securityfocus.com>
    
    

    Part of the issue with any set of filters, especially ones that are
    manually managed, is that you create an ongoing management burden (and
    associated structural, recurring costs) as threats, hosts and
    vulnerabilities change.

    The trick with IDS and SIM is to find an approach, such as risk
    analysis, that enables you to automate this process when tied together
    with some kind of subscription service, which should dramatically reduce
    your maintenance burden, yielding the severity reports Ofer mentions.

    FWIW

    Phil Hollows
    VP Marketing
    OpenService, Inc.
    110 Turnpike Road, Suite 308
    Westborough, MA 01581
    http://www.open.com

    -----Original Message-----
    From: Ofer Shezaf [mailto:Ofer.Shezaf@breach.com]
    Sent: Tuesday, January 04, 2005 5:41 AM
    To: focus-ids@lists.securityfocus.com
    Subject: RE: IDS event filtering

    To add my two cents:

    Filtering is not only about yes and no, but also about severity.

    My experience shows that management reports should also include a summary
    of unsuccessful attacks, as they are used for policy creation and
    budgeting. In other words, I would like to show my boss that the world
    is dangerous, and that it attacks our systems.

    On the other hand, in real-time monitoring that produces actionable items
    I would not want to see events that do not pose an immediate threat.

    The trick in many IDS/SIM systems is to set different severity levels:
    information only for non-immediate events and high severity for events
    that pose an immediate threat.

    Ofer Shezaf
    CTO, Breach Security
    Tel: +972.9.956.0036 ext.212
    Cell: +972.54.443.1119
    ofers@breach.com
    http://www.breach.com

    > -----Original Message-----
    > From: Billy Dodson [mailto:CraftedPacket@securitynerds.org]
    > Sent: Friday, December 31, 2004 5:37 PM
    > To: focus-ids@lists.securityfocus.com
    > Subject: IDS event filtering
    >
    > I am wanting to get an idea of what you guys out there filter from your
    > IDS sensors. Some of the sensors I monitor get TONS of events for MSSQL
    > control overflows. If the customer is patched for slammer and does not
    > have any SQL services on the internet, is it safe to filter out those
    > events? Do you still want to see that traffic even though you know you
    > are not vulnerable? Thanks!
    >
    >

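As an added illustration of the severity scheme Ofer describes, applied to Billy's MSSQL overflow case (example code written for this archive page, not code from any poster, OpenService or Breach Security): events are rated "high" only when the inventory shows the targeted service exposed and the host unpatched, everything else is "info", and both tiers are still counted for the management summary. The host inventory, signature table, port numbers and sample events are constructed assumptions.

```python
from collections import Counter

# Constructed asset inventory (hypothetical hosts): which known issues each
# monitored host is patched for and which ports it actually exposes to the internet.
ASSETS = {
    "10.0.0.5": {"patched_for": {"slammer"}, "exposed_ports": {80, 443}},  # patched, SQL not exposed
    "10.0.0.9": {"patched_for": set(), "exposed_ports": {1433, 1434}},     # unpatched, SQL exposed
}

# Constructed mapping from IDS signature name to the weakness it targets and
# the port that must be reachable for the attack to matter at all.
SIGNATURES = {
    "MSSQL control overflow": {"vuln": "slammer", "port": 1434},
    "HTTP directory traversal": {"vuln": "traversal", "port": 80},
}

def triage(event, assets=ASSETS, signatures=SIGNATURES):
    """Return 'high' for an event posing an immediate threat, else 'info'.
    Unknown hosts and unknown signatures stay 'high': only what the inventory
    positively proves harmless gets downgraded."""
    sig = signatures.get(event["sig"])
    asset = assets.get(event["dst"])
    if sig is None or asset is None:
        return "high"
    exposed = sig["port"] in asset["exposed_ports"]
    vulnerable = sig["vuln"] not in asset["patched_for"]
    return "high" if exposed and vulnerable else "info"

def route(events):
    """Send 'high' events to the real-time queue; count every event, whatever
    its severity, for the management summary of attack activity."""
    realtime, summary = [], Counter()
    for ev in events:
        sev = triage(ev)
        summary[(ev["sig"], sev)] += 1
        if sev == "high":
            realtime.append(ev)
    return realtime, summary

# Constructed sample events: Slammer-style hits on a patched, non-exposed host,
# on an exposed unpatched host, and on a host missing from the inventory.
SAMPLE_EVENTS = [
    {"sig": "MSSQL control overflow", "dst": "10.0.0.5"},
    {"sig": "MSSQL control overflow", "dst": "10.0.0.5"},
    {"sig": "MSSQL control overflow", "dst": "10.0.0.9"},
    {"sig": "MSSQL control overflow", "dst": "10.0.0.77"},
    {"sig": "HTTP directory traversal", "dst": "10.0.0.5"},
]
```

The inventory is the moving part Phil warns about: the rule set stays fixed, but the patched/exposed facts must be kept current or the "info" downgrade silently becomes wrong.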