RE: IDS event filtering
From: Ofer Shezaf (Ofer.Shezaf_at_breach.com)
Date: 01/14/05
- Previous message: Ofer Shezaf: "RE: Specification-based Anomaly Detection"
- Maybe in reply to: dcdave_at_att.net: "RE: IDS event filtering"
Date: Thu, 13 Jan 2005 22:22:03 -0500
To: "Phil Hollows" <phollows@open.com>, "Ofer Shezaf" <Ofer.Shezaf@breach.com>, <focus-ids@lists.securityfocus.com>
Or to build an adaptive system: one that would automatically compensate
for the dynamic nature of networks, application and threats.
Not easy, but we are certainly trying.
~ Ofer
Ofer Shezaf
CTO, Breach Security
Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers@breach.com
http://www.breach.com
> -----Original Message-----
> From: Phil Hollows [mailto:phollows@open.com]
> Sent: Tuesday, January 04, 2005 5:57 PM
> To: Ofer Shezaf; focus-ids@lists.securityfocus.com
> Subject: RE: IDS event filtering
>
> Part of the issue with any set of filters, especially ones that are
> manually managed, is that you create an ongoing management burden (and
> associated structural, recurring costs) as threats, hosts and
> vulnerabilities change.
>
> The trick with IDS and SIM is to find an approach, such as risk
> analysis, that enables you to automate this process when tied together
> with some kind of subscription service, which should dramatically reduce
> your maintenance burden, yielding the severity reports Ofer mentions.
>
> FWIW
>
> Phil Hollows
> VP Marketing
> OpenService, Inc.
> 110 Turnpike Road, Suite 308
> Westborough, MA 01581
> http://www.open.com
>
>
> -----Original Message-----
> From: Ofer Shezaf [mailto:Ofer.Shezaf@breach.com]
> Sent: Tuesday, January 04, 2005 5:41 AM
> To: focus-ids@lists.securityfocus.com
> Subject: RE: IDS event filtering
>
>
> To add my two cents:
>
> Filtering is not only about yes and no, but also about severity.
>
> My experience shows that management reports should also include a summary
> of unsuccessful attacks, as they are used for policy creation and
> budgeting. In other words, I would like to show my boss that the world
> is dangerous, and that it attacks our systems.
>
> On the other hand, in real-time monitoring that produces actionable items,
> I would not want to see events that do not pose an immediate threat.
>
> The trick in many IDS/SIM systems is to set different severity levels:
> information only for non-immediate events and high severity for events
> that pose an immediate threat.
>
> Ofer Shezaf
> CTO, Breach Security
> Tel: +972.9.956.0036 ext.212
> Cell: +972.54.443.1119
> ofers@breach.com
> http://www.breach.com
>
>
> > -----Original Message-----
> > From: Billy Dodson [mailto:CraftedPacket@securitynerds.org]
> > Sent: Friday, December 31, 2004 5:37 PM
> > To: focus-ids@lists.securityfocus.com
> > Subject: IDS event filtering
> >
> > I want to get an idea of what you guys out there filter from your
> > IDS sensors. Some of the sensors I monitor get TONS of events for MSSQL
> > control overflows. If the customer is patched for Slammer and does not
> > have any SQL services on the internet, is it safe to filter out those
> > events? Do you still want to see that traffic even though you know you
> > are not vulnerable? Thanks!
> >
> >
> --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> >
> --------------------------------------------------------------------------
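The severity scheme Ofer describes (information-only for attacks that cannot succeed, high severity for immediate threats), applied to Billy's MSSQL question, as an added Python example that is not part of the original thread or of any product mentioned in it. The alert line format is modelled on Snort's "fast" alert output; the sample alerts, the asset inventory, the signature IDs and the signature-to-patch mapping are all constructed for the example. Instead of a yes/no filter, every event is kept and scored against what is known about the target host: a host that is not in the inventory, an exposed unpatched service, or a signature with no known fix all stay "high"; an attack against a port that is not reachable, or against a service already patched for that hole, is downgraded to "info" so it still appears in the management summary but not in the real-time queue.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One line of Snort-style "fast" alert output (format assumed for the example).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<sig>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Event:
    sig: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Asset:
    exposed: frozenset  # (proto, port) pairs reachable from the internet
    patched: frozenset  # vendor patch IDs applied to the host


def parse_alert(line: str) -> Event:
    """Extract signature, protocol and destination from one alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable alert: {line!r}")
    return Event(m["sig"], m["proto"], m["src"], m["dst"], int(m["dport"]))


# Signature name -> patch that closes the hole it targets (assumed mapping).
SIG_PATCH = {"MS-SQL Worm propagation attempt": "MS02-039"}


def severity(ev: Event, assets: Dict[str, Asset]) -> str:
    """'high' = immediate threat, 'info' = attack that cannot succeed here."""
    asset = assets.get(ev.dst)
    if asset is None:
        return "high"  # unknown host: we cannot show it is unaffected
    if (ev.proto, ev.dport) not in asset.exposed:
        return "info"  # the service is not reachable from the attacker
    patch = SIG_PATCH.get(ev.sig)
    if patch is not None and patch in asset.patched:
        return "info"  # the exploit cannot succeed against a patched service
    return "high"


def triage(lines: Iterable[str], assets: Dict[str, Asset]) -> Tuple[List[Event], Counter]:
    """Split events into the real-time queue and the management summary.

    The real-time queue keeps only 'high' events; the summary counts every
    event by signature and severity, so unsuccessful attacks still show up
    in reporting instead of being discarded.
    """
    events = [parse_alert(line) for line in lines]
    realtime = [ev for ev in events if severity(ev, assets) == "high"]
    summary = Counter((ev.sig, severity(ev, assets)) for ev in events)
    return realtime, summary


# Constructed asset inventory: .10 is a patched web server with no SQL port
# exposed, .30 is an unpatched SQL host exposed on 1434/udp, .20 is unknown.
ASSETS = {
    "192.0.2.10": Asset(frozenset({("TCP", 80)}), frozenset({"MS02-039"})),
    "192.0.2.30": Asset(frozenset({("UDP", 1434)}), frozenset()),
}

# Constructed sample alerts (Snort-style fast format, made-up SIDs).
SAMPLE_ALERTS = [
    "01/13-22:22:03.100000 [**] [1:100001:1] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434",
    "01/13-22:22:04.200000 [**] [1:100001:1] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.20:1434",
    "01/13-22:22:05.300000 [**] [1:100001:1] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.30:1434",
    "01/13-22:22:06.400000 [**] [1:100002:1] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:4412 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    queue, report = triage(SAMPLE_ALERTS, ASSETS)
    for ev in queue:
        print(f"ALERT  {ev.sig} -> {ev.dst}:{ev.dport}")
    for (sig, sev), n in sorted(report.items()):
        print(f"REPORT {sev:4} {n} x {sig}")
```

The point of the defaults is that the downgrade to "info" is only applied when the inventory positively says the attack cannot work; anything the inventory does not know about stays in the real-time queue, which is what keeps the asset data (rather than the filter list) as the thing that has to be maintained as hosts and patch levels change.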