Re: on NIDS/NIPS tuning
From: Raffael Marty (rmarty_at_arcsight.com)
Date: 06/14/05
Date: Tue, 14 Jun 2005 14:24:14 -0700
To: David Kee <templeofprs@hotmail.com>
David,
[Disclaimer: I work for a SIM vendor]
I think today's SIMs should address your needs:
> I am curious to know what SIM product can handle un-tuned IDS alerts in
> addition to firewall logs, server logs, and application logs.
If they provide an agent to parse those logs, this should not be a
problem. I can only speak for my company where we have agents for all
these types of sources and more (e.g., AV).
> How accurate is the list of message ID's and the message parsing?
As accurate as you want it. I consider it a bug if the fields you want
parsed do not show up in our normalized event.
> I doubt that there is
> a SIM vendor that has a correlation engine that can handle a fraction of
> the traffic in an average data-center or enterprise network.
Well, it depends on what kind of event load you have. I could start playing
the numbers game here, but let me refrain from that. I can give you a
better answer: If you find that one manager (that's what we call our
server or collector or whatever) is not enough, you can deploy a
multi-tier setup and roll-up events where needed.
> Can they provide packaged reporting and alert management?
Definitely.
> Flat-file or relational database?
I am assuming you are talking about data storage. You probably won't find a SIM
that uses flat-files to store the data. You are just missing too many
features and don't get the performance you need to query.
> Don't forget about your SOC operators who have to manage the
> message queue and respond to all of the alerts.
Event annotation, workflow, all there.
> You can not just push
> traffic to a SIM and have it magically (and accurately) generate some
> golden nugget message.
You can have it take action. And I know all the SIMs support this.
> What are you using to gather vulnerability
> assessment information
You import scanner information. There are adapters for vulnerability
scanners. (Foundstone, Qualys, Nessus, you name it)
> and how is the SIM correlating against that information?
This is where I can't make a statement about the other SIMs. I know that
we cross-correlate the incoming events with the vulnerability they
target and take that into account to come up with the final priority of
the event.
> Valid alerts need to be measured against the vulnerability of
> the device/application (patch levels, hardening, etc).
That's done in the priority calculation mentioned in the last section.
Hope this helps...
-raffy
--
Raffael Marty, GCIA, CISSP
raffael.marty@arcsight.com
Senior Security Engineer
Content Team @ ArcSight Inc.
5 Results Way
Cupertino, CA 95014
(408) 864-2662
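The reply above describes three things a SIM does with un-tuned IDS alerts: parse raw logs from different agents into one normalized event, import vulnerability scanner findings, and cross-correlate each event with the vulnerability it targets so that the final priority reflects whether the destination host is actually exposed. The following is an added illustration of that pipeline in Python; it is not code from the original post, from ArcSight, or from any product. The log lines, host addresses, signature ids, the VULN-xxxx identifiers, the signature-to-vulnerability mapping and the priority adjustments are all constructed for the example and carry no real-world meaning.

```python
"""Toy SIM-style normalization, vulnerability import and priority correlation.

Added example, not code from the original post or any vendor. All sample data
(log lines, hosts, signature ids, VULN-xxxx ids, priority constants) is
constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    source: str               # which agent produced it ("ids", "firewall", ...)
    src_ip: str
    dst_ip: str
    dst_port: int
    name: str                 # normalized event name
    severity: int             # 1 (low) .. 10 (high), as reported by the sensor
    vuln: Optional[str] = None  # vulnerability the event targets, if known


# Constructed mapping from IDS signature id to the vulnerability it targets.
# A real SIM ships this as vendor content; these ids are placeholders.
SIGNATURE_VULN = {"1001": "VULN-1001", "1002": "VULN-1002"}

# Snort "fast alert" style line (constructed format, close to the real one).
SNORT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d)\].*?(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# iptables/netfilter style firewall log line.
IPTABLES_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dport>\d+)")


def parse_snort(line: str) -> Optional[Event]:
    m = SNORT_RE.search(line)
    if not m:
        return None
    # Snort priority 1 is the most severe; map 1..3 onto a 10..2 scale.
    severity = {1: 10, 2: 6, 3: 2}.get(int(m["prio"]), 2)
    return Event("ids", m["src"], m["dst"], int(m["dport"]), m["msg"],
                 severity, SIGNATURE_VULN.get(m["sid"]))


def parse_iptables(line: str) -> Optional[Event]:
    m = IPTABLES_RE.search(line)
    if not m:
        return None
    return Event("firewall", m["src"], m["dst"], int(m["dport"]), "Packet denied", 2)


PARSERS = [parse_snort, parse_iptables]  # one "agent" per log format


def normalize(lines: List[str]) -> List[Event]:
    """Run every raw line through the agents; keep the first one that parses it."""
    events = []
    for line in lines:
        for parse in PARSERS:
            ev = parse(line)
            if ev:
                events.append(ev)
                break
    return events


def load_scan(csv_text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Import scanner findings as {host: {(port, vuln_id), ...}}.

    A host that was scanned but has no findings still appears with an empty
    set, so "scanned and clean" can be told apart from "never scanned".
    """
    scanned: Dict[str, Set[Tuple[int, str]]] = {}
    for row in csv_text.strip().splitlines()[1:]:
        host, port, vuln = [c.strip() for c in row.split(",")]
        scanned.setdefault(host, set())
        if vuln:
            scanned[host].add((int(port), vuln))
    return scanned


def priority(ev: Event, scanned: Dict[str, Set[Tuple[int, str]]]) -> int:
    """Sensor severity adjusted by whether the target really has the vulnerability."""
    p = ev.severity
    if ev.vuln is None or ev.dst_ip not in scanned:
        return p                       # nothing to cross-check against: leave as-is
    if (ev.dst_port, ev.vuln) in scanned[ev.dst_ip]:
        return min(10, p + 3)          # confirmed exposure: raise
    return max(1, p - 5)               # scanned and not vulnerable: mostly noise


def prioritize(lines: List[str], scan_csv: str) -> List[Tuple[Event, int]]:
    scanned = load_scan(scan_csv)
    scored = [(ev, priority(ev, scanned)) for ev in normalize(lines)]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def rollup(events: List[Event]) -> Counter:
    """Collapse repeated identical events, as a lower-tier manager would before forwarding."""
    return Counter((e.source, e.src_ip, e.dst_ip, e.name) for e in events)


# Constructed sample input: three IDS alerts and two firewall denies.
SAMPLE_LOGS = [
    "06/14-14:24:14.000001 [**] [1:1001:1] WEB-ATTACK test exploit A [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:44123 -> 192.0.2.10:80",
    "06/14-14:24:15.000001 [**] [1:1002:1] WEB-ATTACK test exploit B [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44124 -> 192.0.2.10:80",
    "06/14-14:24:16.000001 [**] [1:1001:1] WEB-ATTACK test exploit A [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:44125 -> 192.0.2.20:80",
    "Jun 14 14:24:17 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=23",
    "Jun 14 14:24:18 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=44127 DPT=23",
]
# Constructed scanner export: .10 has VULN-1001 on port 80, .20 was scanned and is clean.
SAMPLE_SCAN = """host,port,vuln
192.0.2.10,80,VULN-1001
192.0.2.20,,
"""

if __name__ == "__main__":
    for ev, p in prioritize(SAMPLE_LOGS, SAMPLE_SCAN):
        print(f"prio={p:2d} sev={ev.severity:2d} {ev.source:8s} {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port} {ev.name}")
    print(rollup(normalize(SAMPLE_LOGS)))
```

Running it shows the effect the reply describes: the exploit-A alert against 192.0.2.10, whose scan confirms VULN-1001 on port 80, rises from severity 6 to priority 9; the exploit-B alert against the same host, which the scan does not show as vulnerable, drops from 10 to 5; the same exploit-A signature against the clean host 192.0.2.20 drops to 1; the firewall denies, which target no vulnerability, keep their base priority and are rolled up into one record with a count of 2.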