RE: on NIDS/NIPS tuning

From: Anton A. Chuvakin (anton_at_chuvakin.org)
Date: 06/15/05

  • Next message: Gary Halleen (ghalleen): "RE: on NIDS/NIPS tuning" 
    Date: Wed, 15 Jun 2005 13:06:11 -0400 (EDT)
To: David Kee <templeofprs@hotmail.com>

    Oh no, its me vs Raffy again :-)

    >I am curious to know what SIM product can handle un-tuned IDS alerts in
    >addition to firewall logs, server logs, and application logs. How accurate

    I am not here to sell a particular SIM product (but do contact me if you
    need more info on that). It will suffice to say that the best SIM products
    can do the above, provided that the hardware was spec'ed correctly before
    the implementation.

    >is the list of message ID's and the message parsing? I doubt that there is a
    >SIM vendor that has a correlation engine that can handle a fraction of the
    >traffic in an average data-center or enterprise network.

    There certainly is...

    >Can they provide
    >packaged reporting and alert management?

    Absolutely.

    >Flat-file or relational database?
    I do know that some folks use custom-coded "flat-file-like" "databases",
    but IMHO their advantages are not as significant as some think. At the
    same time, their disadvantages are obvious :-)

    >Don't forget about your SOC operators who have to manage the message queue
    >and respond to all of the alerts.

    Sure, a good SIM can handle the process side of the SOC operation.

    >You can not just push traffic to a SIM and
    >have it magically (and accurately) generate some golden nugget message.

    That is actually a key point! That is what I would call a 'ultimate SIM
    dream'. How close the real products are to that? It depends, but clearly
    they are not there yet.

    >What
    >are you using to gather vulnerability assessment information and how is the
    >SIM correlating against that information? Valid alerts need to be measured

    This actually presents the "secret sauce" of some SIM vendors and, in
    general, goes too deep into product specifics. Do contact me if you want
    more details on one possible way of doing it. In general, SIM will use
    vuln data to automatically qualify IDS alerts as well compute various
    risk metrics.

    Best, 

    -- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
     http://www.info-secure.org
   http://www.securitywarrior.com
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
  • Next message: Gary Halleen (ghalleen): "RE: on NIDS/NIPS tuning"

    Relevant Pages

    • RE: SIM Tools, and endpoint security.
      ... Tarpit, Cisco, and Microsoft Windows logs. ... SIM Tools, and endpoint security. ... syslog type perspective to complement our Network Intrusion plan. ... applications and new hosts without the need for network scanning. ...
      (Focus-IDS)
    • SIM Tools, and endpoint security.
      ... I am looking to get some information and some input on SIM Tools. ... Currently we have looked at the Protego Mars product as ... We would dump OS logs, app logs, fw logs, router and switch ... We are currently looking at Cisco CSA. ...
      (Focus-IDS)
    • Re: on NIDS/NIPS tuning
      ... I work for a SIM vendor] ... > addition to firewall logs, server logs, and application logs. ...
      (Focus-IDS)
    • RE: Tuning false positives
      ... If you configure a CSMARS with default rules to ... Cisco IDS events entirely (well deserved stab at Cisco for making me open ... line is that both your IDS and your SIM need considerable configuration to ... SIM product, ...
      (Focus-IDS)