Re: Tuning false positives (SIM and VM)



At 03:56 PM 1/5/2006, Raffael Marty wrote:
> On the subject of SIMs and vulnerability analysis scans...has anyone
> actually found this feature to be useful?
> 1) I can't even imagine letting my SIM scan the network in such an ad hoc
> manner.  It doesn't help that none of the vendors seem to bother with
> providing much in the way of documentation of the process.  I'm in a wacky
> world where an outage is almost never trivial ;-) I've used Nessus enough
> to know that it WILL eventually cause an outage.

I think you misunderstand what a SIM does with respect to vulnerability
scans. SIMs import scans from vulnerability scanners that you have
deployed. For example from Nessus. I think I remember that there is one
product (not even sure if it is a SIM) that does ad-hoc scans for events
it gets. That's just not a good idea, introduces a lot of latency (so
doesn't scale) and has the problems you outline. Again. In general, SIMs
import vuln-scans, they don't scan themselves.

One of the reasons we design Tenable's products as a blend of SIM and VM is because this import function is a leap of faith. Too often, I see great SIM products loaded with last year's vuln data, or vuln data that didn't have the proper credentials or vuln data that was only a discovery scan.

With Tenable's products, you can do SIM and VM at the same time with one
product set. If scanning too often is an issue, we can also sniff network
traffic with NeVO to find new hosts, applications and vulnerabilities.

Having accurate vulnerability data makes any SIM process (incident response,
VA/IDS correlation, updated asset inventory, etc.) much more relevant.

Ron Gula, CTO
Tenable Network Security


