IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: "Sam f. Stover" <sstover () atrc sytexinc com>
Date: Fri, 24 Oct 2003 11:40:46 -0400
On Thursday, October 23, 2003, at 09:19 PM, Andrew Hall wrote:
> I think what you are really after is to be found in a good security information management (SIM) tool.
No - I wasn't talking about correlating events from disparate sources. I'm looking for an intelligent IDS that will integrate into a SIM, sure. But my points were specifically targeted towards an IDS that is smarter today than the IDS of 10 or even 5 years ago.
> An IDS is good at what it does ... ie in raw detection of "events" ... by whatever means that is (string matching, heuristics, protocol anomaly etc)
No - an IDS *sensor* is good at what you describe. However, I'm talking about the whole Intrusion Detection SYSTEM, which needs to do much more than just detect events. I'm guessing that this sort of thing is what Marty alluded to when he said that Sourcefire was working on developing the means to do this.
> but as mentioned by others on the list the context is critical to determine if the event is really an "incident". And again, without context the priority of an incident cannot be determined.
This is precisely my point. I need to be able to configure my IDS so that events (which will eventually make it to the SIM) have been categorized and prioritized in a way that helps me focus on important issues.
<snip>
> Finally, there is the good old debate of why an IDS is even being deployed in a network. I argue that an IDS has three main purposes all of which are essential;
> - Real time event notification
> - Trending analysis
> - Forensics
<snip>
I don't really disagree with your 3 items (except maybe the "real time" aspect of the first one).
> I argue that the only way to get this flexibility is to use a SIM tool ... something which can store large amounts of raw data / logs, yet present a highly filtered and highly correlated view of all the data in your network.
I don't think it's very responsible of an IDS vendor to generate millions of alerts and then pass the responsibility for prioritizing those alerts to a third party SIM tool. It sounds like this is what you are suggesting? Or should IDS vendors become high-end SIM developers as well?
I think some middle ground can be found which allows users to prioritize without having to buy a SIM...
____
S.f.Stover
sstover () iwc sytexinc com