IDS mailing list archives
RE: Snort
From: "Phil Hollows" <phollows () open com>
Date: Thu, 30 Sep 2004 22:44:39 -0400
Well, in the spirit of keeping Ron up to date, Open's SIM is one that has daily updates of vulnerabilities, exploits and IDS, PIS and VA signatures as part of the core offering, ensuring that our customers are always using the latest threat information when evaluating the risk of an event, and can take your VA data from multiple systems (open and proprietary) and use the very latest data to compute risk, identify threats and take remediative actions appropriately. Phil OpenService (Open) www.open.com -----Original Message----- From: Ron Gula [mailto:rgula () tenablesecurity com] Sent: Thu 9/30/2004 1:03 PM To: focus-ids () securityfocus com Cc: Subject: Re: Snort At 02:09 PM 9/27/2004 -0700, Jeremy Gonzales wrote: >Hi, > >Does anyone have experience with snort reports? How do >you deal with the loads of information? Is there a way >to generate reports that eliminate the false >positives? Any help will be appreciated. > >Thanks, > >Jeremy. There are a variety of commercial and open source IDS and SIM solutions. Things you should check out include (and I am biased, so I list Lightning & NeVO & Nessus first) are: - Lightning Console and NeVO from Tenable Network Security. It can manage several dozen Snort sensors and correlate Snort IDS events with vulns discovered passively via NeVO, through distributed Nessus scanning or through Nessus's host-based UNIX and NT checks. - Sourcefire's RNA and their console can help qualify if an IDS event is relevant or not. I've seen people use RNA to highlight specific events which may target a known vulnerability. - SIM vendors like Guarded.net can take in IDS events from SNORT, and qualify them with other events and vulnerability data. My only caveat is that most of the SIMs take a one-time snapshot of vulns and don't integrate daily vuln data that you can get with RNA or NeVO. - In the open source arena, there are tools like Gherkin and I've seen people write scripts to use the output of p0f and nmap to remove non vuln snort events. Ron Gula, CTO Tenable Network Security -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: Snort vvaduva (Sep 30)