RE: Tuning false positives (Nessus in CS-MARS)

["rgula () tenablesecurity com" <rgula () tenablesecurity com>]

I'd like to point out that although Cisco ships the Nessus 2
scanner inside the CS-MARS product, we (Tenable) have not 
licensed any vulnerability checks to them (or CS-MARS
customers)
so any VA/IDS correlation is very out of date. 

Tenable's solution for VA/IDS correlation not only includes
the latest vulnerability checks for Nessus, but also
host-based 
UNIX and Windows checks as well as continuous passive
monitoring 
with our NeVO product.  

Ron Gula, CTO
Tenable Network Security

----- Original Message -----
From: "Gary Halleen (ghalleen)" <ghalleen () cisco com>
To: "Sam Heshbon" <sheshbon () yahoo com>
Cc: <focus-ids () securityfocus com>
Subject: RE: Tuning false positives
Date: Tue, 27 Dec 2005 20:38:56 -0800

> Take a look at a good SIM product, like CS-MARS from Cisco
> Systems. This correlates IPS/IDS events with firewall and
> other network device logs, and also with vulnerability
> assessment tools (including NESSUS built-in).  This
> correlation is again correlated with network topology
> information, and automatically tunes your events for you.
>
> In addition, there is a wealth of reports and query
> capabilities, as well as a lot of options for manually
> creating rules and doing further tuning.
>
> Even though it is from Cisco, it works with most IDS/IPS
> and firewall products, not just Cisco.
>
> Gary
>  
>
>
> -----Original Message-----
> From: Sam Heshbon [mailto:sheshbon () yahoo com] 
> Sent: Sunday, December 25, 2005 3:21 AM
> To: focus-ids () lists securityfocus com
> Subject: Tuning false positives
>
> My company is testing a few intrusion detection &
> prevention products. On the first few hours/days after
> deployment the machines alert on ten of thousands of
> events, which is way too much for us to ever go through,
> most of which are false alarms.
>    
> The vendor's solution is tuning the systems, which means
> shutting down signatures, detection mechanisms, omitting
> defragmentation tests and so on. These tunings do reduce
> dramatically the number of alerts, but it seems most of
> the detection capabilities have been shut off too, so
> things are nice and quite but we've no idea what's really
> going on in our network apart from catching the trivial
> threats such as old worms, which don't get false alarms.
> Has anyone encountered this situation? Anyone got a
> solution?
>    
> Thanks
>    
> Sam
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection
> around http://mail.yahoo.com 
>
> ----------------------------------------------------------
> -------------- Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world
> attacks from CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ----------------------------------------------------------
> --------------
>
> ----------------------------------------------------------
> -------------- Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ----------------------------------------------------------
> --------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------