IDS mailing list archives
RE: Tuning false positives (Nessus in CS-MARS)
From: "rgula () tenablesecurity com" <rgula () tenablesecurity com>
Date: Wed, 28 Dec 2005 09:19:44 -0500
I'd like to point out that although Cisco ships the Nessus 2 scanner inside the CS-MARS product, we (Tenable) have not licensed any vulnerability checks to them (or CS-MARS customers) so any VA/IDS correlation is very out of date. Tenable's solution for VA/IDS correlation not only includes the latest vulnerability checks for Nessus, but also host-based UNIX and Windows checks as well as continuous passive monitoring with our NeVO product. Ron Gula, CTO Tenable Network Security ----- Original Message ----- From: "Gary Halleen (ghalleen)" <ghalleen () cisco com> To: "Sam Heshbon" <sheshbon () yahoo com> Cc: <focus-ids () securityfocus com> Subject: RE: Tuning false positives Date: Tue, 27 Dec 2005 20:38:56 -0800
Take a look at a good SIM product, like CS-MARS from Cisco Systems. This correlates IPS/IDS events with firewall and other network device logs, and also with vulnerability assessment tools (including NESSUS built-in). This correlation is again correlated with network topology information, and automatically tunes your events for you. In addition, there is a wealth of reports and query capabilities, as well as a lot of options for manually creating rules and doing further tuning. Even though it is from Cisco, it works with most IDS/IPS and firewall products, not just Cisco. Gary -----Original Message----- From: Sam Heshbon [mailto:sheshbon () yahoo com] Sent: Sunday, December 25, 2005 3:21 AM To: focus-ids () lists securityfocus com Subject: Tuning false positives My company is testing a few intrusion detection & prevention products. On the first few hours/days after deployment the machines alert on ten of thousands of events, which is way too much for us to ever go through, most of which are false alarms. The vendor's solution is tuning the systems, which means shutting down signatures, detection mechanisms, omitting defragmentation tests and so on. These tunings do reduce dramatically the number of alerts, but it seems most of the detection capabilities have been shut off too, so things are nice and quite but we've no idea what's really going on in our network apart from catching the trivial threats such as old worms, which don't get false alarms. Has anyone encountered this situation? Anyone got a solution? Thanks Sam __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ---------------------------------------------------------- -------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more. ---------------------------------------------------------- -------------- ---------------------------------------------------------- -------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more. ---------------------------------------------------------- --------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- RE: Tuning false positives (Nessus in CS-MARS) rgula () tenablesecurity com (Dec 28)