IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Tuning false positives

From: mhellman () taxandfinance com
Date: Thu, 5 Jan 2006 15:46:47 -0600 (CST)
I think you misunderstand what a SIM does with respect to vulnerability
scans. SIMs import scans from vulnerability scanners that you have
deployed. For example from Nessus. I think I remember that there is one
product (not even sure if it is a SIM) that does ad-hoc scans for events
it gets. That's just not a good idea, introduces a lot of latency (so
doesn't scale) and has the problems you outline. Again. In general, SIMs
import vuln-scans, they don't scan themselves.


Hi Marty,
In general, I believe you're right and that most don't. Netforensics was
this way I believe.  But as a user of a "SIM" that has an integrated
Nessus scanner, it obviously isn't a rule that a SIM can't do it's "own"
scanning.  It isn't necessarily adhoc either...that was a little
misleading.  I simply have no idea how this is implemented by CSMARS
because they don't document it.

I believe Cisco actually has 2 "SIM" products that do this (CiscoWorks VMS
and CSMARS) and I would never use this functionality in either of them.

Matt


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: