IDS mailing list archives
Re: Tuning false positives
From: mhellman () taxandfinance com
Date: Thu, 5 Jan 2006 15:46:47 -0600 (CST)
> I think you misunderstand what a SIM does with respect to vulnerability scans. SIMs import scans from vulnerability scanners that you have deployed. For example from Nessus. I think I remember that there is one product (not even sure if it is a SIM) that does ad-hoc scans for events it gets. That's just not a good idea, introduces a lot of latency (so doesn't scale) and has the problems you outline. Again. In general, SIMs import vuln-scans, they don't scan themselves.
Hi Marty,

In general, I believe you're right and that most don't. Netforensics was this way I believe. But as a user of a "SIM" that has an integrated Nessus scanner, it obviously isn't a rule that a SIM can't do its "own" scanning. It isn't necessarily ad hoc either...that was a little misleading. I simply have no idea how this is implemented by CSMARS because they don't document it. I believe Cisco actually has 2 "SIM" products that do this (CiscoWorks VMS and CSMARS) and I would never use this functionality in either of them.

Matt
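The model Marty describes, a SIM consuming a scan that was imported from a deployed scanner rather than scanning on demand, is easy to see in a few lines of correlation logic. The example below is added here and is not code from this thread or from any product named in it. It assumes a simplified Nessus-style export reduced to open ports and CVE ids per host (constructed sample data), constructed IDS alerts, and a hypothetical freshness limit so that alerts are not rated against a scan that is too old to trust, which is the staleness trade-off an import model accepts in exchange for not adding scan latency to every event.

```python
"""Rate IDS alerts against an imported vulnerability scan (added example)."""
from datetime import datetime, timedelta

# Constructed sample of an imported scan export, loosely modelled on a
# Nessus-style per-host result: open ports and CVE ids found on each host.
# The CVE ids are placeholders, not real identifiers.
SCAN_IMPORT = {
    "scanned_at": datetime(2006, 1, 3, 9, 0),
    "hosts": {
        "10.0.0.5": {"open_ports": {80, 443}, "cves": {"CVE-EXAMPLE-0001"}},
        "10.0.0.9": {"open_ports": {22}, "cves": set()},
    },
}

# Constructed IDS alerts; "cve" is the reference the signature carries, if any.
ALERTS = [
    {"sid": 1001, "dst": "10.0.0.5", "dport": 80, "cve": "CVE-EXAMPLE-0001"},
    {"sid": 1002, "dst": "10.0.0.5", "dport": 80, "cve": "CVE-EXAMPLE-0002"},
    {"sid": 1003, "dst": "10.0.0.9", "dport": 80, "cve": "CVE-EXAMPLE-0001"},
    {"sid": 1004, "dst": "10.0.0.77", "dport": 25, "cve": None},
]

# Hypothetical policy: scan data older than this is not used for rating.
MAX_SCAN_AGE = timedelta(days=7)

# Two constructed "current time" values: one inside the freshness window,
# one well past it.
NOW = datetime(2006, 1, 5, 15, 46)
STALE_NOW = datetime(2006, 2, 1, 0, 0)


def rate_alert(alert, scan, now):
    """Return (priority, reason) for one alert using only imported scan data.

    The function never contacts the target; everything it knows about the
    host comes from the scan that was imported earlier.
    """
    if now - scan["scanned_at"] > MAX_SCAN_AGE:
        return ("unknown", "scan data older than MAX_SCAN_AGE; rescan needed")

    host = scan["hosts"].get(alert["dst"])
    if host is None:
        return ("unknown", "target host not covered by the imported scan")

    if alert["dport"] not in host["open_ports"]:
        # Nothing was listening there at scan time: likely false positive.
        return ("low", "port was closed at scan time")

    if alert["cve"] and alert["cve"] in host["cves"]:
        return ("high", "target was found vulnerable to the referenced CVE")

    if alert["cve"]:
        return ("low", "service present but referenced CVE not found")

    # Service is up and the signature has no CVE to check against.
    return ("medium", "service present; signature carries no CVE reference")


def triage(alerts, scan, now):
    """Map each alert sid to its priority string."""
    return {a["sid"]: rate_alert(a, scan, now)[0] for a in alerts}


if __name__ == "__main__":
    for alert in ALERTS:
        priority, reason = rate_alert(alert, SCAN_IMPORT, NOW)
        print(f"sid {alert['sid']} -> {priority}: {reason}")
```

Because the rating step reads only the imported data, it costs nothing per event; the price is the explicit "unknown" result whenever the scan is stale or does not cover the host, which is where a rescan or a refreshed import belongs.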
Current thread:
- Re: Tuning false positives Joel M Snyder (Jan 02)
- <Possible follow-ups>
- RE: Tuning false positives Ofer Shezaf (Jan 05)
- RE: Tuning false positives mhellman (Jan 05)
- Re: Tuning false positives Raffael Marty (Jan 11)
- Re: Tuning false positives mhellman (Jan 09)
- Re: Tuning false positives (SIM and VM) Ron Gula (Jan 12)
- Re: Tuning false positives (SIM and VM) David W. Goodrum (Jan 13)
- Re: Tuning false positives Raffael Marty (Jan 11)
- Re: Tuning false positives Devdas Bhagat (Jan 05)
- RE: Tuning false positives Gary Halleen (ghalleen) (Jan 05)