Re: RE: Tuning false positives - SIM is not the answer

[Anton Chuvakin <anton () chuvakin org>]

All,

> SIM systems have nothing to do with the fact your IDS/IPS gets 300,000 alerts
> per day. It'll just sum it up nicely for you so you don't read them
one at a time,

I might be going against the flow and, additionally, running a risk of
my vendor hat burning my head, but I just have to barge in.

SIM *can* help with false positives. No, really, it can! And, not only
thru the use of vulnerability data (collected before or after the
alert in question). So, let's say we have an IDS alert that we suspect
might be false. What is one of the things an analyst can do (apart
from looking at a payload)? Look at what impact the alert had on the
target! If your SIM can intelligently match up the logs from target OS
and applications,  it can do pretty much the same to conclude the
validity of the alert. One of my favorite example is matching NIDS web
attack sigs with 404 codes in the web server logs. I don't want to go
into product details, but I am sure you get a general theme here...

Will SIM eliminate *all* false positives and totally replace  IDS
tuning? No way, but it can help a lot if used diligently, especially
in the environment with multiple IDS brands running.

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA     http://www.chuvakin.org
http://www.securitywarrior.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------