IDS mailing list archives
RE: Tuning false positives (SIM and VM)
From: "Jasun Tate" <jtate () ICWGROUP com>
Date: Fri, 13 Jan 2006 08:39:45 -0800
In reference to SIM management I have a question almost on another tier: what is your outtake on the new Advanton appliance and centrally "clustering" them?

Jasun Tate
Network Operations
ICW System Security Specialist
Office #858-350-2459
~~INVEST IN LOSS~~ Chen Man Ching

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Wednesday, January 11, 2006 9:05 AM
To: focus-ids () securityfocus com
Subject: Re: Tuning false positives (SIM and VM)

At 03:56 PM 1/5/2006, Raffael Marty wrote:

> > On the subject of SIMs and vulnerability analysis scans... has anyone
> > actually found this feature to be useful?
> >
> > 1) I can't even imagine letting my SIM scan the network in such an
> > ad hoc manner. It doesn't help that none of the vendors seem to bother
> > with providing much in the way of documentation of the process. I'm in
> > a wacky world where an outage is almost never trivial ;-) I've used
> > Nessus enough to know that it WILL eventually cause an outage.
>
> I think you misunderstand what a SIM does with respect to vulnerability
> scans. SIMs import scans from vulnerability scanners that you have
> deployed, for example from Nessus. I think I remember that there is one
> product (not even sure if it is a SIM) that does ad-hoc scans for events
> it gets. That's just not a good idea; it introduces a lot of latency (so
> doesn't scale) and has the problems you outline. Again, in general,
> SIMs import vuln-scans; they don't scan themselves.
One of the reasons we design Tenable's products as a blend of SIM and VM is because this import function is a leap of faith. Too often, I see great SIM products loaded with last year's vuln data, or vuln data that didn't have the proper credentials, or vuln data that was only a discovery scan. With Tenable's products, you can do SIM and VM at the same time with one product set. If scanning too often is an issue, we can also sniff network traffic with NeVO to find new hosts, applications and vulnerabilities. Having accurate vulnerability data makes any SIM process (incident response, VA/IDS correlation, updated asset inventory, etc.) much more relevant.

Ron Gula, CTO
Tenable Network Security
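The thread's point is that a SIM correlates IDS alerts against vulnerability data it imports from a scanner, and that the correlation is only as good as that data (stale results, uncredentialed scans, hosts never scanned). The following is an added example, not code from this thread or from any vendor product, showing that correlation in miniature: the scan findings and IDS alerts are constructed inline, the vulnerability identifiers are placeholders rather than real plugin or CVE ids, and the 30-day staleness threshold is an assumption. Alerts whose target host was scanned and lacks the referenced weakness are marked low (a probable false positive); alerts the scan data cannot confirm or refute are sent to review rather than silently dropped.

```python
"""Correlate IDS alerts against imported vulnerability-scan findings.

Added example; not code from the mailing-list thread or any vendor product.
All findings, alerts and identifiers below are constructed for illustration.
A real SIM would import the findings from a scanner export (e.g. a Nessus
report) rather than scanning hosts itself.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_SCAN_AGE_DAYS = 30  # assumption: a finding older than this is treated as stale


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str          # scanner's identifier for the weakness (placeholder values here)
    scanned: date         # date the finding was produced
    credentialed: bool    # whether the scan ran with host credentials


@dataclass(frozen=True)
class Alert:
    dst_host: str
    dst_port: int
    signature: str
    vuln_id: Optional[str]  # weakness the IDS rule claims to detect, if it references one


def build_index(findings):
    """Index findings by (host, port, vuln_id) and collect the set of scanned hosts."""
    by_key = {(f.host, f.port, f.vuln_id): f for f in findings}
    hosts = {f.host for f in findings}
    return by_key, hosts


def classify(alert, by_key, hosts, today):
    """Return (priority, reason) for a single alert.

    high   - the target was scanned and the scan shows the exact weakness.
    low    - the target was scanned and the weakness is absent (probable false positive).
    review - the scan data cannot decide: host never scanned, finding stale,
             or the rule carries no vulnerability reference.
    """
    if alert.vuln_id is None:
        return "review", "signature has no vulnerability reference"
    if alert.dst_host not in hosts:
        return "review", "host absent from scan data (asset inventory gap)"
    finding = by_key.get((alert.dst_host, alert.dst_port, alert.vuln_id))
    if finding is None:
        return "low", "host scanned, weakness not present"
    age = (today - finding.scanned).days
    if age > MAX_SCAN_AGE_DAYS:
        return "review", f"matching finding is {age} days old"
    if not finding.credentialed:
        return "high", "matching finding (uncredentialed scan, lower confidence)"
    return "high", "matching finding from credentialed scan"


def correlate(alerts, findings, today):
    """Classify every alert; returns (signature, host, priority, reason) tuples."""
    by_key, hosts = build_index(findings)
    return [(a.signature, a.dst_host, *classify(a, by_key, hosts, today)) for a in alerts]


# Constructed sample data (hosts, ports, ids and dates are all made up).
TODAY = date(2006, 1, 13)
FINDINGS = [
    Finding("10.0.0.5", 80, "WEBAPP-DIR-TRAVERSAL", date(2006, 1, 10), True),
    Finding("10.0.0.5", 22, "SSH-OLD-VERSION", date(2006, 1, 10), True),
    Finding("10.0.0.9", 445, "SMB-UNPATCHED", date(2005, 3, 1), True),      # last year's data
    Finding("10.0.0.9", 139, "SMB-NULL-SESSION", date(2006, 1, 12), False),  # no credentials
]
ALERTS = [
    Alert("10.0.0.5", 80, "WEB dir traversal attempt", "WEBAPP-DIR-TRAVERSAL"),
    Alert("10.0.0.5", 80, "WEB remote include attempt", "PHP-REMOTE-INCLUDE"),
    Alert("10.0.0.9", 445, "SMB exploit attempt", "SMB-UNPATCHED"),
    Alert("10.0.0.9", 139, "SMB null session", "SMB-NULL-SESSION"),
    Alert("10.0.0.77", 25, "SMTP relay probe", "SMTP-OPEN-RELAY"),
    Alert("10.0.0.5", 22, "SSH brute force", None),
]


def run_sample():
    return correlate(ALERTS, FINDINGS, TODAY)


if __name__ == "__main__":
    for signature, host, priority, reason in run_sample():
        print(f"{priority:6} {host:10} {signature:28} {reason}")
```

The three-way split matters in practice: collapsing "host never scanned" and "weakness absent" into one bucket is exactly how a SIM loaded with last year's data or a discovery-only scan ends up suppressing real attacks, so anything the scan data cannot speak to goes to review instead of being downgraded.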