IDS mailing list archives
Re: Snort with an expert system
From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 28 Jun 2009 21:46:28 -0400
On Fri, Jun 26, 2009 at 4:14 PM, Stefano Zanero <s.zanero () securenetwork it> wrote:
>>> Not for nothing but #2 is exactly what Sourcefire's been doing since 2004. Sorry for the commercial but I think I've been pretty outspoken on this topic since 2000 or so...
>>
>> Well, I guess I have to pipe in also, then. Cisco is doing the same. Read my book "Security Monitoring with CS-MARS" for more info.
>
> Sorry Marty, sorry Gary, I love both products, but they are not even close to realizing what Greg asked for :)
They may not even be close to being able to detect if an attack was actually successful, but they're tremendously better than the status quo. It's pretty easy to look at the Verizon data and see that: a) People can't tune their sensors. b) People can't do even basic analysis of the event loads that result. c) People don't know what's on their networks and how it's configured or how it's changing, which makes a) virtually impossible. Automated tuning reduces the data loads up front and also makes the sensors harder to evade when done properly. Back-end impact analysis tremendously improves the signal-to-noise ratio, which in turn makes the event loads something that humans can deal with.
> Of course, they do reduce "false positives/noncontextual alerts/whatevers", and so they are to be commended, but knowing "if the attack has been successful" is actually way beyond anybody's capability, short of a crystal sphere :)
Exactly, but then again perfect is the enemy of good enough. I prefer to give people solutions that make their quality of life better today than do nothing because it's not perfect.

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
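The "back-end impact analysis" Marty describes, as an added illustration that is not from this thread or from any Sourcefire or Cisco product: a toy correlation step that ranks each IDS alert against what is known about the target host, so alerts aimed at the wrong platform or at a closed port drop out of the analyst's queue. The signature metadata, inventory, alerts and "CVE-EXAMPLE-*" ids are constructed placeholders, and the four impact labels are assumed names, not any vendor's scheme.

```python
from dataclasses import dataclass
# Constructed sample data throughout: signature metadata, inventory, alerts and the
# "CVE-EXAMPLE-*" ids are placeholders, not real Snort rules or real CVE numbers.

@dataclass(frozen=True)
class SigInfo:
    affected_os: frozenset          # OS families the exploit actually applies to
    cves: frozenset = frozenset()   # flaws the rule is known to cover
@dataclass(frozen=True)
class Host:
    os_family: str
    listening: frozenset            # ports observed open by passive/active discovery
    known_cves: frozenset = frozenset()  # flaws a scanner confirmed on this host
SIGNATURES = {
    1001: SigInfo(frozenset({"windows"}), frozenset({"CVE-EXAMPLE-1"})),
    1002: SigInfo(frozenset({"linux", "unix"})),
    1003: SigInfo(frozenset({"windows", "linux", "unix"})),
}
INVENTORY = {
    "10.0.0.5": Host("linux", frozenset({22, 80})),
    "10.0.0.9": Host("windows", frozenset({445, 3389}), frozenset({"CVE-EXAMPLE-1"})),
}

def impact(sid, dst_ip, dst_port):
    """Rank one alert by how plausible it is that the target is affected."""
    sig = SIGNATURES[sid]
    host = INVENTORY.get(dst_ip)
    if host is None:
        return "unknown_host"            # no context at all: cannot discount it
    if host.os_family not in sig.affected_os:
        return "not_vulnerable"          # wrong platform, e.g. SMB exploit vs Linux
    if dst_port not in host.listening:
        return "not_vulnerable"          # nothing listening where the exploit went
    if sig.cves & host.known_cves:
        return "vulnerable"              # scanner says this exact flaw is present
    return "potentially_vulnerable"      # right OS, service up, flaw unconfirmed
ALERTS = [  # constructed alerts: (sid, dst_ip, dst_port)
    (1001, "10.0.0.5", 445),    # Windows SMB exploit aimed at a Linux host
    (1001, "10.0.0.9", 445),    # same exploit aimed at a confirmed-vulnerable host
    (1002, "10.0.0.9", 22),     # Unix SSH exploit aimed at a Windows host
    (1003, "10.0.0.5", 80),     # cross-platform web exploit, service is up
    (1003, "10.0.0.77", 80),    # host nobody has inventoried
]

def triage(alerts):
    """Group alerts by impact so the few that matter surface first."""
    buckets = {}
    for sid, dst_ip, dst_port in alerts:
        buckets.setdefault(impact(sid, dst_ip, dst_port), []).append((sid, dst_ip, dst_port))
    return buckets
```

Of the five constructed alerts only one lands in the "vulnerable" bucket; the two aimed at the wrong platform are the noise that point c) in the message says people cannot currently discount because they do not know what is on their network.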