RE: ISS Siteprotector as syslog server?

[<PPowenski () oag com>]

As an ISS user I would like to confirm all that was said in this note.

We are using ISS components.
We purchased the 'firewall' third party module and had NO options after
installation of our choices to pull data in from the firewall. We
received a small set of smart defense alerts from checkpoint
Secureplatform NG R55 and nothing more with no options either.

If you read the salesheet it 'suggest' you can (more options are
available if you use a CISCO PIX), but if you read the technical spec
and the installation manual it is quite a different story at least for
checkpoint.

We were told for syslog events i.e. from snort we could get the
third-party 'adapter' instead of or in addition to the module, but have
not seen it for sale on the website of their products... Do not know if
it is really for sale. An ISS tech rep. advised us on this software
module.

The best thing anyone can do in this market is READ ALL THE DOCUMENTS
and READ IT VERY VERY CAREFULLY. If you can get the box or software
in-house and verify as well....

Cheers
paul







-----Original Message-----
From: Eric Hines [mailto:eric.hines () appliedwatch com] 
Sent: 22 November 2004 20:19
To: 'Rob Shein'; 'Bowes, Ronald (EST)'; focus-ids () securityfocus com
Subject: RE: ISS Siteprotector as syslog server?


Rob is correct. ISS has on numerous occasions got their foot in the door
at previous organizations I worked at on RFP's where we were looking for
a SIM solution. After they got their foot in, they admitted to only
being a SIM for ISS branded products. Its really disgusting how some
vendors out there are abusing that term. Security Information Management
(SIM), Security Event Management (SEM) is defined as aggregating and
correlating information from DIFFERENT vendors and solutions. ISS Site
Protector is simply a tool that ISS created to manage and tie together
all their own products -- which is something I'd expect ANY vendor to be
able to do. Site Protector is similar to Cisco's VMS, which ties
together all their Cisco security products, etc.

So in summary, no, ISS Site Protector does not have the capability to
import in data from other solutions. You will want to look at other
solutions to do this. If this is simply for completing your evaluations,
unfortunately, the only free solution I am aware of is OSSIM -- however,
I've not personally looked at it.

Hope this helps.

Regards,
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
Direct: (877) 262-7593 x327
http://www.appliedwatch.com
"Open Source Security Management"

 

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Sunday, November 21, 2004 4:47 PM
To: 'Bowes, Ronald (EST)'; focus-ids () securityfocus com
Subject: RE: ISS Siteprotector as syslog server?

In my experience with SiteProtector, it doesn't seem to have had any
facility for even managing the data.  It's not a vendor-agnostic,
glue-everything-together kind of SIM; it's designed to provide central
management for multiple ISS products and allow you to correlate data
that comes from them.

> -----Original Message-----
> From: Bowes, Ronald (EST) [mailto:RBowes () gov mb ca]
> Sent: Thursday, November 18, 2004 10:09 AM
> To: 'focus-ids () securityfocus com'
> Subject: ISS Siteprotector as syslog server?
>
>
> We're trying to get several different systems (ips and ids) to work
> together, as we're evaluating ips products made by various vendors.
>
> The ips appliances we're using can export their data to a syslog
> server, and it would be nice if we could import the syslog data into 
> ISS SiteProtector. Has anybody tried to do that before?
>
> Thanks,
> Ron Bowes
>
>
> --------------------------------------------------------------
> ------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
0708
to learn more.
------------------------------------------------------------------------
--




------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--



------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--
NOTICE: This e-mail is intended for the named recipient(s). It may contain privileged and/or confidential information. 
If you are not one of the intended recipients, please notify the sender immediately and destroy this e-mail and 
attachment(s): you must not copy, distribute, retain or take any action in reliance upon the email or attachment(s). 
While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Ltd and its affiliate 
companies cannot guarantee that attachments are virus-free or are compatible with your systems, and does not accept 
liability in respect of viruses or computer problems experienced. Thank you.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------