IDS mailing list archives

RE: Snort

From: "Phil Hollows" <phollows () open com>
Date: Thu, 30 Sep 2004 22:44:39 -0400

Well, in the spirit of keeping Ron up to date, Open's SIM is one that has daily updates of vulnerabilities, exploits 
and IDS, PIS and VA signatures as part of the core offering, ensuring that our customers are always using the latest 
threat information when evaluating the risk of an event, and can take your VA data from multiple systems (open and 
proprietary) and use the very latest data to compute risk, identify threats and take remediative actions appropriately.
 
Phil
OpenService (Open)
www.open.com

        -----Original Message----- 
        From: Ron Gula [mailto:rgula () tenablesecurity com] 
        Sent: Thu 9/30/2004 1:03 PM 
        To: focus-ids () securityfocus com 
        Cc: 
        Subject: Re: Snort
        
        

        At 02:09 PM 9/27/2004 -0700, Jeremy Gonzales wrote:
        >Hi,
        >
        >Does anyone have experience with snort reports? How do
        >you deal with the loads of information? Is there a way
        >to  generate reports that eliminate the false
        >positives? Any help will be appreciated.
        >
        >Thanks,
        >
        >Jeremy.
        
        There are a variety of commercial and open source IDS
        and SIM solutions. Things you should check out include
        (and I am biased, so I list Lightning & NeVO & Nessus
        first) are:
        
        - Lightning Console and NeVO from Tenable Network Security.
           It can manage several dozen Snort sensors and correlate
           Snort IDS events with vulns discovered passively via
           NeVO, through distributed Nessus scanning or through
           Nessus's host-based UNIX and NT checks.
        
        - Sourcefire's RNA and their console can help qualify
           if an IDS event is relevant or not. I've seen people
           use RNA to highlight specific events which may target
           a known vulnerability.
        
        - SIM vendors like Guarded.net can take in IDS events
           from SNORT, and qualify them with other events and
           vulnerability data. My only caveat is that most of
           the SIMs take a one-time snapshot of vulns and don't
           integrate daily vuln data that you can get with RNA
           or NeVO.
        
        - In the open source arena, there are tools like
           Gherkin and I've seen people write scripts to use the
           output of p0f and nmap to remove non vuln snort events.
        
        Ron Gula, CTO
        Tenable Network Security
        
        
        
        
        
        --------------------------------------------------------------------------
        Test Your IDS
        
        Is your IDS deployed correctly?
        Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
        Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
        --------------------------------------------------------------------------

Current thread:

Re: Snort vvaduva (Sep 30)
- <Possible follow-ups>
- Re: Snort Graeme Connell (Sep 30)
- RE: Snort Leon De France (Oct 01)
- Re: Snort Martin Roesch (Oct 01)
  - Re: Snort Alex Butcher, ISC/ISYS (Oct 04)
    - Re: Snort James Riden (Oct 05)
- RE: Snort Eric Hines (Oct 01)
- Re: Snort Raffael Marty (Oct 01)
- RE: Snort Phil Hollows (Oct 01)