IDS mailing list archives

Re: Snort


From: Raffael Marty <rmarty () arcsight com>
Date: Thu, 30 Sep 2004 17:15:58 -0700

(and I am biased, so I list Lightning & NeVO & Nessus
first) are:

Note that I am biased too ...

  from SNORT, and qualify them with other events and
  vulnerability data. My only caveat is that most of
  the SIMs take a one-time snapshot of vulns and don't
  integrate daily vuln data that you can get with RNA
  or NeVO.

Make sure you note the "most of the SIMs"! I can't really talk about
too many of them, but the one I know quite well deals very nicely with
updates of vulnerability scans. As many as you want!

To throw out another thing you want to do with regard to snort alerts
and false positives: Take into account your environment! By environment
I mean things like what assets you have, how critical they are, what
ports are open, ... That's where the SIMs really come in and help a lot.

-raffy
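As an added illustration of the correlation the thread describes (this is not code from the original post or from any SIM product): Snort alerts are matched against an asset inventory, its open ports and the most recent vulnerability scan per host, so that repeated scan uploads simply replace older data. All alerts, assets, scans and vulnerability ids below are constructed placeholders.

```python
# Added example, not from the original post. Constructed data throughout.
from datetime import date

# Constructed asset inventory: criticality 1 (low) .. 3 (high) and open ports.
ASSETS = {
    "10.0.0.5": {"criticality": 3, "open_ports": {22, 80}},
    "10.0.0.9": {"criticality": 1, "open_ports": {22}},  # port 80 closed
}

# Constructed scan snapshots; several scans per host over time.
# "VULN-A" is a placeholder id, not a real vulnerability identifier.
SCANS = [
    {"host": "10.0.0.5", "date": date(2004, 9, 1),  "vulns": {"VULN-A"}},
    {"host": "10.0.0.5", "date": date(2004, 9, 29), "vulns": set()},  # patched
    {"host": "10.0.0.9", "date": date(2004, 9, 29), "vulns": {"VULN-A"}},
]

# Constructed Snort-style alerts; "vuln" is the weakness the signature targets.
ALERTS = [
    {"sid": 1001, "msg": "web exploit attempt", "dst": "10.0.0.5", "dport": 80, "vuln": "VULN-A"},
    {"sid": 1001, "msg": "web exploit attempt", "dst": "10.0.0.9", "dport": 80, "vuln": "VULN-A"},
    {"sid": 2003, "msg": "ssh brute force",     "dst": "10.0.0.5", "dport": 22, "vuln": None},
]

def latest_vulns(host):
    """Current vulnerabilities of a host, taken from its most recent scan only."""
    host_scans = [s for s in SCANS if s["host"] == host]
    if not host_scans:
        return None  # never scanned: unknown, which is not the same as clean
    return max(host_scans, key=lambda s: s["date"])["vulns"]

def qualify(alert):
    """Return (priority, reason); priority 0 marks a likely false positive."""
    asset = ASSETS.get(alert["dst"])
    if asset is None:
        return 1, "unknown asset"
    if alert["dport"] not in asset["open_ports"]:
        return 0, "port closed on target"
    vulns = latest_vulns(alert["dst"])
    if alert["vuln"] is None or vulns is None:
        base = 2  # vuln data cannot decide this one; keep it for review
    elif alert["vuln"] in vulns:
        base = 3  # target is vulnerable according to the latest scan
    else:
        base = 1  # weakness no longer present on the target
    return base * asset["criticality"], f"base {base} x criticality {asset['criticality']}"

def qualify_all(alerts=ALERTS):
    """Prioritised view of all alerts: (sid, dst, priority, reason)."""
    return [(a["sid"], a["dst"], *qualify(a)) for a in alerts]
```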



