Re: Snort

[Ron Gula <rgula () tenablesecurity com>]

At 02:09 PM 9/27/2004 -0700, Jeremy Gonzales wrote:
> Hi,
>
> Does anyone have experience with snort reports? How do
> you deal with the loads of information? Is there a way
> to  generate reports that eliminate the false
> positives? Any help will be appreciated.
>
> Thanks,
>
> Jeremy.

There are a variety of commercial and open source IDS
and SIM solutions. Things you should check out include
(and I am biased, so I list Lightning & NeVO & Nessus
first) are:

- Lightning Console and NeVO from Tenable Network Security.
  It can manage several dozen Snort sensors and correlate
  Snort IDS events with vulns discovered passively via
  NeVO, through distributed Nessus scanning or through
  Nessus's host-based UNIX and NT checks.

- Sourcefire's RNA and their console can help qualify
  if an IDS event is relevant or not. I've seen people
  use RNA to highlight specific events which may target
  a known vulnerability.

- SIM vendors like Guarded.net can take in IDS events
  from SNORT, and qualify them with other events and
  vulnerability data. My only caveat is that most of
  the SIMs take a one-time snapshot of vulns and don't
  integrate daily vuln data that you can get with RNA
  or NeVO.

- In the open source arena, there are tools like
  Gherkin and I've seen people write scripts to use the
  output of p0f and nmap to remove non vuln snort events.

Ron Gula, CTO
Tenable Network Security





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------