IDS mailing list archives
Re: Snort
From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 30 Sep 2004 13:03:25 -0400
At 02:09 PM 9/27/2004 -0700, Jeremy Gonzales wrote:
Hi, Does anyone have experience with snort reports? How do you deal with the loads of information? Is there a way to generate reports that eliminate the false positives? Any help will be appreciated. Thanks, Jeremy.
There are a variety of commercial and open source IDS and SIM solutions. Things you should check out include (and I am biased, so I list Lightning & NeVO & Nessus first) are: - Lightning Console and NeVO from Tenable Network Security. It can manage several dozen Snort sensors and correlate Snort IDS events with vulns discovered passively via NeVO, through distributed Nessus scanning or through Nessus's host-based UNIX and NT checks. - Sourcefire's RNA and their console can help qualify if an IDS event is relevant or not. I've seen people use RNA to highlight specific events which may target a known vulnerability. - SIM vendors like Guarded.net can take in IDS events from SNORT, and qualify them with other events and vulnerability data. My only caveat is that most of the SIMs take a one-time snapshot of vulns and don't integrate daily vuln data that you can get with RNA or NeVO. - In the open source arena, there are tools like Gherkin and I've seen people write scripts to use the output of p0f and nmap to remove non vuln snort events. Ron Gula, CTO Tenable Network Security -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------