RE: IDS event filtering (NeVO comments)

[Ron Gula <rgula () tenablesecurity com>]

At 08:03 PM 12/31/2004, Evans, Arian wrote:

(nice stuff deleted)

> 3. Correlation of known-platforms vs. signature variables.
> Sourcefire does this in a backend database now. RNA can let
> you know that the server being attacked by Code Red is Apache
> so you can filter out that noise. RNA is fairly accurate in
> detection. Nevo does something like this but I haven't looked
> at in over a year so not sure if any backend IDS correlation.

NeVO does two things for you.

First, it finds out your vulnerabilities passively so that
the Lightning Console can do correlation between those vulns
and events from Snort, ISS, Dragon, .etc.

Second, NeVO looks for likely compromises in the applications
it detects. It's not a signature or anomaly system. Think of
doing the sort of IDS/VA correlation that SIMs do, right in
the actual sensor. Customers of ours that run NeVO and one or
more NIDS receive 1000s of times more alerts than what they
get with NeVO.

Ron Gula, CTO
Tenable Network Security



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------