IDS mailing list archives
Re: on NIDS/NIPS tuning
From: Raffael Marty <rmarty () arcsight com>
Date: Tue, 14 Jun 2005 14:24:14 -0700
David,

[Disclaimer: I work for a SIM vendor]

I think today's SIMs should address your needs:
> I am curious to know what SIM product can handle un-tuned IDS alerts in addition to firewall logs, server logs, and application logs.

If they provide an agent to parse those logs, this should not be a problem. I can only speak for my company, where we have agents for all these types of sources and more (e.g., AV).

> How accurate is the list of message IDs and the message parsing?

As accurate as you want it. I consider it a bug if the fields you want parsed do not show up in our normalized event.

> I doubt that there is a SIM vendor that has a correlation engine that can handle a fraction of the traffic in an average data-center or enterprise network.

Well, it depends on what kind of event load you have. I could start playing the numbers game here, but let me refrain from that. I can give you a better answer: if you find that one manager (that's what we call our server or collector or whatever) is not enough, you can deploy a multi-tier setup and roll up events where needed.

> Can they provide packaged reporting and alert management?

Definitely.

> Flat-file or relational database?

I am assuming you are talking about data storage. You probably won't find a SIM that uses flat files to store the data. You are just missing too many features and don't get the performance you need to query.

> Don't forget about your SOC operators who have to manage the message queue and respond to all of the alerts.

Event annotation, workflow, all there.

> You can not just push traffic to a SIM and have it magically (and accurately) generate some golden nugget message.

You can have it take action. And I know all the SIMs support this.

> What are you using to gather vulnerability assessment information

You import scanner information. There are adapters for vulnerability scanners (Foundstone, Qualys, Nessus, you name it).

> and how is the SIM correlating against that information?

This is where I can't make a statement about the other SIMs. I know that we cross-correlate the incoming events with the vulnerability they target and take that into account to come up with the final priority of the event.

> Valid alerts need to be measured against the vulnerability of the device/application (patch levels, hardening, etc).
That's done in the priority calculation mentioned in the last section.

Hope this helps...

-raffy

--
Raffael Marty, GCIA, CISSP raffael.marty () arcsight com
Senior Security Engineer Content Team @ ArcSight Inc.
5 Results Way Cupertino, CA 95014 (408) 864-2662
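An added example, not ArcSight's code and not part of the thread, of the two mechanisms the reply describes: an agent that maps different raw log formats onto one normalized event schema, and a priority calculation that cross-correlates an IDS alert with imported vulnerability-scan data for the host it targets. The Snort and iptables log lines, the asset/scan table, the signature-to-vulnerability mapping, the `Event` schema and all scoring weights are constructed for illustration and are assumptions of this example, not any vendor's model.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    """Normalized event: the common schema every source gets mapped into (constructed)."""
    source: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]
    proto: Optional[str]
    signature: Optional[str] = None    # IDS signature name, when the source is an IDS
    ids_priority: Optional[int] = None  # Snort-style priority: 1 (high) .. 3 (low)


# Parsers for two source formats: Snort "fast" alerts and iptables kernel log lines.
SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<sig>.+?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
IPTABLES_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<sport>\d+) DPT=(?P<dport>\d+))?")


def parse_event(line: str) -> Optional[Event]:
    """Map a raw log line into the normalized schema; None if no parser matches."""
    m = SNORT_RE.search(line)
    if m:
        return Event("snort", m["src"], m["dst"], int(m["dport"]), m["proto"],
                     signature=m["sig"], ids_priority=int(m["prio"]))
    m = IPTABLES_RE.search(line)
    if m:
        dport = int(m["dport"]) if m["dport"] else None
        return Event("iptables", m["src"], m["dst"], dport, m["proto"])
    return None  # parser gap: the kind of miss the reply calls "a bug" in the agent


# Constructed vulnerability-scan import, keyed by host. open_ports and vulns are
# what a scanner adapter would import; criticality is an asset-model weight (1.0 = normal).
ASSETS = {
    "192.168.1.20": {"open_ports": {80, 443}, "vulns": {"iis-cmdexe-traversal"}, "criticality": 1.0},
    "192.168.1.30": {"open_ports": {80}, "vulns": set(), "criticality": 1.0},
    "192.168.1.40": {"open_ports": {22}, "vulns": set(), "criticality": 1.5},
}
# Constructed mapping from an IDS signature to the vulnerability tag(s) it detects
# attacks against; a SIM would carry this as signature metadata.
SIGNATURE_TARGETS = {"WEB-IIS cmd.exe access": {"iis-cmdexe-traversal"}}


def prioritize(ev: Event, assets=ASSETS, sig_targets=SIGNATURE_TARGETS) -> float:
    """Final priority on a 0-10 scale: IDS severity scaled by what the last scan
    says about the targeted host. Weights are illustrative assumptions."""
    if ev.ids_priority is None:
        return 0.0  # firewall/server logs carry no attack severity on their own
    base = {1: 8.0, 2: 5.0, 3: 2.0}.get(ev.ids_priority, 2.0)
    asset = assets.get(ev.dst_ip)
    if asset is None:
        return base  # never scanned: nothing to correlate against, keep raw severity
    if ev.dst_port is not None and ev.dst_port not in asset["open_ports"]:
        relevance = 0.25  # service was not listening at last scan: probably noise
    elif sig_targets.get(ev.signature, set()) & asset["vulns"]:
        relevance = 1.25  # host is confirmed vulnerable to what the signature detects
    else:
        relevance = 1.0   # service present, no matching finding: plain severity
    return round(min(base * relevance * asset["criticality"], 10.0), 2)


# Constructed sample input: one Snort alert and the firewall log line for the same flow.
SAMPLE_LINES = [
    "06/14-14:24:14.123456  [**] [1:1002:7] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "10.0.0.5:44312 -> 192.168.1.20:80",
    "Jun 14 14:24:15 fw1 kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 "
    "LEN=60 TTL=64 DF PROTO=TCP SPT=44312 DPT=80 WINDOW=5840 SYN",
]


def triage(lines):
    """Parse and prioritize a batch; unparsed lines come back as (None, None, None)."""
    out = []
    for line in lines:
        ev = parse_event(line)
        out.append((ev.source, ev.dst_ip, prioritize(ev)) if ev else (None, None, None))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

The same alert lands at 10.0 against the host the scan shows as vulnerable, at 8.0 against a host that runs the service but has no matching finding, and at 3.0 against a host where the port was closed (even with a higher criticality weight), which is the "measured against the vulnerability of the device" step David asked about. Unparsed lines are surfaced rather than silently dropped so that parser gaps are visible.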
Current thread:
- Re: on NIDS/NIPS tuning, (continued)
- Re: on NIDS/NIPS tuning Drew Simonis (Jun 10)
- RE: on NIDS/NIPS tuning Gary Halleen (Jun 10)
- Re: on NIDS/NIPS tuning Adam Powers (Jun 12)
- RE: on NIDS/NIPS tuning Gary Halleen (Jun 10)
- RE: on NIDS/NIPS tuning M. Shirk (Jun 10)
- RE: on NIDS/NIPS tuning Phil Hollows (Jun 10)
- Re: on NIDS/NIPS tuning Brent Stackhouse (Jun 12)
- RE: on NIDS/NIPS tuning Hazel, Scott A. (Jun 12)
- RE: on NIDS/NIPS tuning Anton A. Chuvakin (Jun 14)
- RE: on NIDS/NIPS tuning Kohlenberg, Toby (Jun 14)
- RE: on NIDS/NIPS tuning David Kee (Jun 14)
- Re: on NIDS/NIPS tuning Raffael Marty (Jun 15)
- RE: on NIDS/NIPS tuning Anton A. Chuvakin (Jun 16)
- RE: on NIDS/NIPS tuning Kohlenberg, Toby (Jun 16)
- RE: on NIDS/NIPS tuning Gary Halleen (ghalleen) (Jun 16)