IDS mailing list archives
RE: Tuning false positives
From: mhellman () taxandfinance com
Date: Tue, 3 Jan 2006 23:49:23 -0600 (CST)
I could see where a SIM product, in particular CSMARS but any that supports event correlation, could certainly give the impression of reducing false positives. If you configure a CSMARS with default rules to collect events from an unconfigured, noisy Cisco IDS sensor...and only pay attention to what the CSMARS considers an "incident", you'll only see a subset of the actual events that fired on the sensor. I'm sure that makes some people happy;-) It doesn't help that CSMARS fails to parse numerous Cisco IDS events entirely (well-deserved stab at Cisco for making me open SEPARATE TICKETS for each signature the CSMARS fails to parse). Bottom line is that both your IDS and your SIM need considerable configuration to be useful.

This is as good a place as any to mention that getting your host logs into the SIM is infinitely more valuable than those mostly bogus IDS events.

On the subject of SIMs and vulnerability analysis scans...has anyone actually found this feature to be useful?

1) I can't even imagine letting my SIM scan the network in such an ad hoc manner. It doesn't help that none of the vendors seem to bother with providing much in the way of documentation of the process. I'm in a wacky world where an outage is almost never trivial;-) I've used Nessus enough to know that it WILL eventually cause an outage.

2) I don't see how it would be helpful. The CSMARS is updated like once every 2 months. I would personally prefer something a little "lighter"...like an nmap OS ident or similar.

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder () Opus1 COM]
Sent: Thursday, December 29, 2005 10:03 AM
To: focus-ids () securityfocus com
Subject: Re: Tuning false positives

Gary Halleen (ghalleen) <ghalleen () cisco com> wrote:
Before I catch too many flames, let me clarify that I recommend a good
SIM product, of which MARS is one.

Hmmm, speaking of flames... not sure that I would necessarily agree that MARS is even a SIM product at all, depending on your definition of SIM, but in any case rather than flame in public, I'll pitch out:

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss506_art1043,00.html

which is a test I did of five SIMs late last year.
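The point made above, that an "incident" view plus silent parser failures hides most of what the sensor actually fired, can be measured. The following is an added example, not code from the thread or from any of the products named in it; the log format, the signature IDs, the correlation rule (THRESHOLD events from one source within WINDOW) and the set of "known" signatures are all constructed for illustration.

```python
# Added example (not from the thread): models how a SIM's "incident" view and
# parser failures hide raw sensor events. Log format, rule and signature IDs
# are constructed for illustration, not Cisco IDS or CS-MARS formats.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor lines; the last carries a signature the "SIM parser" lacks.
SENSOR_LOG = """\
2006-01-03T23:40:01 sig=3041 src=10.0.0.5 dst=10.0.1.8
2006-01-03T23:40:05 sig=3041 src=10.0.0.5 dst=10.0.1.9
2006-01-03T23:40:09 sig=3041 src=10.0.0.5 dst=10.0.1.10
2006-01-03T23:41:00 sig=5081 src=10.0.0.7 dst=10.0.1.8
2006-01-03T23:45:30 sig=2100 src=10.0.0.9 dst=10.0.1.8
2006-01-03T23:46:00 sig=9999 src=10.0.0.5 dst=10.0.1.8
"""
KNOWN_SIGS = {3041, 5081, 2100}               # signatures the SIM can parse (constructed)
THRESHOLD, WINDOW = 3, timedelta(seconds=60)  # correlation rule (constructed)

def parse(line):
    """Return (time, sig, src), or None when the SIM cannot parse the event."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    sig = int(fields["sig"])
    if sig not in KNOWN_SIGS:
        return None  # dropped silently, which is the complaint in the thread
    return datetime.fromisoformat(ts), sig, fields["src"]

def correlate(events):
    """One incident per (sig, src) with THRESHOLD events inside WINDOW."""
    groups = defaultdict(list)
    for t, sig, src in events:
        groups[(sig, src)].append(t)
    incidents, covered = [], 0
    for key, times in groups.items():
        times.sort()
        for i in range(len(times) - THRESHOLD + 1):
            if times[i + THRESHOLD - 1] - times[i] <= WINDOW:
                incidents.append(key)
                covered += len(times)  # every event of the group is now "visible"
                break
    return incidents, covered

def coverage_report(log):
    """What the analyst sees in the incident view versus what the sensor fired."""
    lines = log.strip().splitlines()
    parsed = [e for e in map(parse, lines) if e is not None]
    incidents, covered = correlate(parsed)
    return {"raw": len(lines), "unparsed": len(lines) - len(parsed),
            "incidents": len(incidents), "events_behind_incidents": covered,
            "invisible_in_incident_view": len(lines) - covered}
```

On the constructed log, six sensor events become one incident that accounts for three of them; the other three (including the unparsed one) never reach the incident view, which is the gap worth tracking as its own metric rather than calling a false-positive reduction.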