IDS mailing list archives

Re: RE: RE: Tuning false positives - SIM is not the answer


From: brent () solissecurity com
Date: 4 Jan 2006 21:47:03 -0000

Gary,

A couple of points on Cisco CS-MARS 100 that I know from personal experience with it over the last year:

1.  It can process a boatload of data from a lot of devices - very cool.
2.  Reporting needs more flexibility and more speed.  On the flexibility front, if I want to simply grab a device's raw 
output for the last 24 hours and that output is of a significant size (more than a thousand rows), I have to resort to 
dumping raw logs because queries have pre-defined limits and the reporting engine automatically performs summarization, 
which I often don't want.  Both MARS documentation and Cisco TAC confirm this as intentional behavior.  Thus, I can't 
generate non-summarized data on a scheduled basis.

On the speed front, it's not super-quick for grabbing anything of decent size, whether querying or reporting.  There 
aren't a lot of suggestions in the doc for tuning/maintenance (yes, even in the 4.x doc) or indications via the CLI for 
disk space usage, in case the disk is (getting) full.

3.  The MARS OS is a Linux distro but users can't get to the actual OS.  This wouldn't normally be a problem but there 
was a bad MARS build that was published recently, yanked within a day or so, and then required a TAC engineer to 
remotely log in to the MARS box to fix it.  This is contrary to every other Cisco device, including Linux-based 42xx 
IDS/IPS, that I've worked with.

Aside from the issues noted above, I think SIMS are great tools for bringing many devices' data together for easier 
analysis and can really help the typically-understaffed security personnel in the right environment.

Brent Stackhouse
VP of Security
Solis Security, Inc.
Austin, Texas
www.solissecurity.com
