IDS mailing list archives
Re: RE: RE: Tuning false positives - SIM is not the answer
From: brent () solissecurity com
Date: 4 Jan 2006 21:47:03 -0000
Gary,

A couple of points on Cisco CS-MARS 100 that I know from personal experience with it over the last year:

1. It can process a boatload of data from a lot of devices - very cool.

2. Reporting needs more flexibility and more speed. On the flexibility front, if I want to simply grab a device's raw output for the last 24 hours and that output is of a significant size (more than a thousand rows), I have to resort to dumping raw logs because queries have pre-defined limits and the reporting engine automatically performs summarization, which I often don't want. Both MARS documentation and Cisco TAC confirm this as intentional behavior. Thus, I can't generate non-summarized data on a scheduled basis. On the speed front, it's not super-quick for grabbing anything of decent size, whether querying or reporting. There aren't a lot of suggestions in the doc for tuning/maintenance (yes, even in the 4.x doc) or indications via the CLI for disk space usage, in case the disk is (getting) full.

3. The MARS OS is a Linux distro but users can't get to the actual OS. This wouldn't normally be a problem but there was a bad MARS build that was published recently, yanked within a day or so, and then required a TAC engineer to remotely log in to the MARS box to fix it. This is contrary to every other Cisco device, including Linux-based 42xx IDS/IPS, that I've worked with.

Aside from the issues noted above, I think SIMs are great tools for bringing many devices' data together for easier analysis and can really help the typically-understaffed security personnel in the right environment.

Brent Stackhouse
VP of Security
Solis Security, Inc.
Austin, Texas
www.solissecurity.com
Current thread:
- RE: RE: Tuning false positives - SIM is not the answer Gary Halleen (ghalleen) (Jan 02)
- Re: Tuning false positives - SIM is not the answer Stefano Zanero (Jan 05)
- <Possible follow-ups>
- RE: RE: Tuning false positives - SIM is not the answer Andrew Plato (Jan 02)
- Re: RE: RE: Tuning false positives - SIM is not the answer rassel_k (Jan 05)
- Re: RE: RE: Tuning false positives - SIM is not the answer brent (Jan 05)
- Re: Tuning false positives - SIM is not the answer Jason (Jan 11)
- Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 12)
- Re: Tuning false positives - SIM is not the answer Jason (Jan 11)
- Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 10)
- Re: Tuning false positives - SIM is not the answer Jason (Jan 11)
- Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 11)
- RE: Tuning false positives - SIM is not the answer Bruce Young (Jan 15)