IDS mailing list archives

Re: Tuning false positives


From: Raffael Marty <rmarty () arcsight com>
Date: Thu, 5 Jan 2006 12:56:31 -0800

> On the subject of SIMs and vulnerability analysis scans...has anyone
> actually found this feature to be useful?
> 1) I can't even imagine letting my SIM scan the network in such an ad hoc
> manner.  It doesn't help that none of the vendors seem to bother with
> providing much in the way of documentation of the process.  I'm in a wacky
> world where an outage is almost never trivial;-) I've used Nessus enough
> to know that it WILL eventually cause an outage.

I think you misunderstand what a SIM does with respect to vulnerability
scans. SIMs import scans from vulnerability scanners that you have
deployed, for example from Nessus. I think I remember that there is one
product (not even sure if it is a SIM) that does ad-hoc scans for events
it gets. That's just not a good idea, introduces a lot of latency (so
doesn't scale) and has the problems you outline. Again, in general, SIMs
import vuln-scans, they don't scan themselves.

        -raffy

-- 

Raffael Marty, GCIA, CISSP                    raffael.marty () arcsight com
Senior Security Engineer                 Strategic Application Solutions
ArcSight, Inc.                                         +1 (408) 864 2662
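An added illustration of the import-and-correlate model described in the reply (example code, not from the poster or any SIM product): a SIM ingests a scanner's export and uses it to rate IDS alerts, which is where the false-positive tuning in this thread's subject comes from. The scan document is a constructed sample in the shape of a Nessus v2 .nessus export with made-up hosts and plugin IDs, and the alert-to-plugin mapping is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Nessus v2 (.nessus) export.
# Hosts, plugin IDs and plugin names are made up for this example.
SCAN_XML = """<NessusClientData_v2><Report name="demo">
<ReportHost name="10.0.0.5">
 <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
             pluginID="11111" pluginName="Example web server flaw"/>
</ReportHost>
<ReportHost name="10.0.0.6">
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
             pluginID="22222" pluginName="SSH banner (informational)"/>
</ReportHost>
</Report></NessusClientData_v2>"""

# Constructed IDS alerts. 'plugin' is the scanner plugin the signature's
# vulnerability maps to (the mapping table itself is assumed to exist).
ALERTS = [
    {"dst": "10.0.0.5", "dport": 80, "proto": "tcp", "plugin": "11111"},
    {"dst": "10.0.0.6", "dport": 80, "proto": "tcp", "plugin": "11111"},
    {"dst": "10.0.0.9", "dport": 80, "proto": "tcp", "plugin": "11111"},
]


def import_scan(xml_text):
    """Import a scan: {host: {(port, proto): {pluginIDs with severity > 0}}}.

    Every scanned host gets an entry even with no findings, so the SIM can
    tell 'scanned and clean' apart from 'never scanned'.
    """
    vulns = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        findings = vulns.setdefault(host.get("name"), {})
        for item in host.iter("ReportItem"):
            if int(item.get("severity", "0")) > 0:  # skip informational
                key = (int(item.get("port")), item.get("protocol"))
                findings.setdefault(key, set()).add(item.get("pluginID"))
    return vulns


def prioritize(alerts, vulns):
    """Rate each alert against the imported scan; returns [(alert, level)]."""
    rated = []
    for a in alerts:
        if a["dst"] not in vulns:
            level = "unknown"   # never scanned: nothing to tune down with
        elif a["plugin"] in vulns[a["dst"]].get((a["dport"], a["proto"]), set()):
            level = "high"      # target confirmed vulnerable to this
        else:
            level = "low"       # scanned, finding absent: likely false positive
        rated.append((a, level))
    return rated
```

Alerts against hosts the scanner has never seen are left at "unknown" rather than "low", since the absence of a finding only means something for hosts that were actually scanned.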
