IDS mailing list archives
Re: Tuning false positives
From: Raffael Marty <rmarty () arcsight com>
Date: Thu, 5 Jan 2006 12:56:31 -0800
> On the subject of SIMs and vulnerability analysis scans... has anyone actually found this feature to be useful?
> 1) I can't even imagine letting my SIM scan the network in such an ad hoc manner. It doesn't help that none of the vendors seem to bother with providing much in the way of documentation of the process. I'm in a wacky world where an outage is almost never trivial ;-) I've used Nessus enough to know that it WILL eventually cause an outage.
I think you misunderstand what a SIM does with respect to vulnerability scans. SIMs import scans from vulnerability scanners that you have deployed, for example from Nessus. I think I remember that there is one product (not even sure if it is a SIM) that does ad-hoc scans for events it gets. That's just not a good idea: it introduces a lot of latency (so it doesn't scale) and has the problems you outline.

Again, in general, SIMs import vuln-scans; they don't scan themselves.

-raffy

--
Raffael Marty, GCIA, CISSP raffael.marty () arcsight com
Senior Security Engineer Strategic Application Solutions
ArcSight, Inc. +1 (408) 864 2662
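As an added illustration of the import-then-correlate model Raffael describes (this is example code written for this archive page, not code from the thread or from any SIM product), the script below loads a constructed, simplified scan export and uses it to rank IDS alerts by whether the target was actually found vulnerable. The CSV layout, host addresses, finding identifiers and alert records are all constructed for the example and do not reflect any real scanner's file format.

```python
# Added example: correlate IDS alerts against an imported vulnerability scan.
# The SIM never scans; it consumes a finished export from a deployed scanner.
import csv
import io

# Constructed scan export (simplified CSV, not a real scanner format):
# host, port, protocol, finding identifier reported on that service.
SCAN_EXPORT = """\
host,port,proto,finding
10.0.0.5,80,tcp,FINDING-A
10.0.0.5,22,tcp,FINDING-B
10.0.0.9,443,tcp,FINDING-C
"""

# Constructed IDS alerts; 'ref' is the finding the signature claims to detect.
IDS_ALERTS = [
    {"dst": "10.0.0.5", "dport": 80, "ref": "FINDING-A", "sig": "web exploit A"},
    {"dst": "10.0.0.5", "dport": 80, "ref": "FINDING-C", "sig": "web exploit B"},
    {"dst": "10.0.0.7", "dport": 25, "ref": "FINDING-B", "sig": "smtp exploit C"},
]


def import_scan(export_text):
    """Load a scan export into {(host, port): set(finding ids)}."""
    vulns = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["host"], int(row["port"]))
        vulns.setdefault(key, set()).add(row["finding"])
    return vulns


def prioritize(alerts, vulns):
    """Tag each alert 'high' (target has the finding the signature fires on),
    'low' (target was scanned and lacks it: likely false positive), or
    'unknown' (target never appeared in the scan, so no evidence either way)."""
    scanned_hosts = {host for host, _ in vulns}
    tagged = []
    for a in alerts:
        findings = vulns.get((a["dst"], a["dport"]), set())
        if a["ref"] in findings:
            prio = "high"
        elif a["dst"] in scanned_hosts:
            prio = "low"
        else:
            prio = "unknown"
        tagged.append((a["sig"], prio))
    return tagged


if __name__ == "__main__":
    for sig, prio in prioritize(IDS_ALERTS, import_scan(SCAN_EXPORT)):
        print(f"{prio:7s} {sig}")
```

Alerts tagged 'low' are candidates for tuning down rather than deleting, since the scan is only as current as its last import.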