Re: Snort with an expert system

[mhellman () taxandfinance com]

> > > Not for nothing but #2 is exactly what Sourcefire's been doing since
> > > 2004.  Sorry for the commercial but I think I've been pretty outspoken
> > > on this topic since 2000 or so...
>
> > Well, I guess I have to pipe in also, then.  Cisco is doing the same.
> > Read
> > my book "Security Monitoring with CS-MARS" for more info.
>
> Sorry Marty, sorry Gary, I love both products, but they are not even
> close to realizing what Greg asked for :)
>
> Of course, they do reduce "false positives/noncontextual
> alerts/whatevers", and so they are to be commended, but knowing "if the
> attack has been successful" is actually way beyond anybody's capability,
> short of a crystal sphere

agree 100%.  my impression of these tools is that they mostly reduce the
low-hanging "false positives", hopefully allowing the analyst to focus on
the stuff that can't be pruned by the "expert system". the cross device
correlation can provide nice supporting data (or totally irrelevant in
some cases) but there is usually one event that *might* be
significant...the potential, but probably not, "smoking gun" as it were;-)

Attacks are moving up the stack. They're also targeting clients more. 
Both trends introduce a ton of challenges for getting relevant context. I
can't help but wonder if/how these tools will be able to get the context
they need to keep up with relevant threats.


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194