Focus on IDS
Re: Snort with an expert system Jun 25 2009 01:46PM
Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system Jun 25 2009 02:04PM
Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system Jun 25 2009 06:08PM
Joel Esler (eslerj gmail com) (1 replies)
Re: Snort with an expert system Jun 25 2009 06:55PM
Greg Shipley (gshipley neohapsis com) (3 replies)
Re: Snort with an expert system Jun 26 2009 12:26AM
Gary Halleen (ghalleen cisco com)
You're not being a jerk, Greg.

To the security or network operations people, all noise is a false positive.
They want the noise to go away. Marty's discussions on target-based IDS are
dead on.

This is an area where IDS/IPS products are evolving, and so are the
monitoring consoles.

You reduce the noise by:
1. Gain information about the target. Is it potentially vulnerable to an
attack based on its operating system and software installed on it? How
valuable is the asset?

2. Gain information about the attacker. Does it have a reputation of
attacking other systems, hosting malware, etc?

3. Correlate information on the monitoring console. Did an attack actually
reach the destination? Did it cause any damage? Did other devices between
the attacker and victim also see the attack? Did anything stop it?

Gary

On 6/25/09 11:55 AM, "Greg Shipley" <gshipley (at) neohapsis (dot) com [email concealed]> wrote:

>
> I respect the spirited and intelligent conversation here, but at the
> risk of sounding like a) an old guy that's been following this stuff
> for too long and b) a complete jerk:
>
> 1. IDS vendor / IDS software engineer / uber-geek view: "it's not
> technically a false-positive because if signature/ rule /
> pattern-match/ neugent/ whatever fired on x and it was programmed
> to identify q but you have to factor in y, and z, and..."
>
> <bang head here -----> X
>
> 2. Infosec operational person trying to do his job: "Was I attacked
> and was the attack successful? Yes or NO will suffice, thank you."
>
> I submit that for the vast majority of consumers of IDS technology we
> really only give a crap about #2. So if the device can give us a
> reasonably accurate answers to #2 we are happy. And if it can't we
> are unhappy.
>
> I think the fact we've been discussing these topics for close to
> twenty years now suggests that we aren't happy, but maybe I'm too old
> and being a jerk. :)
>
> My .01,
>
> -Greg

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]
Re: Snort with an expert system Jun 25 2009 09:12PM
Richard Bejtlich (taosecurity gmail com) (1 replies)
Re: Snort with an expert system Jun 26 2009 02:17PM
Martin Roesch (roesch sourcefire com)
Re: Snort with an expert system Jun 25 2009 08:29PM
Martin Roesch (roesch sourcefire com) (1 replies)
Re: Snort with an expert system Jun 26 2009 12:28AM
Gary Halleen (ghalleen cisco com) (1 replies)
Re: Snort with an expert system Jun 26 2009 08:14PM
Stefano Zanero (s zanero securenetwork it) (2 replies)
Re: Snort with an expert system Jun 29 2009 01:46AM
Martin Roesch (roesch sourcefire com) (1 replies)
Re: Snort with an expert system Jun 30 2009 01:23PM
Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system Jun 30 2009 01:30PM
Stefano Zanero (s zanero securenetwork it)
Re: Snort with an expert system Jun 26 2009 10:00PM
mhellman taxandfinance com


 

Privacy Statement
Copyright 2010, SecurityFocus