Focus on IDS
Re: Snort with an expert system Jun 25 2009 01:46PM
Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system Jun 25 2009 02:04PM
Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system Jun 25 2009 06:08PM
Joel Esler (eslerj gmail com) (1 replies)
Re: Snort with an expert system Jun 25 2009 06:55PM
Greg Shipley (gshipley neohapsis com) (3 replies)
Re: Snort with an expert system Jun 26 2009 12:26AM
Gary Halleen (ghalleen cisco com)
Re: Snort with an expert system Jun 25 2009 09:12PM
Richard Bejtlich (taosecurity gmail com) (1 replies)
Re: Snort with an expert system Jun 26 2009 02:17PM
Martin Roesch (roesch sourcefire com)
Re: Snort with an expert system Jun 25 2009 08:29PM
Martin Roesch (roesch sourcefire com) (1 replies)
Re: Snort with an expert system Jun 26 2009 12:28AM
Gary Halleen (ghalleen cisco com) (1 replies)
Re: Snort with an expert system Jun 26 2009 08:14PM
Stefano Zanero (s zanero securenetwork it) (2 replies)
Re: Snort with an expert system Jun 29 2009 01:46AM
Martin Roesch (roesch sourcefire com) (1 replies)
On Fri, Jun 26, 2009 at 4:14 PM, Stefano Zanero <s.zanero (at) securenetwork (dot) it [email concealed]> wrote:
>>> Not for nothing but #2 is exactly what Sourcefire's been doing since
>>> 2004.  Sorry for the commercial but I think I've been pretty outspoken
>>> on this topic since 2000 or so...
>
>> Well, I guess I have to pipe in also, then.  Cisco is doing the same.  Read
>> my book "Security Monitoring with CS-MARS" for more info.
>
> Sorry Marty, sorry Gary, I love both products, but they are not even
> close to realizing what Greg asked for :)

They may not even be close to being able to detect if an attack was
actually successful but they're tremendously better than the status
quo. It's pretty easy to look at the Verizon data and see that:

a) People can't tune their sensors.

b) People can't do even basic analysis of the event loads that result.

c) People don't know what's on their networks, how it's configured,
or how it's changing, which makes a) virtually impossible.

Automated tuning reduces the data loads up front and also makes the
sensors harder to evade when done properly. Back-end impact analysis
tremendously improves the signal-to-noise ratio, which in turn makes
the event loads something that humans can deal with.

> Of course, they do reduce "false positives/noncontextual
> alerts/whatevers", and so they are to be commended, but knowing "if the
> attack has been successful" is actually way beyond anybody's capability,
> short of a crystal sphere :)

Exactly, but then again perfect is the enemy of good enough. I prefer
to give people solutions that make their quality of life better today
than do nothing because it's not perfect.

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

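The two mechanisms Marty describes above, back-end impact analysis (joining each alert against what is actually on the network) and automated tuning (using that join to silence alerts that cannot matter), worked through as an added example. This is illustration code written for this page, not Sourcefire's or the Snort project's implementation. The alert lines are constructed in the shape of Snort's alert_fast output, the asset inventory is made up, and the per-SID targeting table (`RULE_META`) is a hypothetical stand-in for the service/OS hints a real ruleset carries in its metadata. The impact levels are a simple four-level scheme chosen for the example, not any product's exact semantics.

```python
import re
from collections import Counter

# Constructed sample alerts (not real traffic), laid out like Snort's
# alert_fast output so the parser below has something realistic to chew on.
ALERTS = """\
06/26-14:02:11.123456  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 10.0.0.5:80
06/26-14:02:12.223456  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51235 -> 10.0.0.6:80
06/26-14:03:40.000001  [**] [1:2009:4] SSH brute force login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 198.51.100.9:40000 -> 10.0.0.5:22
06/26-14:03:41.000002  [**] [1:2009:4] SSH brute force login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 198.51.100.9:40001 -> 10.0.0.6:22
06/26-14:05:02.500000  [**] [1:3100:2] SMB remote code execution attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:40100 -> 10.0.0.7:445
06/26-14:05:03.500000  [**] [1:3100:2] SMB remote code execution attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:40101 -> 10.0.0.99:445
"""

# Constructed asset inventory: what is really on the monitored segment.
# In practice this comes from passive fingerprinting, a scanner or a CMDB.
INVENTORY = {
    "10.0.0.5": {"os": "linux", "services": {22: "openssh", 80: "apache"}},
    "10.0.0.6": {"os": "windows", "services": {80: "iis", 3389: "rdp"}},
    "10.0.0.7": {"os": "windows", "services": {139: "netbios", 445: "smb"}},
}

# Hypothetical per-rule targeting data keyed by SID (assumption: real rulesets
# carry similar hints in rule metadata; these values are made up).
RULE_META = {
    1002: {"os": {"windows"}, "service": "iis"},
    2009: {"os": {"linux", "windows"}, "service": "openssh"},
    3100: {"os": {"windows"}, "service": "smb"},
}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def assess(alert, inventory, rule_meta):
    """Return (impact, reason) for one alert.  Lower impact = more likely real:
    1 target runs the attacked service on a targeted OS
    2 port is open but service or OS differ from what the rule targets
    3 port is not open on the target at all
    4 target is not in the inventory, so nothing can be said (point c above)."""
    host = inventory.get(alert["dst"])
    if host is None:
        return 4, "target not in inventory"
    service = host["services"].get(alert["dport"])
    if service is None:
        return 3, "port %d not open on target" % alert["dport"]
    meta = rule_meta.get(alert["sid"])
    if meta is None:
        return 2, "no targeting data for sid %d" % alert["sid"]
    if host["os"] in meta["os"] and service == meta["service"]:
        return 1, "target runs %s on %s" % (service, host["os"])
    return 2, "port open but target runs %s on %s" % (service, host["os"])


def analyze(text, inventory, rule_meta):
    """Impact analysis: annotate every parsed alert with its impact and reason."""
    results = []
    for a in parse_alerts(text):
        impact, reason = assess(a, inventory, rule_meta)
        results.append(dict(a, impact=impact, reason=reason))
    return results


def suppress_lines(results):
    """Automated tuning step: emit Snort threshold.conf 'suppress' entries for
    impact-3 alerts, i.e. signatures firing at a port the inventory says is
    closed on that host.  Impact-2 alerts are deliberately left alone: a
    service fingerprint can be stale, so a human should confirm first."""
    seen, lines = set(), []
    for r in results:
        if r["impact"] != 3:
            continue
        key = (r["gid"], r["sid"], r["dst"])
        if key not in seen:
            seen.add(key)
            lines.append("suppress gen_id %d, sig_id %d, track by_dst, ip %s" % key)
    return lines


def impact_counts(results):
    """How the event load breaks down once impact is known."""
    return Counter(r["impact"] for r in results)


if __name__ == "__main__":
    res = analyze(ALERTS, INVENTORY, RULE_META)
    for r in res:
        print("impact %d  sid %-5d -> %s:%-4d  %s" % (
            r["impact"], r["sid"], r["dst"], r["dport"], r["reason"]))
    print(dict(impact_counts(res)))
    print("\n".join(suppress_lines(res)))
```

Run as-is, the six constructed alerts collapse to three impact-1 events worth an analyst's time, one impact-2 event to verify against the inventory, one impact-3 event that becomes a suppress entry, and one impact-4 event that cannot be judged at all because the host is unknown, which is exactly the situation Marty's point c) describes.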

Re: Snort with an expert system Jun 30 2009 01:23PM
Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system Jun 30 2009 01:30PM
Stefano Zanero (s zanero securenetwork it)
Re: Snort with an expert system Jun 26 2009 10:00PM
mhellman taxandfinance com
Copyright 2010, SecurityFocus