|
IDS
mailing list archives
Re: RE: Cisco CTR
From: liranil () optonline net
Date: Fri, 28 Nov 2003 10:01:51 -0500
Mark,
Thanks for your input.
I have heard about Intellitactics a lot....
I still have some really hard time understanding the value of using such a product , which I preceive as a log
aggregator, to add real value to my security posture managment.
The SIM providers has no security knowledge or "smart engines" to correlate based on substantial security knowledge and
experience.
BTW, The have great ways to present their results....
I am not talking on Intellitactics soley , I am talking on all of this SIM market ; Archside, guardednet , etc.
Mark , What do you think about it?
----- Original Message -----
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Wednesday, November 26, 2003 12:47 pm
Subject: RE: Cisco CTR
IMHO, Intellitactics is in a different class of products. I have used
the rule correlation engine for mapping events in syslog to Windows
Event viewer. Kiwi Syslog for Windows can help one in a pinch or
who has
limited IT budget, but again a different product and not a NIDS, HIDS,
NIPS, NIDS, etc
/m
-----Original Message-----
From: Bohling James CONT JBC [james.bohling () JBC JFCOM MIL]
Sent: Wednesday, November 26, 2003 7:08 AM
To: John Petropoulos; Rob Shein; Gary Flynn
Cc: Liran Chen; focus-ids () securityfocus com
Subject: RE: Cisco CTR
Intellitactics may help and may not. The Intellitactics is only
as good
as your sensors (IDS, FW, Syslog, Host based systems, etc). It is a
manager or correlator of disparate network and host based sensors it
does nothing on the active side unless you install the Incident
manager
Thank You,
James T. Bohling, CCNA, Security+, MCP-Win2k
Network Security Engineer - JBC CoE
Joint C4ISR Battle Center (AMSEC)
116 Lake View Parkway
Suffolk, VA 23435
(W) 757-638.4032
Web: www.jbc.jfcom.mil
This email was produced and manufactured in America, and is a
one-of-a-kind original.
-----Original Message-----
From: John Petropoulos [jpetropoulos () jetnet ca]
Sent: Friday, November 07, 2003 11:21 AM
To: 'Rob Shein'; 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR
Considering the scanner knows what to look for... So at least an
updateon the IDS sensor, scanner, CTR, or whatever is going to be
needed.
The fact is that there are many IDS alarms to go through and you don't
want
to see anything that isn't going to be a waste of your time. I would
recommend any product that helps reduce the amount of IDS alarm
management, but I will also issue this one warning, make sure you
have a
way of knowing that there is an attack in progress even if the IDS
doesn't alert b/c of CTR. Examples that may help achieve this: Net
Forensics and Intellitactics or a conjunction of network & host-based
ids with vulnerability analysis engine or the list just goes on...
-----Original Message-----
From: Rob Shein [shoten () starpower net]
Sent: Thursday, November 06, 2003 5:56 PM
To: 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR
Yes, but nobody patches it THAT quickly. CTR acts immediately,
not a
half-hour later...it would have started scanning by the time the
hackerat the other end notices that he has a shell...
-----Original Message-----
From: Gary Flynn [flynngn () jmu edu]
Sent: Thursday, November 06, 2003 5:58 PM
To: Rob Shein
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: Re: Cisco CTR
Rob Shein wrote:
I think this largely relates to the earlier discussion
about how there
is a difference between a "false positive" and an actual
attack that
fails to succeed. Ask yourself this: are you going to want to
know
about all attacks or just those that have a chance of success?
If
someone throws IIS attacks at your apache web server, do
you want to
know about it...or do you want to wait until they start using
apache-compatible exploits?
There's a good summary of what CTR does here:
http://www.cisco.com/en/US/products/sw/secursw/ps5054/
Another thing to think about - some folks have a habit of
patching the
hole they came in through. Just because a vulnerability scan
shows no
vulnerability it does not mean an attack was unsuccessful.
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
-------------------------------------------------------------------
-----
---
Network with over 10,000 of the brightest minds in information
securityat the largest, most highly-anticipated industry event of
the year.
Don't miss RSA Conference 2004! Choose from over 200 class
sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
-------------------------------------------------------------------
-----
---
-------------------------------------------------------------------
-----
---
Network with over 10,000 of the brightest minds in information
securityat the largest, most highly-anticipated industry event of
the year.
Don't miss RSA Conference 2004! Choose from over 200 class
sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
-------------------------------------------------------------------
-----
---
-------------------------------------------------------------------
-----
---
-------------------------------------------------------------------
-----
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- Re: RE: Cisco CTR liranil (Dec 01)
|
Intro
