focus-ids IDS mailing list archives

Re: Question on resources needed to manage IDSes
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Fri, 5 Dec 2003 15:06:48 -0500 (EST)

> 1-5 IDS sensors - 1 Analyst
> 5-15 IDS sensors - 2 Analysts
>
> being.  It would be generous to assume a human could qualify a
> reasonably complex alert in 30 seconds.  After that, it's simply a
The above also implies a certain usage scenario. One "complex alert in 30
seconds" implies that the analyst just sits there and stares at the
console where alerts pop up - which might be neither the most common nor
the most effective way. The tools available to analysts would also matter,
namely, how much time it will take to collect the context info and to make
a decision.

I suspect the specific IDS usage details will heavily affect the "analyst
to sensor" ratios.

-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org


---------------------------------------------------------------------------
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]