IDS: RE: Views and Correlation in Intrusion Detection

RE: Views and Correlation in Intrusion Detection

From: Jeff Nathan <jeff_at_snort.org>
Date: Fri, 27 Jun 2003 16:44:11 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--On Thursday, June 26, 2003 12:42 -0400 David Markle
<davidmarkle_at_comcast.net> wrote:

[...]

> I agree with your vendor standardization comments. They are generally NOT
> willing to spend the development $$ on something that does not produce
> revenue first (no offense vendors, but it's a revenue-based world ;) ).
> Therefore, as we are seeing with the several products out there (Arc-site,
> etc....), log agent listeners are developed just for this "vendor"
> specific purpose (aggregation and normalization).

Your assessment is pretty accurate. How seriously can you take a vendor
that uses a highly abstracted programmatic interface to talk to their
database when one of the primary requirements of the system is to operate
at high speed? How seriously can you take the same vendor if the code
utilizing the abstracted database interface for database operations is
itself low performance? Inserting IDS or firewall records into a database
using components that are not built with performance as a primary concern
becomes a pointless exercise at a large scale. Ostensibly, the
implementation should be taken as a statement of intent by the vendor. If
the vendor intended to drive the database operations with Java using JDBC,
we must assume their intent was to limit the scalability of their
management product.

> There are a whole lot of smart people out there and the problems can be
> resolved. The scalability issue can be resolved via the hierarchical
> tiered approach, add levels of duplicate alert suppression, bandwidth
> throttling, and queuing and the issue is pretty much resolved. (remember
> ...we're being idealistic here ...)

Not sure if anyone's pointed this out before, but NitroEDB is about the
only building block I've seen that comes close to being able to provide the
pony power necessary for building a centralized system of this magnitude.
http://www.nitrodata.com

[...]

> as always, my $.02
>
> David Markle

-Jeff

--
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+/NbLEqr8+Gkj0/0RAj4KAJ9B62yMSGpLWa/SZ5jJMUn1YY4MGwCeNR3c
R1W/wCPZBYuJkDzy5BgBO9E=
=LONY
-----END PGP SIGNATURE-----
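The quoted paragraph sketches a tiered collection design in one sentence: suppress duplicate alerts, throttle a flooding sensor, and queue what survives so the database tier gets large batched inserts instead of one round trip per alert (the performance point Jeff raises). The following is an added illustration of that design, not code from either poster, Snort, or any product named in the thread; the alert schema, window sizes and sample alerts are constructed for the example, and the "database" is just a list of flushed batches.

```python
"""Tiered alert aggregator: duplicate suppression, per-sensor throttling,
and batched queueing toward a database tier.

Hypothetical collector-tier logic written for this example. The Alert
schema is constructed, not Snort's unified format, and flush() appends
to a list where a real deployment would run one multi-row INSERT.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    """One normalized sensor alert (constructed schema)."""
    ts: float      # seconds since epoch
    sensor: str    # which sensor reported it
    sig_id: int    # signature / rule identifier
    src: str
    dst: str


@dataclass
class Suppressed:
    """A deduplicated alert: the first instance plus how many repeats it absorbed."""
    first: Alert
    last_seen: float
    count: int = 1


class Aggregator:
    def __init__(self, window: float = 60.0, max_per_sensor: int = 100,
                 batch_size: int = 50):
        self.window = window                # dedup and throttle horizon, seconds
        self.max_per_sensor = max_per_sensor  # distinct alerts a sensor may open per window
        self.batch_size = batch_size        # records per database flush
        self._open: Dict[Tuple, Suppressed] = {}       # (sensor, sig, src, dst) -> record
        self._rate: Dict[str, Deque[float]] = {}       # per-sensor open timestamps
        self._queue: Deque[Suppressed] = deque()       # expired records awaiting flush
        self.dropped_by_throttle = 0
        self.flushed_batches: List[List[Suppressed]] = []  # stand-in for the DB tier

    @staticmethod
    def _key(a: Alert) -> Tuple:
        return (a.sensor, a.sig_id, a.src, a.dst)

    def _throttled(self, a: Alert) -> bool:
        """Sliding-window rate limit on *new* tuples per sensor; repeats are free."""
        q = self._rate.setdefault(a.sensor, deque())
        while q and a.ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_per_sensor:
            return True
        q.append(a.ts)
        return False

    def _expire(self, now: float) -> None:
        """Move records older than the window from the open table to the queue."""
        stale = [k for k, s in self._open.items() if now - s.first.ts > self.window]
        for k in stale:
            self._queue.append(self._open.pop(k))
            if len(self._queue) >= self.batch_size:
                self.flush()

    def ingest(self, a: Alert) -> None:
        self._expire(a.ts)
        key = self._key(a)
        if key in self._open:               # exact duplicate: count it, no new record
            s = self._open[key]
            s.count += 1
            s.last_seen = a.ts
            return
        if self._throttled(a):              # sensor is flooding: drop, but keep a tally
            self.dropped_by_throttle += 1
            return
        self._open[key] = Suppressed(first=a, last_seen=a.ts)

    def flush(self) -> int:
        """Hand the queue to the database tier as one batch; returns rows flushed."""
        if not self._queue:
            return 0
        batch = list(self._queue)
        self._queue.clear()
        self.flushed_batches.append(batch)
        return len(batch)

    def close(self, now: float) -> None:
        """Force every open record out, e.g. at shutdown."""
        self._expire(now + self.window + 1)
        self.flush()


if __name__ == "__main__":
    agg = Aggregator(window=60.0, max_per_sensor=3, batch_size=2)
    for t in range(5):                      # five identical alerts -> one record, count 5
        agg.ingest(Alert(float(t), "s1", 1000, "10.0.0.1", "10.0.0.2"))
    for i, t in enumerate(range(5, 9)):     # four distinct sources -> two hit the throttle
        agg.ingest(Alert(float(t), "s1", 1000, f"10.0.0.{3 + i}", "10.0.0.2"))
    agg.ingest(Alert(100.0, "s2", 2000, "10.0.0.9", "10.0.0.2"))
    agg.close(200.0)
    for n, batch in enumerate(agg.flushed_batches):
        print(f"batch {n}:", [(s.first.sensor, s.first.src, s.count) for s in batch])
    print("dropped by throttle:", agg.dropped_by_throttle)
```

Two design choices matter here. Duplicates are collapsed before the throttle is consulted, so a single repeating signature cannot starve a sensor's budget, and the throttle drops only genuinely new tuples while the dropped count is preserved so the loss is visible downstream. Flushing on batch boundaries rather than per alert is what lets the database tier use bulk inserts, which is the scaling concern Jeff describes.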

Received on Jul 02 2003
