


IDS: Re: Tuning false positives

Re: Tuning false positives

From: <mhellman_at_taxandfinance.com>
Date: Thu, 5 Jan 2006 15:46:47 -0600 (CST)

> I think you misunderstand what a SIM does with respect to vulnerability
> scans. SIMs import scans from vulnerability scanners that you have
> deployed. For example from Nessus. I think I remember that there is one
> product (not even sure if it is a SIM) that does ad-hoc scans for events
> it gets. That's just not a good idea, introduces a lot of latency (so
> doesn't scale) and has the problems you outline. Again. In general, SIMs
> import vuln-scans, they don't scan themselves.

Hi Marty,
In general, I believe you're right and that most don't. Netforensics was
this way I believe. But as a user of a "SIM" that has an integrated
Nessus scanner, it obviously isn't a rule that a SIM can't do its "own"
scanning. It isn't necessarily ad hoc either... that was a little
misleading. I simply have no idea how this is implemented by CSMARS
because they don't document it.

I believe Cisco actually has 2 "SIM" products that do this (CiscoWorks VMS
and CSMARS) and I would never use this functionality in either of them.

Matt

Received on Jan 09 2006
