IDS mailing list archives
Re: RE: RE: Tuning false positives - SIM is not the answer
From: brent () solissecurity com
Date: 4 Jan 2006 21:47:03 -0000
Gary,
A couple of points on Cisco CS-MARS 100 that I know from personal experience with it over the last year:
1. It can process a boatload of data from a lot of devices - very cool.
2. Reporting needs more flexibility and more speed. On the flexibility front, if I want to simply grab a device's raw
output for the last 24 hours and that output is of a significant size (more than a thousand rows), I have to resort to
dumping raw logs because queries have pre-defined limits and the reporting engine automatically performs summarization,
which I often don't want. Both MARS documentation and Cisco TAC confirm this as intentional behavior. Thus, I can't
generate non-summarized data on a scheduled basis.
On the speed front, it's not super-quick for grabbing anything of decent size, whether querying or reporting. There
aren't a lot of suggestions in the doc for tuning/maintenance (yes, even in the 4.x doc) or indications via the CLI for
disk space usage, in case the disk is (getting) full.
3. The MARS OS is a Linux distro but users can't get to the actual OS. This wouldn't normally be a problem but there
was a bad MARS build that was published recently, yanked within a day or so, and then required a TAC engineer to
remotely log in to the MARS box to fix it. This is contrary to every other Cisco device, including Linux-based 42xx
IDS/IPS, that I've worked with.
Aside from the issues noted above, I think SIMs are great tools for bringing many devices' data together for easier
analysis and can really help the typically-understaffed security personnel in the right environment.
Brent Stackhouse
VP of Security
Solis Security, Inc.
Austin, Texas
www.solissecurity.com