|
IDS
mailing list archives
Re: Tuning false positives
From: mhellman () taxandfinance com
Date: Thu, 5 Jan 2006 15:46:47 -0600 (CST)
I think you misunderstand what a SIM does with respect to vulnerability
scans. SIMs import scans from vulnerability scanners that you have
deployed. For example from Nessus. I think I remember that there is one
product (not even sure if it is a SIM) that does ad-hoc scans for events
it gets. That's just not a good idea, introduces a lot of latency (so
doesn't scale) and has the problems you outline. Again. In general, SIMs
import vuln-scans, they don't scan themselves.
Hi Marty,
In general, I believe you're right and that most don't. Netforensics was
this way I believe. But as a user of a "SIM" that has an integrated
Nessus scanner, it obviously isn't a rule that a SIM can't do it's "own"
scanning. It isn't necessarily adhoc either...that was a little
misleading. I simply have no idea how this is implemented by CSMARS
because they don't document it.
I believe Cisco actually has 2 "SIM" products that do this (CiscoWorks VMS
and CSMARS) and I would never use this functionality in either of them.
Matt
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
| 
Intro
