PaulDotCom mailing list archives

Pauldotcom Digest, Vol 7, Issue 11
From: chris.glanville at gmail.com (Chris Glanville)
Date: Sun, 12 Apr 2009 15:10:23 -0700

I've been using Juniper's STRM for about two months now and have been
pretty happy with it so far.  Juniper is actually OEM'ing Q1's QRadar
product so STRM = QRadar.  Juniper has done a good job though and
provided value-add documents etc.  I struggled with Cisco's MARS for
about a year and a half and the STRM is a breath of fresh air
(comparatively).

The STRM product is also big into flow data.  A Juniper guy explained
that Q1 started with a flow product and added the event side to it.
If you're looking for both, STRM integrates them well.

When I was looking at new products I focused on the ability to search
events and incidents.  This was something I struggled with in MARS.
Reporting needs should also be considered.  I'd highly recommend
getting your hands on whatever solutions you're thinking about and not
letting the vendor tell you it'll do X or Y.

No tool is perfect and it will require tuning but providing a central
location for networking and server folks to view events/logs does have
value!



----------------------------------------------------------------------

Date: Fri, 10 Apr 2009 10:32:40 -0400
From: Ron Gula <rgula at tenablesecurity.com>
Subject: Re: [Pauldotcom] SMB Security Event Management Tool
To: PaulDotCom Security Weekly Mailing List
        <pauldotcom at mail.pauldotcom.com>
Message-ID: <49DF5888.2000406 at tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1

When I initially wrote the Dragon IDS, I had a lot of customers tell
me about how much they hated to have to fire up MS-SQL or some other
database that was outside a product they were using, especially if
it was a security product.

For the Tenable Security Center and Log Correlation Engine, there are
no traditional databases involved. Everything is written to the disk
and indexed for performance. If you lose power, you have minimal
corruption and it works really well in a VM type of environment.

Ron Gula
Tenable Network Security



Neils Christoffersen wrote:
Q1 also uses Ariel in its QRadar product (not sure about the free version).


On 4/9/09, Dan McGinn-Combs <dgcombs at gmail.com> wrote:
Has anyone tried Juniper's STRM set of products?
I had a pitch by them the other day touting their use of a proprietary
database called Ariel (yeah... under the sea. I know) which solves not only
your alerting, reporting and forensics issues but also world hunger and
peace in the Middle East.

After having used MySQL back ends before, I'm a little less than thrilled by
products that incorporate that as a repository for XXX log items per second.

Dan

On Wed, Apr 8, 2009 at 10:02 PM, airwolf airwolf <airwolf.security at gmail.com> wrote:
I would recommend looking at Splunk and Snare. Both tools combined give
you great flexibility, not audit nirvana but close.

On Tue, Apr 7, 2009 at 8:55 PM, Jim Manley <jmanley at aledobb.com> wrote:

I'm looking for a security event management tool (log correlation,
auditing, etc.) that would be suitable for small/medium size business
environment. The environments in which it would be deployed into are
primarily MS Windows with a smattering of Linux.

It doesn't need a lot of bells and whistles and it needs to be fairly
easy to set up and operate (the people doing the work are primarily
physical security types with the average user's knowledge). Ideally it
needs to trigger on Windows event manager and security manager codes for
things like failed logins, etc.

--
Dan McGinn-Combs, Security+, GSEC, CISSP, CISA
dgcombs at gmail.com
Grand Central: +1 404 492 7532
Peachtree City, Georgia USA
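
Added example (not code from any message in this thread, nor from Splunk,
Snare or any other product named above): a small Python correlation rule of
the kind Jim asks for, run over constructed Windows Security event lines.
The key=value line format, the field names (host, EventID, TargetUserName,
IpAddress) and the sample entries are assumptions made for this example,
standing in for whatever normalized export a forwarder such as Snare or a
SIEM collector would produce. The Event IDs are real: 529 and 644 are the
logon-failure and account-lockout events on Windows 2000/2003/XP, 4625 and
4740 their equivalents on Vista/2008 and later.

```python
"""Sliding-window failed-logon correlation over Windows Security events.

Added example, not code from any post in the thread above. The line format
below is a constructed, normalized key=value export (assumption), not the
exact Snare or Splunk format. Input lines are assumed to be in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real Windows Security event IDs for the two OS generations in use in 2009.
FAILED_LOGON_IDS = {529, 4625}   # 529: 2000/2003/XP, 4625: Vista/2008+
LOCKOUT_IDS = {644, 4740}        # 644: 2000/2003/XP, 4740: Vista/2008+

THRESHOLD = 5                    # failures per (account, source) ...
WINDOW = timedelta(minutes=2)    # ... inside this sliding window

# Constructed sample data (not real logs). Field names are assumptions.
SAMPLE_LOG = """\
2009-04-07 20:55:01 host=FS01 EventID=4625 TargetUserName=jsmith IpAddress=10.1.1.23
2009-04-07 20:55:09 host=FS01 EventID=4625 TargetUserName=jsmith IpAddress=10.1.1.23
2009-04-07 20:55:15 host=FS01 EventID=4625 TargetUserName=jsmith IpAddress=10.1.1.23
2009-04-07 20:55:22 host=FS01 EventID=4624 TargetUserName=mjones IpAddress=10.1.1.50
2009-04-07 20:55:30 host=FS01 EventID=4625 TargetUserName=jsmith IpAddress=10.1.1.23
2009-04-07 20:55:41 host=FS01 EventID=4625 TargetUserName=jsmith IpAddress=10.1.1.23
2009-04-07 20:58:00 host=DC01 EventID=529 TargetUserName=administrator IpAddress=10.1.1.77
2009-04-07 21:10:00 host=DC01 EventID=529 TargetUserName=administrator IpAddress=10.1.1.77
2009-04-07 21:10:05 host=DC01 EventID=4740 TargetUserName=jsmith
"""


def parse_line(line):
    """Split one normalized event line into (timestamp, dict of fields)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in line[20:].split())
    fields["EventID"] = int(fields["EventID"])
    return ts, fields


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (kind, account, source_or_host, timestamp) tuples.

    'bruteforce' fires when one (account, source IP) pair accumulates
    `threshold` failed logons inside `window`; the window is then reset so
    a second burst must reach the threshold again. 'lockout' fires on
    every lockout event, since a single one is already worth a look.
    """
    alerts = []
    recent = defaultdict(deque)   # (account, ip) -> timestamps in window
    for line in lines:
        if not line.strip():
            continue
        ts, ev = parse_line(line)
        account = ev.get("TargetUserName", "-")
        if ev["EventID"] in LOCKOUT_IDS:
            alerts.append(("lockout", account, ev.get("host", "-"), ts))
            continue
        if ev["EventID"] not in FAILED_LOGON_IDS:
            continue                  # successes and unrelated events
        key = (account, ev.get("IpAddress", "-"))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:     # drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            alerts.append(("bruteforce", key[0], key[1], ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tuning is the threshold and window: the same five failures spread over an
afternoon are a user who forgot a password, not an attack, which is why the
rule keys on account plus source and ages old failures out of the window
instead of counting forever.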

