IDS mailing list archives

RE: Views and Correlation in Intrusion Detection


From: Jeff Nathan <jeff () snort org>
Date: Fri, 27 Jun 2003 16:44:11 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Thursday, June 26, 2003 12:42 -0400 David Markle 
<davidmarkle () comcast net> wrote:

[...]

> I agree with your vendor standardization comments.  They are generally NOT
> willing to spend the development $$ on something that does not produce
> revenue first (no offense vendors, but it's a revenue-based world ;)  ).
> Therefore, as we are seeing with the several products out there (Arc-site,
> etc....), log agent listeners are developed just for this "vendor"
> specific purpose (aggregation and normalization).

Your assessment is pretty accurate.  How seriously can you take a vendor 
that uses a highly abstracted programmatic interface to talk to their 
database when one of the primary requirements of the system is to operate 
at high speed?  How seriously can you take the same vendor if the code 
utilizing the abstracted database interface for database operations is 
itself low performance?  Inserting IDS or firewall records into a database 
using components that are not built with performance as a primary concern 
becomes a pointless exercise at a large scale.  Ostensibly, the 
implementation should be taken as a statement of intent by the vendor.  If 
the vendor intended to drive the database operations with Java using JDBC, 
we must assume their intent was to limit the scalability of their 
management product.

> There are a whole lot of smart people out there and the problems can be
> resolved.  The scalability issue can be resolved via the hierarchical
> tiered approach, add levels of duplicate alert suppression, bandwidth
> throttling, and queuing and the issue is pretty much resolved.  (remember
> ...we're being idealistic here ...)

Not sure if anyone's pointed this out before, but NitroEDB is about the 
only building block I've seen that comes close to being able to provide the 
pony power necessary for building a centralized system of this magnitude. 
http://www.nitrodata.com

[...]

> as always, my $.02
> 
> David Markle


- -Jeff


- --
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+/NbLEqr8+Gkj0/0RAj4KAJ9B62yMSGpLWa/SZ5jJMUn1YY4MGwCeNR3c
R1W/wCPZBYuJkDzy5BgBO9E=
=LONY
-----END PGP SIGNATURE-----
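The tiered collector sketched above (duplicate alert suppression, queuing, then a bandwidth throttle before forwarding to the next tier) can be shown in a few dozen lines. The following is an added example written for this archive page; it is not code from either poster, from Snort, or from any product named in the thread. The alert record layout, the suppression window, the token-bucket rate and the sample alerts are all constructed assumptions.

```python
"""One tier of a hierarchical alert collector: suppress repeats, queue,
then drain upstream under a bandwidth throttle.

Added illustration; not code from this thread's posters or from any
product mentioned. Field names and parameters are constructed.
"""
from collections import deque


class Alert:
    """Minimal normalized alert (constructed layout, not a real IDS schema)."""
    def __init__(self, ts, sensor, sig_id, src, dst):
        self.ts, self.sensor, self.sig_id, self.src, self.dst = ts, sensor, sig_id, src, dst

    def key(self):
        # Duplicate key: same signature between the same endpoints from the
        # same sensor. Timestamp is deliberately left out of the key.
        return (self.sensor, self.sig_id, self.src, self.dst)


class Suppressor:
    """Drop repeats of an alert key seen within `window` seconds of the
    first admitted copy, but keep a count so the upstream tier can still
    see how noisy the source was."""
    def __init__(self, window):
        self.window = window
        self.first_seen = {}   # key -> ts of the alert that opened the window
        self.counts = {}       # key -> number of suppressed duplicates

    def admit(self, alert):
        k = alert.key()
        opened = self.first_seen.get(k)
        if opened is not None and alert.ts - opened < self.window:
            self.counts[k] = self.counts.get(k, 0) + 1
            return False
        self.first_seen[k] = alert.ts      # open (or reopen) the window
        self.counts.setdefault(k, 0)
        return True

    def suppressed_count(self, alert):
        return self.counts.get(alert.key(), 0)


class TokenBucket:
    """Bandwidth throttle: at most `rate` alerts/second, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Tier:
    """Suppress -> bounded queue -> throttled forward to the next tier."""
    def __init__(self, window, rate, burst, maxlen):
        self.sup = Suppressor(window)
        self.bucket = TokenBucket(rate, burst)
        self.queue = deque(maxlen=maxlen)
        self.dropped = 0        # alerts lost because the bounded queue was full
        self.forwarded = []     # what reached the upstream tier

    def ingest(self, alert):
        if not self.sup.admit(alert):
            return
        if len(self.queue) == self.queue.maxlen:
            self.dropped += 1   # deque(maxlen) evicts the oldest on append
        self.queue.append(alert)

    def drain(self, now):
        # Forward while the throttle has tokens; the rest waits for next drain.
        while self.queue and self.bucket.allow(now):
            self.forwarded.append(self.queue.popleft())


def run_demo():
    # Constructed sample: one signature firing five times in two seconds,
    # one distinct alert, and the first signature again outside the window.
    alerts = [Alert(100.0 + i * 0.5, "sensor-dmz", 1000, "10.0.0.5", "10.0.0.9")
              for i in range(5)]
    alerts.append(Alert(101.0, "sensor-dmz", 2000, "10.0.0.5", "10.0.0.9"))
    alerts.append(Alert(170.0, "sensor-dmz", 1000, "10.0.0.5", "10.0.0.9"))
    tier = Tier(window=60.0, rate=1.0, burst=2, maxlen=100)
    for a in sorted(alerts, key=lambda x: x.ts):
        tier.ingest(a)
    tier.drain(now=200.0)   # burst of 2 goes up; the third waits for a token
    return tier


if __name__ == "__main__":
    t = run_demo()
    probe = Alert(0, "sensor-dmz", 1000, "10.0.0.5", "10.0.0.9")
    print("forwarded:", len(t.forwarded), "queued:", len(t.queue),
          "suppressed for sig 1000:", t.sup.suppressed_count(probe))
```

Two design points carry over to a real deployment: the suppression window is measured from the first admitted copy rather than the most recent one, so a source that never stops firing still surfaces once per window instead of being silenced forever, and the queue is bounded with an explicit drop counter, because a collector that blocks its sensors under load is worse than one that loses and reports a few alerts.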


-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

