IDS mailing list archives

Re: RE: Cisco CTR


From: liranil () optonline net
Date: Fri, 28 Nov 2003 10:01:51 -0500

Mark,

Thanks for your input.
I have heard about Intellitactics a lot....
I still have a really hard time understanding the value of using such a product, which I perceive as a log aggregator, to add real value to my security posture management.
The SIM providers have no security knowledge or "smart engines" to correlate based on substantial security knowledge and experience.

BTW, they have great ways to present their results....

I am not talking about Intellitactics solely, I am talking about all of this SIM market; ArcSight, GuardedNet, etc.
Mark, what do you think about it?

----- Original Message -----
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Wednesday, November 26, 2003 12:47 pm
Subject: RE: Cisco CTR

IMHO, Intellitactics is in a different class of products. I have used
the rule correlation engine for mapping events in syslog to Windows
Event viewer. Kiwi Syslog for Windows can help one in a pinch or who has
limited IT budget, but again a different product and not a NIDS, HIDS,
NIPS, NIDS, etc.

/m 

-----Original Message-----
From: Bohling James CONT JBC [james.bohling () JBC JFCOM MIL] 
Sent: Wednesday, November 26, 2003 7:08 AM
To: John Petropoulos; Rob Shein; Gary Flynn
Cc: Liran Chen; focus-ids () securityfocus com
Subject: RE: Cisco CTR


Intellitactics may help and may not.  Intellitactics is only as good
as your sensors (IDS, FW, Syslog, Host based systems, etc).  It is a
manager or correlator of disparate network and host based sensors; it
does nothing on the active side unless you install the Incident
Manager.

Thank You,
James T. Bohling, CCNA, Security+, MCP-Win2k
Network Security Engineer - JBC CoE
Joint C4ISR Battle Center (AMSEC)
116 Lake View Parkway
Suffolk, VA 23435
(W) 757-638.4032
Web: www.jbc.jfcom.mil
This email was produced and manufactured in America, and is a
one-of-a-kind original.



-----Original Message-----
From: John Petropoulos [jpetropoulos () jetnet ca] 
Sent: Friday, November 07, 2003 11:21 AM
To: 'Rob Shein'; 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR

Considering the scanner knows what to look for...  So at least an
update on the IDS sensor, scanner, CTR, or whatever is going to be
needed.
The fact is that there are many IDS alarms to go through and you don't
want to see anything that is going to be a waste of your time.   I would
recommend any product that helps reduce the amount of IDS alarm
management, but I will also issue this one warning: make sure you have a
way of knowing that there is an attack in progress even if the IDS
doesn't alert b/c of CTR.  Examples that may help achieve this: Net
Forensics and Intellitactics, or a conjunction of network & host-based
IDS with a vulnerability analysis engine, or the list just goes on...



-----Original Message-----
From: Rob Shein [shoten () starpower net] 
Sent: Thursday, November 06, 2003 5:56 PM
To: 'Gary Flynn'
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: RE: Cisco CTR


Yes, but nobody patches it THAT quickly.  CTR acts immediately, not a
half-hour later...it would have started scanning by the time the
hacker at the other end notices that he has a shell...

-----Original Message-----
From: Gary Flynn [flynngn () jmu edu]
Sent: Thursday, November 06, 2003 5:58 PM
To: Rob Shein
Cc: 'Liran Chen'; focus-ids () securityfocus com
Subject: Re: Cisco CTR




Rob Shein wrote:

I think this largely relates to the earlier discussion about how there
is a difference between a "false positive" and an actual attack that
fails to succeed.  Ask yourself this: are you going to want to know
about all attacks or just those that have a chance of success?  If
someone throws IIS attacks at your apache web server, do you want to
know about it...or do you want to wait until they start using
apache-compatible exploits?

There's a good summary of what CTR does here:
http://www.cisco.com/en/US/products/sw/secursw/ps5054/

Another thing to think about - some folks have a habit of patching the
hole they came in through. Just because a vulnerability scan shows no
vulnerability it does not mean an attack was unsuccessful.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
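The two caveats in the quoted thread (John: keep a way of knowing an attack is in progress even when the correlator quiets the IDS; Gary: a clean vulnerability scan does not prove the attack failed) can be expressed as a design rule for any CTR/SIM-style correlator: an alert whose target does not run the attacked platform is demoted, never discarded. The following is an added example, not code from the thread, from Cisco or from any vendor named in it; the inventory, alert records and addresses are constructed for illustration.

```python
"""Added example: correlate IDS alerts against a host inventory the way the
thread describes CTR doing, but keep every alert so an attack in progress
stays visible. All inventory entries and alerts below are constructed."""

# Constructed inventory: destination host -> web platform it actually runs.
INVENTORY = {
    "10.0.0.5": {"web": "apache"},
    "10.0.0.6": {"web": "iis"},
}

# Constructed IDS alerts: signature name, platform the signature applies to
# (None for generic signatures), and destination host.
ALERTS = [
    {"sig": "IIS unicode directory traversal", "platform": "iis", "dst": "10.0.0.5"},
    {"sig": "IIS unicode directory traversal", "platform": "iis", "dst": "10.0.0.6"},
    {"sig": "Apache chunked encoding overflow", "platform": "apache", "dst": "10.0.0.5"},
    {"sig": "Generic port scan", "platform": None, "dst": "10.0.0.9"},
]


def triage(alert, inventory):
    """Return (priority, reason) for one alert.

    'high'    - target runs the platform the signature applies to
    'low'     - target demonstrably runs something else (Gary's IIS-vs-apache case)
    'unknown' - inventory cannot decide (host not inventoried, or generic signature)

    'low' is a demotion, not a drop: the scan may be stale, and an intruder
    may have patched the hole after getting in.
    """
    platform = alert["platform"]
    host = inventory.get(alert["dst"])
    if platform is None:
        return "unknown", "signature is not platform-specific"
    if host is None:
        return "unknown", "target not in inventory"
    if host.get("web") == platform:
        return "high", f"target runs {platform}"
    return "low", f"target runs {host.get('web')}, signature targets {platform}"


def correlate(alerts, inventory):
    """Bucket alerts by priority; nothing is discarded."""
    buckets = {"high": [], "low": [], "unknown": []}
    for alert in alerts:
        prio, reason = triage(alert, inventory)
        buckets[prio].append({**alert, "reason": reason})
    return buckets


def attack_in_progress(buckets, threshold=2):
    """John's warning: even when every alert against a host was demoted to
    'low', repeated attempts against that host still indicate an attack in
    progress. Returns hosts with at least `threshold` alerts of any priority."""
    counts = {}
    for prio in buckets:
        for alert in buckets[prio]:
            counts[alert["dst"]] = counts.get(alert["dst"], 0) + 1
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    buckets = correlate(ALERTS, INVENTORY)
    for prio in ("high", "low", "unknown"):
        for alert in buckets[prio]:
            print(f"[{prio:7}] {alert['dst']:9} {alert['sig']} ({alert['reason']})")
    print("hosts with repeated attempts:", attack_in_progress(buckets))
```

The point of the three buckets rather than a keep/drop decision is that the "low" bucket is what lets an analyst notice the IIS attack thrown at the apache host, which is exactly the signal a pure suppression filter would erase.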





---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
---------------------------------------------------------------------------
