IDS mailing list archives
Re: Question on resources needed to manage IDSes
From: Jeff Nathan <jeff () snort org>
Date: Tue, 9 Dec 2003 12:22:00 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Dec 5, 2003, at 3:06 PM, Anton A. Chuvakin wrote:

Hi Anton!
> The above also implies a certain usage scenario. One "complex alert in 30 seconds" implies that the analyst just sits there and stares at the console where alerts pop up - which might be neither the most common nor the most effective way. The tools available to analysts would also matter, namely, how much time it will take to collect the context info and to make a decision.
Definitely. As you and I have discussed in the past (offline), 30 seconds is really just a placeholder. Without some form of automated post-processing of IDS alert data, the scalability of sensors is limited by the ability of those to deal with the output.
By post-processing I am referring to the prioritization, classification and summarization of alert data.
Though, if 30 seconds were just some sort of placeholder we could use as some random constant. Given a significantly high alert rate, 30 seconds per alert becomes hours, days and months in aggregate alert qualification time.
> I suspect the specific IDS usage details will heavily affect the "analyst to sensor" ratios.
Absolutely, even with automated post processing of data, someone has to qualify some quantity of alert data. The problem is self-perpetuating in that sensors outnumber analysts. I don't think it is practical or possible for analysts alone to qualify IDS data; even well tuned sensors will overwhelm the analyst(s) without the aid of post processing of alert data.
Hasta,
-Jeff

> --
> Anton A. Chuvakin, Ph.D., GCI*
> http://www.chuvakin.org
> http://www.info-secure.org

--
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/1gS+Eqr8+Gkj0/0RAgxIAJ9SBYGdAICYwrkgi9WjA5edCsJKMwCggNiQ
xEEQNYcROcWHO422GYc0c2w=
=UeD8
-----END PGP SIGNATURE-----
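The post-processing Jeff describes (prioritization, classification and summarization of alert data) and his "30 seconds per alert" scaling argument can be made concrete with a small example. The following is an added illustration, not code from the thread, Snort or Sourcefire: it parses constructed alert lines in Snort's "fast" alert format (invented signature ids, messages and private/documentation addresses), groups repeated alerts by signature and host pair, orders the groups by Snort priority, and compares the analyst time implied by the raw alert count with the time implied by the summarized count. The 30-second figure is taken from the thread as a placeholder, exactly as the author uses it.

```python
"""Added example: prioritize, classify and summarize IDS alerts.

Not code from the mailing-list thread. The alert lines, signature ids,
messages and addresses below are constructed for illustration; the
30-seconds-per-alert cost is the thread's own placeholder figure.
"""
import re

# Constructed sample in Snort "fast" alert format (assumption: invented
# sids/messages, private and RFC 5737 addresses, not real traffic).
# The last line is deliberately malformed to exercise the unparsed path.
SAMPLE_ALERTS = """\
12/09-12:00:01.000000  [**] [1:1000001:1] SCAN example port sweep [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.20:22
12/09-12:00:02.000000  [**] [1:1000001:1] SCAN example port sweep [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.20:23
12/09-12:00:03.000000  [**] [1:1000001:1] SCAN example port sweep [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.20:25
12/09-12:00:04.000000  [**] [1:1000002:1] WEB example admin login attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.7:51000 -> 10.0.0.30:80
12/09-12:00:05.000000  [**] [1:1000003:1] POLICY example ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.8 -> 10.0.0.1
12/09-12:00:06.000000  [**] [1:1000003:1] POLICY example ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.8 -> 10.0.0.1
this line is not an alert and is counted as unparsed
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src -> dst (ports optional).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Return the fields of one fast-format line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"])  # Snort: 1 is the highest priority
    # Drop the port to group by host pair (sample is IPv4 only; IPv6
    # literals would need a different split).
    a["src_host"] = a["src"].split(":")[0]
    a["dst_host"] = a["dst"].split(":")[0]
    return a


def summarize(lines):
    """Group alerts by (sid, src host, dst host); return (groups, unparsed).

    Groups are ordered by priority (1 first), then by descending count, so
    the analyst sees the most urgent and noisiest groups first.
    """
    groups = {}
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            unparsed += 1  # keep a count rather than silently dropping
            continue
        key = (a["sid"], a["src_host"], a["dst_host"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = {
                "sid": a["sid"], "msg": a["msg"], "cls": a["cls"],
                "prio": a["prio"], "src": a["src_host"], "dst": a["dst_host"],
                "count": 0, "first": a["ts"], "last": a["ts"],
            }
        g["count"] += 1
        g["last"] = a["ts"]
    ordered = sorted(groups.values(), key=lambda g: (g["prio"], -g["count"]))
    return ordered, unparsed


def analyst_seconds(n_items, per_item=30):
    """Aggregate qualification time at a fixed cost per item (30 s placeholder)."""
    return n_items * per_item


def triage_report(text, per_item=30):
    """Raw vs. summarized alert counts and the analyst time each implies."""
    groups, unparsed = summarize(text.splitlines())
    raw = sum(g["count"] for g in groups)
    return {
        "raw_alerts": raw,
        "unparsed": unparsed,
        "groups": groups,
        "raw_seconds": analyst_seconds(raw, per_item),
        "summarized_seconds": analyst_seconds(len(groups), per_item),
    }


if __name__ == "__main__":
    r = triage_report(SAMPLE_ALERTS)
    for g in r["groups"]:
        print(f"P{g['prio']} x{g['count']:<3} {g['msg']} {g['src']} -> {g['dst']}")
    print(f"{r['raw_alerts']} alerts ({r['unparsed']} unparsed): "
          f"{r['raw_seconds']} s raw vs {r['summarized_seconds']} s summarized")
```

On the constructed sample, six alerts collapse into three groups, so the placeholder cost drops from 180 to 90 analyst-seconds while the priority-1 web alert is surfaced first; the ratio only widens as the raw alert rate grows, which is the scaling point the message makes. Counting rather than discarding unparsed lines matters in practice, since a parser that silently drops what it cannot read hides exactly the alerts that look unusual.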