IDS mailing list archives
RE: Host based IDS Reports
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Tue, 23 Dec 2003 06:56:11 -0700
If an enterprise spends from $15,000 to upwards of $400,000 for a host-based enterprise IDS solution, providing useful reporting tools or useful reports is a given. As I have discovered, and as you stated, as long as the data is retrievable via SQL query or some other method, building one's own reports is a nice thing to do. But the issue there is what happens if the person or team who crafted the reports goes away (i.e. gets a better job, retires, suffers a massive heart attack after reading how much money they spent on the vendor's software and it doesn't do what management wants). Many vendors shy away from report tools and report formatting. Just letting an admin modify the graphic on the report seems to be a major issue. Some other vendor products make it so easy to create a custom report that one does not need to have any SQL skills at all.

Ensuring that the data is useful is another issue. Some vendors don't capture enough information to provide an executive-level report, except a nice pretty pie graph with some percentages. What does it all mean to the administrator?

Time is another issue in the data: what timestamp do the logs use, the server's or the endpoint's? Does it normalize the timestamp based on GMT location?

/mark

-----Original Message-----
From: Mike Lyman [mailto:mlyman-security () comcast net]
Sent: Monday, December 22, 2003 9:59 PM
To: focus-ids () securityfocus com
Subject: Re: Host based IDS Reports

On Sat, 2003-12-20 at 14:05, Teicher, Mark (Mark) wrote:
> Thoughts, comments, rants, raves, suggestions for a geek who preaches from the corner soapbox.. :)
My old boss and I used to drive vendors nuts when they'd ask us how we liked their reporting features and we'd tell them we didn't use them. As long as the data was being reported to a database, we'd generate our own reports, import to Excel and pretty them up from there. None of the built-in reports met our constantly changing needs, so we relied on the database. We also stress SQL skills as one of our main requirements for new members of the team. We had so much data available that everybody had to be able to write ad-hoc queries in their sleep. It may take some skill to pretty them up, but nothing beats being able to generate exactly the info you need instead of relying on what somebody else thinks you probably need.

--
Mike Lyman <mlyman-security () comcast net>
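The two threads of this discussion, writing your own ad-hoc SQL reports against the IDS database and the question of whose clock the timestamps reflect, can be shown together. The following is an added example, not code from either poster or from any vendor product: it assumes a constructed, minimal event table (host, rule, endpoint local time, endpoint UTC offset, server receipt time in UTC), normalizes the endpoint timestamps to UTC before grouping, and runs two ad-hoc queries, an hourly rule rollup and a clock-skew check that flags endpoints whose clocks disagree with the collection server. The sample rows are constructed for the example.

```python
"""Normalize host-IDS event timestamps to UTC, then report with ad-hoc SQL.

Added example for the thread above; the schema and the sample rows are
constructed assumptions, not any real HIDS product's database layout.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample events: endpoints log local time plus their UTC offset,
# the collection server stamps each event in UTC on receipt.
SAMPLE_EVENTS = [
    # host,    rule,        endpoint local ts,     offset,  server ts (UTC)
    ("web01",  "SSH_BRUTE", "2003-12-22 23:55:00", "-07:00", "2003-12-23 06:55:30"),
    ("web01",  "SSH_BRUTE", "2003-12-23 00:01:00", "-07:00", "2003-12-23 07:01:10"),
    ("db01",   "FILE_MOD",  "2003-12-23 08:02:00", "+01:00", "2003-12-23 07:02:05"),
    ("db01",   "FILE_MOD",  "2003-12-23 08:30:00", "+01:00", "2003-12-23 07:35:40"),
    ("mail01", "ROOTKIT",   "2003-12-23 07:10:00", "+00:00", "2003-12-23 07:10:02"),
]


def parse_offset(tz: str) -> timezone:
    """Turn '+HH:MM' / '-HH:MM' into a fixed-offset tzinfo."""
    sign = 1 if tz[0] == "+" else -1
    hh, mm = tz[1:].split(":")
    return timezone(sign * timedelta(hours=int(hh), minutes=int(mm)))


def to_utc(local_ts: str, tz: str) -> str:
    """Convert an endpoint's local timestamp to a UTC string."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=parse_offset(tz))
    return aware.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def load_events(conn, events):
    """Create the (assumed) events table and store a normalized UTC column."""
    conn.execute(
        "CREATE TABLE events (host TEXT, rule TEXT, endpoint_ts TEXT, "
        "endpoint_tz TEXT, server_ts TEXT, event_utc TEXT)"
    )
    rows = [(h, r, ets, tz, sts, to_utc(ets, tz)) for (h, r, ets, tz, sts) in events]
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?)", rows)


def hourly_rule_report(conn):
    """Events per UTC hour and rule, grouped on the normalized column."""
    return conn.execute(
        "SELECT substr(event_utc, 1, 13) AS hour_utc, rule, COUNT(*) "
        "FROM events GROUP BY hour_utc, rule ORDER BY hour_utc, rule"
    ).fetchall()


def naive_hourly_rule_report(conn):
    """Same rollup on raw endpoint local time: hosts in different zones get
    counted into different 'hours', which is the mistake normalization avoids."""
    return conn.execute(
        "SELECT substr(endpoint_ts, 1, 13) AS hour_local, rule, COUNT(*) "
        "FROM events GROUP BY hour_local, rule ORDER BY hour_local, rule"
    ).fetchall()


def clock_skew_report(conn, max_skew_seconds=60):
    """Endpoints whose normalized clock and the server's receipt time differ
    by more than max_skew_seconds; large gaps mean a bad clock or delayed
    delivery, either of which breaks cross-host correlation."""
    return conn.execute(
        "SELECT host, rule, event_utc, server_ts, "
        "CAST(ROUND((julianday(server_ts) - julianday(event_utc)) * 86400) AS INTEGER) AS skew_s "
        "FROM events WHERE ABS((julianday(server_ts) - julianday(event_utc)) * 86400) > ? "
        "ORDER BY skew_s DESC",
        (max_skew_seconds,),
    ).fetchall()


def build_reports(events=SAMPLE_EVENTS):
    """Load the events into an in-memory database and return all three reports."""
    conn = sqlite3.connect(":memory:")
    load_events(conn, events)
    return {
        "hourly": hourly_rule_report(conn),
        "hourly_naive": naive_hourly_rule_report(conn),
        "skew": clock_skew_report(conn),
    }


if __name__ == "__main__":
    for name, rows in build_reports().items():
        print(name)
        for row in rows:
            print("   ", row)
```

Keeping the raw endpoint timestamp and offset alongside the normalized UTC column is deliberate: the rollup groups on UTC so a host seven hours behind the server does not land its 23:55 events on the previous day, while the skew query still has the original values to show which endpoint's clock is wrong. Grouping on the local column instead (the naive variant) silently splits one burst of activity across two "hours" or two days.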