Snort mailing list archives
Security Metrics and Snort
From: Wynn Fenwick <wfenwick () FHLSim com>
Date: Mon, 18 Mar 2002 21:19:21 -0500
We've been running Snort for quite a while, and I came up with a pretty decent set of objectives and metrics to support it, so that security management can see the value Snort is providing us. Currently we report the following:

- num alerts per week
- num and severity of incidents, based on NSW/Northcutt's Criticality + Lethality - (Network + System countermeasures)
- num lines in the analyst diary txt file (I know, I know, but it's better than saying "yep, the IDS DA spent 8 hours today doing monitoring..." :) Our 1.5 analysts keep interesting stuff in a diary, like the duty handler used to do at incidents.org. This is some measure of level of effort for analysis other than "hours", which is artificially constant.

What statistical reports/metrics do you present to your management to justify an IDS program, and specifically a Snort deployment?

Has anyone ever done a dreaded total cost of ownership analysis on a Snort IDS vs. [insert commercial products here]? I am always being asked, "but yeah, it costs more to maintain because you need to know Unix, Perl, AND Apache". My answer is usually: the IDS analyst needs to know that anyway to be an effective analyst, so it's a moot point.

W
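As an added illustration of the two metrics the post reports (alerts per week, and incident severity on the Northcutt scale), here is a small Python script that is not part of the original message or of Snort. It counts Snort "fast" alert lines per ISO week and scores constructed incident records with Severity = (Criticality + Lethality) - (System countermeasures + Network countermeasures), each factor on a 1..5 scale. The alert lines, the incident records, the year 2002 (fast alerts carry no year unless Snort is run with -y) and the function names are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Snort "fast" alert line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...
FAST_ALERT = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]"
)

# Constructed sample alert lines (not real traffic); one line is deliberately
# malformed to show that unparseable lines are skipped rather than counted.
SAMPLE_ALERTS = [
    "03/04-10:22:31.123456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] {TCP} 10.1.2.3:4321 -> 192.168.1.10:80",
    "03/05-02:11:09.654321  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.9.8.7:1234 -> 192.168.1.10:80",
    "03/06-23:59:59.000001  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.4.4.4 -> 192.168.1.1",
    "03/11-08:00:00.000000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] {TCP} 10.1.2.3:4322 -> 192.168.1.10:80",
    "03/15-17:30:00.500000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Priority: 3] {UDP} 10.2.2.2:1900 -> 239.255.255.250:1900",
    "this line is not a Snort alert and must be ignored",
]

def iso_week(d):
    """Key a date by ISO year and week, e.g. '2002-W10'."""
    y, w, _ = d.isocalendar()
    return f"{y}-W{w:02d}"

def alerts_per_week(lines, year):
    """Count parseable fast-alert lines per ISO week; the year is an assumption."""
    counts = defaultdict(int)
    for line in lines:
        m = FAST_ALERT.match(line)
        if not m:
            continue  # skip anything that is not a fast-alert line
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        counts[iso_week(ts)] += 1
    return dict(counts)

def severity(criticality, lethality, system_cm, network_cm):
    """Northcutt's severity: (Criticality + Lethality) - (System + Network countermeasures).

    Each factor is scored 1 (low) to 5 (high), so the result lies in -8..8;
    out-of-range scores are rejected so a typo cannot silently skew the report.
    """
    for v in (criticality, lethality, system_cm, network_cm):
        if not 1 <= v <= 5:
            raise ValueError("each factor must be scored 1..5")
    return (criticality + lethality) - (system_cm + network_cm)

# Constructed incident records (hypothetical hosts and scores).
SAMPLE_INCIDENTS = [
    # Exposed DNS server, working exploit, patched late, weak perimeter filtering.
    {"date": date(2002, 3, 5), "host": "dns1", "criticality": 5, "lethality": 4, "system_cm": 2, "network_cm": 3},
    # Desktop probed by a scanner that found nothing; well patched and firewalled.
    {"date": date(2002, 3, 13), "host": "ws42", "criticality": 2, "lethality": 2, "system_cm": 4, "network_cm": 5},
]

def incidents_per_week(incidents):
    """Group scored incidents by ISO week: count plus max and mean severity."""
    weeks = defaultdict(list)
    for inc in incidents:
        s = severity(inc["criticality"], inc["lethality"], inc["system_cm"], inc["network_cm"])
        weeks[iso_week(inc["date"])].append(s)
    return {
        k: {"incidents": len(s), "max_severity": max(s), "mean_severity": sum(s) / len(s)}
        for k, s in weeks.items()
    }

def weekly_report(lines, incidents, year):
    """Merge both metrics into one row per week, as a management report would."""
    alerts = alerts_per_week(lines, year)
    incs = incidents_per_week(incidents)
    report = {}
    for week in sorted(set(alerts) | set(incs)):
        row = {"alerts": alerts.get(week, 0), "incidents": 0, "max_severity": None, "mean_severity": None}
        row.update(incs.get(week, {}))
        report[week] = row
    return report

if __name__ == "__main__":
    for week, row in weekly_report(SAMPLE_ALERTS, SAMPLE_INCIDENTS, 2002).items():
        print(week, row)
```

Severity is computed per incident, not per alert: the raw alert count tracks sensor noise and rule tuning, while the severity column only moves when an analyst has confirmed something, which is the distinction the post's second bullet draws.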
Current thread:
- Security Metrics and Snort Wynn Fenwick (Mar 21)