I'd like to point out that although Cisco ships the Nessus 2 scanner inside the CS-MARS product, we (Tenable) have not licensed any vulnerability checks to them (or CS-MARS customers) so any VA/IDS correlation is very out of date.
Tenable's solution for VA/IDS correlation not only includes the latest vulnerability checks for Nessus, but also host-based UNIX and Windows checks as well as continuous passive monitoring with our NeVO product.

Ron Gula, CTO Tenable Network Security

----- Original Message -----
From: "Gary Halleen (ghalleen)" <[EMAIL PROTECTED]>
To: "Sam Heshbon" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Subject: RE: Tuning false positives
Date: Tue, 27 Dec 2005 20:38:56 -0800

> Take a look at a good SIM product, like CS-MARS from Cisco
> Systems. This correlates IPS/IDS events with firewall and
> other network device logs, and also with vulnerability
> assessment tools (including NESSUS built-in). This
> correlation is again correlated with network topology
> information, and automatically tunes your events for you.
>
> In addition, there is a wealth of reports and query
> capabilities, as well as a lot of options for manually
> creating rules and doing further tuning.
>
> Even though it is from Cisco, it works with most IDS/IPS
> and firewall products, not just Cisco.
>
> Gary
>
> -----Original Message-----
> From: Sam Heshbon [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 25, 2005 3:21 AM
> To: [EMAIL PROTECTED]
> Subject: Tuning false positives
>
> My company is testing a few intrusion detection &
> prevention products. On the first few hours/days after
> deployment the machines alert on tens of thousands of
> events, which is way too much for us to ever go through,
> most of which are false alarms.
>
> The vendor's solution is tuning the systems, which means
> shutting down signatures, detection mechanisms, omitting
> defragmentation tests and so on. These tunings do reduce
> dramatically the number of alerts, but it seems most of
> the detection capabilities have been shut off too, so
> things are nice and quiet but we've no idea what's really
> going on in our network apart from catching the trivial
> threats such as old worms, which don't get false alarms.
>
> Has anyone encountered this situation? Anyone got a
> solution?
>
> Thanks
>
> Sam
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world
> attacks from CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
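The VA/IDS correlation that Ron and Gary both describe (deciding how much an IDS alert matters from what a vulnerability scan knows about the target host), as an added Python illustration that is not code from Tenable, CS-MARS or any list member. Hosts, ports, scan dates and CVE ids are constructed placeholders, and the scan-age threshold models Ron's point that stale vulnerability checks make the correlation stale.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set
@dataclass
class HostAssessment:
    """Constructed VA result for one host (vulns are placeholder CVE ids)."""
    scanned: date            # when the scan and its check set were current
    open_ports: Set[int]
    vulns: Set[str] = field(default_factory=set)
@dataclass
class Alert:
    """Constructed IDS alert: the signature claims this port/vuln on dst."""
    sig: str
    dst: str
    dport: int
    cve: Optional[str] = None
def correlate(alert: Alert, va: Dict[str, HostAssessment],
              today: date, max_age_days: int = 30) -> str:
    """Priority for one alert: unknown (never scanned, or scan too old to
    trust: stale checks give stale correlation), low (target port is
    closed, likely false positive), medium (service present but the
    referenced vuln not found), high (scan confirms the vulnerability)."""
    host = va.get(alert.dst)
    if host is None or (today - host.scanned).days > max_age_days:
        return "unknown"
    if alert.dport not in host.open_ports:
        return "low"
    if alert.cve is None or alert.cve not in host.vulns:
        return "medium"
    return "high"
def triage(alerts: List[Alert], va: Dict[str, HostAssessment],
           today: date) -> Dict[str, List[str]]:
    """Bucket alert signatures by priority; analysts read 'high' first."""
    out: Dict[str, List[str]] = {k: [] for k in ("high", "medium", "low", "unknown")}
    for a in alerts:
        out[correlate(a, va, today)].append(a.sig)
    return out
# Constructed sample data; CVE ids are placeholders, not real advisories.
TODAY = date(2005, 12, 28)
SCAN = {
    "10.0.0.5": HostAssessment(date(2005, 12, 20), {80, 443}, {"CVE-XXXX-0001"}),
    "10.0.0.6": HostAssessment(date(2005, 6, 1), {22}),  # stale scan
}
ALERTS = [
    Alert("WEB-ATTACK sample A", "10.0.0.5", 80, "CVE-XXXX-0001"),
    Alert("WEB-ATTACK sample B", "10.0.0.5", 80, "CVE-XXXX-0002"),
    Alert("SSH probe", "10.0.0.5", 22),
    Alert("SSH brute force", "10.0.0.6", 22),
]
```

Only the "low" bucket is a candidate for suppression; "unknown" alerts stay visible because the scan data cannot vouch for the host either way.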
