> I think you misunderstand what a SIM does with respect to vulnerability > scans. SIMs import scans from vulnerability scanners that you have > deployed. For example from Nessus. I think I remember that there is one > product (not even sure if it is a SIM) that does ad-hoc scans for events > it gets. That's just not a good idea, introduces a lot of latency (so > doesn't scale) and has the problems you outline. Again. In general, SIMs > import vuln-scans, they don't scan themselves.
Hi Marty, In general, I believe you're right and that most don't. Netforensics was this way I believe. But as a user of a "SIM" that has an integrated Nessus scanner, it obviously isn't a rule that a SIM can't do it's "own" scanning. It isn't necessarily adhoc either...that was a little misleading. I simply have no idea how this is implemented by CSMARS because they don't document it. I believe Cisco actually has 2 "SIM" products that do this (CiscoWorks VMS and CSMARS) and I would never use this functionality in either of them. Matt ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
