Hi all. This letter is addressed basically to ISS specialists who can influence XPU development, but any other feedback will be welcome. Here are some improvements that, I think, will be very useful.

1. RSSFM (Security Fusion Module). The main problem with this component is that the administrator has almost no opportunity to affect the process of event correlation. It is desirable for SFM to have means (a scripting language, etc.) of creating custom correlation rules, as there is in OSSIM (http://www.ossim.net). Now there is no documentation about how SFM works or how correlation is performed (I mean technical documentation, not FAQs, etc.).

2. Enterprise Dashboard in the SiteProtector console (ED). It has no filters. Here is an example: I perform scheduled scans with IS 7.0 on Monday every week, so on Monday the number of events from ServerSensors is very big, because ServerSensor does not support filters either! When I build a dashboard report it looks like someone attacks us every Monday. So, for ED, filters for events are desirable. I think that without filters, usage of ED is meaningless.

3. For ServerSensor it is desirable to support filters like those in NetworkSensor.

4. For TRONS signatures, filters are also desirable, to filter out, for example, legitimate scans. Also there is no ability to change the severity of TRONS events, but it is needed. For example, informational TRONS events with High severity can reduce the reliability of the whole ED report.

5. In NetworkSensor there is no ability to create filters by MAC address. It may be needed when events like IP_Duplicate are configured. I can explain in detail why it is needed if it is interesting to someone. Generally, MAC-address filters are desirable.

6. I didn't find a product from ISS that is capable of storing all servers' logs in RealSecureDB and correlating them with IDS events. For UNIX it is normal to store logs from all servers on one machine, so something like a third-party module (TPM) is desirable, to be installed on that dedicated machine to store all servers' syslog data in RealSecureDB. The same is needed for Windows boxes.
Now I store all UNIX logs on a dedicated machine with ServerSensor installed, so some of these syslog events are stored in RealSecureDB, but it seems SFM does not correlate these events with NetworkSensor data (how to force SFM to correlate these events??). The alternative solution, installing ServerSensors on all servers in the LAN, is too expensive.

Thanks to all. Good luck.

---
Best regards,
Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
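The three things the post asks for (administrator-defined filters for a known scheduled scanner, severity overrides for noisy informational signatures, and correlation of network-IDS alerts with host-side syslog/ServerSensor events) can be sketched as a small rule pass over a normalised event list. The following is an added example written for this page; it is not ISS, RealSecure or SiteProtector code and does not use any of their APIs. The scanner address 10.0.0.5, the Monday 01:00-05:00 scan window, the signature names and all sample events are constructed assumptions.

```python
"""Constructed example: a rule-driven filter and correlation pass over
security events, in the spirit of the custom correlation rules and event
filters requested in the post above. Not ISS/RealSecure product code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical: address of the authorized vulnerability scanner and the
# weekly window in which its scheduled scan runs (Monday, 01:00-05:00).
AUTHORIZED_SCANNERS = {"10.0.0.5"}
SCAN_WINDOW_WEEKDAY = 0
SCAN_WINDOW_HOURS = (1, 5)

# Hypothetical severity overrides for informational signatures whose
# default severity would otherwise inflate the dashboard.
SEVERITY_OVERRIDES = {"HTTP_Get": "Low"}

# How long after an IDS alert a host-side log event still counts as related.
CORRELATION_WINDOW = timedelta(minutes=10)


def is_legitimate_scan(event):
    """True when the event comes from an authorized scanner inside its window."""
    ts = event["time"]
    in_window = (ts.weekday() == SCAN_WINDOW_WEEKDAY
                 and SCAN_WINDOW_HOURS[0] <= ts.hour < SCAN_WINDOW_HOURS[1])
    return event.get("src_ip") in AUTHORIZED_SCANNERS and in_window


def apply_filters(events):
    """Drop legitimate-scan noise and apply severity overrides.
    Returns new event dicts; the input list is left untouched."""
    kept = []
    for ev in events:
        if is_legitimate_scan(ev):
            continue  # expected scanner traffic: keep it off the dashboard
        ev = dict(ev)
        ev["severity"] = SEVERITY_OVERRIDES.get(ev["name"], ev["severity"])
        kept.append(ev)
    return kept


def correlate(events):
    """Pair each network-IDS alert with host log events on the targeted host
    that occur within CORRELATION_WINDOW after it; one incident per match."""
    host_logs = defaultdict(list)
    for ev in events:
        if ev["source"] in ("server_sensor", "syslog"):
            host_logs[ev["host_ip"]].append(ev)
    incidents = []
    for alert in events:
        if alert["source"] != "network_sensor":
            continue
        for log in host_logs.get(alert["dst_ip"], []):
            delta = log["time"] - alert["time"]
            if timedelta(0) <= delta <= CORRELATION_WINDOW:
                incidents.append({
                    "host": alert["dst_ip"],
                    "attacker": alert["src_ip"],
                    "ids_event": alert["name"],
                    "host_event": log["name"],
                    "severity": "High",  # network alert confirmed by host evidence
                })
    return incidents


def dashboard_counts(events):
    """Count kept events per severity, the way a dashboard would show them."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["severity"]] += 1
    return dict(counts)


# Constructed sample: 2003-03-03 is a Monday, i.e. a scheduled scan day.
MONDAY = datetime(2003, 3, 3, 2, 0)
SAMPLE_EVENTS = [
    # scanner traffic inside the window: filtered out
    {"source": "network_sensor", "name": "HTTP_Get", "severity": "High",
     "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "time": MONDAY},
    # same signature from an unknown source: kept, severity overridden to Low
    {"source": "network_sensor", "name": "HTTP_Get", "severity": "High",
     "src_ip": "192.0.2.7", "dst_ip": "10.0.1.20",
     "time": MONDAY + timedelta(hours=6)},
    # IDS alert followed 3 minutes later by a matching syslog line on the host
    {"source": "network_sensor", "name": "SSH_Brute_Force", "severity": "High",
     "src_ip": "192.0.2.7", "dst_ip": "10.0.1.30",
     "time": MONDAY + timedelta(hours=7)},
    {"source": "syslog", "name": "sshd_auth_failure", "severity": "Medium",
     "host_ip": "10.0.1.30", "time": MONDAY + timedelta(hours=7, minutes=3)},
]

if __name__ == "__main__":
    kept = apply_filters(SAMPLE_EVENTS)
    print(dashboard_counts(kept))
    for incident in correlate(kept):
        print(incident)
```

Run stand-alone, the filter removes the scanner's Monday event, downgrades the stray `HTTP_Get` to Low, and the correlation step produces a single High incident for 10.0.1.30 because the syslog authentication failure lands inside the ten-minute window after the IDS alert. The filter is deliberately two-sided (source address and time window) so that scanner traffic outside its scheduled window still reaches the dashboard.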
