[Snort-users] Threat Management

Steve Scott sjscott007 at ...741...
Fri Aug 9 07:31:02 EDT 2002


I agree.  Just having the asset database will improve your analysis
tenfold.  Especially when it's that convenient.

The automated scans would work well in an environment where the IDS
analysts don't control the DMZ.  We have the same problem in our
operation.  Systems are constantly changing and new ones are added.

I added two new sections: Concerns & Evaluation Criteria.  These new
sections should help in evaluating systems and some of the issues
associated with them.

Regards,

Steve

On Wed, 2002-08-07 at 12:24, Hicks, John wrote:
> An excellent paper indeed. I've been thinking about this concept for a while
> now. My initial thought was a simple Perl-based system that would correlate
> entries from Snort with a saved, recent copy of a Nessus scan to provide
> more intelligent alerting according to what ports and services are
> registered.
> 
> Despite how you do it, I think that the Asset DB alone would increase IDS
> effectiveness ten-fold. The current issues I see around here don't have to
> do with tuning rulesets to what's on the network, it has to do with the fact
> that idiot contractor #10 brought his system in and it has X services
> running that weren't on my network 24 hours ago.
> 
> cheers,
> John Hicks
> 
> -----Original Message-----
> From: Steve Scott [mailto:sjscott007 at ...741...]
> Sent: Monday, August 05, 2002 9:59 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Threat Management
> 
> 
> I recently finished a paper on the Threat Management space and would
> like to share my findings with others.  We are currently in the process
> of evaluating solutions in this space.  While it's not 100 percent
> complete it will provide an understanding of the concept.  As I progress
> with the project I will continue to expand the paper.
> 
> You can find it here:  http://home.earthlink.net/~sjscott007/
> 
> Regards,
> 
> Steve
> 
> 
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
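
The correlation discussed in this thread (Snort alerts checked against a saved scan of which ports and services are registered), written in Python as an added example; it is not code from the thread or from the paper. The `host|port/proto|service` inventory format, the sample alert lines and the verdict names are assumptions constructed for illustration.

```python
import re

# Snort "fast" alert line: time [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+.*?\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+[\d.]+(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")

# Constructed inventory in an assumed "host|port/proto|service" format (not a real scanner export).
SAMPLE_ASSETS = """\
192.0.2.10|80/tcp|http
192.0.2.10|22/tcp|ssh
192.0.2.20|25/tcp|smtp
"""

# Constructed alert lines; SIDs and messages are placeholders.
SAMPLE_ALERTS = """\
08/07-12:24:01.104213  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 198.51.100.7:40112 -> 192.0.2.10:80
08/07-12:24:03.551002  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 198.51.100.7:40113 -> 192.0.2.20:80
08/07-12:25:10.000310  [**] [1:1000002:1] CONSTRUCTED smb probe [**] [Priority: 2] {TCP} 198.51.100.7:40200 -> 192.0.2.99:445
"""

def load_assets(text):
    """Return {host: {(port, proto): service}} from the inventory text."""
    assets = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            host, portproto, service = line.strip().split("|")
            port, proto = portproto.split("/")
            assets.setdefault(host, {})[(int(port), proto.lower())] = service
    return assets

def triage(dst, dport, proto, assets):
    """Classify one alert by what the last scan saw at its destination."""
    services = assets.get(dst)
    if services is None:
        return "unknown-asset"      # host absent from the scan: new or unmanaged system
    if dport is None:
        return "unscored"           # portless traffic (e.g. ICMP): inventory cannot decide
    if (dport, proto) in services:
        return "relevant"           # targeted service is actually listening
    return "not-listening"          # known host, but nothing registered on that port

def correlate(alert_text, asset_text):
    """Return (verdict, sid, dst, dport) for every parseable alert line."""
    assets, out = load_assets(asset_text), []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            dport = int(m["dport"]) if m["dport"] else None
            out.append((triage(m["dst"], dport, m["proto"].lower(), assets), m["sid"], m["dst"], dport))
    return out
```

The `unknown-asset` verdict is the case raised above of a system that was not on the network at the last scan; it is only as current as the saved scan, which is where the automated rescans come in.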





