Andre Derek Protas | 1 May 2005 18:32

Re: SNORT + Win32

Did you check out ACID?

::dre::

just1coder wrote:

> Hi, I'm using SNORT and Win32 - so far so good. Are there any tools 
> available commercial or otherwise for monitoring the logs and building 
> reports?
>
> Thanks
>
> -------------------------------------------------------------------------- 
>
> Stop hurting your network!
>
> The NeVO passive vulnerability sensor continuously finds 
> vulnerabilities, applications and new hosts without the need for 
> network scanning. It also finds compromised systems with 
> application-based intrusion detection. Go to 
> http://www.tenablesecurity.com/products/nevo.shtml to learn more.
> -------------------------------------------------------------------------- 

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Yoanne LE MERCIER | 1 May 2005 19:18

Re: SNORT + Win32

Hi.

Take a look at the download/contrib/data_analysis section of the official
Snort homepage (http://www.snort.org/dl/contrib/data_analysis/).
The most famous reporting tools are ACID and SnortSnarf.

Hope it helps.

On 4/29/05, just1coder <just1coder <at> yahoo.ca> wrote:
> Hi, I'm using SNORT and Win32 - so far so good. Are there any tools
> available commercial or otherwise for monitoring the logs and building
> reports?
> 
> Thanks
> 


Kevin Johnson | 2 May 2005 12:45

BASE development list public

Everyone,

With the recent release of BASE version 1.1.2, we've received a lot
of helpful suggestions and modifications that people would like to make.
(We enjoy ideas; we like it even better when people provide the code :)
So, in theory and following the model of Open Source Software, we
have made the developers list for BASE public.

We'd like everyone who has adodb, PEAR Graph or PHP coding skills, or who just wants to
help out, to feel welcome to sign up on our webpage at:
http://lists.sourceforge.net/lists/listinfo/secureideas-base-devel

If you have ideas, we'd love to hear them!!  Thanks everyone!
Kevin Johnson and Joel Esler
-------------------
BASE Project Leads
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!

Harper, Patrick | 2 May 2005 15:04

RE: SNORT + Win32

For monitoring I use BASE (http://secureideas.sourceforge.net/). It is
based on the ACID code but is so much nicer and faster.



-----Original Message-----
From: just1coder [mailto:just1coder <at> yahoo.ca] 
Sent: Friday, April 29, 2005 10:17 AM
To: focus-ids <at> securityfocus.com
Subject: SNORT + Win32

Hi, I'm using SNORT and Win32 - so far so good. Are there any tools 
available commercial or otherwise for monitoring the logs and building 
reports?

Thanks


Martin Roesch | 3 May 2005 04:08

Re: SNORT + Win32

I second that, if you're going to use web-based analysis tools please  
don't use ACID any more, BASE is under active development and is a fork  
from the original ACID codebase.  It appears that ACID is not under  
active development any longer...

      -Marty

On May 2, 2005, at 9:04 AM, Harper, Patrick wrote:

> For monitoring I use BASE  http://secureideas.sourceforge.net/  it is
> based on the ACID code but is so much nice and faster
>
>
>
> -----Original Message-----
> From: just1coder [mailto:just1coder <at> yahoo.ca]
> Sent: Friday, April 29, 2005 10:17 AM
> To: focus-ids <at> securityfocus.com
> Subject: SNORT + Win32
>
> Hi, I'm using SNORT and Win32 - so far so good. Are there any tools
> available commercial or otherwise for monitoring the logs and building
> reports?
>
> Thanks
>

Jason Patel | 3 May 2005 20:15

Value of IDS, ROI


I was wondering how the CIOs of big companies show their executives the return on investment on IDS. What is the
monitoring strategy for IDS alerts? I am trying to figure out a monitoring strategy and how to show my executive
how important this job is, but can't come up with a convincing solution. Any help is highly
appreciated.

Thanks,

Jason


Ed Gibbs | 4 May 2005 02:10

RE: Value of IDS, ROI

Jason,

Positioning IDS/IPS to the CxO level is very difficult, because the return
is basically not realized until the product actually proves itself by
preventing or detecting something significant.  Things to bring up include:

*	Capital Cost: sensor(s), management software, additional hardware,
maintenance
*	Operational Cost: installation, policy implementation,
tuning/analysis, software/hardware updates, monitoring, remote management,
personnel, etc.
*	Business Benefit
	- Cost of not detecting/preventing attacks (risk)
	- Cost of downtime including manpower and disruption in
business/productivity
	- Attack recovery cost

 Risk, in this case, is defined as a measurement of uncertainty around a
given investment in technology.  Uncertainty is measured from several
perspectives: one is the likelihood that the technology will not perform as
expected.  This impacts cost and benefit estimates by potentially reducing
the benefits that will ultimately be achieved as well as increasing the
costs of the investment.  Second, lack of accountability and incentive to
measure the success of the investment, particularly enterprise wide
benefits, will ultimately result in lack of a demonstrated return.  

 I like to use the auto insurance scenario, because it's something that we
don't see any return on unless something happens, and then we ultimately need
it.

Bob Huber | 4 May 2005 02:30

Re: Value of IDS, ROI

The easiest approach would be to quantify the cost of
any worm outbreaks, outages, or compromises you have
already had if you have the data handy, or guesstimate
what the cost of an outage of one of your information
assets would be.

The second thing that is compelling is the fact that
most large companies, depending on their industry,
have legal requirements to have some form of IDS.  For
example, healthcare and insurance have HIPAA; financial
institutions have Gramm-Leach-Bliley, FDIC, SEC, OCC,
Sarbanes-Oxley, etc.  Some of these regulations levy a
fine for lack of controls.

As far as a monitoring strategy, that all depends on
the level of risk you are willing to accept and the
value of your assets/information.  Are you processing
customer data, social security numbers, credit card
numbers, bank accounts, or just hosting a static web
site?  There are a million factors here to contend
with, pick up your nearest CISSP cram book.

Supposing you have something worth protecting, at a
minimum, you should at least look for signs of a
compromise, rather than scans, sweeps and information
probes.  While looking at probes, and reconnaissance
is fun for an IDS geek, if you don't have time, and no
dedicated security staff, just worry about the heavy
hitter events and log everything else so when you DO
have a compromise you at least have the data available
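As an added example (not code from any poster on this list), the following Python script applies Bob's advice to Snort's one-line alert_fast output: alerts at the chosen priority or better are surfaced as "act now", everything else is retained for later investigation, and a per-source count is produced for reports. The sample lines and the SIDs in the local rule range are constructed for the example.

```python
import re
from collections import Counter

# Field layout of Snort 2.x alert_fast lines; the Classification block is
# optional because rules without a classtype omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alerts (local SIDs 1000001-1000004 are placeholders).
ALERT_SAMPLE = [
    "05/03-20:15:01.123456  [**] [1:1000001:1] SAMPLE worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 10.0.0.5:1434",
    "05/03-20:15:03.000001  [**] [1:1000002:1] SAMPLE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.5:80 -> 198.51.100.7:40001",
    "05/03-20:15:05.000002  [**] [1:1000003:1] SAMPLE TCP port scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.0.2.10:55000 -> 10.0.0.5:22",
    "05/03-20:15:06.000003  [**] [1:1000004:1] SAMPLE ICMP ping [**] "
    "[Priority: 3] {ICMP} 192.0.2.11 -> 10.0.0.5",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def triage(lines, max_prio=1):
    """Split alerts into 'act now' (priority <= max_prio) and 'log only'."""
    urgent, archive = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:          # skip blank or non-alert lines
            continue
        (urgent if alert["prio"] <= max_prio else archive).append(alert)
    return urgent, archive


def top_sources(alerts, n=3):
    """Count alerts per source host (port stripped; ICMP has none)."""
    return Counter(a["src"].rsplit(":", 1)[0] for a in alerts).most_common(n)
```

Raising max_prio to 2 pulls the worm-propagation alert into the urgent list as well, which is the knob to turn once there is staff to review more than the heavy hitters.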

Vladimir Vuksan | 4 May 2005 05:08

Re: Value of IDS, ROI

Jason Patel wrote:

> I was wondering how the CIOs of big companies show their executives the return on investment on IDS. What is the
> monitoring strategy for IDS alerts? I am trying to figure out a monitoring strategy and how to show my executive
> how important this job is, but can't come up with a convincing solution. Any help is highly
> appreciated.
>
I would think this would be an easy argument to make :-). The way I 
would look at it is to figure out how separate types of incidents 
would affect productivity in an organization. For example, a virus outbreak takes 
down the whole network, resulting in 100 employees losing 8 hours of 
productivity. If an IDS was present there would be only 2 hours of lost 
productivity. So with an IDS there are 6 hours less lost productivity due to 
early alerting, containment, etc. In money terms you can then come up with a 
dollar figure, e.g. 6 hours times 100 employees = $XXXX. You may be able 
to find on the net what the average number of security incidents is for an organization 
of your size.

Vladimir


Angel L Rivera | 4 May 2005 15:02

RE: Value of IDS, ROI

Adding to Bob's second paragraph: these regulations require you to monitor
your audit logs for incidents. We know how long it used to take for one
person to review a basic audit log with thousands of entries every hour.
An IDS can be used to monitor the logs and only alert on violations or
suspected violations; the savings in manpower to review them would be
pretty high. Again, do the math: no IDS, 10 people a day to review logs;
IDS, 1-2 people to review logs.

You can also use an IDS, even though there are better tools, to monitor systems
that have not been patched with the latest security patch. A new worm comes
out exploiting a new vulnerability: which systems need to be patched right
away and which can be patched later?

-----Original Message-----
From: Bob Huber [mailto:roberthuberjr <at> yahoo.com] 
Sent: Tuesday, May 03, 2005 8:31 PM
To: focus-ids <at> securityfocus.com
Subject: Re: Value of IDS, ROI

The easiest approach would be to quantify the cost of
any worm outbreaks, outages, or compromises you have
already had if you have the data handy, or guesstimate
what the cost of an outage of one of your information
assets would be.

The second thing that is compelling is the fact that
most large companies, depending on their industry,
have legal requirements to have some form of IDS.  For
example, healthcare, insurance have HIPAA, financial
institutions have Graham-Leach-Bliley, FDIC, SEC, OCC,