Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Day 6 - Network-based Intrusion Detection Systems - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Day 6 - Network-based Intrusion Detection Systems

One of the sources we use to identify incidents is the network-based intrusion detection system (NIDS) that most of our enterprises have, at least at the border, at our known internet connections.  The NIDS, however, can be pretty noisy, how do we turn the noise into actionable data?  How much access does the incident handler have to the raw NIDS data?  As Steve pointed out yesterday, the alerts from the NIDS are just events, they don't become an incident (usually) until these events have been correlated with other data.  How do you use NIDS data to indentify incidents requiring activation of your IH process?  Let us know via the contact page and this story will be updated throughout the day.

Jim

399 Posts
ISC Handler
I just loaded SNORT onto a box, and it is inundating me with alerts. I see some ways on here to reduce the false positives, but I really don't have that time.

I've been reading into some products that supposedly help reduce them. Would something like Sourcefire or TippingPoint be good options.

This is what I'm looking at: http://www.sourcefire.com/products/3D/ids
Anonymous
Posts

Sign Up for Free or Log In to start participating in the conversation!