
SSIM default rules

Created: 03 Feb 2013 | 1 comment
Vikram Kumar-SAV to SEP
2 Agree, 0 Disagree (+2, 2 votes)

Would like to see more technology-based generic rules in SSIM that would work regardless of any product used.

Like Port Scans and Port Sweeps. BOT rules need to be modified or more IRC ports added.

Also, if there could be additional technology-based rules like AV or HIPS/NIPS.

Comments (1)

JH-Analyst

I definitely agree that with the advent of using technologies in newer ways, those technologies should not be lumped into an already existing framework. A great example is the use of IBM Server Protection for Windows that uses the "ISS SiteProtector" product for its event parsing. In many cases, the direction of "actual" travel is backwards, because the Logging Device can often be the Source/Attacker, which confuses Network-based rule criteria.

Expanding the current default rules, even to separate HIDS and NIDS would be a positive step forward.

+1
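As an added example (not code from the post, its author, the commenter, or Symantec's SSIM rule set), here is what product-agnostic port scan, port sweep and IRC-port rules look like when written against a normalized event record instead of one product's fields, including the direction fix the comment above asks for: when the logging device is itself one endpoint of the connection, the initiator/target pair is derived from how that device saw the connection rather than from its raw source/destination columns. The event schema, thresholds, window size, IRC port list and all sample events are constructed assumptions for the illustration.

```python
from collections import defaultdict, deque

# Assumed normalized event schema (constructed, not SSIM's): ts in seconds, src, dst,
# dport, reporter (the logging device) and inbound (how the reporter saw the direction;
# None for a network sensor that is neither endpoint).
EVENTS = (
    # 10.0.0.5 probes 10.0.0.20 on ports 20-27, seen by a network sensor
    [{"ts": t, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 20 + t,
      "reporter": "ids-1", "inbound": None} for t in range(8)]
    # the same probe continues on ports 28-31, but the host sensor on 10.0.0.20 logs
    # the inbound connections with itself as src: the reversal the comment describes
    + [{"ts": t, "src": "10.0.0.20", "dst": "10.0.0.5", "dport": 20 + t,
        "reporter": "10.0.0.20", "inbound": True} for t in range(8, 12)]
    # 10.0.0.7 tries port 445 on twelve different hosts
    + [{"ts": 100 + i, "src": "10.0.0.7", "dst": f"10.0.0.{30 + i}", "dport": 445,
        "reporter": "ids-1", "inbound": None} for i in range(12)]
    # host 10.0.0.50 opens an outbound connection to a standard IRC port
    + [{"ts": 200, "src": "10.0.0.50", "dst": "198.51.100.9", "dport": 6667,
        "reporter": "10.0.0.50", "inbound": False}]
)

# Assumed starting list of IRC ports; a real rule would make this an editable list.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
SCAN_PORT_THRESHOLD = 10   # distinct target ports on one host within the window
SWEEP_HOST_THRESHOLD = 10  # distinct target hosts on one port within the window
WINDOW_SECONDS = 60


def normalize(ev):
    """Return (ts, initiator, target, dport) independent of which device logged it.

    A host sensor that lists itself as src for a connection it *received* (inbound
    True) is really the target; one that lists itself as dst for a connection it
    *opened* (inbound False) is really the initiator.  Network sensors are trusted.
    """
    src, dst = ev["src"], ev["dst"]
    reporter, inbound = ev["reporter"], ev["inbound"]
    if reporter == src and inbound is True:
        src, dst = dst, src
    elif reporter == dst and inbound is False:
        src, dst = dst, src
    return ev["ts"], src, dst, ev["dport"]


def _distinct_in_window(window, ts, value):
    """Add (ts, value), drop entries older than the window, return distinct count."""
    window.append((ts, value))
    while window and window[0][0] < ts - WINDOW_SECONDS:
        window.popleft()
    return len({v for _, v in window})


def detect(events, fix_direction=True):
    """Run the three generic rules over events sorted by time; return alert tuples.

    fix_direction=False applies the rules to the raw src/dst columns, which shows
    how a reversed host-sensor log splits one scan into two harmless-looking halves.
    """
    port_windows = defaultdict(deque)  # (initiator, target) -> (ts, dport) entries
    host_windows = defaultdict(deque)  # (initiator, dport)  -> (ts, target) entries
    fired = set()                      # fire each scan/sweep alert once per key
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if fix_direction:
            ts, initiator, target, dport = normalize(ev)
        else:
            ts, initiator, target, dport = ev["ts"], ev["src"], ev["dst"], ev["dport"]

        if dport in IRC_PORTS:
            alerts.append(("irc_connect", initiator, target, ts))

        n = _distinct_in_window(port_windows[(initiator, target)], ts, dport)
        if n >= SCAN_PORT_THRESHOLD and ("scan", initiator, target) not in fired:
            fired.add(("scan", initiator, target))
            alerts.append(("port_scan", initiator, target, ts))

        n = _distinct_in_window(host_windows[(initiator, dport)], ts, target)
        if n >= SWEEP_HOST_THRESHOLD and ("sweep", initiator, dport) not in fired:
            fired.add(("sweep", initiator, dport))
            alerts.append(("port_sweep", initiator, dport, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("without direction fix:", detect(EVENTS, fix_direction=False))
```

With the direction fix the scan against 10.0.0.20 crosses the threshold on the tenth distinct port even though the last four probes were logged by the host itself in reversed form; with the raw columns those four events are attributed to 10.0.0.20 as a separate initiator and the scan rule never fires, while the sweep and IRC rules are unaffected because they do not depend on a host sensor's view.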