Security Basics mailing list archives
RE: FW/IPS log correlation software
From: "Nathan Sherlock" <nathans () cyberklix com>
Date: Tue, 15 Apr 2008 11:22:14 -0400
As part of our Managed Security Services, we manage multiple enVision platforms and have successfully written alerts that correlate IPS/FW logs. Once you adopt an alert rule creation methodology possible within enVision and research the relevant message IDs, half the battle is done. Also, testing various scenarios and thresholds is key.

Regards,
Nathan

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Albert Gonzalez
Sent: Saturday, April 12, 2008 11:54 PM
To: bart knippenberg; Raimar Melchior
Cc: security-basics () securityfocus com
Subject: Re: FW/IPS log correlation software

Bart,

ArcSight does not do correlation before events are sent to the manager. Several operations are available at the SmartConnector (agent) level, including:

- Parsing
- Filtering
- Aggregation and/or BATCH operations
- RAW event

Since ArcSight uses a different connector for each data source, it would be hard to do correlation when the SmartConnector is only parsing/forwarding Checkpoint logs, etc. Without the ability to see the other data sources being collected, it cannot correlate against those events.

Thanks,
--
Albert Gonzalez, ACSA
http://www.cerveau.us/ || http://distributed.honeynets.org
"Success comes to the person who does today, what you are thinking of doing tomorrow."

On 4/4/08 2:24 AM, "bart knippenberg" <bartknippenberg () gmail com> wrote:

Hello Raimar,

Maybe you can take a look at RSA enVision? This is at the moment number one for Gartner. From a technical point of view this product is much better than Cisco MARS or ArcSight. enVision can correlate a huge amount of logs, has collectors for a lot of products, and has a decent GUI. Logs are not prefiltered when they are stored. (ArcSight does a correlation before logs are sent from agents or stored in the database.)

Best regards,
Bart Knippenberg

2008/4/3 Raimar Melchior <raimar.melchior () crocodial de>:

Hello list,

we want a central log station where logs from firewalls, IPS and other security devices are sent to. All of our components support the syslog protocol. The challenge is to filter and correlate this huge amount of logs. We also want to create filtering and reports (graphical). The server should have a graphical frontend (GUI). We tried the Kiwi syslog server but it doesn't meet our requirements. Any good enterprise software out there? Any suggestions would be very appreciated.

Many Thanks,
Raimar

Security Consultant
CROCODIAL IT Security GmbH
Köln branch office
Von-der-Wettern-Str. 25
51149 Köln
office: +492203-69923-16
mobile: +49170-2265680
eMail: rm () crocodial de
http://www.crocodial.de/
Registered office: Hamburg
Registered at: Amtsgericht Hamburg Nr. HRB 83456
Management: Wolfgang Dierke, Helmut Hansen, Lutz Klöber
----------------------------------------------------------------------
CROCODIAL SecurityDays 2008:
----------------------------------------------------------------------
Berlin: 16.04.2008
Hamburg: 22.02.2008, 26.09.2008, 05.09.2008
Bremen: 04.04.2008
Hannover: 18.04.2008, 12.09.2008, 19.09.2008
Dortmund: 23.10.2008
Köln: 05.06.2008
Düsseldorf: 10.04.2008
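The kind of FW/IPS correlation rule the thread is about (firewall denies from a source followed by an IPS alert for the same source within a time window, gated by a threshold) can be sketched outside any SIEM product. The following is an added example written for this archive page; it is not code from enVision, ArcSight or any of the posters. The syslog lines, the field names (action, src, dst, sid, msg), the hostnames and the IP addresses are all constructed and simplified, not the real output format of any product.

```python
"""Correlate firewall denies with IPS alerts from the same source IP.

Added example: a minimal threshold-based correlation rule over constructed,
simplified syslog-style lines ("timestamp host program: key=value ...").
The formats, hosts and addresses below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not captured from any real device.
SAMPLE_LOGS = """\
2008-04-15T11:00:01 fw1 fw: action=deny src=10.1.1.5 dst=192.0.2.10 dport=22
2008-04-15T11:00:03 fw1 fw: action=deny src=10.1.1.5 dst=192.0.2.10 dport=23
2008-04-15T11:00:05 fw1 fw: action=deny src=10.1.1.5 dst=192.0.2.10 dport=445
2008-04-15T11:00:09 ips1 ips: sid=2001 msg="port scan" src=10.1.1.5 dst=192.0.2.10
2008-04-15T11:02:00 fw1 fw: action=deny src=10.1.1.9 dst=192.0.2.11 dport=80
2008-04-15T11:30:00 fw1 fw: action=deny src=10.1.1.9 dst=192.0.2.11 dport=443
2008-04-15T11:31:00 ips1 ips: sid=2002 msg="sql injection" src=10.1.1.9 dst=192.0.2.11
"""

# Assumed line layout: ISO timestamp, host, program, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one syslog-style line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("msg"))}
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "prog": m.group("prog"),
        **fields,
    }


def correlate(log_text, deny_threshold=3, window=timedelta(minutes=5)):
    """Raise an alert when an IPS event for a source IP is preceded, within
    `window`, by at least `deny_threshold` firewall denies from that source.

    Both parameters are the knobs the thread says must be tuned and tested;
    lowering the threshold or widening the window trades noise for coverage.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # process in time order
    denies = defaultdict(list)  # src IP -> timestamps of its denies
    alerts = []
    for e in events:
        src = e.get("src")
        if e["prog"] == "fw" and e.get("action") == "deny":
            denies[src].append(e["ts"])
        elif e["prog"] == "ips":
            recent = [t for t in denies[src] if e["ts"] - t <= window]
            if len(recent) >= deny_threshold:
                alerts.append({
                    "ts": e["ts"],
                    "src": src,
                    "ips_sid": e.get("sid"),
                    "ips_msg": e.get("msg"),
                    "deny_count": len(recent),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a)
```

With the defaults, only 10.1.1.5 fires (three denies in the five minutes before its IPS alert); 10.1.1.9 has two denies but only one inside the window, so it is suppressed until the threshold is lowered. In a real deployment the parser would be per data source (which is exactly why a single per-source connector cannot correlate on its own, as the ArcSight reply notes) and the state would need expiry so `denies` does not grow without bound.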
Current thread:
- FW/IPS log correlation software Raimar Melchior (Apr 03)
- RE: (SCL: 1) FW/IPS log correlation software David Prince (Apr 03)
- RE: FW/IPS log correlation software Brandon Louder (Apr 03)
- Re: FW/IPS log correlation software Jay (Apr 04)
- RE: FW/IPS log correlation software Wong Yu Liang (Apr 04)
- Re: FW/IPS log correlation software Udo Sprotte (Apr 04)
- Re: FW/IPS log correlation software bart knippenberg (Apr 04)
- RE: FW/IPS log correlation software Alfredo Cedeño (Apr 04)
- Re: FW/IPS log correlation software Albert Gonzalez (Apr 13)
- RE: FW/IPS log correlation software Nathan Sherlock (Apr 15)
- RE: FW/IPS log correlation software Loupe, Jeffrey J (Apr 04)
- Re: FW/IPS log correlation software TT-SEC (Apr 04)
- RE: FW/IPS log correlation software Kevin Ortloff (Apr 04)
- <Possible follow-ups>
- Re: FW/IPS log correlation software mgk . mailing (Apr 04)
- Re: FW/IPS log correlation software Gleb Paharenko (Apr 07)
- Re: FW/IPS log correlation software Ronald van der Westen (Apr 10)
- Re: FW/IPS log correlation software Gleb Paharenko (Apr 07)
- Re: FW/IPS log correlation software Olmstead, Frank M. - OTR (Apr 04)