IDS mailing list archives
RE: Correlation software
From: "Mariusz Burdach" <M_Burdach () compfort pl>
Date: Fri, 19 Mar 2004 10:29:20 +0100
Hello,

If you are looking for any commercial tools, please have a look at the Symantec website. They offer the Incident Manager product, which can correlate events from several security tools such as firewalls, antiviruses or IDSes, and after that it creates incidents which meet defined criteria. This product allows you to create your own patterns of attacks. Additionally, you need event collectors to collect events from 3rd party products such as Snort or RealSecure. Of course, you can collect events from not yet supported tools. For example: using Symantec HIDS you can collect logs from Honeyd or Squid. The other possibility is to use the Syslog collector, but then you have to write rules to transform logs to a normalized form. I have to mention that after normalization all events are saved in a DB2 database. The DB2 database is the component of Symantec Enterprise Security Architecture. The Incident Manager takes events from that database and looks for patterns of attacks.

Below I am putting an example of a simple pattern of attack. When three types of normalized events happen and the destination IP address is the same for all three of them, the Incident Manager will generate an incident. (The first event comes from the firewall or IDS; the second and third ones come from the host-based IDS or the syslog event collector.)

Best regards,
Mariusz Burdach

-------------------------------------------pattern of attack-------------------------------------------
Execute
Assign CriteriaOne "CONNECT-SCAN";
Assign TypeOne "SubCategory";
Assign CountOne 1;
Assign CriteriaTwo "AUTHV_OS_Login_User";
Assign TypeTwo "GenericAlert";
Assign CountTwo 1;
Assign CriteriaThree "AUTHS_OS_Login";
Assign TypeThree "GenericAlert";
Assign CountThree 1;
Assign CriteriaOrder "Strict";
Assign Timeout 3600;
Assign IncidentSeverity 5;
BuildString IncidentDescription "Pattern Attack Detected";
Assign ContinueProcessing False;
Assign IncidentCode "TargetPattern";
Assign IncidentCategory "User";
Assign StateTableSize 1000;
UseRuleSet TargetPattern;
EndExecute
-------------------------------------------eof-------------------------------------------

-----Original Message-----
From: sam () neuroflux com [mailto:sam () neuroflux com]
Sent: Thursday, March 18, 2004 5:07 PM
To: focus-ids () securityfocus com
Subject: Correlation software

Hello..

Thank you all for your responses to my Entercept email, they have all been fantastic! I am also looking to find out if there are any commercial Log Correlation packages available? I'm looking for something that can correlate Firewall + IDS + HIDS type of logs and create a logical flow of events.. Can anyone recommend, or point me in the right direction?

Thanks!
-Sam
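The rule quoted in the post is a target-keyed, ordered, time-bounded pattern: three criteria, counted once each, matched in strict order for the same destination IP within 3600 seconds, with a bounded state table. The following Python is an added example written for this archive page, not Symantec's Incident Manager code or its event schema; it implements that matching logic over constructed normalized events (the dict keys `ts`, `dst_ip`, `SubCategory`, `GenericAlert` and `source` are assumptions chosen for the example). It also goes slightly beyond the post's "Strict" setting by supporting a relaxed ordering mode, so the effect of the CriteriaOrder choice can be compared on the same input.

```python
"""Toy correlation engine modelled on the 'target pattern' rule in the post above.

Constructed for illustration; event field names and the rule class are
assumptions, not the Incident Manager's real schema or rule language.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Criterion:
    field: str    # normalized event field to inspect (e.g. "SubCategory")
    value: str    # value that satisfies the criterion
    count: int = 1  # how many matching events are required


@dataclass
class PatternRule:
    criteria: List[Criterion]   # ordered list, maps to CriteriaOne/Two/Three
    timeout: int                # seconds a partial match stays alive
    severity: int
    description: str
    key_field: str = "dst_ip"   # events are grouped by this field
    strict_order: bool = True   # CriteriaOrder "Strict" vs relaxed
    state_table_size: int = 1000


class Correlator:
    """Feeds normalized events through one PatternRule and emits incidents."""

    def __init__(self, rule: PatternRule):
        self.rule = rule
        # key (dst_ip) -> partial match; OrderedDict lets us evict the oldest
        self.state: "OrderedDict[str, dict]" = OrderedDict()
        self.incidents: List[dict] = []

    def _matches(self, event: dict, idx: int) -> bool:
        c = self.rule.criteria[idx]
        return event.get(c.field) == c.value

    def _expire(self, now: int) -> None:
        # Drop partial matches whose first event is older than the timeout.
        for key in list(self.state):
            if now - self.state[key]["first_ts"] > self.rule.timeout:
                del self.state[key]

    def _advance(self, st: dict, event: dict) -> bool:
        n = len(self.rule.criteria)
        outstanding = [i for i in range(n)
                       if st["seen"][i] < self.rule.criteria[i].count]
        if self.rule.strict_order:
            outstanding = outstanding[:1]  # only the next criterion in sequence counts
        for i in outstanding:
            if self._matches(event, i):
                st["seen"][i] += 1
                st["events"].append(event)
                return True
        return False

    def feed(self, event: dict) -> Optional[dict]:
        """Process one event; return an incident dict if the pattern completes."""
        now = event["ts"]
        self._expire(now)
        key = event[self.rule.key_field]
        st = self.state.get(key)
        fresh = st is None
        if fresh:
            st = {"first_ts": now, "seen": [0] * len(self.rule.criteria), "events": []}
        if not self._advance(st, event):
            return None  # event is irrelevant (or out of order under Strict)
        if fresh:
            if len(self.state) >= self.rule.state_table_size:
                self.state.popitem(last=False)  # StateTableSize: evict oldest partial match
            self.state[key] = st
        done = all(st["seen"][i] >= c.count for i, c in enumerate(self.rule.criteria))
        if not done:
            return None
        incident = {"dst_ip": key, "severity": self.rule.severity,
                    "description": self.rule.description,
                    "first_ts": st["first_ts"], "last_ts": now,
                    "events": list(st["events"])}
        self.incidents.append(incident)
        del self.state[key]  # ContinueProcessing False: the match is consumed
        return incident


def build_example_rule(strict_order: bool = True) -> PatternRule:
    """The three-step rule from the post, expressed in this toy rule class."""
    return PatternRule(
        criteria=[Criterion("SubCategory", "CONNECT-SCAN"),
                  Criterion("GenericAlert", "AUTHV_OS_Login_User"),
                  Criterion("GenericAlert", "AUTHS_OS_Login")],
        timeout=3600, severity=5, description="Pattern Attack Detected",
        strict_order=strict_order, state_table_size=1000)


# Constructed sample of normalized events (not real product output).
SAMPLE_EVENTS = [
    {"ts": 1000, "dst_ip": "10.0.0.5", "SubCategory": "CONNECT-SCAN", "source": "firewall"},
    {"ts": 1200, "dst_ip": "10.0.0.5", "GenericAlert": "AUTHS_OS_Login", "source": "hids"},       # out of order
    {"ts": 1300, "dst_ip": "10.0.0.5", "GenericAlert": "AUTHV_OS_Login_User", "source": "hids"},
    {"ts": 1500, "dst_ip": "10.0.0.9", "GenericAlert": "AUTHV_OS_Login_User", "source": "hids"},  # no scan first
    {"ts": 1800, "dst_ip": "10.0.0.5", "GenericAlert": "AUTHS_OS_Login", "source": "syslog"},
    {"ts": 9000, "dst_ip": "10.0.0.7", "SubCategory": "CONNECT-SCAN", "source": "firewall"},
    {"ts": 9100, "dst_ip": "10.0.0.7", "GenericAlert": "AUTHV_OS_Login_User", "source": "hids"},
    {"ts": 13000, "dst_ip": "10.0.0.7", "GenericAlert": "AUTHS_OS_Login", "source": "syslog"},    # past timeout
]


def run_rule(events: List[dict], strict_order: bool = True) -> List[dict]:
    corr = Correlator(build_example_rule(strict_order))
    for ev in events:
        corr.feed(ev)
    return corr.incidents


if __name__ == "__main__":
    for inc in run_rule(SAMPLE_EVENTS):
        print(inc["dst_ip"], inc["severity"], inc["description"], inc["first_ts"], inc["last_ts"])
```

On the constructed sample, the strict rule raises exactly one incident for 10.0.0.5 (the out-of-order login at ts 1200 is ignored and the sequence completes at ts 1800); 10.0.0.9 never opens a partial match because no scan preceded the login, and 10.0.0.7's third event arrives more than 3600 seconds after its first and so finds its state already expired. Switching to relaxed ordering lets the same input complete at ts 1300, which is the practical difference a CriteriaOrder setting makes when collectors deliver events with skewed timing.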