IDS mailing list archives

RE: Correlation software


From: "Mariusz Burdach" <M_Burdach () compfort pl>
Date: Fri, 19 Mar 2004 10:29:20 +0100

Hello,

If you are looking for any commercial tools, please have a look at the Symantec website.
They offer the Incident Manager product, which can correlate events from
several security tools such as firewalls, antiviruses or IDSes and after
that it creates incidents which meet defined criteria. This product allows
you to create your own patterns of attacks. Additionally, you need event
collectors to collect events from 3rd party products such as Snort or
RealSecure. Of course, you can collect events from not yet
supported tools. For example: using Symantec HIDS you can collect logs from
Honeyd or Squid. The other possibility is to use the Syslog collector,
but then you have to write rules to transform logs to a normalized form.
I have to mention that after normalization all events are saved in a DB2
database. The DB2 database is a component of Symantec Enterprise
Security Architecture. The Incident Manager takes events from that
database and looks for patterns of attacks.

Below I am putting an example of a simple pattern of attack. When three types of
normalized events happen and the destination IP address is the
same for all three of them, the Incident Manager will generate an incident.
(The first event comes from the firewall or IDS; the second and third ones come from the
host-based IDS or the syslog event collector.)

Best regards,
Mariusz Burdach

-------------------------------------------pattern of attack-------------------------------------------
Execute
        Assign          CriteriaOne             "CONNECT-SCAN";
        Assign          TypeOne                 "SubCategory";
        Assign          CountOne                1;

        Assign          CriteriaTwo             "AUTHV_OS_Login_User";
        Assign          TypeTwo                 "GenericAlert";
        Assign          CountTwo                1;

        Assign          CriteriaThree           "AUTHS_OS_Login";
        Assign          TypeThree               "GenericAlert";
        Assign          CountThree              1;

        Assign          CriteriaOrder           "Strict";

        Assign          Timeout                 3600;
        Assign          IncidentSeverity        5;
        BuildString     IncidentDescription     "Pattern Attack Detected";
        Assign          ContinueProcessing      False;
        Assign          IncidentCode            "TargetPattern";
        Assign          IncidentCategory        "User";
        Assign          StateTableSize          1000;

        UseRuleSet TargetPattern;
EndExecute
-------------------------------------------eof-------------------------------------------

-----Original Message-----
From: sam () neuroflux com [mailto:sam () neuroflux com]
Sent: Thursday, March 18, 2004 5:07 PM
To: focus-ids () securityfocus com
Subject: Correlation software


Hello..  Thank you all for your responses to my Entercept email, they have
all been fantastic!

I am also looking to find out if there are any commercial Log Correlation
packages available?  I'm looking for something that can correlate Firewall
+ IDS + HIDS type of logs and create a logical flow of events..

Can anyone recommend, or point me in the right direction?

Thanks!
-Sam
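An added example, not from either post: a small Python correlator that implements the three-step target pattern Mariusz describes (three event types hitting the same destination IP, in strict order, within the Timeout window, bounded by StateTableSize), run over constructed sample events. Assumptions: "Strict" order means a later step only counts once the earlier one has matched, and an event that is not the next expected step is ignored for that target rather than resetting it.

```python
from collections import OrderedDict

# Constructed rule mirroring the posted pattern: ordered (Type, Criteria) pairs
# that must all hit the same destination IP within Timeout seconds.
RULE = {
    "steps": [("SubCategory", "CONNECT-SCAN"),
              ("GenericAlert", "AUTHV_OS_Login_User"),
              ("GenericAlert", "AUTHS_OS_Login")],
    "timeout": 3600, "severity": 5,
    "description": "Pattern Attack Detected", "state_table_size": 1000,
}

def correlate(events, rule=RULE):
    """Return incidents for (time, type, criteria, dst_ip) events.
    Assumption: "Strict" means step N+1 only counts after step N has matched;
    an event that is not the next expected step is ignored for that target."""
    state = OrderedDict()      # dst_ip -> (next_step_index, first_seen)
    incidents = []
    for ts, etype, crit, dst in sorted(events):
        if dst in state and ts - state[dst][1] > rule["timeout"]:
            del state[dst]     # partial chain older than Timeout is dropped
        idx, first = state.get(dst, (0, ts))
        if (etype, crit) != rule["steps"][idx]:
            continue
        idx += 1
        if idx == len(rule["steps"]):
            incidents.append({"target": dst, "severity": rule["severity"],
                              "description": rule["description"],
                              "window": (first, ts)})
            state.pop(dst, None)
            continue
        state[dst] = (idx, first)
        state.move_to_end(dst)
        if len(state) > rule["state_table_size"]:
            state.popitem(last=False)   # StateTableSize: evict oldest chain
    return incidents

# Constructed sample: 10.0.0.5 receives all three steps in order; 10.0.0.9
# never gets the second-step alert, so its chain stays incomplete.
SAMPLE = [
    (100, "SubCategory", "CONNECT-SCAN", "10.0.0.5"),
    (100, "SubCategory", "CONNECT-SCAN", "10.0.0.9"),
    (400, "GenericAlert", "AUTHV_OS_Login_User", "10.0.0.5"),
    (900, "GenericAlert", "AUTHS_OS_Login", "10.0.0.9"),
    (950, "GenericAlert", "AUTHS_OS_Login", "10.0.0.5"),
]

if __name__ == "__main__":
    for incident in correlate(SAMPLE):
        print(incident)
```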
