IDS mailing list archives

Re: Correlation software


From: David Chapdelaine <dchapdelaine () xennetworks net>
Date: Wed, 24 Mar 2004 14:02:37 -0500

Hi Joe & list,
Have a look at SEC (Simple Event Correlator). They have Snort & horizontal port scan examples on their website.
http://simple-evcorr.sourceforge.net/

David
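As an added illustration of the kind of correlation SEC's horizontal port scan example performs (this is example code, not SEC's own rules or anything from the post): a windowed correlator that collapses many dropped connections from one source to many distinct hosts into a single alert and suppresses repeats. The log format and sample lines are constructed for the example.

```python
"""Minimal horizontal-port-scan correlator in the spirit of SEC's
SingleWithThreshold + Suppress rules: many distinct destination hosts hit
by one source inside a time window collapse into one alert.
Log format and sample lines are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log format: "<ISO timestamp> DROP src=<ip> dst=<ip> dpt=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")

def parse(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))

def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Emit one alert per source that reaches `threshold` distinct destination
    hosts within `window`; further hits from that source inside the window
    are suppressed so the operator sees one alert, not one per packet."""
    events = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alerted = {}                  # src -> time of its last alert
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:            # unparseable lines are skipped, not fatal
            continue
        ts, src, dst, _ = ev
        q = events[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire events that left the window
            q.popleft()
        if src in alerted and ts - alerted[src] <= window:
            continue                          # already alerted for this burst
        targets = {d for _, d in q}           # distinct hosts, ports ignored
        if len(targets) >= threshold:
            alerted[src] = ts
            alerts.append({"src": src, "hosts": len(targets),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts

SAMPLE = [  # constructed: one scanner (10.0.0.5), one benign hit, one stray line
    "2004-03-24T14:00:00 DROP src=10.0.0.5 dst=192.168.1.1 dpt=445",
    "2004-03-24T14:00:02 DROP src=10.0.0.5 dst=192.168.1.2 dpt=445",
    "2004-03-24T14:00:04 DROP src=10.0.0.5 dst=192.168.1.3 dpt=445",
    "2004-03-24T14:00:05 DROP src=10.0.0.5 dst=192.168.1.3 dpt=139",  # same host, not double-counted
    "2004-03-24T14:00:06 DROP src=10.0.0.5 dst=192.168.1.4 dpt=445",
    "2004-03-24T14:00:08 DROP src=10.0.0.5 dst=192.168.1.5 dpt=445",  # 5th host -> alert
    "2004-03-24T14:00:09 DROP src=10.0.0.5 dst=192.168.1.6 dpt=445",  # suppressed
    "not a firewall line",
    "2004-03-24T14:00:30 DROP src=10.0.0.9 dst=192.168.1.1 dpt=80",   # single hit, no alert
    "2004-03-24T14:05:00 DROP src=10.0.0.5 dst=192.168.1.7 dpt=445",  # window expired, no alert
]
```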


Joe Luna wrote:

Is anyone aware of any open source (free..) event correlation packages,
or an initiative to develop such a beast?

When looking at commercial solutions I was able to work with ArcSight
and found their solution impressive.

-Joe

-----Original Message-----
From: Chris Kirschke [mailto:durnie () hushmail com]
Sent: Friday, March 19, 2004 4:23 PM
To: sam () neuroflux com; focus-ids () securityfocus com; phollows () open com
Subject: RE: Correlation software


Check out www.guarded.net, their NeuSecure app is what we use at our
bank and we've enjoyed it the entire way...

durnie

On Fri, 19 Mar 2004 02:56:53 -0800 Phil Hollows <phollows () open com> wrote:

[Fair Warning: I work for a security management and correlation company]

Hi Sam & list:

Security Threat Manager (STM) from Open (www.open.com) does what you're looking for, providing real-time correlation, analysis and triage of FW, IDS, IPS, AV, VA and network events using a variety of techniques. It links multiple (tens or hundreds or, for worms, thousands) of raw events from your devices into a few timely, actionable and relevant alerts - in other words, significant false positive reduction. It links events to asset values and vulnerability scans and recent event history and attack source. It also provides extensive reporting and analysis capabilities into attacks, correlated threats and operations performance. We've a couple of case studies (no registration required) on how the product works and the benefits it can bring at http://www.open.com/pdf/STM_Case_Study_Legal_ROI.pdf and http://www.open.com/pdf/STM_Case_Study_Finance_Firewall.pdf if you're interested.



STM features a nightly update service that updates its internal database of exploit and vulnerability signatures, so instead of writing rules for your correlation engine for each new potential attack vector and spending time managing it, you are free to focus on improving policies, testing and verifying patches, ensuring that your IDS are up to date, and otherwise working on proactive defense. It all runs on standard hardware too, and because it uses a "no rules" approach to correlation, it's fast to install, baseline and tune.



Enough of the product info - I'm more than happy to continue the conversation off-list for Sam and anyone else who's interested in product or implementation-specific detail.



Thanks

Phil Hollows
VP
OpenService Inc (www.open.com)



-----Original Message-----
From: sam () neuroflux com [mailto:sam () neuroflux com]
Sent: Thu 3/18/2004 11:07 AM
To: focus-ids () securityfocus com
Cc:
Subject: Correlation software



Hello.. Thank you all for your responses to my Entercept email, they have all been fantastic!

I am also looking to find out if there are any commercial Log Correlation packages available? I'm looking for something that can correlate Firewall + IDS + HIDS type of logs and create a logical flow of events..

Can anyone recommend, or point me in the right direction?

Thanks!
-Sam


---------------------------------------------------------------------------
Test your IDS

Is your IDS deployed correctly?
Find out by easily testing it with real-world attacks from CORE IMPACT.

Visit: www.coresecurity.com/promos/sf_eids1 to learn more.
---------------------------------------------------------------------------




life is meant to be lived. hear me? didn't think so...

