IDS mailing list archives
Re: Correlation software
From: David Chapdelaine <dchapdelaine () xennetworks net>
Date: Wed, 24 Mar 2004 14:02:37 -0500
Hi Joe & list,

Have a look at SEC (Simple Event Correlator). They have Snort & horizontal port scan examples on their website.

http://simple-evcorr.sourceforge.net/

David

Joe Luna wrote:

> Is anyone aware of any open source (free..) event correlation packages, or an initiative to develop such a beast? When looking at commercial solutions I was able to work with ArcSight and found their solution impressive.
>
> -Joe
>
> -----Original Message-----
> From: Chris Kirschke [mailto:durnie () hushmail com]
> Sent: Friday, March 19, 2004 4:23 PM
> To: sam () neuroflux com; focus-ids () securityfocus com; phollows () open com
> Subject: RE: Correlation software
>
> Check out www.guarded.net, their NeuSecure app is what we use at our bank and we've enjoyed it the entire way...
>
> durnie
>
> On Fri, 19 Mar 2004 02:56:53 -0800 Phil Hollows <phollows () open com> wrote:
>
> [Fair Warning: I work for a security management and correlation company]
>
> Hi Sam & list:
>
> Security Threat Manager (STM) from Open (www.open.com) does what you're looking for, providing real-time correlation, analysis and triage of FW, IDS, IPS, AV, VA and network events using a variety of techniques. It links multiple (tens or hundreds or for worms thousands) of raw events from your devices into a few timely, actionable and relevant alerts - in other words, significant false positive reduction. It links events to asset values and vulnerability scans and recent event history and attack source. It also provides extensive reporting and analysis capabilities into attacks, correlated threats and operations performance. We've a couple of case studies (no registration required) on how the product works and the benefits it can bring at http://www.open.com/pdf/STM_Case_Study_Legal_ROI.pdf and http://www.open.com/pdf/STM_Case_Study_Finance_Firewall.pdf if you're interested.
>
> STM features a nightly update service that updates its internal database of exploit and vulnerability signatures, so instead of writing rules for your correlation engine for each new potential attack vector and spending time managing it, you are free to focus on improving policies, testing and verifying patches, ensuring that your IDS are up to date, and otherwise working on proactive defense. It all runs on standard hardware too, and because it uses a "no rules" approach to correlation, it's fast to install, baseline and tune. Enough of the product info - I'm more than happy to continue the conversation off-list for Sam and anyone else who's interested in product or implementation-specific detail.
>
> Thanks
>
> Phil Hollows
> VP OpenService Inc (www.open.com)
>
> -----Original Message-----
> From: sam () neuroflux com [mailto:sam () neuroflux com]
> Sent: Thu 3/18/2004 11:07 AM
> To: focus-ids () securityfocus com
> Cc:
> Subject: Correlation software
>
> Hello..
>
> Thank you all for your responses to my Entercept email, they have all been fantastic! I am also looking to find out if there are any commercial Log Correlation packages available? I'm looking for something that can correlate Firewall + IDS + HIDS type of logs and create a logical flow of events.. Can anyone recommend, or point me in the right direction?
>
> Thanks!
>
> -Sam
>
> life is meant to be lived. hear me? didn't think so...
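The thread points at two things a correlator has to do: the "horizontal port scan" example David mentions from the SEC site, and the condensing of tens or hundreds of raw device events into a handful of alerts that Phil describes. The script below is an added illustration of that pattern, not code from SEC, STM or any other product named above. It assumes a constructed firewall deny-log format (`<ISO timestamp> DENY <src> -> <dst>:<dport>/<proto>`) and keeps, per source and destination port, a sliding window of the distinct hosts touched; one alert is raised when the count crosses a threshold, and further events for the same run are suppressed.

```python
"""Sliding-window event correlator for horizontal port-scan detection.

Added illustration, not code from SEC or from any product named in the
thread. It condenses many raw firewall/IDS events from one source into a
single alert once that source has touched a threshold number of distinct
destination hosts on the same port inside a time window. The log format
and the sample lines below are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> DENY <src> -> <dst>:<dport>/<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)/(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Parse one deny line into an Event; unparseable lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


class HorizontalScanCorrelator:
    """Track distinct destinations per (src, dport) within a sliding window."""

    def __init__(self, window_seconds=60, threshold=10):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self._state = defaultdict(deque)  # (src, dport) -> deque of (ts, dst), oldest first
        self._alerted = set()             # keys already alerted on; suppresses repeats

    def feed(self, ev):
        """Consume one event; return an alert dict when the threshold is first crossed."""
        key = (ev.src, ev.dport)
        q = self._state[key]
        q.append((ev.ts, ev.dst))
        # Expire events that fell out of the window.
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return {
                "type": "horizontal_scan",
                "src": ev.src,
                "dport": ev.dport,
                "hosts": len(distinct),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev.ts.isoformat(),
            }
        return None


def correlate(lines, window_seconds=60, threshold=10):
    """Run the correlator over raw log lines and return the list of alerts."""
    corr = HorizontalScanCorrelator(window_seconds, threshold)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alert = corr.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def sample_logs():
    """Constructed input: one host sweeping 12 targets on 445/tcp within 22 seconds,
    another host retrying a single target on 22/tcp (not a horizontal scan),
    and one line that does not parse."""
    base = datetime(2004, 3, 19, 10, 0, 0)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} DENY 10.0.0.5 -> 192.168.1.{i + 10}:445/tcp")
    for i in range(3):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} DENY 10.0.0.9 -> 192.168.1.50:22/tcp")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for a in correlate(sample_logs()):
        print(a)
```

Fifteen raw denies in, one alert out: the 10.0.0.5 sweep fires once, at the tenth distinct host, and the repeated 10.0.0.9 denies never do because they hit the same destination. Raising the threshold above the number of hosts swept yields no alert at all, which is the knob you tune against normal broadcast or management traffic on your own network.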