RE: Event correlation engine?

["Huober, Joachim" <joachim () sony de>]

Sounds interesting.

Maybe try you define a 'language' to describe: source events -> tap 
like:
        event E_A {
                source sensor S_1;
                src_address_range 10.5.0.0/16;
                dest_addess_range any;
        }
        event E_A1 {
                event E_A;
                repeat 5/min;
        }
        ...     
        alert A_B {
                event E_A;
        }
        alert A_B1 {
                event E_A1 and event E_B;
                event E_A1 and event E_B1 and event E_B2; # implicit or?
        } 
        > 

So please take same time and make some suggestions.  If it's clear what is
needed then it should
be a "no brainer" to implement this. 
Maybe the rete algorithms is something for this.  Has any an idea if there
is a open source/free rete engine?

- Joachim Huober

-----Original Message-----
> From: Rich Adamson [mailto:radamson () routers com]
> Sent: Sonntag, 24. August 2003 17:23
> To: Snort Users Postings
> Subject: [Snort-users] Event correlation engine?
>
>
> Slightly off topic, but somewhat related....
>
> Is anyone using some sort of event correlation engine that 
> would analyze
> events from multiple sources (including snort, firewalls, 
> etc), and generate
> a notification event in something close to real time?
>
> Looking for something that could handle this type of an example:
>   a) firewall reports multiple blockages (assume port scan),
>   b) snort on inside of firewall reports web unicode attack, and,
>   c) IIS web server reports https page access from same source IP
>  If these sequential events occur within some predetermined 
> amount of time,
>  generate a pager warning message (or something like that).
>
> I'm not looking for a perl script that runs every five 
> minutes; rather,
> something that accepts alerts from commonly implemented devices and
> analyzes the sequence of events to generate near real-time alerts.
>
> Thoughts anyone? (Off list is fine if you want.)
>
> Rich
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a 
> single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
> at the same time. Free trial click 
> here:http://www.vmware.com/wl/offer/358/0
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users