Snort mailing list archives
Re: Event correlation engine?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 25 Aug 2003 17:24:28 +1200
On Sun, Aug 24, 2003 at 09:22:47AM -0600, Rich Adamson wrote:
> Is anyone using some sort of event correlation engine that would analyze events from multiple sources (including snort, firewalls, etc), and generate a notification event in something close to real time? Looking for something that could handle this type of an example:
> a) firewall reports multiple blockages (assume port scan),
> b) snort on inside of firewall reports web unicode attack, and,
> c) IIS web server reports https page access from same source IP.
> If these sequential events occur within some predetermined amount of time, generate a pager warning message (or something like that).
We're doing that here. You do have to have everything logging in one network-enabled format so that you can centralize. And some things such as IIS web logs really aren't appropriate due to their volume. i.e. you need syslog.

For all the knocking it gets, syslog is still 'Da Man! :-)

We have all our routers, firewalls, switches, PRINTERS ;-), Unix and Windows boxes logging via syslog to central syslog-ng servers, and use swatch to trigger real-time alerts. I wrote a generalized alert interface in PHP with which we manage what we want to trigger alerts on, and a "pager" app which sends alerts via e-mail/TAP/SMS.

Oh yeah - and it's timezone aware too, and it understands concepts such as "work time" [9-5 weekdays], "awake time" [7-10 any day], "other time" [anything not already matched]. This allows us to do follow-the-sun alerting over our world-wide network...

All doable :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
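A minimal version of the three-step correlation Rich asks about, as an added example (not code from the thread, and not Jason's PHP/swatch setup): it reads constructed syslog lines from a firewall, snort and IIS, keys them by source IP, and raises a page only when the full sequence completes inside a sliding window. The message formats, hostnames, 5-minute window and 3-drop threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines for this walk-through (not from the thread);
# the firewall, snort and IIS message formats are simplified placeholders.
SAMPLE_LOG = """\
Aug 24 09:10:01 fw1 kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Aug 24 09:10:02 fw1 kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Aug 24 09:10:03 fw1 kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=139
Aug 24 09:11:30 ids1 snort: WEB-IIS unicode directory traversal attempt 203.0.113.7:4431 -> 192.0.2.10:80
Aug 24 09:12:05 web1 iis: 203.0.113.7 GET /default.htm 443 200
Aug 24 09:40:00 web1 iis: 198.51.100.9 GET /index.htm 443 200
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PATTERNS = [  # (event kind, regex whose group 1 is the source IP)
    ("fw", re.compile(r"kernel: DROP SRC=" + IP)),
    ("ids", re.compile(r"snort: WEB-IIS .* " + IP + r":\d+ ->")),
    ("web", re.compile(r"iis: " + IP + r" \S+ \S+ 443 ")),
]

def parse(line, year=2003):
    """Return (time, kind, src_ip) for a recognised syslog line, else None."""
    when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    for kind, rx in PATTERNS:
        hit = rx.search(line)
        if hit:
            return when, kind, hit.group(1)

def correlate(lines, window=timedelta(minutes=5), min_drops=3):
    """Alert once per source IP when, inside `window`, at least `min_drops`
    firewall drops are followed by a snort hit and then an HTTPS page hit."""
    history = defaultdict(list)  # src_ip -> [(time, kind), ...] in the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        when, kind, src = ev
        history[src] = [(t, k) for t, k in history[src] if when - t <= window]
        history[src].append((when, kind))
        if kind != "web":
            continue  # the HTTPS hit is the last step, so only check then
        drops = [t for t, k in history[src] if k == "fw"]
        ids = [t for t, k in history[src] if k == "ids"]
        if len(drops) >= min_drops and ids and max(drops) < min(ids) < when:
            alerts.append((src, when))
            history[src].clear()  # one page per sequence, not per page view
    return alerts
```

Running `correlate(SAMPLE_LOG.splitlines())` pages once for 203.0.113.7 at the 09:12:05 HTTPS hit and stays quiet for 198.51.100.9, which never tripped the firewall or snort.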