Snort mailing list archives
RE: Event-Correlation & avoiding false positives
From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Mon, 7 Jun 2004 12:07:41 -0500
Yeah, I'd agree with Chad. You can probably do some pretty fancy stuff when combining a bunch of open source software together with a backend database. Another option that I've seen our customers do is take individual Snort sensors and configure only the rulesets that are applicable to the systems behind them, commenting out all the rest. For example, putting a Snort sensor in front of MSSQL servers and only turning on the Windows and SQL rulesets for those machines. This could also be taken a lot further, as Chad mentioned. It really depends on your network architecture as well. There are also commercial tools available that correlate Nessus vulnerability scanning with IDS events.

Best Regards,

Eric Hines, GCIA
CEO, President
Applied Watch Technologies, Inc.
4204 Commercial Way
Glenview, IL 60025
Direct: (877) 262-7593 x327
Fax: (877) 262-7593
http://www.appliedwatch.com

-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl () umb com]
Sent: Monday, June 07, 2004 11:15 AM
To: Maetzky, Steffen (Extern); snort-users () lists sourceforge net
Subject: RE: [Snort-users] Event-Correlation & avoiding false positives

The best thing that can be done is to create some sort of database that matches vulnerable versions of software to rules, and then maps those to systems/subnets/etc... Then... let Snort alert on anything that may matter to you, and use your database to filter out falses. Not sure vulnerability scans would be as valuable as mapping rules to application versions... Problem is, not many people are doing this well out there. And with the number of rules that roll in, a centralized effort with some sort of standardized naming/versioning is about the only way to do it without going bald and having a stroke.
-----Original Message-----
From: Maetzky, Steffen (Extern) [mailto:Steffen.Maetzky () gedas de]
Sent: Monday, June 07, 2004 3:32 AM
To: 'Snort-User (snort-users () lists sourceforge net)'
Subject: [Snort-users] Event-Correlation & avoiding false positives

Hi,

Does anyone know of a way to do a kind of automated event correlation? I'm searching for something that allows me to do the following:

1. make vulnerability scans in a specified period
2. comparison to events
3. delete actions/events for which our network isn't vulnerable

Thanks in advance,
Steffen

-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
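The filter Chad describes (map rules to the vulnerabilities they fire on, map hosts to what they are actually vulnerable to, drop alerts where the two do not meet) and the scan-versus-event comparison Steffen asks for, as an added example that is not code from this thread, from Snort or from any of the tools mentioned. It uses two real Snort conventions: the `reference:cve,<id>;` rule option and the single-line "fast" alert format. The rules, alert lines and host inventory below are constructed sample data, and the inventory stands in for whatever a Nessus export would give you. Two failure modes are handled deliberately: a rule with no CVE reference cannot be judged, so its alerts are kept, and a destination host that was never scanned is also kept rather than silently suppressed.

```python
"""Suppress Snort alerts aimed at hosts a vulnerability scan says are not vulnerable.

Added example; SAMPLE_RULES, SAMPLE_ALERTS and SAMPLE_INVENTORY are constructed.
"""
import re
from dataclasses import dataclass

# Constructed rules; only sid: and reference:cve options matter here.
SAMPLE_RULES = """
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; reference:cve,2002-0649; sid:2003; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISAPI .ida attempt"; reference:cve,2001-0500; sid:1243; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH banner probe"; sid:900001; rev:1;)
"""

# Constructed fast-format alert lines (what alert_fast / snort -A fast writes).
SAMPLE_ALERTS = """
06/07-11:02:13.112233  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 10.0.0.10:1434
06/07-11:02:14.445566  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 10.0.0.20:1434
06/07-11:03:01.000001  [**] [1:1243:10] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:4444 -> 10.0.0.20:80
06/07-11:03:05.000002  [**] [1:900001:1] SSH banner probe [**] [Classification: Attempted Recon] [Priority: 3] {TCP} 203.0.113.9:5555 -> 10.0.0.30:22
06/07-11:03:09.000003  [**] [1:1243:10] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:4445 -> 10.0.0.99:80
"""

# Constructed scan inventory: host -> CVEs the last scan found on it.
SAMPLE_INVENTORY = {
    "10.0.0.10": {"CVE-2002-0649"},  # unpatched MSSQL 2000
    "10.0.0.20": {"CVE-2001-0500"},  # IIS .ida handler present, SQL patched
    "10.0.0.30": set(),              # scanned, nothing found
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CVE_REF_RE = re.compile(r"reference:\s*cve,\s*(\d{4}-\d+)\s*;")
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{(\w+)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s*$"
)


@dataclass
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    raw: str


def parse_rule_cves(rules_text):
    """Map sid -> set of CVE ids taken from each rule's reference: options."""
    sid_to_cves = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            continue
        sid_to_cves[int(m.group(1))] = {"CVE-" + c for c in CVE_REF_RE.findall(line)}
    return sid_to_cves


def parse_alert(line):
    """Parse one fast-format alert line; returns None for lines that do not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    _gid, sid, _rev, msg, proto, src, _sport, dst, _dport = m.groups()
    return Alert(sid=int(sid), msg=msg, proto=proto, src=src, dst=dst, raw=line.strip())


def classify(alert, sid_to_cves, inventory):
    """Decide what the scan data says about this alert.

    'no-cve-mapping'   rule carries no CVE reference, so nothing to compare against: keep
    'host-not-scanned' destination is not in the inventory: keep, do not guess
    'vulnerable'       scan found one of the rule's CVEs on the destination: keep
    'not-vulnerable'   scan covered the host and found none of them: suppress
    """
    rule_cves = sid_to_cves.get(alert.sid, set())
    if not rule_cves:
        return "no-cve-mapping"
    if alert.dst not in inventory:
        return "host-not-scanned"
    if rule_cves & inventory[alert.dst]:
        return "vulnerable"
    return "not-vulnerable"


def triage(alerts_text, rules_text, inventory):
    """Split alerts into (kept, suppressed); each entry is (Alert, verdict)."""
    sid_to_cves = parse_rule_cves(rules_text)
    kept, suppressed = [], []
    for line in alerts_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        verdict = classify(alert, sid_to_cves, inventory)
        (suppressed if verdict == "not-vulnerable" else kept).append((alert, verdict))
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_ALERTS, SAMPLE_RULES, SAMPLE_INVENTORY)
    for alert, verdict in kept:
        print(f"KEEP     [{verdict}] sid {alert.sid} -> {alert.dst}: {alert.msg}")
    for alert, verdict in suppressed:
        print(f"SUPPRESS [{verdict}] sid {alert.sid} -> {alert.dst}: {alert.msg}")
```

Only the second Slammer alert is dropped: 10.0.0.20 was scanned and CVE-2002-0649 was not found on it. The unreferenced SSH rule and the unscanned 10.0.0.99 both stay in the queue, which is the conservative choice; suppressing everything that is merely unmapped is how this kind of filter quietly turns into a blind spot.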
Current thread:
- Event-Correlation & avoiding false positives Maetzky, Steffen (Extern) (Jun 07)
- <Possible follow-ups>
- RE: Event-Correlation & avoiding false positives Kreimendahl, Chad J (Jun 07)
- RE: Event-Correlation & avoiding false positives Eric Hines (Jun 07)
- Re: Event-Correlation & avoiding false positives Brian (Jun 07)
- RE: Event-Correlation & avoiding false positives Eric Hines (Jun 07)
- RE: Event-Correlation & avoiding false positives hugh_fraser (Jun 08)
- Re: Event-Correlation & avoiding false positives DK (Jun 08)