Dailydave mailing list archives
Re: SIM and stuff
From: Anton Chuvakin <anton () chuvakin org>
Date: Thu, 22 Dec 2005 17:33:20 -0500
All, Dave - sorry for cluttering your list, but this is fun :-)
For most correlation tasks, you can only use the pieces of one log format that are present in other log formats. Take the example of a firewall log entry and an IDS log entry. You extract 6 pieces of information from the IDS event (timestamp, source addr, source port, dest addr, dest port, protocol) and 7 pieces of data from the firewall log (the same 6 as the IDS event plus whether the firewall logged a permit or a deny for that event) and perform a 1-to-1 match. The 6 values are numeric, easy to search for, sort, and match. Even time offset sloughing is easy to do at this level (hint to SIM vendors: pay attention, most of you don't do this but should). That's one bucketing expression for the IDS logs, one bucketing expression for the firewall logs, and one more expression to parse the firewall log for allow/deny. This should be a very small amount of code.
"one bucketing expression for the firewall logs" OMG, this is so naive :-) Admittedly, a connection denied/allowed might for some firewalls, given some luck and planet alignment, be covered by one regex. But how about all hundreds of other messages, such as 'failover failed', 'memory overflowed', 'VPN connection established', etc. They do not even have the above "6 magic fields." Some firewalls count up to 1100 distinct messages...
OSSIM seems stagnant; I haven't seen any new features for quite some time. And, just as mentioned by Dave Aitel, device support is a big issue for adoption. If you read the PIX 6.1 logs just fine, there is nothing that tells you that you will deal with PIX 6.2 logs just as fine... Thus, there is a good reason that many SIM software packages cost a bit more than the above number :-)

I agree that there's a lot of work to be done in terms of device support before a SIM can pick up market share, but this is one specific thing that an open source project should be able to make huge advances at. What's required is modular parsers, perhaps based on Perl regex or awk (or something standard and easy to learn). Then people can write their own and contribute them back to the project. Some commercial products offer this already.
Well, supposedly a majority of Snort sigs and Nessus checks (given two major open source [well, not quite, in case of Nessus] security projects) are written by a relatively small group of people. It is actually kinda fun to do it! But, writing regex parsers for an ever increasing number of log messages is not nearly as much fun - if it were fun, it would be done by now :-) Thus, I doubt that community would do a lot here...
Where the large SIM vendors will continue to succeed in justifying big price tags, and where open source SIM projects are likely to fail, are in the large lexicons of expressions necessary to perform event categorization and threat analysis. It's easy to extract the information necessary to match logs from different sources. To take that information and determine its relevance is a very different, highly subjective undertaking.
Agreed on the categorization side. What the world really needs :-) is a standard event classification that commercial and free products can use... Yeah, I know, wishful thinking :-) And, no, it's not always easy to even extract the info; see this discussion, for example: http://lists.shmoo.com/pipermail/loganalysis/2005-December/002906.html

BTW, this discussion actually belongs on the loganalysis list (http://lists.shmoo.com/mailman/listinfo/loganalysis)

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
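As an added example, not from this thread and not from any product or project mentioned in it, here is a small Python correlation routine in the spirit of the 6-tuple match described above: one regex buckets IDS alerts, two regexes bucket firewall permit and deny records, IDS timestamps are shifted by a known sensor clock offset before matching, and any firewall message the connection regexes do not cover lands in an "unparsed" bucket, which is exactly the point made about the hundreds of other firewall messages. The log lines are constructed samples written in the style of Snort fast alerts and PIX syslog; the year, the five-second clock skew, the tolerance window and the exact message layouts are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

YEAR = 2005  # assumption: neither Snort fast alerts nor syslog lines carry a year

# Constructed sample lines (not captured from any real sensor or firewall).
# The IDS sensor clock is assumed to run 5 seconds behind the firewall clock.
IDS_LOG = [
    "12/22-17:33:20.123456 [**] [1:1000001:1] CONSTRUCTED WEB PROBE [**] {TCP} 10.0.0.5:43210 -> 192.0.2.10:80",
    "12/22-17:33:42.000001 [**] [1:1000002:1] CONSTRUCTED TELNET PROBE [**] {TCP} 10.0.0.5:43211 -> 192.0.2.10:23",
]
FW_LOG = [
    "Dec 22 17:33:25 fw01 %PIX-6-302013: Built inbound TCP connection 77 for outside:10.0.0.5/43210 (10.0.0.5/43210) to inside:192.0.2.10/80 (192.0.2.10/80)",
    'Dec 22 17:33:47 fw01 %PIX-4-106023: Deny tcp src outside:10.0.0.5/43211 dst inside:192.0.2.10/23 by access-group "outside_in"',
    "Dec 22 17:34:01 fw01 %PIX-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate",
]


@dataclass(frozen=True)
class Conn:
    """The 6 fields both log sources share: time plus the 5-tuple."""
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def key(self) -> Tuple[str, int, str, int, str]:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


# One bucketing expression for the IDS alert format.
IDS_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+ .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# One expression each for the firewall's "connection built" and "deny" messages.
SYSLOG_TS = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
FW_RULES = [
    ("permit", re.compile(SYSLOG_TS + r"%PIX-\d-302013: Built (?:inbound|outbound) (?P<proto>\w+) connection \d+ "
                          r"for \S+:(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) ")),
    ("deny", re.compile(SYSLOG_TS + r"%PIX-\d-106023: Deny (?P<proto>\w+) "
                        r"src \S+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) ")),
]


def parse_ids(line: str) -> Optional[Conn]:
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['mon']}/{m['day']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
    return Conn(ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].lower())


def parse_fw(line: str) -> Optional[Tuple[Conn, str]]:
    """Return (connection, 'permit'|'deny'), or None for any other firewall message."""
    for action, rx in FW_RULES:
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
            return Conn(ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].lower()), action
    return None


@dataclass
class Result:
    matches: List[Tuple[Conn, str]] = field(default_factory=list)  # IDS event + firewall verdict
    unparsed_fw: List[str] = field(default_factory=list)           # firewall lines no rule covered


def correlate(ids_lines, fw_lines, ids_clock_offset=timedelta(0), window=timedelta(seconds=2)) -> Result:
    """Join IDS events to firewall records on the 5-tuple, after adding the known
    sensor clock offset to the IDS timestamp and allowing a small tolerance window."""
    res = Result()
    fw_index = {}
    for line in fw_lines:
        parsed = parse_fw(line)
        if parsed is None:
            res.unparsed_fw.append(line)
            continue
        conn, action = parsed
        fw_index.setdefault(conn.key(), []).append((conn.ts, action))
    for line in ids_lines:
        ev = parse_ids(line)
        if ev is None:
            continue
        t = ev.ts + ids_clock_offset
        for fw_ts, action in fw_index.get(ev.key(), []):
            if abs(fw_ts - t) <= window:
                res.matches.append((ev, action))
                break
    return res


if __name__ == "__main__":
    r = correlate(IDS_LOG, FW_LOG, ids_clock_offset=timedelta(seconds=5))
    for ev, action in r.matches:
        print(f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} {ev.proto}: firewall said {action}")
    print(f"{len(r.unparsed_fw)} firewall line(s) not covered by the connection regexes")
```

Run with a zero offset and the same two-second window and nothing matches, which is the "time offset sloughing" point: without correcting sensor skew the join silently returns empty. The third firewall line (a failover message) never reaches the join at all; it is counted, not dropped, so the size of the unparsed bucket is itself a useful measure of how much of a device's vocabulary the parser actually covers.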