Re: ISS and Snort logs

[<schwing () tenablesecurity com>]

In-Reply-To: <000001c30cc6$3bad0ac0$0c0a0a0a () SecurityConscious com>

You should add Tenable's Lightning Console to the list. It correlates 
Snort and ISS without the use of a SQL database.  The console integrates 
vulnerability correlation at the same time.  It also provides a workflow 
process for the remediation of vulnerabilities.


Stephen Schwing
Tenable Network Security
www.tenablesecurity.com



> From: "Chris Petersen" <chris () security-conscious com>
> To: "'Brian'" <bmc () snort org>, <focus-ids () securityfocus com>
> Subject: RE: ISS and Snort logs
> Date: Sun, 27 Apr 2003 10:06:42 -0400
> Message-ID: <000001c30cc6$3bad0ac0$0c0a0a0a () SecurityConscious com>
> Brian's suggestion is probably a more feasible approach than what I
> suggested.  Integrating through their HIDS should take care of meta-data
> mappings and shouldn't introduce support issues.  My approach has some
> advantages but will require considerable reverse engineering.
>
> I agree with Brian in that you may want to consider an ESM type product.
> We are developing a product that would provide what you are after but
> it's not available yet.  Current products on the market include:
>
> - Arcsight
> - NetForensics
> - Intellitactics
> - eSecurity
> - NetworkIntelligence/OpenSystems
> - NetIQ
> - GuardedNet
>
> Good luck
>
> Chris Petersen
> Security Conscious, Inc.
> www.security-conscious.com
>
> > -----Original Message-----
> > From: Brian [mailto:bmc () snort org] 
> > Sent: Friday, April 25, 2003 9:20 AM
> > To: focus-ids () securityfocus com
> > Subject: Re: ISS and Snort logs
> >
> >
> > On Fri, Apr 18, 2003 at 03:24:58PM -0400, Security Conscious wrote:
> > > Another option would be to use Snorts SQL Server output module and 
> > > sends alerts directly the ISS SQL Server.  On the ISS SQL 
> > Server you 
> > > would create another database (Snort DB) with the Snort 
> > schema.  Snort 
> > > would alert/log to the Snort DB.  You could then create 
> > triggers to do 
> > > a select from (Snort DB) insert into (ISS DB) for each 
> > event added to 
> > > the Snort DB.
> >
> > A cheaper/uglier option is to have snort log via syslog and use ISS's 
> > HIDS component and add signatures in the HIDS for each snort 
> > rule you enable.  Since you wouldn't be mucking with the 
> > underpinnings of ISS's database, you will not get into 
> > support/licensing issues.  You know the 
> > type:
> >
> >    "Oh, you did what to the database?  OK, first thing.  Reinstall."
> >
> > You are running an IDS on NT, so you should be used to this 
> > already. ;P
> >
> > Anyway, using the syslog method would This would be easier to setup 
> > initially but would require more maintenance as when new 
> > rules are added to
> > snort, you will need to add rules to your HIDS.   But at least you
> > won't have to pay your DBA more than you already do.
> >
> > That, or you could look at getting an ESM type product that actually 
> > handles all of this foo for you.  There are dozens of products that 
> > attempt to accomplish your specific problem.
> >
> > -brian

-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, 
relevancy, direction, impact and analysis - enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------