IDS mailing list archives

on TASL correlation rules


From: Anton Chuvakin <anton () chuvakin org>
Date: Sun, 4 Dec 2005 19:31:50 -0500

All,

I was reading this document the other day
(http://www.tenablesecurity.com/images/pdfs/thunder_tasl_scripts.pdf).
Great work on correlation rules, one of the most detailed I've seen!

What I am wondering about is how much success people have had creating such
rules for site-specific threats, rather than those that apply to every
network (e.g. an IRC bot running or a compromised machine scanning out).
From my experience, creating sensible and effective correlation rules
is easier than writing good NIDS sigs. I am curious whether this matches
the experience of others here.

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
