IDS mailing list archives

Re: Ability for SIM to perform tcp stream reassembly


From: jimmy.alderson () gmail com
Date: 27 Sep 2005 14:35:47 -0000

Typically, this level of detection is performed by devices specific to network monitoring.  Products in the SIM space 
typically do not perform actual detection at the network or host layer.  Instead, they aggregate, normalize, and 
correlate detections from other products such as IDS, Firewalls, Logs, etc.

The reason why you are finding that vendors don't understand what you mean by TCP stream re-assembly is due to the fact 
that they just don't work at that level.  They will talk to you about Correlation Techniques such as Vulnerability 
Correlation to highlight IDS events that will actually have an impact, or Statistical Correlation which will highlight 
assets that are most at risk.  In short, SIMs handle events and correlate those events with the overall state of the 
security posture (if that data is available).

I'd take a look at the link that Ron posted and then either use one of those network specific technologies or, as many 
fine products start out, build your own :-)
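As an added illustration of the distinction the reply draws (this is example code, not anything from the poster or from any SIM product), the toy pipeline below does what a SIM does rather than what an IDS does: it takes already-produced records from two sensors, normalizes them into one event shape, then applies the two correlation techniques named above. The log line formats, the asset inventory and the signature names are all constructed for the example; "vulnerability correlation" is modelled as matching an IDS signature against the signatures a target host is known to be exposed to, and "statistical correlation" as an event count per asset against a threshold. No packet or stream handling takes place anywhere in it, which is exactly the point.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Normalized SIM event: every source is reduced to this one shape."""
    source: str      # product that produced the record ("ids" or "firewall")
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str   # IDS signature name, or FW-<action> for firewall records


# Constructed sample records; both line formats are invented for this example.
IDS_ALERTS = [
    'ALERT sig="WEB-TRAVERSAL" 10.0.0.5 -> 192.168.1.10:80',
    'ALERT sig="SSH-BRUTE" 10.0.0.7 -> 192.168.1.20:22',
    'ALERT sig="WEB-TRAVERSAL" 10.0.0.5 -> 192.168.1.30:80',
]
FIREWALL_LOGS = [
    'DENY TCP 10.0.0.7:53211 192.168.1.20:22',
    'DENY TCP 10.0.0.7:53212 192.168.1.20:22',
    'ALLOW TCP 10.0.0.5:40001 192.168.1.10:80',
]

IDS_RE = re.compile(r'ALERT sig="([^"]+)" (\S+) -> (\S+):(\d+)$')
FW_RE = re.compile(r'(DENY|ALLOW) TCP (\S+):\d+ (\S+):(\d+)$')


def normalize(ids_lines, fw_lines):
    """Aggregate and normalize: parse each source's records into Event objects.
    Lines that do not match the expected format are skipped, not guessed at."""
    events = []
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            sig, src, dst, port = m.groups()
            events.append(Event("ids", src, dst, int(port), sig))
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            action, src, dst, port = m.groups()
            events.append(Event("firewall", src, dst, int(port), f"FW-{action}"))
    return events


# Constructed asset inventory: the signatures each host is actually exposed to.
# 192.168.1.30 receives the same alert as .10 but is not exposed (e.g. patched).
ASSET_VULNS = {
    "192.168.1.10": {"WEB-TRAVERSAL"},
    "192.168.1.20": set(),
    "192.168.1.30": set(),
}


def vulnerability_correlate(events, asset_vulns):
    """Vulnerability correlation: keep only IDS events whose target is known
    to be exposed to that signature, i.e. events that can actually have impact."""
    return [
        e for e in events
        if e.source == "ids" and e.signature in asset_vulns.get(e.dst_ip, set())
    ]


def statistical_correlate(events, threshold):
    """Statistical correlation: events per destination asset, across all
    sources, returning the assets at or above the threshold as most at risk."""
    counts = Counter(e.dst_ip for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = normalize(IDS_ALERTS, FIREWALL_LOGS)
    print(f"{len(evts)} normalized events")
    for e in vulnerability_correlate(evts, ASSET_VULNS):
        print("impact:", e)
    print("at risk:", statistical_correlate(evts, threshold=3))
```

Running it shows three WEB-TRAVERSAL/SSH alerts collapsing to a single "impact" event (the one against the host that is actually exposed), and the event count singling out 192.168.1.20, which the firewall saw twice and the IDS once. Swapping in real sensor output only changes the two regular expressions and the inventory; the correlation steps stay the same because they never look below the event layer.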
