Snort mailing list archives

Event Correlation or Incident Management for Snort Database?


From: "McCash, John" <John.McCash () andrew com>
Date: Fri, 19 Mar 2004 12:44:14 -0600

Everyone,
        It seems that the newest trend in commercial IDSs is to provide some sort of event correlation or incident 
management capabilities. Those I've seen so far (and I'm still evaluating) only provide canned correlation rules, and 
don't necessarily tell you why a given set of events was correlated. Nonetheless, this seems like it would be useful 
functionality. For example, yesterday there was a thread on this list talking about a specific sequence of SHELLCODE 
x86 NOOP events, followed by a WEBDAV SEARCH, being associated with a nachi.B infection. Wouldn't it be great to be able 
to run some sort of rule-based correlator against the last N minutes' worth of data in your snort database to pull out 
sequences of events like this?

        Is anyone working on features like this? They would seem to be logical extensions to the capabilities already 
provided by ACID.
                John McCash
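A minimal version of the rule-based correlator John asks about, added here as an illustration and not code from the post or from any Snort/ACID project: it groups alerts by source address and reports sources whose alerts contain a given sequence of signature names, in order, inside a time window. The alert rows and the rule name are constructed; a real run would pull the last N minutes of rows from the Snort database instead of the inline list, and the signature text is matched as a case-insensitive substring (an assumption, since Snort's rule names for these alerts vary by ruleset).

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample alerts shaped like rows joined from Snort's "event" and
# "signature" tables: (source IP, signature name, timestamp). Made up for this example.
SAMPLE_EVENTS = [
    ("10.0.0.5", "SHELLCODE x86 NOOP", "2004-03-18 10:00:01"),
    ("10.0.0.5", "SHELLCODE x86 NOOP", "2004-03-18 10:00:02"),
    ("10.0.0.5", "WEB-MISC WebDAV search access", "2004-03-18 10:00:09"),
    ("10.0.0.9", "WEB-MISC WebDAV search access", "2004-03-18 10:05:00"),
    ("10.0.0.7", "SHELLCODE x86 NOOP", "2004-03-18 10:10:00"),
    ("10.0.0.7", "WEB-MISC WebDAV search access", "2004-03-18 10:40:00"),
]

def make_rule(name, sequence, minutes):
    """Rule: two or more signature-name fragments (case-insensitive substrings)
    that must occur in this order, from one source address, within `minutes`."""
    return {"name": name, "sequence": sequence, "window": timedelta(minutes=minutes)}

# The sequence from the thread: NOOP sled alerts followed by a WebDAV SEARCH.
NOOP_THEN_WEBDAV = make_rule("noop-then-webdav-search",
                             ["SHELLCODE x86 NOOP", "WEBDAV SEARCH"], 5)

def matches(fragment, signature):
    return fragment.lower() in signature.lower()

def correlate(events, rule):
    """Return (src_ip, [timestamps of matched stages]) for each source whose
    alerts contain rule["sequence"] in order inside rule["window"]; one hit per source."""
    by_src = defaultdict(list)
    for src, sig, ts in events:
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sig))
    hits = []
    for src, alerts in by_src.items():
        alerts.sort()  # chronological, so stages are checked in order
        for start, (t0, sig0) in enumerate(alerts):
            if not matches(rule["sequence"][0], sig0):
                continue  # only a stage-0 alert can open a window
            stage, matched = 1, [t0]
            for ts, sig in alerts[start + 1:]:
                if ts - t0 > rule["window"]:
                    break  # window is measured from the opening alert
                if matches(rule["sequence"][stage], sig):
                    matched.append(ts)
                    stage += 1
                    if stage == len(rule["sequence"]):
                        hits.append((src, matched))
                        break
            if stage == len(rule["sequence"]):
                break  # report each source once, on its earliest completion
    return hits
```

With the 5-minute window only 10.0.0.5 is reported; 10.0.0.7 shows the same two signatures but 30 minutes apart, which is the kind of "why was this correlated" detail the hit's timestamps make visible.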
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net