Snort mailing list archives

Re: Correlation on Snort Events


From: Jason Brvenik <jasonb () sourcefire com>
Date: Tue, 06 Sep 2005 09:19:48 -0400



Kamal Ahmed wrote:
Hi,

What Snort can do (as per my understanding) is generate events
based on rules, or sniff/snoop network traffic. This is all well and
good, but I do not see a person going through every log message to find out
meaningful information regarding what the packet actually meant to do
(in case of any intrusion-type attack). Is there a correlation engine
which can have rules like:

That is exactly what intrusion analysts do. Correlation engines do exist for the larger effort. For Open Source you might want to check out ossim.


If message A is received which contains X text, and within N amount of
time another message B is received on the wire containing Y text,
generate a log message, and also send an e-mail to (let's say) the Security
Administrator


You can already achieve this in large part within snort itself by using flowbits. The time constraint is pretty useless for detecting actual attackers and for automated events is generally not needed.
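As an added illustration of the flowbits approach (example rules written for this archive page, not rules from the original thread or from the Snort project): the first rule matches "message A containing X text" and only records a flowbit, the second matches "message B containing Y text" on the same connection and alerts only if that bit is already set. The content strings, port, flowbit name and SIDs are placeholders chosen for the example.

```snort
# Rule 1: message A (contains the X text). Sets the flowbit and stays silent.
# flowbits:noalert keeps this rule from generating an event of its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( \
    msg:"EXAMPLE stage A seen - text X"; \
    flow:to_server,established; \
    content:"X-TEXT"; nocase; \
    flowbits:set,example.saw_x; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Rule 2: message B (contains the Y text). Alerts only when stage A was
# already observed on this same flow, i.e. the correlation "A then B".
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( \
    msg:"EXAMPLE stage B after stage A - text Y following text X"; \
    flow:to_server,established; \
    content:"Y-TEXT"; nocase; \
    flowbits:isset,example.saw_x; \
    sid:1000002; rev:1; )
```

Two caveats a practitioner will want to know: flowbits are tracked per flow (the same TCP session as reassembled by the stream preprocessor), so they correlate A and B within one connection rather than across arbitrary messages on the wire, and the "time window" is simply the lifetime of that flow. The e-mail step is outside Snort's job; the usual approach is to send the alert to syslog (the `output alert_syslog` line in snort.conf) and let a log watcher or the correlation engine do the notification.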

