Snort mailing list archives
Re: Correlation on Snort Events
From: Jason Brvenik <jasonb () sourcefire com>
Date: Tue, 06 Sep 2005 09:19:48 -0400
Kamal Ahmed wrote:
> Hi, what Snort can do (as per my understanding) is generate events based on rules, or sniff/snoop network traffic. This is all well and good, but I do not see a person going through every log message to find out meaningful information regarding what the packet actually meant to do (in case of any intrusion-type attack). Is there a correlation engine which can have rules like:
That is exactly what intrusion analysts do. Correlation engines do exist for the larger effort. For Open Source you might want to check out ossim.
> If message A is received which contains X text, and within N amount of time another message B is received on the wire containing Y text, generate a log message and also send an e-mail to (let's say) the Security Administrator.
You can already achieve this in large part within snort itself by using flowbits. The time constraint is pretty useless for detecting actual attackers and for automated events is generally not needed.
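The two approaches discussed above side by side, as an added example that is not part of this thread or of the Snort project: the docstring shows the flowbits rule pair Jason refers to (Snort 2 syntax; the sids 1000001/1000002, the flowbit name "stage.a" and the contents "X"/"Y" are placeholders), and the script implements the log-side correlation Kamal asked for over constructed Snort fast-alert lines, with the N-second window optional so you can see what dropping it changes.

```python
"""Correlate Snort fast-alert output: rule A then rule B from the same source.

Added example, not code from the thread or from Snort. The Snort-native way
Jason mentions is a flowbits pair (placeholder sids, flowbit name and contents):

  alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"stage A seen"; \
      flow:to_server,established; content:"X"; \
      flowbits:set,stage.a; flowbits:noalert; sid:1000001; rev:1;)
  alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"stage B after stage A"; \
      flow:to_server,established; content:"Y"; \
      flowbits:isset,stage.a; sid:1000002; rev:1;)

Caveat: flowbits are kept per flow (per TCP session), so that pair only fires
when A and B travel in the same session. The correlator below reads the alert
log instead and keys on the source address, so it also ties together two
separate connections from the same host.
"""
import re
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Snort 2 alert_fast line for TCP/UDP; Classification and Priority are optional.
# The timestamp carries no year, so only differences between timestamps are
# meaningful (a December-to-January pair would need special handling).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one fast-alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    rec["sid"] = int(rec["sid"])
    return rec


def correlate(lines: List[str], sid_a: int, sid_b: int,
              window_seconds: Optional[float] = None,
              notify: Optional[Callable[[str], None]] = None) -> List[str]:
    """Return one correlated event per (A then B) pair from the same source IP.

    window_seconds=None drops the time constraint, which is Jason's point:
    a slow attacker is still an attacker. notify is the hook where an e-mail
    would be sent; it receives the event text.
    """
    pending_a: Dict[str, datetime] = {}   # src IP -> time of its latest A
    events: List[str] = []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        if rec["sid"] == sid_a:
            pending_a[rec["src"]] = rec["ts"]
        elif rec["sid"] == sid_b and rec["src"] in pending_a:
            delta = rec["ts"] - pending_a[rec["src"]]
            in_window = (window_seconds is None or
                         timedelta(0) <= delta <= timedelta(seconds=window_seconds))
            if in_window:
                event = ("CORRELATED src=%s sid %d then sid %d after %.3fs: %s"
                         % (rec["src"], sid_a, sid_b, delta.total_seconds(), rec["msg"]))
                events.append(event)
                if notify is not None:
                    notify(event)
                del pending_a[rec["src"]]  # require a fresh A before the next B counts
    return events


# Constructed sample alerts (not real traffic): 10.0.0.5 does A then B within
# 2.5 s; 10.0.0.9 does B with no prior A; 10.0.0.7 does A then B 15 min later.
SAMPLE_ALERTS = [
    "09/06-09:19:48.000000  [**] [1:1000001:1] stage A seen [**] [Priority: 3] {TCP} 10.0.0.5:4444 -> 192.168.1.10:80",
    "09/06-09:19:50.500000  [**] [1:1000002:1] stage B after stage A [**] [Priority: 1] {TCP} 10.0.0.5:4445 -> 192.168.1.10:80",
    "09/06-09:19:51.000000  [**] [1:1000002:1] stage B after stage A [**] [Priority: 1] {TCP} 10.0.0.9:5000 -> 192.168.1.10:80",
    "09/06-09:25:00.000000  [**] [1:1000001:1] stage A seen [**] [Priority: 3] {TCP} 10.0.0.7:3333 -> 192.168.1.10:80",
    "09/06-09:40:00.000000  [**] [1:1000002:1] stage B after stage A [**] [Priority: 1] {TCP} 10.0.0.7:3334 -> 192.168.1.10:80",
]

if __name__ == "__main__":
    mailed: List[str] = []
    print("window=60s:", correlate(SAMPLE_ALERTS, 1000001, 1000002, 60, mailed.append))
    print("no window: ", correlate(SAMPLE_ALERTS, 1000001, 1000002, None))
    print("notified:  ", len(mailed))
```

With the 60-second window only 10.0.0.5 is reported; without it 10.0.0.7, which waited fifteen minutes between stages, is reported too, and 10.0.0.9 never is because it produced no A. Pending A entries are consumed when a B matches, so a burst of B alerts from one host yields one event rather than one per packet.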
Current thread:
- Correlation on Snort Events Kamal Ahmed (Sep 05)
- Re: Correlation on Snort Events Jason Brvenik (Sep 06)