Snort mailing list archives

Re: Correlation resources


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 16 Oct 2012 11:11:21 -0400

On Tue, Oct 16, 2012 at 10:53:01AM -0400, Justin wrote:
Do you guys have any good web resources for how to correlate and research
events? As in if one gets an event, and wants to check a write up on it,
what sites are best to use?
I've seen google groups, seclist.org and http://www.snortid.com, and while
sometimes I feel the write-ups answer my questions well, I sometimes feel as
if some sig IDs and events may not be documented as well as one would like.
Especially the ET sigs.

Is there anywhere that posts in-depth decode analysis of the PCAP files for
events that are triggered in IDS? 
Is there anywhere that has maybe an IDS diary (some nice snorter who has
documented what they have done to definitively know when to tune and when to
turn off rules)?
Are there any sites that post maybe a CVE/bug ID to signature correlation?


Not really in the detail that you are looking for yet. The best bet is, if you don't understand an alert, write to the Snort-sigs list and we'll work with you to explain the situation. We just require a pcap.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
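The CVE/bug-ID-to-signature correlation Justin asks about is not published as a site, but the rules themselves carry it: every Snort rule can include `reference:` options (cve, bugtraq, url, ...) next to its `sid`. The following is an added example, not code from this thread, from Sourcefire or from the Snort project, that builds a SID-to-reference index from a rules file and joins it against alerts in Snort's "fast" alert format. The rule text, the alert lines, the SIDs (local 1000000+ range) and the reference identifiers are all constructed placeholders, not real rules or advisories.

```python
import re

# Constructed sample rules: local-range SIDs and placeholder reference IDs,
# not entries from the VRT or ET rulesets.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB placeholder attack"; flow:to_server,established; content:"/placeholder"; reference:cve,2000-0000; reference:bugtraq,99999; classtype:web-application-attack; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE POLICY placeholder"; content:"PLACEHOLDER"; reference:url,example.org/placeholder; sid:1000002; rev:1;)
"""

# Constructed alert_fast lines; the third one fires a SID that is not in the
# index, which is the "undocumented event" case the thread complains about.
SAMPLE_ALERTS = """\
10/16-11:11:21.000000  [**] [1:1000001:2] EXAMPLE WEB placeholder attack [**] [Priority: 1] {TCP} 192.0.2.10:40001 -> 192.0.2.20:80
10/16-11:11:25.000000  [**] [1:1000002:1] EXAMPLE POLICY placeholder [**] [Priority: 3] {TCP} 192.0.2.20:50001 -> 198.51.100.5:25
10/16-11:11:30.000000  [**] [1:9999999:1] unknown rule [**] [Priority: 3] {TCP} 192.0.2.20:50002 -> 198.51.100.5:443
"""

OPTION_RE = re.compile(r'\((.*)\)\s*$')                 # everything inside the rule's option parentheses
REF_RE = re.compile(r'reference:\s*([a-z]+),\s*([^;]+);')  # reference:<scheme>,<id>;
SID_RE = re.compile(r'\bsid:\s*(\d+);')
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)";')      # msg string, allowing escaped quotes
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')          # [gid:sid:rev] in alert_fast output


def parse_rules(text):
    """Build {sid: {"msg": str, "refs": [(scheme, id), ...]}} from rule text."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        opts_match = OPTION_RE.search(line)
        if not opts_match:
            continue
        opts = opts_match.group(1)
        sid_match = SID_RE.search(opts)
        if not sid_match:
            continue  # a rule without a sid is malformed; skip it
        msg_match = MSG_RE.search(opts)
        refs = [(scheme, ident.strip()) for scheme, ident in REF_RE.findall(opts)]
        index[int(sid_match.group(1))] = {
            "msg": msg_match.group(1) if msg_match else "",
            "refs": refs,
        }
    return index


def correlate_alerts(alert_text, index):
    """Join each alert_fast line to its rule and pull out the CVE references.

    An alert whose SID is missing from the index, or whose rule carries no
    reference: options, is flagged documented=False so it can be triaged first.
    """
    results = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        gid, sid, rev = (int(x) for x in m.groups())
        entry = index.get(sid)
        results.append({
            "gid": gid,
            "sid": sid,
            "rev": rev,
            "msg": entry["msg"] if entry else None,
            "cve": [ident for scheme, ident in entry["refs"] if scheme == "cve"] if entry else [],
            "documented": entry is not None and bool(entry["refs"]),
        })
    return results


if __name__ == "__main__":
    idx = parse_rules(SAMPLE_RULES)
    for row in correlate_alerts(SAMPLE_ALERTS, idx):
        print(row)
```

Pointing `parse_rules` at the real `*.rules` files in use gives a local lookup from an alert's SID to the advisories the rule author cited, which answers the "which CVE is this?" question without any external site; the `documented=False` rows are the ones worth writing up, or sending to Snort-sigs with a pcap as Joel suggests.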
