RE: alert messages

["Phil Hollows" <phil () open com>]

[Disclosure: I work for a security management / log analysis vendor]

Security event management and correlation products, such as Open's Security
Threat Manager (see http://www.open.com), also do what you are looking for.
They monitor firewall, IDS, anti-virus and other sentry systems in
real-time, and alert you based on parameters that you set.  You should look
for the ability to correlate across different vendors (e.g. Cisco PIX and
Checkpoint FW-NG), device classes and vendors (e.g. relate IDS events from
ISS with anti-virus data from Symantec).  The most powerful systems will
also correlate an IDS alert with whether or not the target system appears to
be vulnerable to the attack, and relate all these events to the asset's
value or importance to your organizations.  My company's product also takes
into account where the attack was launched from (e.g. inside the
organization or outside).

The benefit is that the number of alerts you see is significantly reduced,
as the products take care of consolidating and aggregating alarms into the
few that you require.  What you get is real-time analysis and triage on
inbound attacks which you can then action, in effect pulling the signal from
the noise.

Thank you,

Sincerely,

Phil Hollows 
VP Marketing 
OpenService, Inc.
110 Turnpike Road, Suite 308 
Westborough, MA 01581 
www.open.com



-----Original Message-----
From: SecurIT Informatique Inc. [mailto:securit () iquebec com] 
Sent: Thursday, March 04, 2004 3:32 PM
To: Rodrigo B. Ramos
Cc: focus-ids () securityfocus com
Subject: Re: alert messages

Hello.

I don't think there's any simple "math" to adequately answer your request, 
especially with so little specifics info about the kind of alerts your 
sensor deals with.  Anyway, that's not the point.

I have made a tool called LogAgent Pro 5.2 that was created partly in order 
to help solve this kind of problem.  LogAgent is a log file monitoring and 
analyzing program, which will monitor in real-time any ASCII log file and 
the Event Viewer and apply rules you have defined related to the 
appropriate fields for each log.  Data can be gathered together in simple 
reports, which you can send when a certain number of alerts is reached 
and/or when a specified amount of time is elapsed.  So, if you're receiving 
65000 alerts from a noisy port scan, you can easily gather them into 
reports of 1000 events each, which would generate only 65 messages, while 
still catching less noisy scans by still sending a report when a time-limit 
is reached without waiting to have collected 1000 events.  You can also use 
this to get notified on Priorities 1 alerts only, etc...

One of the rules you can use with LogAgent allows you to call external 
programs (like a SMS messaging program or a pager system), and pass log 
data as parameters so you can customize your alert messages more than just 
"You have received 1000 alerts."

It's true that you could achieve mostly the same results with some 
scripting, but if you're looking for an already built solution, here it is.

You can get an eval copy of the software at http://securit.iquebec.com/.

Hope this helps.

Adam Richard
SécurIT Informatique Inc.

At 01:52 PM 03/03/2004, Rodrigo B. Ramos wrote:

> Hi!
>
> Can anyone help me in the following job?
>
> The X Company has more than 1000 machines (desktop and servers) on their
> WAN. They installed snort as an IDS, they are logging remotely and
> sending alerts by email and by sms to mobiles.
>
> What are the best steps to customize the alerts? The phone company
> thought that the servers were doing some spam jobs. They send many, many
> alerts and probably almost flood the phone phone company network.
>
> What is the best way to tell the system to send alerts? Which math
> should I use?
>
> I know I can know have to disable some types of rules that just can't
> affect the ambient, I know I can count packets by priorities, by type of
> alerts, by packets, ... But what math can I use to send the alerts
> without flooding mail boxes and mobiles?
>
>
> Best Regards,
> --
> Rodrigo Buarque Ramos
> GPG KEY ID: 0x71CFE098 --> http://pgp.mit.edu
> Key fingerprint = F381 366D D233 22B4 7E72  A21D DE9B 2FF3 71CF E098
> 55 81 88513524
> 55 81 3463.1593
> http://www.triforsec.com.br
> http://www.defenselayer.com
>
>
> ---------------------------------------------------------------------------
> Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
> wireless security
>
> Protect your network against hackers, viruses, spam and other risks with 
> Astaro
> Security Linux, the comprehensive security solution that combines six
> applications in one software solution for ease of use and lower total cost
of
> ownership.
>
> Download your free trial at
> http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
> ---------------------------------------------------------------------------
>
> _____________________________________________________________________
> Un mot doux à envoyer? Une sortie ciné à organiser? Faites le en temps
> réel avec MSN Messenger! C'est gratuit!   http://ifrance.com/_reloc/m



---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
---------------------------------------------------------------------------