IDS mailing list archives
RE: alert messages
From: "Phil Hollows" <phil () open com>
Date: Tue, 9 Mar 2004 11:07:06 -0500
[Disclosure: I work for a security management / log analysis vendor]

Security event management and correlation products, such as Open's Security Threat Manager (see http://www.open.com), also do what you are looking for. They monitor firewall, IDS, anti-virus and other sentry systems in real-time, and alert you based on parameters that you set. You should look for the ability to correlate across different vendors (e.g. Cisco PIX and Checkpoint FW-NG), device classes and vendors (e.g. relate IDS events from ISS with anti-virus data from Symantec). The most powerful systems will also correlate an IDS alert with whether or not the target system appears to be vulnerable to the attack, and relate all these events to the asset's value or importance to your organization. My company's product also takes into account where the attack was launched from (e.g. inside the organization or outside).

The benefit is that the number of alerts you see is significantly reduced, as the products take care of consolidating and aggregating alarms into the few that you require. What you get is real-time analysis and triage on inbound attacks which you can then action, in effect pulling the signal from the noise.

Thank you,

Sincerely,

Phil Hollows
VP Marketing
OpenService, Inc.
110 Turnpike Road, Suite 308
Westborough, MA 01581
www.open.com

-----Original Message-----
From: SecurIT Informatique Inc. [mailto:securit () iquebec com]
Sent: Thursday, March 04, 2004 3:32 PM
To: Rodrigo B. Ramos
Cc: focus-ids () securityfocus com
Subject: Re: alert messages

Hello.

I don't think there's any simple "math" to adequately answer your request, especially with so little specific info about the kind of alerts your sensor deals with. Anyway, that's not the point. I have made a tool called LogAgent Pro 5.2 that was created partly in order to help solve this kind of problem.
LogAgent is a log file monitoring and analyzing program, which will monitor in real-time any ASCII log file and the Event Viewer and apply rules you have defined related to the appropriate fields for each log. Data can be gathered together in simple reports, which you can send when a certain number of alerts is reached and/or when a specified amount of time has elapsed. So, if you're receiving 65000 alerts from a noisy port scan, you can easily gather them into reports of 1000 events each, which would generate only 65 messages, while still catching less noisy scans by still sending a report when a time limit is reached without waiting to have collected 1000 events. You can also use this to get notified on Priority 1 alerts only, etc.

One of the rules you can use with LogAgent allows you to call external programs (like an SMS messaging program or a pager system), and pass log data as parameters so you can customize your alert messages more than just "You have received 1000 alerts."

It's true that you could achieve mostly the same results with some scripting, but if you're looking for an already built solution, here it is. You can get an eval copy of the software at http://securit.iquebec.com/.

Hope this helps.

Adam Richard
SécurIT Informatique Inc.

At 01:52 PM 03/03/2004, Rodrigo B. Ramos wrote:
Hi!

Can anyone help me in the following job?

The X Company has more than 1000 machines (desktops and servers) on their WAN. They installed Snort as an IDS, they are logging remotely and sending alerts by email and by SMS to mobiles. What are the best steps to customize the alerts? The phone company thought that the servers were doing some spam jobs. They send many, many alerts and probably almost flood the phone company network.

What is the best way to tell the system to send alerts? Which math should I use? I know I can disable some types of rules that just can't affect the environment, I know I can count packets by priorities, by type of alerts, by packets, ... But what math can I use to send the alerts without flooding mail boxes and mobiles?

Best Regards,

--
Rodrigo Buarque Ramos
GPG KEY ID: 0x71CFE098 --> http://pgp.mit.edu
Key fingerprint = F381 366D D233 22B4 7E72 A21D DE9B 2FF3 71CF E098
55 81 88513524
55 81 3463.1593
http://www.triforsec.com.br
http://www.defenselayer.com
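The count-or-time batching that Adam describes (a full report every 1000 events, a partial report when the time limit expires first, Priority 1 alerts passed straight through) is easy to script yourself, as he notes. The following is an added example written for this archive page, not LogAgent's or Snort's own code; the Snort "fast" alert line layout it parses and all alert lines it feeds are constructed samples, and the signature ids, hosts and thresholds are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
# Assumed Snort "fast" alert layout (constructed sample, not a line from the thread):
# 03/04-15:32:01.000000 [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: x] [Priority: 2] {TCP} 10.0.0.5:4321 -> 10.0.1.7:22
FAST = re.compile(r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] .*?\[Priority: (?P<prio>\d+)\]"
                  r" \{\w+\} (?P<src>[\d.]+):?\d* -> (?P<dst>[\d.]+):?\d*")

@dataclass
class Batcher:
    max_events: int = 1000      # flush a report once this many alerts are queued ...
    max_age: float = 300.0      # ... or once the oldest queued alert is this many seconds old
    urgent_prio: int = 1        # alerts at this priority or better go out at once, never batched
    queue: list = field(default_factory=list)
    first_ts: float = 0.0       # arrival time of the oldest queued alert
    sent: list = field(default_factory=list)   # notifications that would go to mail/SMS

    def _report(self, reason):
        # One message summarising the whole batch instead of one message per alert
        by_sig = Counter((a["sid"], a["msg"]) for a in self.queue)
        by_src = Counter(a["src"] for a in self.queue)
        self.sent.append({"reason": reason, "count": len(self.queue),
                          "top_sig": by_sig.most_common(1)[0], "top_src": by_src.most_common(1)[0]})
        self.queue = []

    def feed(self, line, now):
        m = FAST.search(line)
        if not m:
            return              # not an alert line
        a = m.groupdict()
        if int(a["prio"]) <= self.urgent_prio:
            self.sent.append({"reason": "urgent", "count": 1,
                              "top_sig": ((a["sid"], a["msg"]), 1), "top_src": (a["src"], 1)})
            return
        self.first_ts = self.first_ts if self.queue else now
        self.queue.append(a)
        if len(self.queue) >= self.max_events:
            self._report("count")

    def tick(self, now):
        # Called from a timer: a quiet, slow scan is still reported once the time limit passes
        if self.queue and now - self.first_ts >= self.max_age:
            self._report("time")

def make_line(sid, msg, prio, src, dst):   # constructed alert line in the layout above
    return f"03/04-15:32:01.000000 [**] [{sid}] {msg} [**] [Classification: x] [Priority: {prio}] {{TCP}} {src}:4321 -> {dst}:22"

def demo():   # replay 2500 constructed scan alerts plus one Priority 1 alert; return what would be sent
    b = Batcher(max_events=1000, max_age=300.0)
    for i in range(2500):
        b.feed(make_line("1:1228:7", "SCAN nmap XMAS", 2, "10.0.0.5", f"10.0.1.{i % 250}"), now=i / 10)
    b.feed(make_line("1:9999:1", "EXPLOIT constructed overflow", 1, "10.0.0.9", "10.0.1.1"), now=250.0)
    b.tick(now=250.0)   # only 50 s since the oldest leftover alert: nothing goes out yet
    b.tick(now=600.0)   # time limit passed: the 500 leftovers go out as one partial report
    return b.sent
```

The replay turns 2501 alerts into four notifications: two full reports, the urgent alert on its own, and one partial report, each carrying the dominant signature and source so the SMS says what is happening rather than just how many alerts arrived.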
Current thread:
- alert messages Rodrigo B. Ramos (Mar 03)
- RE: alert messages Aditya, ALD [Aditya Lalit Deshmukh] (Mar 04)
- Re: alert messages SecurIT Informatique Inc. (Mar 08)
- RE: alert messages Phil Hollows (Mar 12)
- Re: alert messages Thomas (Mar 12)