IDS mailing list archives
on TASL correlation rules
From: Anton Chuvakin <anton () chuvakin org>
Date: Sun, 4 Dec 2005 19:31:50 -0500
All,

I was reading this document the other day (http://www.tenablesecurity.com/images/pdfs/thunder_tasl_scripts.pdf). Great work on correlation rules, one of the most detailed I've seen! What I am wondering about is how much success people had creating such rules for site-specific threats, rather than those that apply to every network (e.g. IRC bot running or compromised machine scanning out).

From my experience, creating sensible and effective correlation rules is easier than writing good NIDS sigs. I am curious whether it matches the experience of others here?

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com