IDS mailing list archives
Re: on TASL correlation rules
From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 07 Dec 2005 12:17:46 -0500
I'm glad the paper was well received. I did receive a bunch of email from folks asking about TASL though. TASL is an event scripting language similar to the Nessus Attack Scripting Language. It's event driven, so if you have a TASL script looking for Snort Port Sweeps it won't be invoked when you get NetFlow TCP sessions or Windows Login Failure events. TASL is part of Tenable's Thunder product.

In general though, the issue we've found while writing these types of rules is that whatever the algorithm, there is always a trade-off between being exact and being general. For example, how many password failures does it take to constitute brute force password guessing? Is it the rate of failures? What about a slow set of login attempts over time?

Site-specific rules can get much more interesting. For example, writing a rule that can alert on any "SSH login failure" not coming from the SOC is very simple, but you have to know about the DNS server, the SOC and the trust relationship between them beforehand. If you don't know this type of stuff you can rely on some sort of anomaly engine (we have one of these in our Thunder product as well) to complement specific correlation rules.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com

At 07:31 PM 12/4/2005, Anton Chuvakin wrote:
All, I was reading this document the other day (http://www.tenablesecurity.com/images/pdfs/thunder_tasl_scripts.pdf). Great work on correlation rules, one of the most detailed I've seen!

What I am wondering about is how much success people had creating such rules for site-specific threats, rather than those that apply to every network (e.g. IRC bot running or compromised machine scanning out). From my experience, creating sensible and effective correlation rules is easier than writing good NIDS sigs. I am curious whether it matches the experience of others here?

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
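The exact-versus-general trade-off and the site-specific SOC rule that Ron describes above, worked through as an added example that is not part of the original thread and not TASL or any Tenable code. It is an event-driven correlator in Python: it consumes only login-failure events, keeps a per-source history, and fires three rules, a rate-based "burst" (N failures inside a short window), a "low and slow" rule (N failures spread over a long window, spaced wider than the burst window so the two do not double-fire), and the site-specific rule that alerts on any SSH failure against a SOC-only host that does not originate from the SOC's address range. The log format, the host name `dns1`, the SOC range `10.10.0.0/24`, the thresholds and the sample events are all constructed assumptions for the demonstration.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed site knowledge (hypothetical values): the SOC's address range and the
# hosts whose SSH service only the SOC is trusted to reach (e.g. the DNS server).
SOC_NET = ip_network("10.10.0.0/24")
SOC_ONLY_HOSTS = {"dns1"}

# Constructed sample log lines in a made-up "key=value" format; not any real product's output.
SAMPLE_LOG = """\
2005-12-04T19:31:00 sshd host=web1 src=192.0.2.7 user=root result=failure
2005-12-04T19:31:05 sshd host=web1 src=192.0.2.7 user=root result=failure
2005-12-04T19:31:09 sshd host=web1 src=192.0.2.7 user=admin result=failure
2005-12-04T19:31:14 sshd host=web1 src=192.0.2.7 user=admin result=failure
2005-12-04T19:31:20 sshd host=web1 src=192.0.2.7 user=test result=failure
2005-12-04T19:40:00 sshd host=dns1 src=10.10.0.5 user=ops result=failure
2005-12-04T19:41:00 sshd host=dns1 src=198.51.100.3 user=ops result=failure
2005-12-04T20:00:00 sshd host=web1 src=203.0.113.9 user=bob result=failure
2005-12-04T21:00:00 sshd host=web1 src=203.0.113.9 user=bob result=failure
2005-12-04T22:00:00 sshd host=web1 src=203.0.113.9 user=bob result=failure
2005-12-04T23:00:00 sshd host=web1 src=203.0.113.9 user=bob result=failure
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    src: str
    user: str
    result: str


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    ts: datetime


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_str, _service, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), kv["host"], kv["src"], kv["user"], kv["result"])


class LoginFailureCorrelator:
    """Event-driven correlation: only login failures are examined; other events are ignored."""

    def __init__(self, burst_threshold: int = 5, burst_window: timedelta = timedelta(seconds=60),
                 slow_threshold: int = 4, slow_window: timedelta = timedelta(hours=6)) -> None:
        self.burst_threshold = burst_threshold   # how many failures make a "burst"
        self.burst_window = burst_window         # ...within how short a time
        self.slow_threshold = slow_threshold     # how many failures make a "slow" guess
        self.slow_window = slow_window           # ...spread over how long a time
        self.failures: dict[str, deque[datetime]] = defaultdict(deque)  # per-source failure timestamps

    def handle(self, ev: Event) -> list[Alert]:
        if ev.result != "failure":
            return []
        alerts: list[Alert] = []

        # Site-specific rule: a failure against a SOC-only host from outside the SOC is
        # interesting on the very first event; no threshold needed, but it needs site knowledge.
        if ev.host in SOC_ONLY_HOSTS and ip_address(ev.src) not in SOC_NET:
            alerts.append(Alert("ssh-failure-not-from-soc", ev.src, ev.ts))

        hist = self.failures[ev.src]
        hist.append(ev.ts)
        # Forget failures older than the longest window we reason about.
        while hist and ev.ts - hist[0] > self.slow_window:
            hist.popleft()

        # Rate-based rule: fire once, when the count inside the short window reaches the threshold.
        recent = [t for t in hist if ev.ts - t <= self.burst_window]
        if len(recent) == self.burst_threshold:
            alerts.append(Alert("brute-force-burst", ev.src, ev.ts))

        # Low-and-slow rule: same idea over the long window, but only when the failures are
        # spread wider than the burst window, so a burst does not also count as "slow".
        if len(hist) == self.slow_threshold and ev.ts - hist[0] > self.burst_window:
            alerts.append(Alert("brute-force-slow", ev.src, ev.ts))
        return alerts


def run(log: str = SAMPLE_LOG) -> list[Alert]:
    """Feed the constructed log through the correlator and return the alerts raised."""
    corr = LoginFailureCorrelator()
    alerts: list[Alert] = []
    for line in log.splitlines():
        if line.strip():
            alerts.extend(corr.handle(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(f"{a.ts.isoformat()} {a.rule} src={a.src}")
```

Running it against the constructed log raises three alerts: the burst from 192.0.2.7 on its fifth failure in twenty seconds, the site-specific alert for 198.51.100.3 touching `dns1` (the 10.10.0.5 failure against the same host is silent because it comes from the SOC range), and the slow alert for 203.0.113.9 after four failures spread across three hours. Change the thresholds and windows and the trade-off Ron describes shows up immediately: a tight burst window misses the hourly guesser, a generous slow window starts flagging ordinary users who mistype a password a few times a day.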