Snort mailing list archives

Event correlation engine?


From: Rich Adamson <radamson () routers com>
Date: Sun, 24 Aug 2003 09:22:47 -0600

Slightly off topic, but somewhat related....

Is anyone using some sort of event correlation engine that would analyze
events from multiple sources (including snort, firewalls, etc), and generate
a notification event in something close to real time?

Looking for something that could handle this type of an example:
  a) firewall reports multiple blockages (assume port scan),
  b) snort on inside of firewall reports web unicode attack, and,
  c) IIS web server reports https page access from same source IP
If these sequential events occur within some predetermined amount of time,
generate a pager warning message (or something like that).

I'm not looking for a perl script that runs every five minutes; rather,
something that accepts alerts from commonly implemented devices and
analyzes the sequence of events to generate near real-time alerts.

Thoughts anyone? (Off list is fine if you want.)

Rich
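The three-step sequence in the post, as a minimal time-windowed correlation rule (added example, not code from the post or from any product it mentions): events are normalised to a small record with source, source IP, kind and timestamp, and an alert fires only when an IP completes the steps in order within the window. The Event fields, the STAGES tuple and the sample events are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str   # "firewall", "snort" or "iis" (assumed normalised names)
    src_ip: str
    kind: str     # "block", "web_unicode_attack" or "https_access"

# Ordered stages from the post: N firewall blocks, then a Snort unicode
# alert, then an IIS https access, all from the same source IP.
STAGES = [("firewall", "block"), ("snort", "web_unicode_attack"), ("iis", "https_access")]

def correlate(events, window=timedelta(minutes=10), min_blocks=3):
    """Return [(src_ip, first_ts, last_ts)] for each IP that completes STAGES in order."""
    state = {}          # src_ip -> [stage_index, block_count, first_ts]
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        st = state.setdefault(ev.src_ip, [0, 0, None])
        if st[2] is not None and ev.ts - st[2] > window:
            st[:] = [0, 0, None]            # window expired: drop partial progress
        if (ev.source, ev.kind) != STAGES[st[0]]:
            continue                        # not the next expected step: ignore
        if st[2] is None:
            st[2] = ev.ts                   # window starts at the first matching event
        if st[0] == 0:
            st[1] += 1
            if st[1] < min_blocks:
                continue                    # need several blocks before moving on
        st[0] += 1
        if st[0] == len(STAGES):
            hits.append((ev.src_ip, st[2], ev.ts))
            st[:] = [0, 0, None]
    return hits

def _t(minute, second=0):                   # constructed timestamps, 24 Aug 2003 09:MM:SS
    return datetime(2003, 8, 24, 9, minute, second)

# Constructed sample feed: 10.0.0.5 completes the chain in ~2 minutes, 10.0.0.9 only
# trips the firewall, 10.0.0.7 finishes the chain but outside the 10 minute window.
SAMPLE = [
    Event(_t(0), "firewall", "10.0.0.5", "block"),
    Event(_t(0, 5), "firewall", "10.0.0.5", "block"),
    Event(_t(0, 20), "firewall", "10.0.0.9", "block"),
    Event(_t(0, 9), "firewall", "10.0.0.5", "block"),
    Event(_t(1, 30), "snort", "10.0.0.5", "web_unicode_attack"),
    Event(_t(2, 10), "iis", "10.0.0.5", "https_access"),
    Event(_t(3), "firewall", "10.0.0.7", "block"),
    Event(_t(3, 5), "firewall", "10.0.0.7", "block"),
    Event(_t(3, 10), "firewall", "10.0.0.7", "block"),
    Event(_t(20), "snort", "10.0.0.7", "web_unicode_attack"),
    Event(_t(20, 30), "iis", "10.0.0.7", "https_access"),
]
```

Running `correlate(SAMPLE)` yields one hit for 10.0.0.5 only; raising `min_blocks` or shrinking `window` shows how the rule's two tunables trade missed chains against false pages.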
