Snort mailing list archives

RE: Event Correlation or Incident Management for Snort Database?


From: <hugh_fraser () dofasco ca>
Date: Fri, 19 Mar 2004 15:55:18 -0500

Have a look at SEC (Simple Event Correlation). I'm using it now for
time-based correlations (i.e. tell me if the rate of occurrence of a
particular event is increasing in the last n
seconds/minutes/hours/days). It supports the dependency rules you're
asking about, along with event suppression, etc. I'm just starting to
do some correlation between sensors to identify footprints of successful
penetrations, and to help with forensics.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of McCash, John
Sent: Friday, March 19, 2004 1:44 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Event Correlation or Incident Management for Snort Database?


Everyone,
      It seems that the newest trend in commercial IDSs is
to provide some sort of event correlation or incident
management capabilities. Those I've seen so far (and I'm
still evaluating) only provide canned correlation rules, and
don't necessarily tell you why a given set of events was
correlated. Nonetheless, this seems like it would be useful
functionality. For example, yesterday there was a thread on
this list talking about a specific sequence of SHELLCODE x86
NOOP events, followed by a WEBDAV SEARCH, being associated
with a nachi.B infection. Wouldn't it be great to be able to
run some sort of rule-based correlator against the last N
minutes' worth of data in your snort database to pull out
sequences of events like this?

      Is anyone working on features like this? They would
seem to be logical extensions to the capabilities already
provided by ACID.
              John McCash





-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
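The two kinds of rule discussed in this thread (a sequence rule such as "SHELLCODE x86 NOOP followed by WEBDAV SEARCH from the same source", and a rate-trend rule such as "is this event occurring more often in the last n minutes than before") can be shown as a small standalone correlator. This is an added example written for this archive page; it is not SEC's own rule syntax, not code from either poster, and not a Snort database query. The alert records are constructed in a made-up pipe-delimited format (timestamp|sensor|src|dst|signature), the five-minute window and the 13:10 reference time are assumptions, and the sample data is invented to exercise one true hit, one out-of-window decoy and one second-stage event with no first stage.

```python
"""Tiny rule-based correlator over alert records (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sensor: str
    src: str
    dst: str
    sig: str


def parse_alert(line: str) -> Alert:
    """Parse one record in the constructed format ts|sensor|src|dst|signature."""
    ts, sensor, src, dst, sig = line.split("|", 4)
    return Alert(datetime.fromisoformat(ts), sensor, src, dst, sig)


def sequence_rule(alerts: List[Alert], first_sig: str, then_sig: str,
                  window: timedelta) -> List[Tuple[str, datetime, datetime]]:
    """Dependency rule: report (src, first_ts, then_ts) whenever `then_sig`
    from a source follows `first_sig` from the same source within `window`,
    regardless of which sensor saw each stage."""
    hits = []
    pending: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> first-stage times
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.sig == first_sig:
            pending[a.src].append(a.ts)
        elif a.sig == then_sig:
            q = pending[a.src]
            while q and a.ts - q[0] > window:   # expire first-stage events outside the window
                q.popleft()
            if q:
                hits.append((a.src, q[0], a.ts))
                q.clear()                       # suppress repeats: one hit per completed sequence
    return hits


def rate_trend(alerts: List[Alert], sig: str, period: timedelta,
               now: datetime) -> Tuple[int, int, Optional[float]]:
    """Time-based rule: count `sig` in the last `period` and in the period before it.
    Returns (previous_count, current_count, ratio); ratio is None when previous is 0."""
    cur_start = now - period
    prev_start = cur_start - period
    prev = sum(1 for a in alerts if a.sig == sig and prev_start <= a.ts < cur_start)
    cur = sum(1 for a in alerts if a.sig == sig and cur_start <= a.ts <= now)
    return prev, cur, (cur / prev) if prev else None


# Constructed sample records: 10.0.0.5 completes the sequence, 10.0.0.7's second
# stage arrives too late for the window, 10.0.0.9 has no first stage at all.
SAMPLE_LINES = [
    "2004-03-19T13:00:05|sensor-a|10.0.0.5|192.168.1.10|SHELLCODE x86 NOOP",
    "2004-03-19T13:00:09|sensor-a|10.0.0.5|192.168.1.10|SHELLCODE x86 NOOP",
    "2004-03-19T13:00:40|sensor-b|10.0.0.5|192.168.1.10|WEBDAV SEARCH",
    "2004-03-19T13:01:00|sensor-a|10.0.0.7|192.168.1.11|SHELLCODE x86 NOOP",
    "2004-03-19T13:07:30|sensor-b|10.0.0.7|192.168.1.11|WEBDAV SEARCH",
    "2004-03-19T13:08:00|sensor-b|10.0.0.9|192.168.1.12|WEBDAV SEARCH",
    "2004-03-19T13:09:00|sensor-b|10.0.0.9|192.168.1.12|WEBDAV SEARCH",
]
SAMPLE = [parse_alert(l) for l in SAMPLE_LINES]


def run_sample():
    """Apply both rules to the constructed sample with a 5-minute window (assumed)."""
    hits = sequence_rule(SAMPLE, "SHELLCODE x86 NOOP", "WEBDAV SEARCH", timedelta(minutes=5))
    trend = rate_trend(SAMPLE, "WEBDAV SEARCH", timedelta(minutes=5),
                       datetime(2004, 3, 19, 13, 10, 0))
    return hits, trend


if __name__ == "__main__":
    hits, (prev, cur, ratio) = run_sample()
    for src, t1, t2 in hits:
        print(f"sequence hit: {src} NOOP at {t1:%H:%M:%S} then WEBDAV SEARCH at {t2:%H:%M:%S}")
    print(f"WEBDAV SEARCH rate: previous period {prev}, last period {cur}, ratio {ratio}")
```

Running the block prints one sequence hit (10.0.0.5) and a rate ratio of 3.0 for WEBDAV SEARCH, which is the "why was this correlated" answer John asks for: each hit carries the two timestamps and the source that tied them together, so an analyst can go back to the database and check the raw alerts behind it.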

