event correlation tool for IDS

From: Risto Vaarandi (risto.vaarandi@eyp.ee)
Date: 12/21/01


Date: 21 Dec 2001 00:06:13 -0000
From: Risto Vaarandi <risto.vaarandi@eyp.ee>
To: focus-ids@securityfocus.com



hi,

My apologies if this message is not relevant to
this forum.

I have recently developed a tool for event
correlation (called Simple Event Correlator),
whose original intention was network management,
but which could be applied to security management
as well.

The primary goal of event correlation is to reduce
the amount of redundant events or alarms by
filtering out irrelevant information and deriving
new events from existing ones. Event correlation
engines are heavily used in network management
systems, but could also be used in intrusion
detection systems for alarm postprocessing,
because alarm consolidation is very important for
an IDS. So far, I have not seen any freeware
event correlation tool, and therefore decided to
write one myself.

The tool I have developed accepts standard
input, regular file, or named pipe as input, and
uses regular expressions to recognize input
events (in that regard, the tool is rather similar to
swatch or logsurfer).
Input events are then correlated using the rules
found in configuration file(s). The correlation
rules include counting & thresholding of events,
correlating events pairwise, integrating scripts
with the event flow, etc. Users can create contexts,
which can be used to turn rules on/off, and also for
storing events (similar to logsurfer). If desired,
several rules can be combined, in order to form
more complex event processing schemes.

The tool can be used to monitor a single logfile
(like swatch or logsurfer), or as a postprocessing
system for an IDS or network management
server. Currently, several companies and people
have been using it with HP OpenView or for
centralized log monitoring.

The tool is distributed under GNU GPL, and can
be downloaded at http://kodu.neti.ee/~risto/sec/

If you are interested, have a look :)

best regards
risto
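To make the correlation operations mentioned in the announcement concrete (counting and thresholding, pairwise correlation, and contexts that turn rules on and off), here is a small stand-alone correlator in Python. It is an added illustration written for this archive page, not code from Simple Event Correlator or its author, and it does not use SEC's configuration syntax. The log lines, the regular expressions, the rule parameters (3 failures in 60 seconds) and the class and function names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input in a syslog-like layout (not taken from the original post).
SAMPLE_LOG = [
    "2001-12-21T00:01:00 host1 sshd[101]: Failed password for root from 10.0.0.5",
    "2001-12-21T00:01:05 host1 sshd[102]: Failed password for root from 10.0.0.5",
    "2001-12-21T00:01:10 host1 sshd[103]: Failed password for root from 10.0.0.5",
    "2001-12-21T00:01:12 host1 sshd[104]: Failed password for root from 10.0.0.5",
    "2001-12-21T00:01:20 host1 sshd[105]: Accepted password for root from 10.0.0.5",
    "2001-12-21T00:02:00 host2 sshd[201]: Failed password for admin from 10.0.0.9",
    "2001-12-21T00:05:00 host1 sshd[106]: Failed password for root from 10.0.0.5",
]

# Input events are recognised with regular expressions, as swatch/logsurfer/SEC do.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")


class Correlator:
    """Two correlation rules sharing a context store (hypothetical design).

    Rule 1 (counting/thresholding): `threshold` failed logins for the same
    (user, source) within `window` seconds produce ONE derived alert; further
    failures in the window are suppressed. Firing also creates a context.
    Rule 2 (pairwise correlation): an accepted login from a source whose
    brute-force context is still active produces a second derived alert.
    """

    def __init__(self, threshold=3, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (user, src) -> times of recent failures
        self.alerted = {}                   # (user, src) -> time the threshold alert fired
        self.contexts = {}                  # context name -> expiry time (seconds)
        self.alerts = []

    def _expire_contexts(self, now):
        for name in [n for n, exp in self.contexts.items() if exp <= now]:
            del self.contexts[name]

    def _emit(self, ts, kind, user, src):
        alert = {"ts": ts, "type": kind, "user": user, "src": src}
        self.alerts.append(alert)
        return alert

    def feed(self, line):
        """Process one input line; return a derived alert dict or None."""
        m = LINE_RE.match(line)
        if not m:
            return None  # unrecognised input is filtered out
        ts = datetime.fromisoformat(m.group("ts")).timestamp()
        msg = m.group("msg")
        self._expire_contexts(ts)

        fm = FAILED_RE.search(msg)
        if fm:
            key = (fm.group(1), fm.group(2))
            # Suppress repeats while the previous threshold alert is still fresh.
            if key in self.alerted and ts - self.alerted[key] < self.window:
                return None
            self.alerted.pop(key, None)
            q = self.failures[key]
            q.append(ts)
            while q[0] <= ts - self.window:  # drop failures older than the window
                q.popleft()
            if len(q) >= self.threshold:
                self.alerted[key] = ts
                q.clear()
                # Context turns the pairwise rule on for this source for `window` seconds.
                self.contexts[f"bruteforce:{key[1]}"] = ts + self.window
                return self._emit(ts, "BRUTE_FORCE", key[0], key[1])
            return None

        am = ACCEPTED_RE.search(msg)
        if am and f"bruteforce:{am.group(2)}" in self.contexts:
            return self._emit(ts, "SUCCESS_AFTER_BRUTE_FORCE", am.group(1), am.group(2))
        return None

    def run(self, lines):
        """Feed every line and return the list of derived alerts."""
        for line in lines:
            self.feed(line)
        return self.alerts


if __name__ == "__main__":
    for a in Correlator().run(SAMPLE_LOG):
        print(a["type"], "user=%s src=%s" % (a["user"], a["src"]))
```

Seven raw events collapse into two derived alerts: the fourth failure inside the window is suppressed, the unrelated failure from host2 never reaches the threshold, and the late failure at 00:05:00 starts a fresh count because both the suppression window and the context have expired by then. The accepted login is only interesting because a context made it so, which is the "turn rules on/off" mechanism the post describes.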