RE: IDS Correlation

From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 03/22/02


From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "'??'" <huili@sei.xjtu.edu.cn>, "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com>
Date: Thu, 21 Mar 2002 20:59:38 -0800

1. Yes, correlation, when done well, can absolutely improve the accuracy and
quality of your data.
2. SecurityFocus has built one of these for the products that are supported
by ARIS. MountainWave is another company that has a very comprehensive mapping
knowledgebase. Intellitactics & ArcSight both use a mapping database (each has
a separate one) to better map alerts from different IDS to the same categories
of attacks where appropriate. The answer is: if you want to buy it, you might
be able to do so. If you want to build it, you just need the time and
resources to do so.
3. I'm not sure I understand the question. Use every method you can:
statistics, boolean logic statements, pattern matches, combinations of all of
the above.

All opinions are my own and in no way reflect the views of my employer.

Toby

> -----Original Message-----
> From: huili@sei.xjtu.edu.cn [mailto:huili@sei.xjtu.edu.cn]
> Sent: Tuesday, March 21, 2000 6:50 PM
> To: focus-ids@securityfocus.com
> Subject: IDS Correlation
>
>
> hi, all
> Recently I am focusing on IDS correlation, but I am always
> thinking about these questions:
> 1. Can correlation definitely improve the performance, such
> as precision?
> 2. Maybe a comprehensive knowledge base about all kinds of
> IDS alerts is essential to correlation, but how can we acquire it?
> 3. Suppose that we have the knowledge base; which kinds of
> method should we take to do correlation?
> Welcome all kinds of comments about correlation.
>
>
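As an added example that is not part of the original thread, the following Python script shows in working code the two things Toby's points 2 and 3 describe: a mapping table that normalises alerts from two different sensors into common attack categories, and correlation over the normalised stream using pattern matches, boolean combinations, and a simple statistical threshold. The sensor names, alert line formats, signature names, category mapping and sample alerts are all constructed for illustration and are not taken from ARIS, MountainWave, Intellitactics, ArcSight or any other product.

```python
"""Added example: normalise alerts from two different (constructed) sensor
formats into common attack categories via a mapping table, then correlate
them with pattern matches, boolean logic and a statistical threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mapping knowledge base: (sensor, signature) -> common category.
# A real one would be a large, vendor-maintained table.
CATEGORY_MAP = {
    ("sensor_a", "SCAN nmap TCP"):      "recon.portscan",
    ("sensor_a", "WEB-CGI phf access"): "exploit.web",
    ("sensor_b", "PortSweep"):          "recon.portscan",
    ("sensor_b", "HTTP_phf"):           "exploit.web",
    ("sensor_b", "ICMP_Echo"):          "recon.ping",
}

def normalise(sensor, raw):
    """Parse one raw alert line into a dict carrying a common category.
    Constructed line formats:  sensor_a: "ts|sig|src|dst"
                               sensor_b: "ts sig src>dst"
    Unmapped signatures get category 'unknown' so nothing is silently dropped."""
    if sensor == "sensor_a":
        ts, sig, src, dst = raw.split("|")
    else:
        ts, sig, pair = raw.split(" ", 2)
        src, dst = pair.split(">")
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "sig": sig,
            "src": src, "dst": dst,
            "cat": CATEGORY_MAP.get((sensor, sig), "unknown")}

def correlate(alerts, window=timedelta(minutes=10), scan_threshold=3):
    """Return a list of (finding, src, dst) tuples.
    pattern match : exploit.* alert whose source has been reported by at
                    least two different sensors      -> 'multi-sensor-exploit'
    boolean logic : recon.* from X to Y followed within `window` by
                    exploit.* from X to Y             -> 'scan-then-exploit'
    statistics    : >= scan_threshold recon.* alerts from one source
                    within `window` (reported once)   -> 'noisy-scanner'"""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    findings = []
    sensors_by_src = defaultdict(set)
    recon_by_pair = {}               # (src, dst) -> latest recon timestamp
    recon_times = defaultdict(list)  # src -> recon timestamps inside window
    flagged_noisy = set()

    for a in alerts:
        sensors_by_src[a["src"]].add(a["sensor"])
        if a["cat"].startswith("recon."):
            recon_by_pair[(a["src"], a["dst"])] = a["ts"]
            recon_times[a["src"]].append(a["ts"])
            # keep only recon events still inside the sliding window
            recon_times[a["src"]] = [t for t in recon_times[a["src"]]
                                     if a["ts"] - t <= window]
            if (len(recon_times[a["src"]]) >= scan_threshold
                    and a["src"] not in flagged_noisy):
                flagged_noisy.add(a["src"])
                findings.append(("noisy-scanner", a["src"], None))
        elif a["cat"].startswith("exploit."):
            prior = recon_by_pair.get((a["src"], a["dst"]))
            if prior is not None and a["ts"] - prior <= window:
                findings.append(("scan-then-exploit", a["src"], a["dst"]))
            if len(sensors_by_src[a["src"]]) >= 2:
                findings.append(("multi-sensor-exploit", a["src"], a["dst"]))
    return findings

# Constructed sample alerts: two sensors watching the same attacker.
SAMPLE_A = [
    "2002-03-21T20:00:00|SCAN nmap TCP|10.1.1.5|10.2.2.9",
    "2002-03-21T20:01:00|SCAN nmap TCP|10.1.1.5|10.2.2.10",
    "2002-03-21T20:05:00|WEB-CGI phf access|10.1.1.5|10.2.2.9",
]
SAMPLE_B = [
    "2002-03-21T20:00:30 PortSweep 10.1.1.5>10.2.2.11",
    "2002-03-21T20:05:01 HTTP_phf 10.1.1.5>10.2.2.9",
    "2002-03-21T20:07:00 ICMP_Echo 10.9.9.9>10.2.2.9",
]

def run_sample():
    """Normalise both sensors' alerts and correlate them."""
    alerts = [normalise("sensor_a", line) for line in SAMPLE_A]
    alerts += [normalise("sensor_b", line) for line in SAMPLE_B]
    return correlate(alerts)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Two points the code makes that the mail only hints at: without the mapping step the two sensors' differently named phf signatures would never be recognised as the same attack, and the boolean and statistical rules are only as good as the window and threshold chosen, which is where the precision gain huili asked about is won or lost.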
