RE: IDS Correlation (threat management)

From: Oliver Petruzel (opetruzel@cox.rr.com)
Date: 03/22/02


From: "Oliver Petruzel" <opetruzel@cox.rr.com>
To: '李辉' <huili@sei.xjtu.edu.cn>, <focus-ids@securityfocus.com>
Date: Fri, 22 Mar 2002 08:32:36 -0500

What you are really looking for in a correlation SW is a threat
management system similar to what you will find in a SOC. This software
can sometimes be installed inside a NOC within your WAN/LAN, but is
often very expensive.

Threat management systems perform correlation amongst all devices such
as IDS/Firewall/syslog/logmining/etc...

This is a very young industry for SW, but there are some players...
rumor has it that there will be an article featured in an upcoming issue
of Network Computing with side-by-side comparisons of those players.

Examples include NetForensics, Riptech, CyberWolf, NeuSecure...

The key factors: the type of sensors you have deployed, cost per sensor
vs. site licensing (of course), and presentation/filtering of data for
analysts to read through (readability). Some of the newer threat
management systems are VERY intelligent in their correlation. Good luck
to ya.

Oliver p.
Sr. network security engineer
Near DC...

-----Original Message-----
From: 李辉 [mailto:huili@sei.xjtu.edu.cn]
Sent: Tuesday, March 21, 2000 9:50 PM
To: focus-ids@securityfocus.com
Subject: IDS Correlation

Hi, all
  Recently I have been focusing on IDS correlation, but I am always thinking about
these questions:
  1. Can correlation definitely improve performance, such as precision?
  2. Maybe a comprehensive knowledge base about all kinds of IDS alerts
is essential to correlation, but how can we acquire it?
  3. Supposing that we have the knowledge base, which kinds of methods
should we take to do correlation?
 I welcome all kinds of comments about correlation.
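The cross-device correlation the reply describes (IDS, firewall and syslog alerts folded into one view for an analyst), as an added example that is not part of the original thread or of any product named in it. The record format, the five-minute window and the sample events are constructed assumptions; events from different devices that share a source IP inside the window become one incident, scored by how many independent devices corroborate it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, reporting device, source IP, message)
SAMPLE_EVENTS = [
    ("2002-03-22 08:30:01", "ids",      "10.9.8.7",  "portscan detected"),
    ("2002-03-22 08:30:15", "firewall", "10.9.8.7",  "deny tcp dst port 22"),
    ("2002-03-22 08:31:02", "syslog",   "10.9.8.7",  "sshd: failed password for root"),
    ("2002-03-22 08:45:00", "firewall", "10.9.8.7",  "deny tcp dst port 23"),
    ("2002-03-22 08:32:00", "ids",      "192.0.2.5", "icmp echo sweep"),
]

WINDOW = timedelta(minutes=5)  # assumed correlation window

def parse(record):
    ts, device, src, msg = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), device, src, msg

def correlate(events, window=WINDOW):
    """Group events by source IP into incidents whose events all fall within
    `window` of the incident's first event. Each incident is a dict with
    src, start, devices (set), messages (list) and score."""
    by_src = defaultdict(list)
    for ev in sorted(map(parse, events)):      # chronological order
        by_src[ev[2]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        current = None
        for ts, device, _, msg in evs:
            if current is None or ts - current["start"] > window:
                current = {"src": src, "start": ts, "devices": set(), "messages": []}
                incidents.append(current)
            current["devices"].add(device)
            current["messages"].append(f"{device}: {msg}")
    for inc in incidents:
        # Corroboration drives severity: the same source reported by several
        # independent devices outweighs many alerts from a single sensor.
        inc["score"] = len(inc["devices"])
    return sorted(incidents, key=lambda i: -i["score"])

def render(incidents):
    """One analyst-readable line per incident, highest score first."""
    return [f"[score {i['score']}] {i['src']} from {i['start']:%H:%M:%S}: "
            + "; ".join(i["messages"]) for i in incidents]

if __name__ == "__main__":
    for line in render(correlate(SAMPLE_EVENTS)):
        print(line)
```

The fourth event for 10.9.8.7 falls outside the window and so starts a second, lower-scored incident rather than inflating the first.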
 


