RE: IDS Correlation
From: Keith T. Morgan (keith.morgan@terradon.com) Date: 03/22/02
- Previous message: Anton Chuvakin: "two sniffers on the same eth ifc performance impact?"
- Maybe in reply to: 李辉: "IDS Correlation"
- Next in thread: Xiaoyong Wu: "RE: IDS Correlation"
- Next in thread: Matthew F. Caldwell: "RE: IDS Correlation"
- Next in thread: 李辉: "Re: RE: IDS Correlation"
- Maybe reply: 李辉: "Re: RE: IDS Correlation"
- Reply: Xiaoyong Wu: "RE: IDS Correlation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 22 Mar 2002 11:46:29 -0500
From: "Keith T. Morgan" <keith.morgan@terradon.com>
To: "Matthew F. Caldwell" <mattc@guarded.net>
>
> Checkpoint FW1 X.X.X.X Z.Z.Z.Z accept
> Enterasys Dragon X.X.X.X Z.Z.Z.Z IISUNICODE
> ISS RealSecure X.X.X.X Z.Z.Z.Z Nimda_Worm
We do this by centralizing logging, and we built a front-end to view/analyze/search/mine it all.
>
> Cross Organization Correlation
> Managed Service Providers and Intelligence Service Providers
> can do this, (or at least I hope so)
We do.
> Time by Event Correlation
> Statistics Table holds key information about Event counts and
> Time period over hosts. Picks up slow scans and that type of
> thing if you have lots of memory :>
Again, centralized logging seems to be key here. Some method of pulling log/alert information from diverse systems into a single cohesive real-time repository. We've done it, but the number of systems currently supported is minimal. We're adding to this as we go. I'm certain other companies are working in the same direction.
>
> Vulnerability Name and Event Correlation.
> Well ladies and gentlemen, this is where it starts to get
> messy.
Indeed. It seems to require a lot of product customization. The nitty gritty of this involves custom tailoring alerts/logging in various packages, or, doing a whole bunch of string parsing on the central system. We've elected to do the former in most cases. In others, a mix.
IIRC, there are companies out there that are focusing (like us) on centralized attack/threat/trending/pattern analysis. I've bumped into several at trade shows stating they have varying capabilities (with regards to different firewall/ids vendors) in doing this. Summary, I think we're all in the same boat. I'm a little out of the loop here... is there a movement to standardize threat/attack nomenclature/reporting etc? Has anyone submitted an RFC? If this has been done, someone point me to the appropriate RFC number, because I have some serious reading to do.
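The thread describes three pieces that a central repository needs: pulling alerts from diverse products into one schema, a hand-maintained mapping from each vendor's event name to a common vocabulary (the "product customization" step), and a statistics table of event counts per host over time that catches slow scans. The block below is an added illustration of those three steps and is not code from anyone in this thread or from any of the products named. The log line formats, the vendor-to-canonical name table, the sample lines and the threshold values are all constructed for the example; they are not the real log syntax of Checkpoint FW-1, Enterasys Dragon or ISS RealSecure.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    src: str
    dst: str
    name: str  # canonical event name after normalization


# Per-sensor line formats. These are assumed, illustrative formats, not the
# real syntax of the products mentioned in the thread.
PATTERNS = {
    "fw1": re.compile(
        r"^(?P<ts>\S+) fw1 (?P<name>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"),
    "dragon": re.compile(
        r"^(?P<ts>\S+) dragon (?P<name>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+)"),
    "realsecure": re.compile(
        r"^(?P<ts>\S+) realsecure (?P<name>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"),
}

# (sensor, vendor event name) -> canonical name. Assumed mapping built for
# this example; in practice this is the hand-maintained customization table.
CANONICAL = {
    ("dragon", "IISUNICODE"): "iis_unicode_traversal",
    ("realsecure", "Nimda_Worm"): "iis_unicode_traversal",
    ("fw1", "accept"): "fw_accept",
    ("fw1", "drop"): "fw_drop",
}

# Constructed sample input: one corroborated IIS event seen by three sensors,
# plus one source probing six hosts at ten-minute intervals (a slow scan).
SAMPLE_LINES = [
    "2002-03-22T11:40:01 fw1 accept src=10.1.1.5 dst=192.0.2.10",
    "2002-03-22T11:40:03 dragon IISUNICODE 10.1.1.5 192.0.2.10",
    "2002-03-22T11:40:04 realsecure Nimda_Worm 10.1.1.5 -> 192.0.2.10",
    "2002-03-22T10:00:00 fw1 drop src=10.9.9.9 dst=192.0.2.1",
    "2002-03-22T10:10:00 fw1 drop src=10.9.9.9 dst=192.0.2.2",
    "2002-03-22T10:20:00 fw1 drop src=10.9.9.9 dst=192.0.2.3",
    "2002-03-22T10:30:00 fw1 drop src=10.9.9.9 dst=192.0.2.4",
    "2002-03-22T10:40:00 fw1 drop src=10.9.9.9 dst=192.0.2.5",
    "2002-03-22T10:50:00 fw1 drop src=10.9.9.9 dst=192.0.2.6",
    "garbage line that no parser understands",
]


def parse_line(line):
    """Normalize one raw sensor line into an Event, or None if unrecognized."""
    for sensor, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            raw = m.group("name")
            # Unknown vendor names are kept, prefixed by sensor, so they are
            # visible in the repository rather than silently dropped.
            name = CANONICAL.get((sensor, raw), f"{sensor}:{raw}")
            return Event(datetime.fromisoformat(m.group("ts")), sensor,
                         m.group("src"), m.group("dst"), name)
    return None


def parse_all(lines):
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def corroborated(events):
    """Same (src, dst, canonical name) reported by two or more sensors."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.src, e.dst, e.name)].add(e.sensor)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= 2}


def slow_scans(events, window=timedelta(hours=1), min_hosts=5):
    """Statistics-table check: sources that touch at least min_hosts distinct
    destinations inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append((e.ts, e.dst))
    hits = {}
    for src, touches in by_src.items():
        touches.sort()
        lo = 0
        for hi in range(len(touches)):
            while touches[hi][0] - touches[lo][0] > window:
                lo += 1
            hosts = {d for _, d in touches[lo:hi + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(hits.get(src, ())):
                hits[src] = hosts
    return hits


if __name__ == "__main__":
    evs = parse_all(SAMPLE_LINES)
    print("corroborated:", corroborated(evs))
    print("slow scans:", slow_scans(evs))
```

The sliding window is what makes the per-host statistics table useful for slow scans: a per-minute threshold never fires on one probe every ten minutes, but a one-hour window over the same counts does, at the cost of keeping an hour of (timestamp, destination) pairs per source in memory, which is the "lots of memory" the quoted post alludes to.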