RE: IDS Correlation
From: Matthew F. Caldwell (mattc@guarded.net)
Date: 03/22/02
- Previous message: Keith T. Morgan: "RE: IDS Correlation"
- Maybe in reply to: 李辉: "IDS Correlation"
- Next in thread: John S Flowers: "Re: IDS Correlation"
- Next in thread: 李辉: "Re: RE: IDS Correlation"
- Maybe reply: 李辉: "Re: RE: IDS Correlation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 22 Mar 2002 13:02:56 -0500
From: "Matthew F. Caldwell" <mattc@guarded.net>
To: "Xiaoyong Wu" <xwu@anr.mcnc.org>, "Keith T. Morgan" <keith.morgan@terradon.com>
-----Original Message-----
From: Xiaoyong Wu [mailto:xwu@anr.mcnc.org]
Sent: Friday, March 22, 2002 12:42 PM
To: Keith T. Morgan
Cc: Matthew F. Caldwell; focus-ids@securityfocus.com
Subject: RE: IDS Correlation
On Fri, 22 Mar 2002, Keith T. Morgan wrote:
> >
> > Checkpoint FW1 X.X.X.X Z.Z.Z.Z accept
> > Enterasys Dragon X.X.X.X Z.Z.Z.Z IISUNICODE
> > ISS RealSecure X.X.X.X Z.Z.Z.Z Nimda_Worm
>
> We do this by centralizing logging and built a front-end to
> view/analyze/search/mine it all.
That's great. But, what if there're spoofed IP addresses? Will that
introduce a long list to go through and with no way to correlate them as
from one attack? How about some front-end that can sort and aggregate on
any column involved?
Some of the products do have pre-engine/pre-correlation filters that allow this spoofing filtering to be accomplished. Also, I think IDS is supposed to be able to figure this out on its own; thus there is a need for better spoof detection in IDS.
>
> >
> > Cross Organization Correlation
> > Managed Service Providers and Intelligence Service Providers
> > can do this, (or at least I hope so)
>
> We do.
I heard that some ARIS products also did the same. Does that mean the
customer information or user information will be send to a central place
for analysis? Will that be some problem for privacy? How do your products
or services cope with this issue?
I can't speak for others, but neuSECURE has compartmentalized data, with user accounts that have role-based access rights to that data. Privacy is maintained through close path encryption.
>
> > Time by Event Correlation
> > Statistics Table holds key information about Event counts and
> > Time period over hosts. Picks up slow scans and that type of
> > thing if you have lots of memory :>
>
> Again, centralized logging seems to be key here. Some method of pulling
> log/alert information from diverse systems into a single cohesive
> real-time repository. We've done it, but the number of systems
> currently supported is minimal. We're adding to this as we go. I'm
> certain other companies are working in the same direction.
>
Well, I would be interested to see some Open Source results coming out. Is
there any standard for this kind of information? How are those Intrusion
Detection Exchange Format or Common Intrusion Specification Language? Or,
will there be an XML schema for this?
Most of these schemas are directed toward IDSs. I think there needs to be a more open standard that can include many types of data. XML IDMEF is a module in our system, so it can take the data from IDSs supporting that format, just like OPSEC for Checkpoint or SNMPv3 for routers/switches.
> >
> > Vulnerability Name and Event Correlation.
> > Well ladies and gentlemen, this is where it starts to get
> > messy.
>
> Indeed. It seems to require a lot of product customization. The nitty
> gritty of this involves custom tailoring alerts/logging in various
> packages, or, doing a whole bunch of string parsing on the central
> system. We've elected to do the former in most cases. In others, a
> mix.
>
> IIRC, there are companies out there that are focusing (like us) on
> centralized attack/threat/trending/pattern analysis. I've bumped into
> several at trade shows stating they have varying capabilities (with
> regards to different firewall/ids vendors) in doing this. Summary, I
> think we're all in the same boat. I'm a little out of the loop here...
> is there a movement to standardize threat/attack nomenclature/reporting
> etc? Has anyone submitted an RFC? If this has been done, someone point
> me to the appropriate RFC number, because I have some serious reading to
> do.
>
None?
Let's work on it.
>
>
>
-Xiaoyong
-----------------------------------
Network Research Engineer, 919.248.1469
Advanced Network Research Group, MCNC xwu@anr.mcnc.org
Good Old North State, did you go to NCSU?
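The normalized event table quoted at the top of this message (FW1 accept, Dragon IISUNICODE, RealSecure Nimda_Worm for one src/dst pair) and the "statistics table" for slow scans, as an added example that is not part of the original message or of any product named in the thread; the three line formats, sensor names, addresses and timestamps are constructed assumptions, not any vendor's real log syntax:

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

RAW = [  # constructed sample alerts, each in its sensor's own loose syntax
    ("fw1", "2002-03-22 12:40:01 accept src=10.1.1.5 dst=192.0.2.10"),
    ("dragon", "2002-03-22 12:40:03 10.1.1.5 -> 192.0.2.10 IISUNICODE"),
    ("realsecure", "2002-03-22 12:40:05 Nimda_Worm 10.1.1.5 192.0.2.10"),
    ("fw1", "2002-03-22 12:55:00 accept src=10.9.9.9 dst=192.0.2.20"),
    ("fw1", "2002-03-22 13:00:00 accept src=10.7.7.7 dst=192.0.2.1"),
    ("fw1", "2002-03-22 15:00:00 accept src=10.7.7.7 dst=192.0.2.2"),
    ("fw1", "2002-03-22 17:00:00 accept src=10.7.7.7 dst=192.0.2.3"),
]

Event = namedtuple("Event", "ts sensor src dst name")  # common schema for every sensor

def normalize(sensor, line):
    """Per-sensor parsing: the string-parsing work the thread calls messy."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    f = line[20:].split()
    if sensor == "fw1":
        kv = dict(tok.split("=", 1) for tok in f[1:])
        return Event(ts, sensor, kv["src"], kv["dst"], f[0])
    if sensor == "dragon":
        return Event(ts, sensor, f[0], f[2], f[3])
    if sensor == "realsecure":
        return Event(ts, sensor, f[1], f[2], f[0])
    raise ValueError(f"no parser for sensor {sensor!r}")

def incidents(events, window=timedelta(minutes=5)):
    """Cluster events on (src, dst) within `window`, so three sensors reporting
    the same pair become one corroborated incident, not three unrelated alerts."""
    groups = defaultdict(list)  # (src, dst) -> list of time-contiguous runs
    for ev in sorted(events, key=lambda e: e.ts):
        runs = groups[(ev.src, ev.dst)]
        if runs and ev.ts - runs[-1][-1].ts <= window:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    return [(src, dst, sorted({e.sensor for e in run}), [e.name for e in run])
            for (src, dst), runs in groups.items() for run in runs]

def slow_scan_sources(events, min_hosts=3, period=timedelta(hours=24)):
    """The statistics table: distinct destinations per source over a long period,
    which catches a scan too slow to trip any single sensor's own threshold."""
    latest = max(e.ts for e in events)
    seen = defaultdict(set)
    for e in events:
        if latest - e.ts <= period:
            seen[e.src].add(e.dst)
    return {src: len(d) for src, d in seen.items() if len(d) >= min_hosts}
```

With spoofed sources, the same `incidents` clustering can be keyed on `dst` alone, which is the "aggregate on any column" front-end Xiaoyong asks for.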