RE: IDS Correlation

From: Xiaoyong Wu (xwu@anr.mcnc.org)
Date: 03/22/02


Date: Fri, 22 Mar 2002 12:41:50 -0500 (EST)
From: Xiaoyong Wu <xwu@anr.mcnc.org>
To: "Keith T. Morgan" <keith.morgan@terradon.com>

On Fri, 22 Mar 2002, Keith T. Morgan wrote:

> >
> > Checkpoint FW1 X.X.X.X Z.Z.Z.Z accept
> > Enterasys Dragon X.X.X.X Z.Z.Z.Z IISUNICODE
> > ISS RealSecure X.X.X.X Z.Z.Z.Z Nimda_Worm
>
> We do this by centralizing logging and built a front-end to
> view/analyze/search/mine it all.
That's great. But, what if there're spoofed IP addresses? Will that
introduce a long list to go through and with no way to correlate them as
from one attack? How about some front-end that can sort and aggregate on
any column involved?

>
> >
> > Cross Organization Correlation
> > Managed Service Providers and Intelligence Service Providers
> > can do this, (or at least I hope so)
>
> We do.
I heard that some ARIS products also did the same. Does that mean the
customer information or user information will be sent to a central place
for analysis? Will that be some problem for privacy? How do your products
or services cope with this issue?

>
> > Time by Event Correlation
> > Statistics Table holds key information about Event counts and
> > Time period over hosts. Picks up slow scans and that type of
> > thing if you have lots of memory :>
>
> Again, centralized logging seems to be key here. Some method of pulling
> log/alert information from diverse systems into a single cohesive
> real-time repository. We've done it, but the number of systems
> currently supported is minimal. We're adding to this as we go. I'm
> certain other companies are working in the same direction.
>
Well, I would be interested to see some Open Source results coming out. Is
there any standard for this kind of information? What about the Intrusion
Detection Exchange Format or the Common Intrusion Specification Language? Or,
will there be an XML schema for this?

> >
> > Vulnerability Name and Event Correlation.
> > Well ladies and gentlemen, this is where it starts to get
> > messy.
>
> Indeed. It seems to require a lot of product customization. The nitty
> gritty of this involves custom tailoring alerts/logging in various
> packages, or, doing a whole bunch of string parsing on the central
> system. We've elected to do the former in most cases. In others, a
> mix.
>
> IIRC, there are companies out there that are focusing (like us) on
> centralized attack/threat/trending/pattern analysis. I've bumped into
> several at trade shows stating they have varying capabilities (with
> regards to different firewall/ids vendors) in doing this. Summary, I
> think we're all in the same boat. I'm a little out of the loop here...
> is there a movement to standardize threat/attack nomenclature/reporting
> etc? Has anyone submitted an RFC? If this has been done, someone point
> me to the appropriate RFC number, because I have some serious reading to
> do.
>

None?


-Xiaoyong
-----------------------------------
Network Research Engineer, 919.248.1469
Advanced Network Research Group, MCNC xwu@anr.mcnc.org
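As an added illustration of the two ideas in the quoted list (a front-end that aggregates on any column, and a statistics table of event counts over time per host that picks up slow scans), here is a small correlator; it is example code written for this page, not from anyone in the thread. It assumes the quoted "vendor product src dst event" layout prefixed with an epoch timestamp, and all sample lines and addresses are constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple

class Event(NamedTuple):
    ts: int      # seconds since epoch; assumed prefix, the quoted lines have none
    vendor: str
    product: str
    src: str
    dst: str
    name: str    # product-specific event name, e.g. accept / Nimda_Worm

def parse(line: str) -> Event:
    """Normalize '<epoch> <vendor> <product> <src> <dst> <event>' into one schema."""
    ts, vendor, product, src, dst, name = line.split(maxsplit=5)
    return Event(int(ts), vendor, product, src, dst, name.strip())

def aggregate(events: Iterable[Event], column: str) -> Counter:
    """'Sort and aggregate on any column': event counts keyed by one field."""
    return Counter(getattr(e, column) for e in events)

def slow_scanners(events: Iterable[Event], window: int, min_targets: int) -> Dict[str, int]:
    """Statistics-table check: most distinct destinations one source hit within any
    `window` seconds; sources reaching `min_targets` are reported."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    flagged = {}
    for src, evs in by_src.items():
        best = max(len({e.dst for e in evs[i:] if e.ts - first.ts <= window})
                   for i, first in enumerate(evs))
        if best >= min_targets:
            flagged[src] = best
    return flagged

# Constructed sample (documentation-range addresses): one host probes four targets
# about 50 minutes apart, each seen by a different product, plus benign repeats.
SAMPLE_LINES = [
    "1016800000 Checkpoint FW1 198.51.100.7 192.0.2.10 accept",
    "1016803000 Enterasys Dragon 198.51.100.7 192.0.2.11 IISUNICODE",
    "1016806000 ISS RealSecure 198.51.100.7 192.0.2.12 Nimda_Worm",
    "1016809000 Checkpoint FW1 198.51.100.7 192.0.2.13 accept",
    "1016800500 Checkpoint FW1 203.0.113.9 192.0.2.10 accept",
    "1016800600 Checkpoint FW1 203.0.113.9 192.0.2.10 accept",
]
EVENTS = [parse(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    print(aggregate(EVENTS, "src"))
    print(slow_scanners(EVENTS, window=4 * 3600, min_targets=3))  # a 1-hour window misses it
```

The per-source window is the memory cost the quoted note alludes to: the longer the window, the more events must be retained per host before a slow scan becomes visible.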