RE: Views and Correlation in Intrusion Detection
From: Jim Butterworth (res0qh1m_at_verizon.net)
Date: 06/17/03
- Previous message: Randy Taylor: "Gartner comments (was Re: Rather funny; looks like page defacement to me)"
- In reply to: Blake Matheny: "Views and Correlation in Intrusion Detection"
- Next in thread: DAVID MARKLE: "Re: Views and Correlation in Intrusion Detection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Blake Matheny'" <bmatheny@mkfifo.net>, <focus-ids@securityfocus.com>
Date: Tue, 17 Jun 2003 10:40:22 -0700
I quickly realized what you are talking about and decided that a centralized logging mechanism, and log content analysis, was needed. From this effort, I was able to see similarities in different logs (SNORT/router syslogs, firewall logs, proxy logs, DHCP, netlogs, sniffer logs, etc...); they all had a few fields that were common: time, source & dest IP address, port usage, header information. Using a Python script, we were able to automate the data aggregation into a centralized MySQL server and we could build tables and queries based upon common traffic. If an alert from the IDS came in at such and such a time, we could pull all log outputs from that time, and IP information (source AND destination - who else was this machine talking to on my network?), DHCP lease information, etc... We could then go to the machine in question and run fport on the machine to map applications to port usage.

I agree, I think the gold is the analysis log aggregation and data mining...
r/Jim Butterworth
SANS GCIA
-----Original Message-----
From: bite me,,, [mailto:matheny@enry.net] On Behalf Of Blake Matheny
Sent: Tuesday, June 17, 2003 10:32 AM
To: focus-ids@securityfocus.com
Subject: Views and Correlation in Intrusion Detection
Two areas that I have recently been doing research in are views and their connection to correlation techniques. In terms of systems, given some event, the information we get about the occurrence of such an event comes to us in the form of either a primary or a secondary view. Information about secondary views typically comes to us from applications such as firewalls and ID systems. Primary information usually is received from the application actually processing this data for use. For instance, an ID sensor may produce an alert about some traffic. However, this is a secondary view of the event and needs to be correlated with other, relevant information. So of course firewall logs might be checked, to see if traffic actually passed that corresponds to the event in question. This is also a secondary view, so a third place is checked, the application's logs.

There are really several issues here. First of all, a tremendous amount of time is being spent trying to correlate all the relevant information. This is something that _can_ be automated. Second, the application's logs may not be trustworthy. Third, and to me most importantly, is the fact that this is such a 'basic' thing that people using ID systems have to do, and there is no piece of software yet that does this.

So something we have been working on is a system to deal with this basic type of scenario. This will entail data transformations into an intermediary language, an event description language, offline state analysis and several other components (there is more information at http://www.nongnu.org/babe/).

If you spend some time thinking about everything involved to do this in a scalable fashion, it's an enormous task (I said basic, not simple). What I am finding frustrating is that much of the base research has not yet even been done. Much of the research that has been done is either too primitive or too impractical to be implemented. Is this due to the infancy and immaturity of the field, do people not see this as being feasible and therefore aren't spending the research time, or is this simply too far down the line? In any case, feedback welcome. Thanks.
Cheers,
-Blake
--
Blake Matheny            "... one of the main causes of the fall of the
bmatheny@mkfifo.net      Roman Empire was that, lacking zero, they had
http://www.mkfifo.net    no way to indicate successful termination of
http://ovmj.org/GNUnet/  their C programs." --Robert Firth

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
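Both messages above describe the same workflow: Blake's point that an IDS alert is only a secondary view that has to be checked against the firewall (another secondary view) and the application's own log (the primary view), and Jim's point that once every log is reduced to the common fields (time, source and destination IP, ports) and loaded into one database, the check becomes a query around the alert's timestamp. The script below is an added example, not code from either poster or from the BABE project. It assumes constructed sample lines in Snort, netfilter-style firewall syslog, Apache access-log and dhcpd formats, uses sqlite3 as a stand-in for the MySQL server Jim mentions, and assumes all logs share one local clock and the year 2003 (syslog and Snort timestamps carry no year); the field names and the "view" label are the example's own.

```python
"""Added example: normalise several log formats into common fields, aggregate
them into one table, and pull everything around an IDS alert.  sqlite3 stands
in for MySQL; sample lines below are constructed, not real traffic."""
import re
import sqlite3
from datetime import datetime, timedelta

YEAR = 2003                      # assumption: syslog/Snort stamps carry no year
FMT = "%Y-%m-%d %H:%M:%S"        # sortable text form used in the table

# Constructed sample lines (source name, raw line); none are real traffic.
SAMPLE_LINES = [
    ("snort", "06/17-10:31:02.113 [**] [1:1000001:1] WEB-ATTACK suspicious request [**] {TCP} 203.0.113.5:51234 -> 192.0.2.77:80"),
    ("firewall", "Jun 17 10:31:01 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.77 PROTO=TCP SPT=51234 DPT=80"),
    ("firewall", "Jun 17 10:31:03 fw1 kernel: ACCEPT IN=eth1 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=443"),
    ("firewall", "Jun 17 10:45:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.77 PROTO=TCP SPT=51300 DPT=22"),
    ("webapp", '203.0.113.5 - - [17/Jun/2003:10:31:02 -0700] "GET /cgi-bin/test HTTP/1.0" 200 512'),
    ("dhcp", "Jun 17 10:05:44 dhcp1 dhcpd: DHCPACK on 192.0.2.77 to 00:11:22:33:44:55 via eth0"),
]

SNORT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ .*? \{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)")
SYSLOG_TS_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) ")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) SPT=(\d+) DPT=(\d+)")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})")


def event(source, view, ts, src, dst, sport, dport, raw, mac=None):
    """Common-field record. 'view' is 'primary' for the application's own log,
    'secondary' for IDS/firewall observations, 'lease' for DHCP context."""
    return {"source": source, "view": view, "ts": ts, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "mac": mac, "raw": raw}


def syslog_ts(line):
    m = SYSLOG_TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{YEAR} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %b %d %H:%M:%S")


def parse_line(source, line):
    """Reduce one raw line to the common fields; None if the line does not parse."""
    if source == "snort":
        m = SNORT_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{YEAR} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %m %d %H:%M:%S")
        return event(source, "secondary", ts, m.group(5), m.group(7), int(m.group(6)), int(m.group(8)), line)
    if source == "firewall":
        ts, m = syslog_ts(line), FW_RE.search(line)
        if not (ts and m):
            return None
        return event(source, "secondary", ts, m.group(1), m.group(2), int(m.group(4)), int(m.group(5)), line)
    if source == "webapp":
        m = APACHE_RE.match(line)
        if not m:
            return None
        # Access logs carry a zone offset; drop it on the assumption all logs share one clock.
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        return event(source, "primary", ts, m.group(1), None, None, None, line)
    if source == "dhcp":
        ts, m = syslog_ts(line), DHCP_RE.search(line)
        if not (ts and m):
            return None
        return event(source, "lease", ts, None, m.group(1), None, None, line, mac=m.group(2))
    return None


def load(lines):
    """Aggregate parsed records into one table (in-memory sqlite here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (source TEXT, view TEXT, ts TEXT, src TEXT, dst TEXT,"
                 " sport INTEGER, dport INTEGER, mac TEXT, raw TEXT)")
    for source, line in lines:
        ev = parse_line(source, line)
        if ev:
            conn.execute("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?)",
                         (ev["source"], ev["view"], ev["ts"].strftime(FMT), ev["src"], ev["dst"],
                          ev["sport"], ev["dport"], ev["mac"], ev["raw"]))
    conn.commit()
    return conn


def correlate(conn, alert, window_seconds=5):
    """Every other record within +/-window of the alert that involves either endpoint."""
    lo = (alert["ts"] - timedelta(seconds=window_seconds)).strftime(FMT)
    hi = (alert["ts"] + timedelta(seconds=window_seconds)).strftime(FMT)
    ips = (alert["src"], alert["dst"])
    return conn.execute(
        "SELECT source, view, ts, src, dst, raw FROM events WHERE ts BETWEEN ? AND ?"
        " AND (src IN (?,?) OR dst IN (?,?)) AND raw != ? ORDER BY ts",
        (lo, hi, *ips, *ips, alert["raw"])).fetchall()


def peers(conn, ip, around, window_seconds=60):
    """'Who else was this machine talking to?' in the minutes around the alert."""
    lo = (around - timedelta(seconds=window_seconds)).strftime(FMT)
    hi = (around + timedelta(seconds=window_seconds)).strftime(FMT)
    rows = conn.execute("SELECT src, dst FROM events WHERE ts BETWEEN ? AND ? AND (src = ? OR dst = ?)",
                        (lo, hi, ip, ip)).fetchall()
    return sorted({d if s == ip else s for s, d in rows if s and d})


def lease_for(conn, ip):
    """Most recent DHCP lease seen for the host, to tie the IP back to a MAC."""
    row = conn.execute("SELECT mac FROM events WHERE source = 'dhcp' AND dst = ? ORDER BY ts DESC LIMIT 1",
                       (ip,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = load(SAMPLE_LINES)
    snort_alert = parse_line(*SAMPLE_LINES[0])
    for row in correlate(db, snort_alert):
        print(row[0], row[1], row[2], row[5])
    print("peers of 192.0.2.77:", peers(db, "192.0.2.77", snort_alert["ts"]))
    print("lease for 192.0.2.77:", lease_for(db, "192.0.2.77"))
```

Run as-is, the alert at 10:31:02 pulls the firewall ACCEPT one second earlier, the web server's own access-log line for the same request (the primary view that confirms the traffic was actually processed), and the outbound connection the target opened one second later; the DROP at 10:45 and the DHCP lease at 10:05 fall outside the window and are only reached through the separate lease lookup. Timestamps are stored as text on purpose so the BETWEEN comparison works without date functions; on a real MySQL table you would use a DATETIME column and index (ts, src, dst).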