RE: alert messages

From: Phil Hollows (phil_at_open.com)
Date: 03/09/04

    To: <focus-ids@securityfocus.com>
    Date: Tue, 9 Mar 2004 11:07:06 -0500
    
    

    [Disclosure: I work for a security management / log analysis vendor]

    Security event management and correlation products, such as Open's Security
    Threat Manager (see http://www.open.com), also do what you are looking for.
    They monitor firewall, IDS, anti-virus and other sentry systems in
    real-time, and alert you based on parameters that you set. You should look
    for the ability to correlate across different vendors (e.g. Cisco PIX and
    Checkpoint FW-NG), device classes and vendors (e.g. relate IDS events from
    ISS with anti-virus data from Symantec). The most powerful systems will
    also correlate an IDS alert with whether or not the target system appears to
    be vulnerable to the attack, and relate all these events to the asset's
    value or importance to your organization. My company's product also takes
    into account where the attack was launched from (e.g. inside the
    organization or outside).

    The benefit is that the number of alerts you see is significantly reduced,
    as the products take care of consolidating and aggregating alarms into the
    few that you require. What you get is real-time analysis and triage on
    inbound attacks which you can then action, in effect pulling the signal from
    the noise.

    Thank you,

    Sincerely,

    Phil Hollows
    VP Marketing
    OpenService, Inc.
    110 Turnpike Road, Suite 308
    Westborough, MA 01581
    www.open.com

    -----Original Message-----
    From: SecurIT Informatique Inc. [mailto:securit@iquebec.com]
    Sent: Thursday, March 04, 2004 3:32 PM
    To: Rodrigo B. Ramos
    Cc: focus-ids@securityfocus.com
    Subject: Re: alert messages

    Hello.

    I don't think there's any simple "math" to adequately answer your request,
    especially with so few specifics about the kind of alerts your
    sensor deals with. Anyway, that's not the point.

    I have made a tool called LogAgent Pro 5.2 that was created partly in order
    to help solve this kind of problem. LogAgent is a log file monitoring and
    analyzing program, which will monitor in real-time any ASCII log file and
    the Event Viewer and apply rules you have defined related to the
    appropriate fields for each log. Data can be gathered together in simple
    reports, which you can send when a certain number of alerts is reached
    and/or when a specified amount of time is elapsed. So, if you're receiving
    65000 alerts from a noisy port scan, you can easily gather them into
    reports of 1000 events each, which would generate only 65 messages, while
    still catching less noisy scans by still sending a report when a time-limit
    is reached without waiting to have collected 1000 events. You can also use
    this to get notified on Priority 1 alerts only, etc.

    One of the rules you can use with LogAgent allows you to call external
    programs (like an SMS messaging program or a pager system), and pass log
    data as parameters so you can customize your alert messages more than just
    "You have received 1000 alerts."

    It's true that you could achieve mostly the same results with some
    scripting, but if you're looking for an already built solution, here it is.

    You can get an eval copy of the software at http://securit.iquebec.com/.

    Hope this helps.

    Adam Richard
    SécurIT Informatique Inc.

    At 01:52 PM 03/03/2004, Rodrigo B. Ramos wrote:

    >Hi!
    >
    >Can anyone help me in the following job?
    >
    >The X Company has more than 1000 machines (desktop and servers) on their
    >WAN. They installed snort as an IDS, they are logging remotely and
    >sending alerts by email and by sms to mobiles.
    >
    >What are the best steps to customize the alerts? The phone company
    >thought that the servers were doing some spam jobs. They send many, many
    >alerts and probably almost flood the phone company network.
    >
    >What is the best way to tell the system to send alerts? Which math
    >should I use?
    >
    >I know I have to disable some types of rules that just can't
    >affect the environment, I know I can count packets by priorities, by type of
    >alerts, by packets, ... But what math can I use to send the alerts
    >without flooding mail boxes and mobiles?
    >
    >
    >Best Regards,
    >--
    >Rodrigo Buarque Ramos
    >GPG KEY ID: 0x71CFE098 --> http://pgp.mit.edu
    >Key fingerprint = F381 366D D233 22B4 7E72 A21D DE9B 2FF3 71CF E098
    >55 81 88513524
    >55 81 3463.1593
    >http://www.triforsec.com.br
    >http://www.defenselayer.com
    >
    >
    >---------------------------------------------------------------------------
    >Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
    >wireless security
    >
    >Protect your network against hackers, viruses, spam and other risks with
    >Astaro
    >Security Linux, the comprehensive security solution that combines six
    >applications in one software solution for ease of use and lower total cost of
    >ownership.
    >
    >Download your free trial at
    >http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
    >---------------------------------------------------------------------------
    >
    >_____________________________________________________________________
    >A sweet message to send? A trip to the cinema to organise? Do it in real
    >time with MSN Messenger! It's free! http://ifrance.com/_reloc/m

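The count-or-time reporting rule Adam describes (flush a report at 1000 events, or sooner when a time limit passes so a slow scan is still seen), together with Rodrigo's wish not to flood mailboxes and pagers, can be written down as a small batcher. The following is an added example for this thread, not code from LogAgent, OpenService or any poster; the class and function names (`AlertBatcher`, `Alert`, `summarize`, `simulate_noisy_scan`, `simulate_quiet_scan`) and the sample alerts and IP addresses are constructed for illustration. It also adds a priority bypass so Priority 1 events still go out immediately, and a summary body so the message says more than "You have received 1000 alerts."

```python
"""Added example (not part of this thread or of LogAgent): an alert batcher
that implements the count-or-time reporting rule, plus a priority bypass so
Priority 1 events still page immediately.  All sample alerts are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Alert:
    ts: float        # event time in seconds (constructed sample values)
    priority: int    # Snort-style: 1 is the most severe
    sig: str         # signature / rule name
    src: str
    dst: str


def summarize(events: List[Alert]) -> str:
    """Build a message body that says more than 'You have received N alerts'."""
    sigs = Counter(a.sig for a in events).most_common(3)
    srcs = Counter(a.src for a in events).most_common(3)
    span = max(a.ts for a in events) - min(a.ts for a in events)
    lines = [f"{len(events)} alerts over {span:.0f}s",
             "top signatures: " + ", ".join(f"{s} x{n}" for s, n in sigs),
             "top sources: " + ", ".join(f"{s} x{n}" for s, n in srcs)]
    return "\n".join(lines)


@dataclass
class AlertBatcher:
    max_events: int = 1000        # flush when this many alerts are buffered...
    max_age_s: float = 300.0      # ...or when the oldest buffered alert is this old
    immediate_priority: int = 1   # this priority (and better) bypasses batching
    sent: List[dict] = field(default_factory=list)   # stand-in for mail/SMS delivery
    _buf: List[Alert] = field(default_factory=list)
    _opened_at: Optional[float] = None

    def add(self, alert: Alert) -> None:
        if alert.priority <= self.immediate_priority:
            self.sent.append({"kind": "immediate", "body": summarize([alert]), "count": 1})
            return
        if not self._buf:
            self._opened_at = alert.ts      # batch clock starts at first buffered alert
        self._buf.append(alert)
        self._flush_if_due(alert.ts)

    def tick(self, now: float) -> None:
        """Call from a timer so a quiet trickle is reported when the time limit passes."""
        self._flush_if_due(now)

    def _flush_if_due(self, now: float) -> None:
        if not self._buf:
            return
        if len(self._buf) >= self.max_events or now - self._opened_at >= self.max_age_s:
            self.flush()

    def flush(self) -> None:
        if not self._buf:
            return
        self.sent.append({"kind": "report", "body": summarize(self._buf),
                          "count": len(self._buf)})
        self._buf.clear()
        self._opened_at = None


def simulate_noisy_scan(n_alerts: int = 65000, batch_size: int = 1000) -> int:
    """Constructed scenario from the thread: one scanner hits many hosts.
    Returns how many messages the batcher would actually send."""
    b = AlertBatcher(max_events=batch_size, max_age_s=300.0)
    for i in range(n_alerts):
        b.add(Alert(ts=i * 0.01, priority=2, sig="SCAN nmap TCP",
                    src="192.0.2.10", dst=f"10.0.{i // 250 % 256}.{i % 250}"))
    return len(b.sent)


def simulate_quiet_scan(n_alerts: int = 5, report_after_s: float = 300.0) -> int:
    """A slow scan never reaches the count threshold; the timer still reports it."""
    b = AlertBatcher(max_events=1000, max_age_s=report_after_s)
    for i in range(n_alerts):
        b.add(Alert(ts=i * 30.0, priority=3, sig="SCAN slow probe",
                    src="198.51.100.7", dst=f"10.0.0.{i}"))
    b.tick(now=report_after_s)     # timer fires once the limit has elapsed
    return len(b.sent)


if __name__ == "__main__":
    print("noisy scan ->", simulate_noisy_scan(), "messages")
    print("quiet scan ->", simulate_quiet_scan(), "messages")
```

With a batch size of 1000 the 65000-alert scan from the thread produces 65 report messages, and the five-alert slow scan produces one report when the timer fires. The time limit only works if something calls `tick()` independently of incoming alerts; a batcher that checks age only on arrival would sit on a small batch indefinitely once the scan stops.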

