RE: Correlation software

From: Mariusz Burdach (
Date: 03/19/04

    Date: Fri, 19 Mar 2004 10:29:20 +0100


    If you are looking for any commercial tools, please have a look at the Symantec website.
    They offer the Incident Manager product, which can correlate events from
    several security tools such as firewalls, antivirus products or IDSes, and after
    that it creates incidents which meet defined criteria. This product allows
    you to create your own patterns of attacks. Additionally, you need event
    collectors to collect events from 3rd-party products such as Snort or
    RealSecure. Of course, you can collect events from not yet
    supported tools. For example, using Symantec HIDS you can collect logs from
    Honeyd or Squid. The other possibility is to use the Syslog collector,
    but then you have to write rules to transform logs to a normalized form.
    I have to mention that after normalization all events are saved in a DB2
    database. The DB2 database is the component of Symantec Enterprise
    Security Architecture. The Incident Manager takes events from that
    database and looks for patterns of attacks.

    Below I am putting an example of a simple pattern of attack. When three types of
    normalized events happen and the destination IP address is the
    same for all three of them, the Incident Manager will generate an incident.
    (The first event comes from the firewall or IDS; the second and third ones come from the
    host-based IDS or the syslog event collector.)

    Best regards,
    Mariusz Burdach

    -------------------------------------------pattern of attack-------------------------------------------
            Assign CriteriaOne "CONNECT-SCAN";
            Assign TypeOne "SubCategory";
            Assign CountOne 1;

            Assign CriteriaTwo "AUTHV_OS_Login_User";
            Assign TypeTwo "GenericAlert";
            Assign CountTwo 1;
            Assign CriteriaThree "AUTHS_OS_Login";
            Assign TypeThree "GenericAlert";
            Assign CountThree 1;
            Assign CriteriaOrder "Strict";

            Assign Timeout 3600;
            Assign IncidentSeverity 5;
            BuildString IncidentDescription "Pattern Attack Detected";
            Assign ContinueProcessing False;
            Assign IncidentCode "TargetPattern";
            Assign IncidentCategory "User";
            Assign StateTableSize 1000;
            UseRuleSet TargetPattern;

    -----Original Message-----
    From: []
    Sent: Thursday, March 18, 2004 5:07 PM
    Subject: Correlation software

    Hello. Thank you all for your responses to my Entercept email; they have
    all been fantastic!

    I am also looking to find out if there are any commercial log correlation
    packages available. I'm looking for something that can correlate firewall
    + IDS + HIDS types of logs and create a logical flow of events.

    Can anyone recommend one, or point me in the right direction?
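The three-stage, same-destination-IP correlation that the posted "pattern of attack" expresses, written out as an added example that is not part of the original post and not Symantec code: a small Python correlator keyed on destination IP that enforces the strict stage order, the 3600-second window and a bounded state table, and raises a severity-5 incident when the third stage completes. The event field names (`SubCategory`, `GenericAlert`, `dst_ip`, `ts`), the sample events, and the reading of `Assign TypeOne "SubCategory"` as the normalized field each criterion is matched against are assumptions made for the example; the real product's rule semantics may differ.

```python
from collections import OrderedDict
from dataclasses import dataclass, field

# Stages copied from the posted pattern: (criteria value, normalized field
# the criteria is matched against, number of matching events required).
# Matching "Type" as a field name is an assumption of this example.
PATTERN = [
    ("CONNECT-SCAN", "SubCategory", 1),
    ("AUTHV_OS_Login_User", "GenericAlert", 1),
    ("AUTHS_OS_Login", "GenericAlert", 1),
]
TIMEOUT = 3600            # Assign Timeout 3600 (seconds)
STATE_TABLE_SIZE = 1000   # Assign StateTableSize 1000
INCIDENT_SEVERITY = 5     # Assign IncidentSeverity 5


@dataclass
class TargetState:
    """Progress of one destination IP through the pattern."""
    first_ts: int
    stage: int = 0                    # index of the stage still to satisfy
    seen: int = 0                     # matches counted in the current stage
    events: list = field(default_factory=list)


class TargetPatternCorrelator:
    """Strict-order, per-target correlation with a bounded state table."""

    def __init__(self, pattern=PATTERN, timeout=TIMEOUT,
                 table_size=STATE_TABLE_SIZE):
        self.pattern = pattern
        self.timeout = timeout
        self.table_size = table_size
        self.state = OrderedDict()    # dst_ip -> TargetState, oldest first
        self.incidents = []

    @staticmethod
    def _matches(event, stage):
        criteria, field_name, _count = stage
        return event.get(field_name) == criteria

    def pending(self):
        """Number of targets with a partially matched pattern."""
        return len(self.state)

    def process(self, event):
        """Feed one normalized event; return an incident dict when the
        pattern completes for event['dst_ip'], otherwise None."""
        dst, ts = event["dst_ip"], event["ts"]
        st = self.state.get(dst)
        if st is not None and ts - st.first_ts > self.timeout:
            del self.state[dst]       # window expired: drop partial progress
            st = None
        if st is None:
            # Only an event satisfying the first stage opens a new entry.
            if not self._matches(event, self.pattern[0]):
                return None
            if len(self.state) >= self.table_size:
                self.state.popitem(last=False)   # evict the oldest target
            st = self.state[dst] = TargetState(first_ts=ts)
        stage = self.pattern[st.stage]
        if not self._matches(event, stage):
            # CriteriaOrder "Strict": a later-stage event arriving early
            # neither advances nor resets this target's state.
            return None
        st.seen += 1
        st.events.append(event)
        if st.seen < stage[2]:
            return None
        st.stage, st.seen = st.stage + 1, 0
        if st.stage < len(self.pattern):
            return None
        del self.state[dst]           # pattern complete: clear the target
        incident = {"code": "TargetPattern", "category": "User",
                    "severity": INCIDENT_SEVERITY,
                    "description": "Pattern Attack Detected",
                    "dst_ip": dst, "events": list(st.events)}
        self.incidents.append(incident)
        return incident


# Constructed sample events (not real logs), already normalized into the
# field names the pattern refers to. 10.0.0.5 completes the pattern;
# 10.0.0.9 never sees a scan; 10.0.0.7's logins arrive after the window.
SAMPLE_EVENTS = [
    {"ts": 1000, "source": "ids",  "SubCategory": "CONNECT-SCAN", "dst_ip": "10.0.0.5"},
    {"ts": 1200, "source": "hids", "GenericAlert": "AUTHV_OS_Login_User", "dst_ip": "10.0.0.5"},
    {"ts": 1300, "source": "hids", "GenericAlert": "AUTHS_OS_Login", "dst_ip": "10.0.0.9"},
    {"ts": 1400, "source": "hids", "GenericAlert": "AUTHS_OS_Login", "dst_ip": "10.0.0.5"},
    {"ts": 2000, "source": "fw",   "SubCategory": "CONNECT-SCAN", "dst_ip": "10.0.0.7"},
    {"ts": 6000, "source": "hids", "GenericAlert": "AUTHV_OS_Login_User", "dst_ip": "10.0.0.7"},
    {"ts": 6100, "source": "hids", "GenericAlert": "AUTHS_OS_Login", "dst_ip": "10.0.0.7"},
]


def run(events, **kwargs):
    """Replay events in order and return the incidents raised."""
    corr = TargetPatternCorrelator(**kwargs)
    for ev in events:
        corr.process(ev)
    return corr.incidents


if __name__ == "__main__":
    for inc in run(SAMPLE_EVENTS):
        print(inc["dst_ip"], inc["severity"], [e["ts"] for e in inc["events"]])
```

Two points a practitioner would check against the real product before relying on such a rule: what "Strict" does with an out-of-order event (here it is simply ignored, so a scan that is logged slightly after the login it preceded never correlates), and what happens when the state table fills (here the oldest target is evicted, which an attacker who can generate many scans against many hosts could exploit to flush their real target's partial state).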
