RE: Correlation software

From: Mariusz Burdach (
Date: 03/19/04

  • Next message: Raffael Marty: "Re: Correlation software"
    Date: Fri, 19 Mar 2004 10:29:20 +0100
    To: <>, <>


    If you are looking for any commercial tools, please have a look at Symantec website.
    They offer the Incident Manger product which can correlate events from
    several security tools such firewalls, antiviruses or IDSes and after
    that it creates incidents which meet defined criteria. This product allows
    to create own patterns of attacks. Additionally, you need event
    collectors to collect events from 3rd part products such a Snort or
    RealSecure. Of course, you can collect events from not yet
    supported tools. For example: using Symantec HIDS you can collect logs from
    Honeyd or Squid. The other possibility is to use the Syslog collector,
    but then you have to write roles to transform logs to a normalized form.
    I have to mention that after normalization all events are saved in a DB2
    database. The DB2 database is the component of Symantec Enterprise
    Security Architecture. The Incident Manager takes events from that
    database and looks for patterns of attacks.

    Below I am putting an example of simple pattern of attack. When three types of
    normalized events happen and the destination IP address is the
    same for three of them, the Incident Manager will generate an incident.
    (First event comes from firewall or ids, second and third ones come from the
    host-based ids or the syslog event collector)

    Best regards,
    Mariusz Burdach

    -------------------------------------------pattern of attack-------------------------------------------
            Assign CriteriaOne "CONNECT-SCAN";
            Assign TypeOne "SubCategory";
            Assign CountOne 1;

            Assign CriteriaTwo "AUTHV_OS_Login_User";
            Assign TypeTwo "GenericAlert";
            Assign CountTwo 1;
            Assign CriteriaThree "AUTHS_OS_Login";
            Assign TypeThree "GenericAlert";
            Assign CountThree 1;
            Assign CriteriaOrder "Strict";

            Assign Timeout 3600;
            Assign IncidentSeverity 5;
            BuildString IncidentDescription "Pattern Attack Detected";
            Assign ContinueProcessing False;
            Assign IncidentCode "TargetPattern";
            Assign IncidentCategory "User";
            Assign StateTableSize 1000;
            UseRuleSet TargetPattern;

    -----Original Message-----
    From: []
    Sent: Thursday, March 18, 2004 5:07 PM
    Subject: Correlation software

    Hello.. Thank you all for your responses to my Entercept email, they have
    all been fantastic!

    I am also looking to find out if there are any commercial Log Correlation
    packages available? I'm looking for something that can correlate Firewall
    + IDS + HIDS type of logs and create a logical flow of events..

    Can anyone recommend, or point me in the right direction?


    Test your IDS

    Is your IDS deployed correctly?
    Find out by easily testing it with real-world attacks from CORE IMPACT.

    Visit: to learn more.



  • Next message: Raffael Marty: "Re: Correlation software"