RE: Correlation software

From: Joe Luna (joe.luna_at_kinkos.com)
Date: 03/20/04

    Date: Fri, 19 Mar 2004 17:21:53 -0800
    To: focus-ids@securityfocus.com
    
    

    Is anyone aware of any open source (free..) event correlation packages,
    or an initiative to develop such a beast?

    When looking at commercial solutions I was able to work with ArcSight
    and found their solution impressive.

    -Joe

    -----Original Message-----
    From: Chris Kirschke [mailto:durnie@hushmail.com]
    Sent: Friday, March 19, 2004 4:23 PM
    To: sam@neuroflux.com; focus-ids@securityfocus.com; phollows@open.com
    Subject: RE: Correlation software


    Check out www.guarded.net, their NeuSecure app is what we use at our
    bank and we've enjoyed it the entire way...

    durnie

    On Fri, 19 Mar 2004 02:56:53 -0800 Phil Hollows <phollows@open.com>
    wrote:
    > [Fair Warning: I work for a security management and correlation
    > company]
    >
    > Hi Sam & list:
    >
    > Security Threat Manager (STM) from Open (www.open.com) does what you're
    > looking for, providing real-time correlation, analysis and triage of FW,
    > IDS, IPS, AV, VA and network events using a variety of techniques. It
    > links multiple (tens or hundreds or for worms thousands) of raw events
    > from your devices into a few timely, actionable and relevant alerts - in
    > other words, significant false positive reduction. It links events to
    > asset values and vulnerability scans and recent event history and attack
    > source. It also provides extensive reporting and analysis capabilities
    > into attacks, correlated threats and operations performance. We've a
    > couple of case studies (no registration required) on how the product
    > works and the benefits it can bring at
    > http://www.open.com/pdf/STM_Case_Study_Legal_ROI.pdf and
    > http://www.open.com/pdf/STM_Case_Study_Finance_Firewall.pdf if you're
    > interested.
    >
    > STM features a nightly update service that updates its internal
    > database of exploit and vulnerability signatures, so instead of writing
    > rules for your correlation engine for each new potential attack vector
    > and spending time managing it, you are free to focus on improving
    > policies, testing and verifying patches, ensuring that your IDS are
    > up to date, and otherwise working on proactive defense. It all runs
    > on standard hardware too, and because it uses a "no rules" approach
    > to correlation, it's fast to install, baseline and tune.
    >
    > Enough of the product info - I'm more than happy to continue the
    > conversation off-list for Sam and anyone else who's interested in
    > product or implementation-specific detail.
    >
    > Thanks
    >
    > Phil Hollows
    > VP
    > OpenService Inc (www.open.com)
    >
    > -----Original Message-----
    > From: sam@neuroflux.com [mailto:sam@neuroflux.com]
    > Sent: Thu 3/18/2004 11:07 AM
    > To: focus-ids@securityfocus.com
    > Cc:
    > Subject: Correlation software
    >
    > Hello.. Thank you all for your responses to my Entercept email, they have
    > all been fantastic!
    >
    > I am also looking to find out if there are any commercial Log Correlation
    > packages available? I'm looking for something that can correlate Firewall
    > + IDS + HIDS type of logs and create a logical flow of events..
    >
    > Can anyone recommend, or point me in the right direction?
    >
    > Thanks!
    > -Sam
    >
    > ---------------------------------------------------------------------------
    > Test your IDS
    >
    > Is your IDS deployed correctly?
    > Find out by easily testing it with real-world attacks from CORE IMPACT.
    >
    > Visit:
    > www.coresecurity.com/promos/sf_eids1 to learn more.
    > ---------------------------------------------------------------------------
    >

    life is meant to be lived. hear me? didn't think so...

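Sam's ask (correlate Firewall + IDS + HIDS logs into a logical flow of events) and Phil's description (tens or hundreds of raw events folded into a few alerts, weighted by asset value and vulnerability-scan results) together sketch the core loop of any correlation engine. The block below is an added example, not code from any product or poster in this thread; the log line format, the asset-value table and the vulnerability-scan table are all constructed for illustration.

```python
"""Toy cross-source correlator: FW + NIDS + HIDS lines -> a few scored alerts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up normalised format (not from any real device).
RAW_LOGS = [
    "2004-03-19T10:00:01 fw DROP src=10.9.8.7 dst=192.168.1.20 dport=445",
    "2004-03-19T10:00:02 fw DROP src=10.9.8.7 dst=192.168.1.20 dport=139",
    "2004-03-19T10:00:03 fw ACCEPT src=10.9.8.7 dst=192.168.1.20 dport=80",
    "2004-03-19T10:00:05 nids ALERT src=10.9.8.7 dst=192.168.1.20 sig=WEB-IIS cmd.exe access",
    "2004-03-19T10:00:09 hids ALERT host=192.168.1.20 msg=new admin account created",
    "2004-03-19T10:30:00 fw DROP src=172.16.5.5 dst=192.168.1.50 dport=23",
]
# Constructed context a correlator joins against: asset criticality (1 low .. 5 critical)
# and, per host, the IDS signature names a recent vulnerability scan says it is exposed to.
ASSET_VALUE = {"192.168.1.20": 5, "192.168.1.50": 1}
VULN_SCAN = {"192.168.1.20": {"WEB-IIS cmd.exe access"}}
WINDOW = timedelta(minutes=10)          # events on one target within this span are one incident
LINE_RE = re.compile(r"^(\S+) (\w+) (\w+) (.*)$")

def parse(line):
    """Normalise one raw line into a common event record (target = dst for network, host for HIDS)."""
    ts, source, action, rest = LINE_RE.match(line).groups()
    f = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", rest))   # key=value, values may contain spaces
    return {"ts": datetime.fromisoformat(ts), "source": source, "action": action,
            "src": f.get("src"), "target": f.get("dst") or f.get("host"),
            "detail": f.get("sig") or f.get("msg") or f.get("dport")}

def correlate(lines):
    """Bucket events by (target, time window), then emit one scored alert per bucket."""
    buckets = defaultdict(list)
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        tgt = ev["target"]
        key = next((k for k in buckets if k[0] == tgt and ev["ts"] - k[1] <= WINDOW), (tgt, ev["ts"]))
        buckets[key].append(ev)
    alerts = []
    for (target, start), evs in buckets.items():
        sigs = {e["detail"] for e in evs if e["source"] == "nids"}
        score = 1 + ASSET_VALUE.get(target, 1)                          # base + asset value
        score += 3 if sigs & VULN_SCAN.get(target, set()) else 0         # IDS hit matches a known hole
        score += 3 if any(e["source"] == "hids" for e in evs) else 0     # host-side confirmation
        alerts.append({"target": target, "start": start, "events": len(evs),
                       "sources": sorted({e["src"] for e in evs if e["src"]}), "score": score,
                       "severity": "critical" if score >= 10 else "high" if score >= 6 else "low"})
    return sorted(alerts, key=lambda a: -a["score"])

if __name__ == "__main__":
    for a in correlate(RAW_LOGS):   # six raw events collapse into two alerts, one critical
        print(f"{a['severity']:>8} score={a['score']:2d} target={a['target']} "
              f"events={a['events']} sources={','.join(a['sources'])}")
```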
