Re: FW/IPS log correlation software



Just a clarification for this (ArcSight does a correlation before logs are sent from agents or stored in database).

ArcSight does not do correlation before hitting the manager/db. ArcSight connectors can do filtering and aggregation prior to forwarding to the manager if that is desired.
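The two stages this reply separates, connector-side aggregation of repeated events and manager-side correlation across sources, as an added Python example that is not from any poster or from ArcSight; the syslog lines, hosts and addresses are constructed, and the line format, the 2008 year and the 300-second window are assumptions:

```python
import re
from datetime import datetime
# Constructed syslog lines (not from the thread): one source sweeps ports and is
# denied by the firewall, then trips the IPS; a second source only hits the firewall.
SAMPLE_LOGS = """\
Apr  4 03:20:01 fw1 kernel: DENY TCP src=203.0.113.7 dst=192.0.2.10 dpt=22
Apr  4 03:20:02 fw1 kernel: DENY TCP src=203.0.113.7 dst=192.0.2.10 dpt=23
Apr  4 03:20:03 fw1 kernel: DENY TCP src=203.0.113.7 dst=192.0.2.10 dpt=445
Apr  4 03:20:05 fw1 kernel: DENY TCP src=198.51.100.9 dst=192.0.2.10 dpt=80
Apr  4 03:20:30 ips1 snort: [1:2001] Portscan src=203.0.113.7 dst=192.0.2.10
Apr  4 03:45:00 ips1 snort: [1:2002] Portscan src=198.51.100.9 dst=192.0.2.10
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line, year=2008):
    # Classic syslog timestamps carry no year, so one is assumed.
    m = LINE_RE.match(line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    ev = {"ts": ts, "host": m.group(2), "prog": m.group(3), "msg": m.group(4)}
    ev.update(KV_RE.findall(ev["msg"]))  # src=, dst=, dpt= become fields
    return ev

def aggregate_denies(events):
    # Connector-style aggregation: collapse repeated firewall DENY events per
    # (src, dst) into one record with a count, the ports hit and the last time.
    agg = {}
    for e in events:
        if e["prog"] == "kernel" and e["msg"].startswith("DENY"):
            rec = agg.setdefault((e["src"], e["dst"]),
                                 {"count": 0, "ports": set(), "last": e["ts"]})
            rec["count"] += 1
            rec["ports"].add(e["dpt"])
            rec["last"] = max(rec["last"], e["ts"])
    return agg

def correlate(events, window_s=300):
    # Manager-style correlation: escalate an IPS alert when the firewall denied
    # the same src/dst pair within window_s seconds before the alert.
    agg = aggregate_denies(events)
    hits = []
    for e in events:
        rec = agg.get((e["src"], e["dst"])) if e["prog"] == "snort" else None
        if rec and 0 <= (e["ts"] - rec["last"]).total_seconds() <= window_s:
            hits.append({"src": e["src"], "ips_msg": e["msg"], "deny_count":
                         rec["count"], "ports": sorted(rec["ports"], key=int)})
    return hits

def run(text=SAMPLE_LOGS):
    return correlate([parse(l) for l in text.splitlines() if l.strip()])
```

The second IPS alert is dropped because its firewall denies fall outside the window, which is the kind of tuning a correlation engine needs per environment.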


----- Original Message ----
From: bart knippenberg <bartknippenberg@xxxxxxxxx>
To: Raimar Melchior <raimar.melchior@xxxxxxxxxxxx>
Cc: security-basics@xxxxxxxxxxxxxxxxx
Sent: Friday, April 4, 2008 3:24:12 AM
Subject: Re: FW/IPS log correlation software

Hello Raimar,

Maybe you can take a look at RSA enVision? This is at the moment
number one for Gartner. From a technical point of view this product is
much better than Cisco MARS or ArcSight. enVision can correlate a huge
amount of logs, has collectors for a lot of products, has a decent
GUI. Logs are not prefiltered when they are stored. (ArcSight does a
correlation before logs are sent from agents or stored in database).

Best regards

Bart Knippenberg

2008/4/3 Raimar Melchior <raimar.melchior@xxxxxxxxxxxx>:
Hello list,

we want a central log station where logs from firewalls, IPS and other
security devices are sent to. All of our components support the syslog
protocol.
The challenge is to filter and correlate this huge amount of logs. We also
want to create filtering and reports (graphical). The server should have a
graphical frontend (GUI).
We tried the Kiwi syslog server but it doesn't meet our requirements. Any
good enterprise software out there?
Any suggestions would be very much appreciated.

Many Thanks,
Raimar

Security Consultant

CROCODIAL IT Security GmbH

Niederlassung Köln
Von-der-Wettern-Str. 25
51149 Köln

office: +492203-69923-16
mobile: +49170-2265680
eMail: rm@xxxxxxxxxxxx
http://www.crocodial.de/


Sitz der Gesellschaft: Hamburg
Eingetragen: Amtsgericht Hamburg Nr. HRB 83456
Geschäftsführung: Wolfgang Dierke, Helmut Hansen, Lutz Klöber
