RE: Tools to correlate attacks b/w diff. logs

From: Shaun Moran (Shaunat_private)
Date: Thu Jan 13 2000 - 06:18:24 PST


    I'm pretty sure the ISS Decisions server will correlate entries from multiple
    sources including all ISS products (host/network IDS),
    system/network/database scanners and CheckPoint Firewall-1 logs.
    
    Sticks it all in an SQL database and generates reports/alarms from that.
    
    Shaun
    
    Who doesn't work for ISS - just uses their products.
    
    -----Original Message-----
    From: owner-firewall-wizardsat_private
    [mailto:owner-firewall-wizardsat_private]On Behalf Of Pete Storm
    Sent: Wednesday, 12 January 2000 6:18 AM
    To: firewall-wizardsat_private
    Subject: Tools to correlate attacks b/w diff. logs
    
    
    Hi all,
    
    Does anyone know of a tool out there that will allow
    me to correlate incidents between several different
    logs?  For example, if I see an attempt to pull off a
    php exploit on my IDS it stands to reason that I'll
    see a similar log entry on my web server.  What I'm
    looking for is something that will pull these two
    records out of the individual logs and place them in
    an "incident" log as a related event.
    
    The current problem is that we're talking about
    hundreds of thousands of log entries.  Suppose I could
    Perl it, but I was kinda hoping there might be a
    commercial/shareware tool out there already that could
    do it so much better than I could.
    
    thanks,
    phs
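An added example, not from the thread, of the correlation Pete asks for, written in Python rather than Perl: web-server entries are bucketed by source IP, then each IDS alert is paired with entries from the same IP inside a short time window and written out as one "incident" record. The IDS alert line layout, the sample log lines and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, not from the thread. The IDS alert line layout
# (timestamp, signature, source IP) is an assumption; the web log is Apache
# common log format. Both sensors are assumed to share one local clock.
IDS_ALERTS = """\
2000-01-12 06:10:03 WEB-PHP exploit attempt 10.0.0.5
2000-01-12 06:25:40 ICMP echo request 10.0.0.9
"""
WEB_LOG = """\
10.0.0.5 - - [12/Jan/2000:06:10:05 -0800] "GET /index.php?file=remote HTTP/1.0" 500 0
10.0.0.7 - - [12/Jan/2000:06:11:00 -0800] "GET /index.html HTTP/1.0" 200 1024
10.0.0.9 - - [12/Jan/2000:06:40:00 -0800] "GET /index.html HTTP/1.0" 200 1024
"""
ALERT_RE = re.compile(r"^(\S+ \S+) (.+) (\d+\.\d+\.\d+\.\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_alerts(text):
    """Yield {time, sig, src} for each well-formed IDS alert line."""
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        yield {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
               "sig": m.group(2), "src": m.group(3)}

def parse_web(text):
    """Yield {time, src, req, status} for each well-formed web log line."""
    for m in filter(None, map(WEB_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield {"time": ts.replace(tzinfo=None),  # local wall time, like the IDS
               "src": m.group(1), "req": m.group(3), "status": m.group(4)}

def correlate(alerts, web, window=timedelta(seconds=60)):
    """Pair every IDS alert with web entries from the same source IP seen
    within +/- window. Entries are bucketed by IP first, so large logs are
    scanned once instead of being compared pairwise."""
    by_src = {}
    for w in web:
        by_src.setdefault(w["src"], []).append(w)
    incidents = []
    for a in alerts:
        hits = [w for w in by_src.get(a["src"], [])
                if abs(w["time"] - a["time"]) <= window]
        if hits:
            incidents.append({"src": a["src"], "alert": a, "web": hits})
    return incidents

if __name__ == "__main__":
    for inc in correlate(parse_alerts(IDS_ALERTS), parse_web(WEB_LOG)):
        print(inc["src"], inc["alert"]["sig"], [w["req"] for w in inc["web"]])
```

The ICMP alert produces no incident because the only web entry from that address falls well outside the window; widening the window or adding a second key (such as destination port) is where a real deployment would tune this.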
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:16 PDT