Hmm, a lot of money is surely required (if not wasted on licenses and an implementation team, it'll be wasted on open-source gurus to administer it), but flat panels pay off when there are more customers coming to see the SOC you've built.. (they look cool alright..:)

Event correlation is what makes me sweat.. a perfect correlation should do content correlation, time correlation etc.. that means it's always not sufficiently correlated (whatever software)...

Does anybody know any sec monitoring sw where you can modify correlation rules? (not just time/device but also content?)

What are the limitations of correlation (how far should I correlate? I doubt that achieving secure=yes/no status is wise :)

lubo

-----Original Message-----
From: Marcus J. Ranum [mailto:mjrat_private]
Sent: Thursday, 18 July 2002 23:43
To: Fabio Pietrosanti (naif); loganalysisat_private
Subject: Re: [logs] Security Monitoring software customization limit?

>suppose that i need to create a SOC for monitoring purpose ( like Counterpane

First start with a LOT of money. You'll need it. :)

Doing it right (never mind the cool flatpanel displays) is a _hard_ problem. Doing it wrong is pretty straightforward and you can do it in perl with regexps... ;)

>- Correlation of event between different device

Do you mean time-correlation, proximity-correlation or just mapping events into a normal form and then rewriting them back out? (e.g.: translation)

"Correlation of events" is a marketing buzzword these days but nobody has a clue what it actually _IS_ - it occupies the same marketing-term-space as "drilldown" in IDS...

mjr.
---
Marcus J. Ranum - Computer and communications Security Expertise
mjrat_private (http://www.ranum.com)

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
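Added example, not code from the thread or from any product mentioned in it: the three things Marcus distinguishes (translation into a normal form, time-correlation, and content/proximity-correlation across devices), written out as a small correlator whose rules are ordinary functions with adjustable windows and thresholds, which is what "modifiable correlation rules" amounts to. The two log formats, the hosts and the thresholds are constructed for the example; the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2002  # assumption: syslog timestamps carry no year

# Constructed sample lines (not the output of any real product): a firewall
# and an IDS that log the same activity in two different formats.
SAMPLE_LOGS = [
    "Jul 18 23:40:01 fw1 kernel: DENY TCP 203.0.113.7:4431 -> 198.51.100.5:22",
    "Jul 18 23:40:03 fw1 kernel: DENY TCP 203.0.113.7:4432 -> 198.51.100.5:23",
    "Jul 18 23:40:04 fw1 kernel: DENY TCP 203.0.113.7:4433 -> 198.51.100.5:25",
    "Jul 18 23:40:05 fw1 kernel: DENY TCP 203.0.113.7:4434 -> 198.51.100.5:80",
    "Jul 18 23:40:06 fw1 kernel: DENY TCP 203.0.113.7:4435 -> 198.51.100.5:443",
    "Jul 18 23:41:10 ids1 snort[411]: [1:2003:1] SSH brute force 203.0.113.7 -> 198.51.100.5",
    "Jul 18 23:59:00 fw1 kernel: DENY TCP 192.0.2.9:1022 -> 198.51.100.5:22",
    "Jul 18 23:59:30 fw1 kernel: something we have no parser for",
]

# Step 1, translation: one regex per device maps raw text into a shared
# normal form (ts, device, kind, src, dst, dport, msg).
PARSERS = [
    ("firewall", re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<dev>\S+) kernel: DENY \w+ "
        r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")),
    ("ids", re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<dev>\S+) snort\[\d+\]: "
        r"\[[\d:]+\] (?P<msg>.+?) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")),
]


def normalize(line):
    """Return the normal-form event for one raw line, or None if no parser fits."""
    for kind, rx in PARSERS:
        m = rx.match(line)
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(f"{YEAR} {d['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "device": d["dev"], "kind": kind,
                "src": d["src"], "dst": d["dst"],
                "dport": int(d["dport"]) if "dport" in d else None,
                "msg": d.get("msg", "DENY")}
    return None


# Step 2, time + content correlation inside one device type: the same source
# hitting >= min_ports distinct ports on one host inside a sliding window.
def scan_rule(events, window=timedelta(seconds=60), min_ports=5):
    alerts, per_pair = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "firewall":
            continue
        bucket = per_pair[(e["src"], e["dst"])]
        bucket.append(e)
        while e["ts"] - bucket[0]["ts"] > window:   # expire events outside the window
            bucket.pop(0)
        ports = {x["dport"] for x in bucket}
        if len(ports) >= min_ports:
            alerts.append({"rule": "portscan", "src": e["src"], "dst": e["dst"],
                           "ports": sorted(ports), "ts": e["ts"]})
            bucket.clear()   # fire once per burst, not once per extra packet
    return alerts


# Step 3, content correlation across devices: an IDS alert whose source the
# firewall already denied inside the preceding window is escalated.
def followup_rule(events, window=timedelta(minutes=5)):
    alerts, ordered = [], sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(ordered):
        if e["kind"] != "ids":
            continue
        prior = [p for p in ordered[:i] if p["kind"] == "firewall"
                 and p["src"] == e["src"] and e["ts"] - p["ts"] <= window]
        if prior:
            alerts.append({"rule": "denied-then-attacked", "src": e["src"],
                           "dst": e["dst"], "ids_msg": e["msg"],
                           "prior_denies": len(prior), "ts": e["ts"]})
    return alerts


def correlate(lines, rules=(scan_rule, followup_rule)):
    """Normalise every line, drop what no parser understands, run each rule."""
    events = [ev for ev in map(normalize, lines) if ev is not None]
    alerts = []
    for rule in rules:
        alerts.extend(rule(events))
    return events, alerts


if __name__ == "__main__":
    events, alerts = correlate(SAMPLE_LOGS)
    print(f"{len(events)} events normalised, {len(alerts)} alerts")
    for a in alerts:
        print(a)
```

The line no parser recognises is dropped silently, which is the usual failure mode: a device whose format changes stops contributing to correlation without anyone noticing, so a production correlator should count and alert on unparsed lines too. Raising `min_ports` or shrinking `window` in `scan_rule`, or widening the window in `followup_rule`, is the kind of content-and-time rule change the question asks for; neither rule says anything about whether the host is "secure", only that two observations are related.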
This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 06:25:44 PDT