Lubo,

Correlation is making many vendors sweat. Marcus is right on target with his assessment. Well, correlation must go beyond just data consolidation/percolation. Correlation engines at their very soul need to be able to create new patterns from patterns of patterns.

Example: Code Red scan + Code Red II + 12 other attacks + netbios attempts == New Pattern (Nimda). Originally, we had rulesets for 14 different attack vectors, then when they were used in conjunction they were correlated to become the pattern for Nimda.

Just content correlation, time correlation, target/source correlation is still basic data consolidation. Being able to glean new patterns from that consolidation, and adapt those patterns, would be the future of correlation, IMO.

$0.02 worth,
Mike

On Friday 19 July 2002 05:29, Lubomir.Nistorat_private shared this knowledge:
> event correlation is what makes me sweat.. a perfect correlation should
> do content correlation, time correlation etc.. that means it's always not
> sufficiently correlated (whatever software)...
> lubo
>

--
Mike Poor
gpg key: http://www.digitalguardian.net/mike_digitalguardian.asc
gpg fingerprint: 31D3 6BD0 09D9 84B4 85E6 2EBA 0182 D447 97ED 6D41
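An added example of the two-tier idea in the post above (my code, not from Mike's message or the loganalysis list): tier 1 maps raw IDS signatures to named patterns, and tier 2 declares a composite pattern over those names that fires only when all of them are seen from one source inside a time window. The signature names, IP addresses and the "nimda_like" label are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample events: (timestamp_sec, source_ip, ids_signature).
SAMPLE_EVENTS = [
    (0,    "10.0.0.5", "codered_ida_scan"),
    (30,   "10.0.0.5", "codered2_root_exe"),
    (45,   "10.0.0.5", "cmd_exe_probe"),
    (90,   "10.0.0.5", "netbios_share_attempt"),
    (100,  "10.0.0.9", "codered_ida_scan"),
    (1000, "10.0.0.9", "netbios_share_attempt"),  # too late to correlate
]

# Tier 1: raw signature -> first-level pattern name (plain data consolidation).
BASE_PATTERNS = {
    "codered_ida_scan": "codered",
    "codered2_root_exe": "codered2",
    "cmd_exe_probe": "webroot_probe",
    "netbios_share_attempt": "netbios",
}

# Tier 2: a "pattern of patterns" expressed only in tier-1 names.
# Label is constructed; the combination follows the Code Red + netbios example above.
META_PATTERNS = {
    "nimda_like": {"codered", "codered2", "webroot_probe", "netbios"},
}

def tier1_alerts(events):
    """One alert per event: (ts, src, pattern). This is what a non-correlating
    engine would emit: four separate alerts for the 10.0.0.5 sequence."""
    return [(ts, src, BASE_PATTERNS[sig]) for ts, src, sig in sorted(events)
            if sig in BASE_PATTERNS]

def correlate(events, window=300):
    """Return meta-alerts (meta_name, src, first_ts, last_ts). For each source,
    slide a window over its tier-1 patterns; a meta pattern fires once per
    source when every required tier-1 name appears inside one window."""
    per_source = defaultdict(list)
    for ts, src, name in tier1_alerts(events):
        per_source[src].append((ts, name))
    alerts = []
    for src, seq in per_source.items():
        fired = set()
        for i, (ts0, _) in enumerate(seq):
            in_window = [(ts, n) for ts, n in seq[i:] if ts - ts0 <= window]
            seen = {n for _, n in in_window}
            for meta, required in META_PATTERNS.items():
                if meta not in fired and required <= seen:
                    fired.add(meta)
                    alerts.append((meta, src, ts0, in_window[-1][0]))
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # [('nimda_like', '10.0.0.5', 0, 90)]
```

Adapting the pattern, as the post suggests, is then a matter of editing META_PATTERNS rather than rewriting the engine; the 10.0.0.9 host shows why the time bound matters, since it has two of the four pieces but 900 seconds apart.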
This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 17:36:34 PDT