Hello dear all,

We are working on a threat management system using snort + logsnorter + syslog servers. The architecture is very similar to others: each site has its own logserver that collects events from the snort IDS, routers, PIX firewalls and webservers (the last ones using logsnorter). These logservers send the "interesting" events to the central logserver. The central logserver correlates these events and shows them on the analyst console.

We need to make an event severity evaluation; at the moment we are working with this formula:

Severity = Sensor + Criticality(Type of rule / ip destination)

Sensor: each sensor has a specific value (an event detected by the router is not the same as one detected by the internal IDS).

Criticality: each pair of type of rule (IIS, Shellcode, Trojan) and its destination has a specific value (an attack with Nimda against a webserver that runs Apache is not the same).

Each event has its severity:
- if the severity is < 3 the event is shown in white on the console
- if severity is >= 3 and <= 6 the event is shown yellow
- if severity is >= 7 and <= 8 the event is shown orange
- if severity is >= 9 the event is shown red

I need to know how to find the relation between the events and the set of rules that trigger each event. Could you help me, please?

Thanks a lot.

=======================================
Julio Jaime
Americas Zone Security Administrator
Accor Services - Servicios Ticket S.A.
Av. Díaz Vélez 4367 (C1200 AAK) Bs. As. - Argentina
Tel.: (54-11) 4909-1375
Fax.: (54-11) 4909-1394
jjaimeat_private
=======================================

----------------------------------------------------------------------------
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error please send it back to the person that sent it to you. Unauthorized publication, use, dissemination, forwarding, printing or copying of this email and its associated attachments is strictly prohibited.
----------------------------------------------------------------------------

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
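The poster asks how to tie each console event back to the rule that fired it and how to apply the severity formula. The following is an added example, not code from the post or from Snort or logsnorter: it parses Snort alert_fast lines, relates each alert to its rule through the [generator:sid:rev] tag Snort writes into every alert, and applies Severity = Sensor + Criticality(rule type, destination) with the colour bands from the message. The sensor weights, the SID-to-rule-family table, the asset inventory and the criticality values are hypothetical, and the alert lines are constructed.

```python
import re
from dataclasses import dataclass

# Snort alert_fast line layout (the sample lines further down are constructed to match it):
#   <ts> [**] [gen:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gen>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# --- Assumed tables: hypothetical values for this example, not taken from the post ---
SENSOR_WEIGHT = {"router": 1, "ids-dmz": 2, "ids-internal": 3}
# Which rule family a SID belongs to. In a real deployment this is built from the
# sensor's rules files / sid-msg.map; the entries here are constructed.
SID_RULE_TYPE = {1002: "IIS", 648: "Shellcode", 9000001: "Trojan"}
# Fallback: classic Snort rule messages start with their family name.
MSG_PREFIX_TYPE = {"WEB-IIS": "IIS", "SHELLCODE": "Shellcode", "BACKDOOR": "Trojan"}
# What each destination address is (constructed asset inventory).
ASSET_ROLE = {"192.168.1.10": "apache-web", "192.168.1.20": "iis-web", "192.168.1.30": "workstation"}
# Criticality of (rule type, destination role): an IIS exploit aimed at Apache is noise.
CRITICALITY = {
    ("IIS", "iis-web"): 6, ("IIS", "apache-web"): 1,
    ("Shellcode", "iis-web"): 5, ("Shellcode", "apache-web"): 5, ("Shellcode", "workstation"): 3,
    ("Trojan", "workstation"): 6, ("Trojan", "iis-web"): 7,
}
DEFAULT_CRITICALITY = 2


@dataclass
class Event:
    sid: int
    rev: int
    msg: str
    rule_type: str
    src: str
    dst: str
    role: str
    severity: int
    color: str


def parse_alert(line):
    """Return the named groups of one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def rule_type(sid, msg):
    """Relate an event to its rule family: first by SID, then by the message prefix."""
    return SID_RULE_TYPE.get(sid) or MSG_PREFIX_TYPE.get(msg.split()[0], "Other")


def severity_color(severity):
    """Console colour bands from the post: <3 white, 3-6 yellow, 7-8 orange, >=9 red."""
    if severity < 3:
        return "white"
    if severity <= 6:
        return "yellow"
    if severity <= 8:
        return "orange"
    return "red"


def score_event(line, sensor):
    """Severity = Sensor + Criticality(rule type, destination). Returns an Event or None."""
    f = parse_alert(line)
    if f is None:
        return None
    sid = int(f["sid"])
    rtype = rule_type(sid, f["msg"])
    role = ASSET_ROLE.get(f["dst"], "unknown")
    sev = SENSOR_WEIGHT[sensor] + CRITICALITY.get((rtype, role), DEFAULT_CRITICALITY)
    return Event(sid, int(f["rev"]), f["msg"], rtype, f["src"], f["dst"], role, sev, severity_color(sev))


def triage(lines, sensor):
    """Score every parsable line reported by one sensor; unparsable lines are skipped."""
    return [e for e in (score_event(ln, sensor) for ln in lines) if e is not None]


# Constructed sample alerts (not real captures).
SAMPLE_DMZ = [
    "04/24-19:57:10.123456 [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3456 -> 192.168.1.20:80",
    "04/24-19:57:11.000001 [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3457 -> 192.168.1.10:80",
    "this line is not an alert and is skipped",
]
SAMPLE_INTERNAL = [
    "04/24-19:58:00.500000 [**] [1:9000001:1] BACKDOOR example trojan beacon [**] [Priority: 1] {TCP} 192.168.1.30:1044 -> 192.168.1.20:6667",
    "04/24-19:58:02.000000 [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {ICMP} 10.0.0.9 -> 192.168.1.30",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_DMZ, "ids-dmz") + triage(SAMPLE_INTERNAL, "ids-internal"):
        print(f"sid={e.sid} type={e.rule_type:9} dst={e.dst} ({e.role}) severity={e.severity} -> {e.color}")
```

The event-to-rule relation is the gen:sid:rev triple: Snort stamps it on every alert it emits, so the central logserver only needs a copy of each sensor's rule set (or its sid-msg.map) to resolve a SID back to the rule text and family. With the same IIS alert, the DMZ sensor against the IIS host scores 8 (orange) while the identical alert against the Apache host scores 3 (yellow), which is exactly the distinction the post wants the criticality term to express.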
This archive was generated by hypermail 2b30 : Thu Apr 24 2003 - 19:57:10 PDT