Dear All,

Couldn't find a correlation howto on the list. Pretty much looking into log correlation, especially on IDS (particularly SNORT's log). Having 5 IDS console logging to a single box running currently available front-ends (ACID, Demarc), yet no things such as severity, history and correlation.

I'm looking into something that should say something like "sensor #1 attack has been detected by sensor #2 a month ago with the same source IP, including its severity and prediction."

Plus, I'm looking into what elements shall exist for correlation. Basically looking into what would be the next target looking at the current attack (present time and date), the attack explanation, and shall it be back?

Thanks
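An added example, not part of the original post: a minimal cross-sensor history check of the kind the message describes, keyed on source IP and using Snort's alert priority as the severity. It assumes Snort "fast" alert lines that have already been tagged with a sensor name; the sensor names, sample lines, addresses and the year are constructed, and the "prediction" part of the request is not attempted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort "fast" alert line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")

def parse(sensor, line, year=2003):
    """Parse one alert line; the timestamp carries no year, so it is supplied (assumption)."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return {"sensor": sensor, "time": ts, "sig": m["msg"],
            "prio": int(m["prio"]), "src": m["src"], "dst": m["dst"]}

def correlate(alerts):
    """For each alert, report earlier alerts from the same source IP seen on OTHER sensors."""
    history = defaultdict(list)          # source IP -> alerts already seen, oldest first
    findings = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        prior = [p for p in history[a["src"]] if p["sensor"] != a["sensor"]]
        if prior:
            findings.append({
                "src": a["src"], "sensor": a["sensor"], "sig": a["sig"],
                "seen_on": sorted({p["sensor"] for p in prior}),
                "days_since_first": (a["time"] - prior[0]["time"]).days,
                "worst_prio": min(p["prio"] for p in prior + [a]),  # Snort: 1 is most severe
                "same_sig": any(p["sig"] == a["sig"] for p in prior),
            })
        history[a["src"]].append(a)
    return findings

# Constructed sample input: (sensor name, alert line).
SAMPLE = [
    ("sensor2", "04/18-02:11:07.513221  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3312 -> 192.0.2.10:80"),
    ("sensor1", "05/19-18:40:12.004113  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4120 -> 192.0.2.20:80"),
    ("sensor1", "05/19-18:41:00.100000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.20"),
    ("sensor3", "05/19-18:45:30.000001  [**] [1:1418:2] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.9:2001 -> 192.0.2.30:161"),
]

if __name__ == "__main__":
    for f in correlate([parse(s, l) for s, l in SAMPLE]):
        print(f"{f['src']} on {f['sensor']}: seen on {f['seen_on']} {f['days_since_first']} days ago, "
              f"worst priority {f['worst_prio']}, same signature: {f['same_sig']}")
```
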
This archive was generated by hypermail 2b30 : Mon May 19 2003 - 19:15:59 PDT