Ganu,

I would encourage you to download my whitepaper on different types of correlation. It can be found here: http://www.guarded.net/literature.html It talks about the rules-based correlation in SEC and other products on the market, as well as some other types of correlation.

The elements depend on what you're looking for; you can use source IP addresses as one, if you want to see a large portion of your external attacker data. Internal-wise, depending on your IDS, you can use the username (particularly failed logins) to determine insider activity.

You're talking about predictive analysis, which isn't great TODAY from my experience. Port scans and things like that are easy to predict or easy to analyze, but it (meaning the algorithm) doesn't know for a certainty that the attack will be back. The accuracy of those algorithms has yet to be determined.

Matt

Matthew F. Caldwell, CISSP
Founder and Chief Security Officer
GuardedNet, Inc.
www.guarded.net
mattcat_private

-----Original Message-----
From: Ganu Skop [mailto:skopganuat_private]
Sent: Monday, May 19, 2003 2:20 AM
To: loganalysisat_private
Subject: [logs] Correlation Whitepaper

Dear All,

Couldn't find a correlation howto on the list. Pretty much looking into log correlation, especially on IDS (particularly SNORT's logs). Having 5 IDS consoles logging to a single box running currently available front-ends (acid, demarc), yet no things such as severity, history and correlation. I'm looking into something that should say something like "sensor #1 attack has been detected by sensor #2 a month ago with the same source IP, including its severity and prediction." Plus, I'm looking into what elements shall exist for correlation. Basically looking at what would be the next target looking at the current attack (present time and date) and attack explanation, and shall it be back?

thanks

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
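The cross-sensor rule Ganu describes ("sensor #1 attack has been detected by sensor #2 a month ago with the same source IP") and the correlation element Matt points at (source IP) can be shown in a few dozen lines. The following is an added example, not code from the thread, from GuardedNet or from Snort: it parses Snort "fast" alert lines that have been prefixed with the reporting sensor's name (the prefix and the sample lines are constructed here; the fast format itself carries neither a sensor name nor a year, so a year is supplied), indexes every alert by the chosen element, and reports each alert that another sensor already saw from the same value inside a history window, with the days elapsed and Snort's priority mapped to a severity label. The same engine works on any parsed field (a username from failed-login records, for instance) by changing `key`.

```python
"""
Rule-based correlation of IDS alerts across sensors on one element
(source IP by default). Added example with constructed log lines; the
sensor-name prefix is an assumption, not part of Snort's fast format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real Snort output). Each line is the name of
# the reporting sensor followed by a Snort fast-alert line; SIDs are from the
# local-rule range and are placeholders.
SAMPLE_ALERTS = """\
sensor1 04/18-02:11:05.000000 [**] [1:1000001:1] WEB-ATTACKS /etc/passwd access [**] [Priority: 1] {TCP} 203.0.113.7:41022 -> 192.0.2.10:80
sensor3 04/25-09:30:12.000000 [**] [1:1000002:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.4:55001 -> 192.0.2.20:22
sensor2 05/18-23:58:41.000000 [**] [1:1000001:1] WEB-ATTACKS /etc/passwd access [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.11:80
sensor1 05/19-00:02:03.000000 [**] [1:1000002:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.4:55002 -> 192.0.2.21:22
sensor1 05/19-00:10:00.000000 [**] [1:1000001:1] WEB-ATTACKS /etc/passwd access [**] [Priority: 1] {TCP} 203.0.113.7:51300 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(
    r"^(?P<sensor>\S+)\s+(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Snort priority 1 is the most severe.
SEVERITY = {1: "high", 2: "medium", 3: "low"}


def parse_alert(line, year=2003):
    """Parse one sensor-prefixed fast-alert line into a dict, or None if it
    does not match. The fast format has no year, so one is supplied."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S")
    d["prio"] = int(d["prio"])
    d["severity"] = SEVERITY.get(d["prio"], "low")
    return d


def correlate(alerts, key="src", window=timedelta(days=90)):
    """Rule: an alert is correlated when a *different* sensor reported the
    same `key` value within `window` before it. Alerts are processed in time
    order; one finding is produced per (alert, earlier sensor) pair."""
    findings = []
    history = defaultdict(list)  # key value -> earlier alerts, oldest first
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for earlier in history[a[key]]:
            if earlier["sensor"] == a["sensor"]:
                continue  # a sensor re-seeing its own source is not cross-sensor
            age = a["ts"] - earlier["ts"]
            if age > window:
                continue
            findings.append({
                "sensor": a["sensor"], "key": key, "value": a[key],
                "msg": a["msg"], "severity": a["severity"],
                "seen_by": earlier["sensor"], "days_ago": age.days,
                "earlier_msg": earlier["msg"],
            })
        history[a[key]].append(a)
    return findings


def summarize(f):
    """Render a finding as the one-line statement the thread asks for."""
    return (f"{f['sensor']}: {f['msg']} ({f['severity']}) from {f['key']}={f['value']}; "
            f"same {f['key']} seen by {f['seen_by']} {f['days_ago']} days ago "
            f"({f['earlier_msg']})")


if __name__ == "__main__":
    alerts = [a for a in map(parse_alert, SAMPLE_ALERTS.splitlines()) if a]
    for finding in correlate(alerts):
        print(summarize(finding))
```

Run as a script it prints three findings: sensor2's alert matched by sensor1 from 30 days earlier, sensor1's scan alert matched by sensor3 from 23 days earlier, and sensor1's last alert matched by sensor2 from the same night (sensor1's own earlier alert from that address is deliberately skipped). Narrowing `window` to a week drops the two older matches, which is the knob that decides how far back "history" reaches.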
This archive was generated by hypermail 2b30 : Tue May 20 2003 - 10:43:30 PDT