Network Security Firewalls

RE: Correlation Tool

Subject: RE: Correlation Tool
Date: Wed, 25 Jan 2006 19:52:22 -0800
I implemented MARS a few months ago and have been nothing but happy with it.
We are using a freeware product called SNARE to feed our Windows events into
the server so that we can use it to correlate all of our server activities.
It is a bit pricey, but I believe you are getting what you pay for.

-----Original Message-----
From: Damien Dinh [mailto:DDinh@sycuan.com] 
Sent: Wednesday, January 25, 2006 1:59 PM
To: Anton Chuvakin; Adeduwon, Alex A
Cc: firewalls@securityfocus.com
Subject: RE: Correlation Tool

Protego (now Cisco MARS) and TriGeo are two commercial products if you
want to go $$ route.  They will correlate events from other network
devices and host-based intrusion products beyond just firewall and IDS
logs.  I'm just now implementing MARS.  You are welcome to email me if
you have any questions.

Cheers,
Damien Dinh
ddinh@sycuan.com

-----Original Message-----
From: anton.chuvakin@gmail.com [mailto:anton.chuvakin@gmail.com] On
Behalf Of Anton Chuvakin
Sent: Wednesday, January 25, 2006 10:10 AM
To: Adeduwon, Alex A
Cc: firewalls@securityfocus.com
Subject: Re: Correlation Tool

Alex and all,

Does anyone know of tool(s) very suitable for Fw and IDS logs correlation,
reporting and trending?  What I mean is this, if an environment has PIX
firewalls already configured with some custom logging like how many hits on
xyz ports, etc and they want to make meaningful data or report from those
types of statistics.  Or another scenario is to take a string from an IDS
alert/log and dump it for a meaningful output without having to manually
research and crack my brain as to what that alert means.

Well, apart from commercial SIM (SIEM, SEM, whatever) tools that all
do that (to various extent ...), your choices are kinda scarce.

From the open source side, SEC and OSSIM might provide parts of it
[correlation], various firewall and IDS log reporters - more parts
[summary reports]. One can also use Sguil for more real-time alert
investigation, but it relies on having specific types of data and
Snort NIDS alerts.

Tying the stuff together will likely be your own effort... good luck.

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA     http://www.chuvakin.org
http://www.securitywarrior.com
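As an added illustration of the "tie it together yourself" step Anton describes (this is not code from the thread, nor from MARS, SEC, OSSIM or Sguil), the script below parses Cisco PIX 106023 deny lines and Snort fast-format alerts, produces the per-port hit count the original question asks about, and correlates the two sources on source address. All log lines are constructed samples; the signature IDs and messages are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: Cisco PIX syslog message 106023 (ACL deny) lines.
PIX_LOGS = """\
Jan 25 10:01:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40123 dst inside:10.0.0.5/22 by access-group "outside_in"
Jan 25 10:01:05 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40124 dst inside:10.0.0.5/23 by access-group "outside_in"
Jan 25 10:02:11 pix %PIX-4-106023: Deny tcp src outside:198.51.100.9/5150 dst inside:10.0.0.8/22 by access-group "outside_in"
Jan 25 10:03:40 pix %PIX-4-106023: Deny udp src outside:203.0.113.7/53 dst inside:10.0.0.5/161 by access-group "outside_in"
"""
# Constructed sample input: Snort "fast" alert lines (SIDs and messages are invented).
SNORT_ALERTS = """\
01/25-10:01:30.000000 [**] [1:1000001:1] CONSTRUCTED SSH brute force attempt [**] [Priority: 2] {TCP} 203.0.113.7:40125 -> 10.0.0.5:22
01/25-10:05:02.000000 [**] [1:1000002:1] CONSTRUCTED SNMP public community string [**] [Priority: 3] {UDP} 192.0.2.44:3000 -> 10.0.0.5:161
"""

PIX_RE = re.compile(r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
                    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
SNORT_RE = re.compile(r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\].*\{(?P<proto>\w+)\} "
                      r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse(text, regex):
    """Return one dict of named fields per line that matches the given format."""
    records = []
    for line in text.splitlines():
        m = regex.search(line)
        if m:
            records.append(m.groupdict())
    return records

def port_hit_report(denies):
    """Summary report: number of denied hits per protocol/destination port."""
    return Counter(f"{d['proto']}/{d['dport']}" for d in denies)

def correlate(denies, alerts):
    """Join firewall denies and IDS alerts on source address: a source that is both
    hitting blocked ports and tripping IDS signatures is the one to investigate first."""
    denied_by_src = defaultdict(set)
    for d in denies:
        denied_by_src[d["src"]].add(int(d["dport"]))
    hits = {}
    for a in alerts:
        if a["src"] in denied_by_src:
            hits[a["src"]] = {"alert": a["msg"], "sid": a["sid"],
                              "denied_ports": sorted(denied_by_src[a["src"]])}
    return hits

if __name__ == "__main__":
    denies, alerts = parse(PIX_LOGS, PIX_RE), parse(SNORT_ALERTS, SNORT_RE)
    for port, n in port_hit_report(denies).most_common():
        print(f"{port:>8}  {n} denied")
    for src, info in correlate(denies, alerts).items():
        print(f"{src}: {info['alert']} (sid {info['sid']}); also denied on {info['denied_ports']}")
```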
