Security Basics mailing list archives

RE: FW/IPS log correlation software
From: "Nathan Sherlock" <nathans () cyberklix com>
Date: Tue, 15 Apr 2008 11:22:14 -0400

As part of our Managed Security Services, we manage multiple enVision platforms and have successfully written alerts 
that correlate IPS/FW logs.

Once you adopt an alert rule creation methodology possible within enVision and research the relevant message IDs, half 
the battle is done - also, testing various scenarios and thresholds is key.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Albert Gonzalez
Sent: Saturday, April 12, 2008 11:54 PM
To: bart knippenberg; Raimar Melchior
Cc: security-basics () securityfocus com
Subject: Re: FW/IPS log correlation software


ArcSight does not do correlation before events are sent to the manager.
Several operations are available at the SmartConnector (agent) level,

    - Parsing
    - Filtering
    - Aggregation and/or BATCH operations.
    - RAW event

Since ArcSight uses a different connector for each data source, it would
be hard to do correlation when the SmartConnector is only parsing/forwarding
Check Point logs, etc... Without the ability to see the other data sources
being collected, it cannot correlate against those events.


Albert Gonzalez, ACSA
http://www.cerveau.us/ || http://distributed.honeynets.org
"Success comes to the person who does today, what you are thinking of doing

On 4/4/08 2:24 AM, "bart knippenberg" <bartknippenberg () gmail com> wrote:

Hello Raimar,

Maybe you can take a look at RSA enVision? This is at the moment
number one for Gartner. From a technical point of view this product is
much better than Cisco MARS or ArcSight. enVision can correlate a huge
amount of logs, has collectors for a lot of products, has a decent
GUI. Logs are not prefiltered when they are stored. (ArcSight does a
correlation before logs are sent from agents or stored in the database).

Best regards

Bart Knippenberg

2008/4/3 Raimar Melchior <raimar.melchior () crocodial de>:
Hello list,

we want a central log station where logs from firewalls, IPS and other
security devices are sent to. All of our components support the syslog
The challenge is to filter and correlate this huge amount of logs. We also
want to create filtering and reports (graphical). The server should have a
graphical frontend (GUI).
We tried the Kiwi syslog server but it doesn't meet our requirements. Any
good enterprise software out there ?
Any suggestions would be very much appreciated.

Many Thanks,

Security Consultant


Köln branch office
Von-der-Wettern-Str. 25
51149 Köln

office: +492203-69923-16
mobile: +49170-2265680
eMail: rm () crocodial de

Registered office: Hamburg
Registered: Amtsgericht Hamburg No. HRB 83456
Management: Wolfgang Dierke, Helmut Hansen, Lutz Klöber

 CROCODIAL SecurityDays 2008:
  Berlin:      16.04.2008          Hamburg:     22.02.2008
              26.09.2008                       05.09.2008
  Bremen:      04.04.2008          Hannover:    18.04.2008
              12.09.2008                       19.09.2008
  Dortmund:    23.10.2008          Köln:        05.06.2008
  Düsseldorf:  10.04.2008

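The replies above describe the two halves of a FW/IPS correlation rule: Albert's list of connector-level operations (parsing, filtering, aggregation) and Nathan's advice to pick the relevant message IDs and test thresholds. The following Python script is an added example, not code from any poster or from enVision or ArcSight. It parses constructed syslog-style lines (the field names, hostnames, signature IDs and addresses are invented for this example), keeps only IPS messages whose signature ID is on a watch list, and raises an alert when the firewall shows at least `threshold` accepted connections from the same source within `window_seconds` of the IPS event. The window and threshold are the knobs Nathan says need testing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog payloads (timestamp, host, key=value pairs).
# Field names and values are invented for this example; they are not the
# output format of any real firewall or IPS product.
FW_LINES = [
    "2008-04-15T11:00:01 fw01 action=accept src=10.1.1.5 dst=192.168.0.20 dport=445",
    "2008-04-15T11:00:02 fw01 action=accept src=10.1.1.5 dst=192.168.0.21 dport=445",
    "2008-04-15T11:00:03 fw01 action=accept src=10.1.1.5 dst=192.168.0.22 dport=445",
    "2008-04-15T11:00:04 fw01 action=drop src=10.1.1.5 dst=192.168.0.23 dport=445",
    "2008-04-15T11:00:10 fw01 action=accept src=10.1.1.9 dst=192.168.0.20 dport=80",
    "2008-04-15T11:30:00 fw01 action=accept src=10.1.1.7 dst=192.168.0.20 dport=445",
]
IPS_LINES = [
    '2008-04-15T11:00:05 ips01 sig_id=2001 msg="SMB probe" src=10.1.1.5 dst=192.168.0.20',
    '2008-04-15T11:00:11 ips01 sig_id=3005 msg="HTTP scan" src=10.1.1.9 dst=192.168.0.20',
    '2008-04-15T11:00:12 ips01 sig_id=2001 msg="SMB probe" src=10.1.1.7 dst=192.168.0.20',
    '2008-04-15T11:00:13 ips01 sig_id=9999 msg="Informational" src=10.1.1.5 dst=192.168.0.20',
]

# Hypothetical watch list: the "relevant message IDs" a rule author has
# decided are worth correlating. 9999 is deliberately left out as noise.
WATCHED_SIG_IDS = {"2001", "3005"}

# key=value tokens; values may be bare or double-quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parsing step: turn one syslog payload into a dict with a datetime."""
    ts_str, host, rest = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts_str), "host": host}
    for key, raw, quoted in KV_RE.findall(rest):
        event[key] = quoted if raw.startswith('"') else raw
    return event


def correlate(fw_lines, ips_lines, window_seconds=60, threshold=3,
              watched_sig_ids=WATCHED_SIG_IDS):
    """Return one alert per IPS event whose source IP also produced at least
    `threshold` accepted firewall connections within +/- window_seconds."""
    fw_events = [parse_line(l) for l in fw_lines]
    # Filtering step: ignore IPS messages whose signature is not on the list.
    ips_events = [e for e in (parse_line(l) for l in ips_lines)
                  if e.get("sig_id") in watched_sig_ids]

    # Aggregation step: index accepted firewall connections by source IP.
    accepts = defaultdict(list)
    for ev in fw_events:
        if ev.get("action") == "accept":
            accepts[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for ips in ips_events:
        src = ips["src"]
        hits = [fw for fw in accepts.get(src, [])
                if abs(fw["ts"] - ips["ts"]) <= window]
        if len(hits) >= threshold:
            alerts.append({
                "src": src,
                "sig_id": ips["sig_id"],
                "msg": ips["msg"],
                "accepted_connections": len(hits),
                "targets": sorted({fw["dst"] for fw in hits}),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(FW_LINES, IPS_LINES):
        print(alert)
```

With the defaults only 10.1.1.5 alerts: it has three accepted connections within a minute of its SMB-probe signature, whereas 10.1.1.9 has one and 10.1.1.7's accepted connection is half an hour away from its IPS event. Loosening the window to an hour with a threshold of one turns all three sources into alerts, which is the kind of threshold tuning Nathan's reply refers to: the same rule logic yields very different alert volumes depending on those two numbers.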
