Snort mailing list archives
RE: Event-Correlation & avoiding false positives
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Mon, 7 Jun 2004 11:14:38 -0500
The best thing that can be done is to create some sort of database that matches vulnerable versions of software to rules, and then maps those to systems/subnets/etc... Then... Let Snort alert on anything that may matter to you, and use your database to filter out falses. Not sure vulnerability scans would be as valuable as mapping rules to application versions... Problem is, not many people are doing this well out there. And with the number of rules that roll in, a centralized effort with some sort of standardized naming/versioning is about the only way to do it without going bald and having a stroke.

-----Original Message-----
From: Maetzky, Steffen (Extern) [mailto:Steffen.Maetzky () gedas de]
Sent: Monday, June 07, 2004 3:32 AM
To: 'Snort-User (snort-users () lists sourceforge net)'
Subject: [Snort-users] Event-Correlation & avoiding false positives

Hi,

Does anyone know a possibility to make a kind of automated event correlation? I'm searching for a possibility that allows me to make something like that:

1. make vulnerability scans in a specified period
2. comparison to events
3. delete actions/events for which our network isn't vulnerable

Thanks in advance,
Steffen

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
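Added example, not part of the original thread or of Snort itself: a small Python sketch of the two-step filter Chad describes (rule -> vulnerable software version, host -> installed software), applied to Snort "fast" alert lines the way Steffen wants scan results compared against events. The asset inventory, the rule SIDs (kept in the local range, so they are not real Snort rules), the version ranges and the alert lines are all constructed for illustration. The one design point worth copying is that an alert is only suppressed when the destination host is inventoried and known not to run a vulnerable version; an unmapped rule or an unknown host keeps the alert, so gaps in the database cost you noise rather than a missed attack.

```python
"""Suppress Snort alerts whose destination host cannot be vulnerable.

Added example. Asset data, SIDs and the rule-to-version mapping below are
constructed for illustration and do not describe real hosts or rules.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory: host IP -> {product: installed version}.
# In practice this is fed from a CMDB or from periodic scan results.
ASSETS: Dict[str, Dict[str, str]] = {
    "192.168.1.10": {"apache": "2.0.55"},  # patched web server
    "192.168.1.11": {"apache": "2.0.49"},  # unpatched web server
    "192.168.1.20": {"openssh": "3.9p1"},  # SSH host, no web server
}

# Constructed mapping: SID -> (product, version range the rule matters for).
# SIDs >= 1000000 are the local-rule range; these are not real Snort rules.
RULE_VULN_MAP: Dict[int, List[Tuple[str, str]]] = {
    1000001: [("apache", "<2.0.50")],
    1000002: [("openssh", "<3.9p1")],
}

# Snort fast format: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one fast-format alert line, or None if unparsable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """Crude comparable key: every digit run in order ('3.9p1' -> (3, 9, 1)).
    Fine for dotted versions; real products need product-specific parsing."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def matches_spec(version: str, spec: str) -> bool:
    """Test an installed version against a spec such as '<2.0.50' or '==3.9p1'."""
    m = re.match(r"^(<=|>=|==|<|>)?\s*(\S+)$", spec)
    if not m:
        raise ValueError(f"bad version spec: {spec!r}")
    op, target = m.group(1) or "==", version_key(m.group(2))
    have = version_key(version)
    return {"<": have < target, "<=": have <= target, "==": have == target,
            ">=": have >= target, ">": have > target}[op]


def host_verdict(dst_ip: str, sid: int) -> str:
    """'vulnerable', 'not_vulnerable' or 'unknown'; only the middle one suppresses."""
    specs = RULE_VULN_MAP.get(sid)
    inventory = ASSETS.get(dst_ip)
    if specs is None or inventory is None:
        return "unknown"  # unmapped rule or uninventoried host: keep the alert
    installed = [(p, s) for p, s in specs if p in inventory]
    if not installed:
        # Assumes the inventory is complete: a host that does not run the
        # product the rule targets is not exposed by that rule.
        return "not_vulnerable"
    if any(matches_spec(inventory[p], s) for p, s in installed):
        return "vulnerable"
    return "not_vulnerable"


def triage(lines: List[str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Split alerts into keep / suppress; unparsable lines are kept as well."""
    out: Dict[str, List[Tuple[int, str, str]]] = {"keep": [], "suppress": []}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            out["keep"].append((0, "", "unparsed"))
            continue
        verdict = host_verdict(alert["dst"], alert["sid"])
        bucket = "suppress" if verdict == "not_vulnerable" else "keep"
        out[bucket].append((alert["sid"], alert["dst"], verdict))
    return out


# Constructed alert lines in Snort fast format (no real traffic or rules).
_TAIL = "[**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
SAMPLE_ALERTS = [
    "06/07-11:14:38.000001  [**] [1:1000001:1] LOCAL apache request overflow " + _TAIL + "10.9.0.5:44321 -> 192.168.1.11:80",
    "06/07-11:14:39.000002  [**] [1:1000001:1] LOCAL apache request overflow " + _TAIL + "10.9.0.5:44322 -> 192.168.1.10:80",
    "06/07-11:14:40.000003  [**] [1:1000001:1] LOCAL apache request overflow " + _TAIL + "10.9.0.5:44323 -> 192.168.1.20:80",
    "06/07-11:14:41.000004  [**] [1:1000002:1] LOCAL openssh banner probe " + _TAIL + "10.9.0.5:44324 -> 192.168.1.20:22",
    "06/07-11:14:42.000005  [**] [1:1000001:1] LOCAL apache request overflow " + _TAIL + "10.9.0.5:44325 -> 10.9.9.9:80",
    "06/07-11:14:43.000006  [**] [1:1000003:1] LOCAL unmapped rule " + _TAIL + "10.9.0.5:44326 -> 192.168.1.10:80",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        for sid, dst, verdict in items:
            print(f"{bucket:8s} sid={sid} dst={dst} ({verdict})")
```

Of the six constructed alerts, three are suppressed (patched Apache, a host with no Apache at all, and OpenSSH already at the fixed version) and three are kept: the genuinely exposed host, the host missing from the inventory, and the rule nobody has mapped yet. The last two are the cases Chad's "centralized effort" would have to chip away at; until they are mapped, the analyst still sees them.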
Current thread:
- Event-Correlation & avoiding false positives Maetzky, Steffen (Extern) (Jun 07)
- <Possible follow-ups>
- RE: Event-Correlation & avoiding false positives Kreimendahl, Chad J (Jun 07)
- RE: Event-Correlation & avoiding false positives Eric Hines (Jun 07)
- Re: Event-Correlation & avoiding false positives Brian (Jun 07)
- RE: Event-Correlation & avoiding false positives Eric Hines (Jun 07)
- RE: Event-Correlation & avoiding false positives hugh_fraser (Jun 08)
- Re: Event-Correlation & avoiding false positives DK (Jun 08)
