Re: Event-Correlation& avoiding false positives

[DK <dk () ossim net>]

Hi.

I mentioned this a couple of months ago on this lists but if you're 
willing to try our server-part I would be glad to hear your results.

At Ossim (http://www.ossim.net) we take the following approach:

1) Every alert / event / whatever has it's own priority and 
reliability. Snort provides the priority, Nessus too. The reliability 
should be adapted to the environment or increased in case of attack 
confirmation.
2) Prescan your hosts / networks.
3) If a Snort alert is being raised for an already identified Nessus 
vulnerability, add priorities and reliabilities (never exceeding 5 & 
10). This way we can get improved alerts (call it alarms) for possible 
vulnerable hosts.

This way we can filter the results providing the end-user with a 
reduced set of alerts but storing every involved event so we can post 
process them.

Greetings,

Dominique

Am 08.06.2004 um 16:32 schrieb <hugh_fraser () dofasco ca>:

> I agree with the author of the perl script mentioned here, who said
>
>         "I don't know about you, but when someone is shooting bullets at
> me, I would like to know they are shooting at me, even if they miss."
>
> With that in mind, I don't disable any alerts in snort based upon a
> profile of our infrastructure. All events seen are collected. I do,
> however, apply some statistics to the events as they happen to identify
> significant changes in behaviour. This allows me to flag changes in
> activity (whether it's an event or a source or destination address), 
> and
> that change is often an indication of some kind of attack. Since I'm
> collecting everything I can collect, the forensic step in an
> investigation has all the information available, but I'm (ideally)
> notified only when there's something to look at.
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Brian
> Sent: Monday, June 07, 2004 2:48 PM
> To: Eric Hines
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Event-Correlation& avoiding false positives
>
>
> On Mon, Jun 07, 2004 at 12:07:41PM -0500, Eric Hines wrote:
> > There are also commercial tools available that correlates Nessus
> > vulnerability scanning with IDS events.
>
> Yep.  And there is a 40 line perl script.
>
> http://www.shmoo.com/~bmc/software/honeysuckle
>
> Brian
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: GNOME Foundation
> Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event. GNOME
> Users and Developers European Conference, 28-30th June in Norway
> http://2004/guadec.org _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: GNOME Foundation
> Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
> GNOME Users and Developers European Conference, 28-30th June in Norway
> http://2004/guadec.org
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list



-------------------------------------------------------
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users