RE: Software to Correlate traffic from various devices

From: Tran Thanh Hai (haitt@fpt.net)
Date: Thu Aug 06 2009 - 08:28:01 CDT


OSSIM is a good option

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Fred H
Sent: Wednesday, August 05, 2009 10:14 PM
To: Adriel T. Desautels; Aseem Kumar
Cc: pen-test@securityfocus.com
Subject: Re: Software to Correlate traffic from various devices

Another option for a big budget is Cisco Mars. It has many templates for
various log input types, as well as the ability to create your own custom
parser.

Fred Hamilton
Information Security Analyst 2
Financial Sector

----- Original Message ----
From: Adriel T. Desautels <ad_lists@netragard.com>
To: Aseem Kumar <kumaraseem@gmail.com>
Cc: pen-test@securityfocus.com
Sent: Thursday, July 30, 2009 2:11:13 PM
Subject: Re: Software to Correlate traffic from various devices

Aseem,
    If you have a big budget (about $200K for ArcSight) and you can afford it,
try ArcSight. It's powerful but requires a lot of work to set up. Once it's
up and running, it really rocks! If you don't have a massive budget, then
try prelude-ids from http://www.prelude-ids.org. It is a very powerful
system that can be used for free, or you can pay for the faster commercial
modules ($10K for the works or something like that). Prelude can take input
from anything, normalize it with minimal to no data loss, and correlate
against it.

On Jul 25, 2009, at 7:06 AM, Aseem Kumar wrote:

> Hi all,
>
> I am looking for an application that will allow me to write logic to
> correlate alerts that can be fed in the format of (device type,alarm
> name(from snort ids specifically) severity level, source ip, source
> port, destination ip, destination port, timestamp & event count) from
> a csv file.
> The application need not be too fancy GUI kind, but one with a simple
> interface but allows me to write logics using complex combinations of
> various fields in various stages.
>
> I have a logging software that logs everything, but its correlation
> part is not reliable. Is anyone aware of any such software? Also not
> looking for very expensive software.
>
>
> Thanks
> Aseem
>
> --
> Love enables you to put your deepest feelings and fears in the palm of
> your partner's hand, knowing they will be handled with care.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require a
> full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
>

    Adriel T. Desautels
    ad_lists@netragard.com
        --------------------------------------

    Subscribe to our blog
        http://snosoft.blogspot.com

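As an added illustration of what Aseem's question asks for, and not code from any of the products or posters in this thread, the following Python sketch reads alerts in the CSV layout he describes (device type, alarm name, severity, source IP/port, destination IP/port, timestamp, event count) and runs two kinds of correlation logic over them: a staged rule (a scan-class Snort alarm on a source/destination pair followed within a window by a high-severity alarm on the same pair) and a threshold rule (summed event counts from one source inside a sliding window). The column names, the sample rows and the thresholds are constructed assumptions for this example; the Snort convention that severity 1 is the most severe is assumed for the sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in the CSV layout from the question (not real alerts).
SAMPLE_CSV = """device_type,alarm_name,severity,src_ip,src_port,dst_ip,dst_port,timestamp,event_count
snort,ICMP PING NMAP,2,10.0.0.5,0,192.168.1.10,0,2009-07-25 07:00:00,1
snort,SCAN nmap TCP,2,10.0.0.5,44321,192.168.1.10,22,2009-07-25 07:00:30,40
snort,WEB-ATTACKS /bin/sh command attempt,1,10.0.0.5,51000,192.168.1.10,80,2009-07-25 07:05:10,1
firewall,DENY,3,10.0.0.9,33000,192.168.1.20,445,2009-07-25 07:06:00,1
snort,SCAN nmap TCP,2,10.0.0.7,40000,192.168.1.30,22,2009-07-25 08:00:00,12
"""


def parse_events(csv_text):
    """Normalize CSV rows into typed event dicts, sorted by timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "device": row["device_type"],
            "alarm": row["alarm_name"],
            "severity": int(row["severity"]),  # assumed Snort-style: 1 = most severe
            "src_ip": row["src_ip"],
            "src_port": int(row["src_port"]),
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "count": int(row["event_count"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def recon_then_exploit(events, window):
    """Stage rule: a scan-class alarm on (src, dst) followed within `window`
    by a severity-1 alarm on the same (src, dst) pair."""
    hits = []
    scan_times = defaultdict(list)  # (src_ip, dst_ip) -> timestamps of scan alarms
    for e in events:
        pair = (e["src_ip"], e["dst_ip"])
        if "SCAN" in e["alarm"].upper():
            scan_times[pair].append(e["ts"])
        elif e["severity"] == 1 and any(e["ts"] - t <= window for t in scan_times[pair]):
            hits.append({"rule": "recon_then_exploit", "src_ip": e["src_ip"],
                         "dst_ip": e["dst_ip"], "alarm": e["alarm"], "ts": e["ts"]})
    return hits


def noisy_source(events, window, threshold):
    """Threshold rule: event_count summed per src_ip over a sliding window.
    Fires once per source so a chatty host does not flood the output."""
    hits = []
    per_src = defaultdict(list)  # src_ip -> [(ts, count), ...] inside the window
    fired = set()
    for e in events:
        bucket = per_src[e["src_ip"]]
        bucket.append((e["ts"], e["count"]))
        bucket[:] = [(t, c) for t, c in bucket if e["ts"] - t <= window]  # expire old entries
        total = sum(c for _, c in bucket)
        if total >= threshold and e["src_ip"] not in fired:
            fired.add(e["src_ip"])
            hits.append({"rule": "noisy_source", "src_ip": e["src_ip"],
                         "total": total, "ts": e["ts"]})
    return hits


def correlate(events, window_minutes=30, threshold=40):
    """Run every rule and return the combined list of correlated alerts."""
    window = timedelta(minutes=window_minutes)
    return recon_then_exploit(events, window) + noisy_source(events, window, threshold)


if __name__ == "__main__":
    for hit in correlate(parse_events(SAMPLE_CSV)):
        print(hit)
```

Each rule is a plain function over the normalized event list, so adding a new stage (for example, a firewall DENY followed by an IDS alarm on the same destination) means adding one more function rather than touching a parser or a GUI, which is the "simple interface, complex logic" shape the question asks for. The window and threshold are the two knobs that most affect false positives in either rule.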