[Snort-users] Correlation on Snort Events

Jason Brvenik jasonb at ...1935...
Tue Sep 6 06:20:24 EDT 2005

Kamal Ahmed wrote:
> Hi,
> What snort can do is (as per my understanding) is to generate events
> based on rules, or to sniff/snoop network traffic, this is all well and
> good, but I do not see a person going thru every log message to find out
> meaningful information, regarding what the packet actually meant to do
> (in case of any intrusion type attack). Is there a correlation engine ,
> which can have rules like:

That is exactly what intrusion analysts do. Correlation engines do exist 
  for the larger effort. For Open Source you might want to check out ossim.

> If message A is received which contains X text, and within N amount of
> time another message B is received on the wire, containing Y text ,
> generate an log message , and also send an e-mail to (let's say Security
> Administrator)

You can already achieve this in large part within snort itself by using 
flowbits. The time constraint is pretty useless for detecting actual 
attackers and for automated events is generally not needed.

More information about the Snort-users mailing list