[Snort-users] Correlation on Snort Events
jasonb at ...1935...
Tue Sep 6 06:20:24 EDT 2005
Kamal Ahmed wrote:
> What snort can do (as per my understanding) is to generate events
> based on rules, or to sniff/snoop network traffic, this is all well and
> good, but I do not see a person going thru every log message to find out
> meaningful information, regarding what the packet actually meant to do
> (in case of any intrusion type attack). Is there a correlation engine,
> which can have rules like:
That is exactly what intrusion analysts do. Correlation engines do exist
for the larger effort. For Open Source you might want to check out ossim.
> If message A is received which contains X text, and within N amount of
> time another message B is received on the wire, containing Y text,
> generate a log message, and also send an e-mail to (let's say Security
You can already achieve this in large part within snort itself by using
flowbits. The time constraint is pretty useless for detecting actual
attackers and for automated events is generally not needed.
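As an added illustration of the flowbits approach mentioned above (not part of the original reply), here is a pair of Snort 2 rules in which the first rule records that "message A" was seen on a flow without alerting, and the second alerts only if "message B" then arrives on the same flow. The content strings, port, flag name and SIDs are constructed placeholders.

```snort
# Stage A: note that the first pattern was seen, but do not alert on it alone.
# The flag "example.stageA" is scoped to this TCP session, not to the whole sensor.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE stage A seen (X text)"; flow:to_server,established; content:"X text"; flowbits:set,example.stageA; flowbits:noalert; sid:1000001; rev:1;)

# Stage B: alert only when the second pattern arrives on a flow where stage A was already set.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE stage A followed by stage B (Y text)"; flow:to_server,established; content:"Y text"; flowbits:isset,example.stageA; sid:1000002; rev:1;)
```

Because flowbits live only as long as the flow, the correlation covers the lifetime of that session rather than a fixed N-second window, and correlating across different flows or hosts still needs an external engine such as the one mentioned above.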