[Snort-users] Correlation resources

Joel Esler jesler at ...1935...
Tue Oct 16 11:11:21 EDT 2012


On Tue, Oct 16, 2012 at 10:53:01AM -0400, Justin wrote:
> Do you guys have any good web resources for how to correlate and research
> events? As in if one gets an event, and wants to check a write up on it,
> what sites are best to use?
> I've seen google groups, seclist.org and http://www.snortid.com, and while
> sometimes I feel the write ups answer my questions well, I sometimes feel as
> if some sig IDs and events may not be documented as well as one would like.
> Especially the ET sigs.
> 
> Is there anywhere that posts in-depth decode analysis of the PCAP files for
> events that are triggered in IDS? 
> Is there anywhere that has maybe an IDS diary (some nice snorter that has
> documented what they have done to definitively know when to tune and when to
> turn off rules)?
> Are there any sites that post maybe a CVE/bug ID to signature correlation?


Not really in the detail that you are looking for yet.  The best bet is, if you don't understand an alert, to write the Snort-sigs list and we'll work with you to explain the situation.  We just require a pcap.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
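The CVE/bug-ID-to-signature correlation asked about above can at least be done locally, because Snort rules carry their own `reference:<system>,<id>;` options. The script below is an added example, not code from this thread, from Sourcefire or from the Snort project: it indexes a set of constructed sample rules (local-range SIDs, placeholder CVE and Bugtraq ids) by SID, inverts that index so a CVE maps back to the SIDs that claim to cover it, and then resolves constructed fast-format alert lines to the rule metadata and reference URLs. The URL prefixes are assumed to mirror the entries in a typical reference.config and should be taken from your own. An alert whose SID is not in the local ruleset is reported as undocumented, which is exactly the case where the pcap goes to the snort-sigs list.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample rules in Snort rule syntax: NOT real VRT or ET rules.
# SIDs sit in the local 1000000+ range and every reference id is a placeholder.
SAMPLE_RULES = r'''
# comment and blank lines are skipped by the parser
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL-WEB placeholder traversal attempt"; flow:to_server,established; content:"/../"; http_uri; reference:cve,2012-0001; reference:url,www.example.invalid/advisory/1; classtype:web-application-attack; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL-SMB placeholder overflow attempt"; flow:to_server,established; content:"|FF|SMB"; reference:cve,2012-0002; reference:bugtraq,99999; classtype:attempted-admin; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL-DNS placeholder query"; content:"example"; classtype:misc-activity; sid:1000003; rev:1;)
'''

# URL prefix per reference system; assumed to match a typical reference.config,
# take the real values from the reference.config shipped with your rules.
REFERENCE_URLS = {
    "cve": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "url": "http://",
}

@dataclass
class RuleMeta:
    sid: int
    rev: int
    msg: str
    classtype: str
    refs: Dict[str, List[str]] = field(default_factory=dict)

    def urls(self) -> List[str]:
        """Expand every reference into a clickable write-up URL."""
        return [REFERENCE_URLS.get(system, "") + ref
                for system, ids in self.refs.items() for ref in ids]

_OPTS = re.compile(r"\((.*)\)\s*$")                      # rule body between ( and )
_SID = re.compile(r"\bsid:\s*(\d+)\s*;")
_REV = re.compile(r"\brev:\s*(\d+)\s*;")
_MSG = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')   # allows escaped quotes
_CLASS = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")
_REF = re.compile(r"\breference:\s*([\w-]+)\s*,\s*([^;]+?)\s*;")

def parse_rules(text: str) -> Dict[int, RuleMeta]:
    """Index rule metadata by SID; lines without a sid option are ignored."""
    rules: Dict[int, RuleMeta] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        body = _OPTS.search(line)
        sid = _SID.search(body.group(1)) if body else None
        if not sid:
            continue
        opts = body.group(1)
        rev, msg, cls = _REV.search(opts), _MSG.search(opts), _CLASS.search(opts)
        meta = RuleMeta(sid=int(sid.group(1)),
                        rev=int(rev.group(1)) if rev else 0,
                        msg=msg.group(1) if msg else "",
                        classtype=cls.group(1) if cls else "")
        for system, ref in _REF.findall(opts):
            meta.refs.setdefault(system.lower(), []).append(ref)
        rules[meta.sid] = meta
    return rules

def cve_to_sids(rules: Dict[int, RuleMeta]) -> Dict[str, List[int]]:
    """Invert the index: which SIDs claim to cover a given CVE id."""
    index: Dict[str, List[int]] = {}
    for meta in rules.values():
        for cve in meta.refs.get("cve", []):
            index.setdefault(cve, []).append(meta.sid)
    return index

_ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")        # [gid:sid:rev] in fast alerts

def correlate(alert_line: str, rules: Dict[int, RuleMeta]) -> Optional[dict]:
    """Resolve one fast-format alert line to its rule metadata and references."""
    m = _ALERT_ID.search(alert_line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.groups())
    meta = rules.get(sid)
    if meta is None:                     # no local rule text: ask snort-sigs with a pcap
        return {"gid": gid, "sid": sid, "rev": rev, "documented": False}
    return {"gid": gid, "sid": sid, "rev": rev, "documented": True,
            "msg": meta.msg, "classtype": meta.classtype,
            "cve": meta.refs.get("cve", []), "urls": meta.urls(),
            "rev_mismatch": rev != meta.rev}   # alert from a stale rule revision

# Constructed alerts in Snort's fast alert format (RFC 5737 test addresses).
SAMPLE_ALERTS = [
    "10/16-11:11:21.000000  [**] [1:1000001:2] LOCAL-WEB placeholder traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51234 -> 192.0.2.10:80",
    "10/16-11:12:02.000000  [**] [1:1000002:1] LOCAL-SMB placeholder overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51240 -> 192.0.2.20:445",
    "10/16-11:12:30.000000  [**] [1:2999999:3] rule not present in the local ruleset [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.9:5353 -> 192.0.2.30:53",
]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for line in SAMPLE_ALERTS:
        print(correlate(line, rules))
    print(cve_to_sids(rules))
```

Point `parse_rules` at the concatenated text of your .rules files and feed `correlate` lines from alert.fast (or the msg/sid fields from unified2 after decoding); the `rev_mismatch` flag catches alerts produced by a rule revision older than the one in your current ruleset, which is a common reason a write-up looked up by SID does not match what fired.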
