Log correlation


  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    Log correlation

    AO contribution could be helpful around here!

    I'm looking for an open source tool that does log correlation.

    Just to clarify, let's take an example.
    The network is composed of 2 segments:
    1- Internal (traffic flows that require an internet connection go through the DMZ...)
    2- DMZ
    Both segments are protected by a firewall (iptables for Linux fans), and by a NIDS (Snort -> rule based).
    DMZ servers are monitored by a host IDS.

    What I'm looking for is a tool that centralizes & correlates all logs to give a synthetic view of what is going on. An obvious case is for instance a simple TCP port DoS attack that could be detected by many IDSs, but getting several logs for the same event pollutes the admin's view.

    Any ideas, folks?

    For those that are interested in correlation, read this http://www.cs.umass.edu/Dienst/Repos...014/postscript
    or this http://www.securityfocus.com/infocus/1231

    I found one on SourceForge but there is nothing developed yet and it started in 2001... (sniff!)
    http://sourceforge.net/projects/opencorrelation/
    SHARING KNOWLEDGE

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Networker: Have different sets of rules for the IDSs. That's what I do. On my internal IDSs I watch for traffic outbound and only the traffic inbound that the firewall would let through. Then on my external IDS I watch for inbound traffic that the firewall blocks. I'm a Windows guy so I used Snare on my servers to send their event logs to a central server via syslog, which is where Snort reports to as well. The firewall is also told to send all its logs to that same log server.

    What I end up with is a chronological picture of each event on the network as it takes place. I use Puresecure to watch for events in real time and use that to trigger closer looks at stuff every day by using the single log file I create.

    The one thing I can't seem to do without spending cash is move the IIS logs to the syslog too.... Now that would be near perfect.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    TigerShark... this might help you with IIS log to syslog.

    http://www.intersectalliance.com/projects/BackLogIIS/

    It is GPL...

    Only a beta though; is that why you aren't using it when you are already using Snare from the same people?

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Thanks Ichni.....

    It either wasn't there when I found Snare or there was something I didn't like (memory seems to say that it only worked for 1 site and I have 5, but I'm dragging that from the depths of an old brain...)

    I'll give it a try and see what happens.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Thanks for the tips Tiger, detection of outbound or inbound traffic depending on where the IDS is located is a good idea!
    That's efficient to cope with a simple DoS attack.

    Let's take another example in a corporate network. Internal flows are separated from the internet thanks to the DMZ. In the case where someone is driving some buffer overflow exploits from one site to the other, correlation software will give me the ability to know who is the target and what PC is the source within a single alarm (& if the source is not in the internal network it can be assumed that the attack is coming from outside).

    The idea is to simplify the readability of centralized logs.
    SHARING KNOWLEDGE
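The correlation asked for in the opening post and in the post above, built on the single central syslog stream the second post describes, as an added example that is not code from the thread, from Snort, Snare or any tool named in it: a small Python correlator that takes constructed syslog lines from a firewall, two Snort sensors and a host IDS, sorts them into one chronological stream, folds alerts about the same source/destination pair that fall within a 30-second window into a single alarm, and flags whether the source lies inside an assumed internal range (10.0.0.0/8). The hostnames, addresses, line formats, window and internal range are all assumptions made up for the example; the line formats only loosely resemble what Snort, iptables or a host IDS actually emit, so the regular expressions would need adjusting for real sensor output.

```python
"""Tiny multi-sensor log correlator (added example, not from the thread).
Log lines, hosts, addresses and formats are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal segment
WINDOW = timedelta(seconds=30)                     # assumed correlation window
ASSUMED_YEAR = 2002                                # BSD syslog lines carry no year

# Constructed central log: four senders, deliberately not in time order,
# plus one line (sshd) that is not an alert and must be ignored.
SAMPLE_LOG = """\
Nov 12 10:00:02 dmz-snort snort[811]: [1:1000001:1] SYN flood to web {TCP} 203.0.113.9:40000 -> 192.0.2.10:80
Nov 12 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80 SYN
Nov 12 10:00:03 int-snort snort[902]: [1:1000001:1] SYN flood to web {TCP} 203.0.113.9:40001 -> 192.0.2.10:80
Nov 12 10:00:04 fw sshd[300]: Accepted publickey for admin from 10.0.0.5
Nov 12 10:00:05 web1 hids[120]: connection flood from 203.0.113.9 to 192.0.2.10:80
Nov 12 10:05:40 int-snort snort[902]: [1:2000002:1] buffer overflow attempt {TCP} 10.1.5.7:51000 -> 192.0.2.20:25
Nov 12 10:05:41 mail1 hids[77]: segfault in smtpd, peer 10.1.5.7 to 192.0.2.20:25
Nov 12 10:20:00 dmz-snort snort[811]: [1:1000001:1] SYN flood to web {TCP} 203.0.113.9:40500 -> 192.0.2.10:80
"""

# Simplified, assumed formats: timestamp host program[pid]: body
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")
SNORT_RE = re.compile(r"\[[\d:]+\] (?P<msg>.+?) \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
IPT_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<dport>\d+)")
HIDS_RE = re.compile(r"(?P<msg>.+?),? (?:from|peer) (?P<src>[\d.]+) to (?P<dst>[\d.]+):(?P<dport>\d+)")


@dataclass
class Event:
    ts: datetime
    sensor: str   # "nids", "firewall" or "hids"
    host: str     # which box reported it
    src: str
    dst: str
    dport: int
    msg: str


def parse_line(line):
    """Normalise one syslog line into an Event, or None if it is not an alert."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_str, host, prog, body = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR} {ts_str}", "%Y %b %d %H:%M:%S")
    if prog == "snort":
        sensor, hit = "nids", SNORT_RE.search(body)
    elif prog == "kernel" and "SRC=" in body:
        sensor, hit = "firewall", IPT_RE.search(body)
    elif prog == "hids":
        sensor, hit = "hids", HIDS_RE.search(body)
    else:
        return None  # sshd and friends are not security sensors here
    if not hit:
        return None
    d = hit.groupdict()
    return Event(ts, sensor, host, d["src"], d["dst"], int(d["dport"]),
                 d.get("msg", "packet logged by firewall"))


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


@dataclass
class Alarm:
    src: str
    dst: str
    first: datetime
    last: datetime
    hosts: set = field(default_factory=set)
    events: list = field(default_factory=list)


def correlate(events, window=WINDOW):
    """Fold events on the same (src, dst) pair within `window` into one alarm."""
    alarms, open_alarms = [], {}
    for ev in sorted(events, key=lambda e: e.ts):   # chronological view first
        key = (ev.src, ev.dst)
        alarm = open_alarms.get(key)
        if alarm is None or ev.ts - alarm.last > window:
            alarm = Alarm(ev.src, ev.dst, ev.ts, ev.ts)  # gap too big: new incident
            alarms.append(alarm)
            open_alarms[key] = alarm
        alarm.last = ev.ts
        alarm.hosts.add(ev.host)
        alarm.events.append(ev)
    return [summarize(a) for a in alarms]


def summarize(alarm):
    return {
        "src": alarm.src,
        "dst": alarm.dst,
        "internal_source": ipaddress.ip_address(alarm.src) in INTERNAL_NET,
        "first": alarm.first.strftime("%H:%M:%S"),
        "last": alarm.last.strftime("%H:%M:%S"),
        "events": len(alarm.events),
        "hosts": sorted(alarm.hosts),
        "messages": sorted({e.msg for e in alarm.events}),
    }


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        where = "INTERNAL" if a["internal_source"] else "EXTERNAL"
        print(f'{a["first"]}-{a["last"]} {where} {a["src"]} -> {a["dst"]}: '
              f'{a["events"]} events from {a["hosts"]}: {"; ".join(a["messages"])}')
```

Run as a script it prints three alarms instead of seven raw lines: the SYN flood seen by the firewall, both Snort sensors and the host IDS collapses into one external alarm with four reports; the overflow attempt against the mail server becomes one alarm marked as coming from an internal PC, which is the single-alarm "who is the target, what is the source" view asked for above; and the repeat of the flood twenty minutes later is kept separate because it falls outside the window. The two knobs that matter are the grouping key and the window: keying on (src, dst) is what deduplicates the same event across sensors, while a window that is too wide would merge unrelated incidents between the same hosts.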

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ichnisan is a genius!!!!!!!! 'Nuff said?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    LOL
