Open source IDS event correlation
Posted by creining | Filed under Security
I’ve been waiting for someone to release an open source solution for correlating between IDS events and vulnerability assessment information. There has been the QuIDScor project released by Qualys themselves but it works only in conjunction with their product Qualysguard. The other attempts at IDS/VA correlation that I know of are commercial and include Sourcefire’s RNA and Tenable’s NeVO. Oh yea, there’s Brian Caswell’s, err simplistic, honeysuckle too.

Well, I saw on the focus-ids list today an announcement for alert verification v0.9.1. From the project homepage:

“The verification component of the system is currently implemented as a set of NASL scripts mapped to Snort rules by CVE IDs. When a rule is triggered, the suspect packet and associated event data is queued for verification. A separate thread processes queued unverified alerts by running an associated NASL script against the target host to test for the presence or absence of the vulnerability corresponding to the detected attack. If the NASL script determines that the vulnerability does exist on the target host, the alert is marked as having been verified. If the NASL script determines that the vulnerability does not exist, the alert is marked as unverified. Finally, if no NASL script corresponding to the detected attack is found, the alert is marked as unverifiable. The alert is then released back to the Snort engine.”

I wonder what sort of performance impact this patch to snort 2.0.2 has? And there are other considerations to take into account especially on a production network as you *are* actively running Nessus against hosts. Cool stuff though.
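As an added example (not code from this post or from the alert verification project), here is a small Python model of the queue-and-mark workflow quoted above: alerts carry a CVE reference, a registry maps CVE IDs to verification checks, and each queued alert is released as verified, unverified or unverifiable. The CVE IDs and host inventory are constructed placeholders, and the checks answer from that inline inventory instead of running NASL scripts against hosts.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

VERIFIED, UNVERIFIED, UNVERIFIABLE = "verified", "unverified", "unverifiable"


@dataclass
class Alert:
    sid: int              # Snort rule id that fired
    cve: Optional[str]    # CVE reference carried by the rule, if any
    target: str           # destination host of the suspect packet
    status: str = "pending"


# A check takes the target host and returns True if the vulnerability is
# present. These stand in for the NASL scripts and only consult the
# constructed inventory below; nothing is probed.
CheckFn = Callable[[str], bool]

INVENTORY: Dict[str, set] = {   # constructed: placeholder CVE -> hosts known vulnerable
    "CVE-YYYY-0001": {"10.0.0.5"},
    "CVE-YYYY-0002": set(),
}


def make_check(cve: str) -> CheckFn:
    return lambda host: host in INVENTORY[cve]


class Verifier:
    """Holds alerts awaiting verification and marks each one before release."""

    def __init__(self, checks: Dict[str, CheckFn]):
        self.checks = checks
        self.queue: deque = deque()

    def enqueue(self, alert: Alert) -> None:
        self.queue.append(alert)

    def process(self) -> List[Alert]:
        released = []
        while self.queue:
            alert = self.queue.popleft()
            check = self.checks.get(alert.cve) if alert.cve else None
            if check is None:
                alert.status = UNVERIFIABLE      # no script mapped to this rule
            else:
                try:
                    alert.status = VERIFIED if check(alert.target) else UNVERIFIED
                except Exception:
                    alert.status = UNVERIFIABLE  # check could not run (e.g. host unreachable)
            released.append(alert)
        return released


def run_demo() -> Dict[int, str]:
    v = Verifier({cve: make_check(cve) for cve in INVENTORY})
    for a in (Alert(1001, "CVE-YYYY-0001", "10.0.0.5"),
              Alert(1002, "CVE-YYYY-0002", "10.0.0.5"),
              Alert(1003, None, "10.0.0.9")):
        v.enqueue(a)
    return {a.sid: a.status for a in v.process()}
```

In a real deployment the check would be the scan itself, which is exactly the production-network cost the post raises.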