[Discussion] Multi-tiered detection, and some feature suggestions

Richard Bejtlich taosecurity at gmail.com
Thu Oct 30 16:35:26 UTC 2008


On Wed, Oct 29, 2008 at 2:39 PM, David J. Bianco <david at vorant.com> wrote:
> In my organization, we're collecting lots of network forensic information to
> support our intrusion analysis process.
...
> I would like to put that here for discussion, but I'd also like to extend it
> to include the capability of an analyst to flag "indicators" that might
> tie an attacker's various attempts together.  For example, two attacks
> that originate from the same IP might reasonably be considered related,
> even if they are separated by days, weeks or months.  If we find two pieces
> of malware exfiltrating data to the same DNS name, it's a good bet they're
> under the same control.  Email addresses, attachment names, URL patterns...
> there are probably a lot of different types of indicators I'm not even
> considering.
>
> I'd like to see a system that could keep track of indicators, tie them to
> specific "incidents", and then flag additional uses of these same indicators,
> either in future or historical occurrences, including situations where the
> historical events weren't flagged as security alerts at the time.
>

David and everyone,

I think Splunk can serve this function:

http://marc.info/?l=sguil-users&m=122468353412622&w=2

However, I realize Splunk is not free.  SplunkBase applications are,
since they are released through the Creative Commons license.

Sincerely,

Richard
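The indicator-tracking capability David describes above (tie indicators to incidents, then flag every other use of them, in new events and in historical events that never raised an alert at the time, and treat incidents that share an indicator as related) can be sketched in a few dozen lines. The following is an example added here for illustration; it is not code from the original thread, from Sguil, or from Splunk. All incident ids, IP addresses, hostnames and event records are constructed sample data (documentation ranges and example domains), and the event shape, a dict of observed attributes keyed by indicator type, is an assumption.

```python
"""Indicator store with live matching, retroactive search and incident linking.

Example code, not part of the original mailing-list post. Every value below
is constructed sample data (RFC 5737 addresses, example.* names).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "dns", "email", "attachment", ...
    value: str   # normalised (lower-cased) observed value


@dataclass
class Event:
    ts: str
    fields: dict          # observed attributes keyed by indicator kind (assumed shape)
    alerted: bool = False  # did any rule fire when this event was recorded?


class IndicatorStore:
    """Maps each indicator to the set of incident ids an analyst tied it to."""

    def __init__(self):
        self._by_indicator = defaultdict(set)

    def tag(self, incident_id, kind, value):
        # Lower-casing gives case-insensitive matching on names and addresses.
        self._by_indicator[Indicator(kind, value.lower())].add(incident_id)

    def match(self, event):
        """Return {Indicator: {incident ids}} for every known indicator in the event."""
        hits = {}
        for kind, value in event.fields.items():
            ind = Indicator(kind, str(value).lower())
            if ind in self._by_indicator:
                hits[ind] = set(self._by_indicator[ind])
        return hits

    def incident_sets(self):
        return list(self._by_indicator.values())


def retro_search(store, history):
    """Historical tier: re-check stored events, including ones that never alerted."""
    findings = []
    for ev in history:
        hits = store.match(ev)
        if hits:
            findings.append((ev, hits))
    return findings


def link_incidents(store, findings):
    """Group incidents that share an indicator directly, or that both match
    the same event (union-find over incident ids)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(ids):
        ids = sorted(ids)
        for i in ids:
            find(i)                      # register singletons too
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    for incidents in store.incident_sets():
        union(incidents)
    for _ev, hits in findings:
        union(set().union(*hits.values()))
    groups = defaultdict(set)
    for inc in parent:
        groups[find(inc)].add(inc)
    return sorted(sorted(g) for g in groups.values())


def build_demo_store():
    store = IndicatorStore()
    store.tag("INC-2008-01", "ip", "203.0.113.7")
    store.tag("INC-2008-01", "dns", "c2.example.org")
    store.tag("INC-2008-02", "attachment", "invoice.pdf.exe")
    return store


# Constructed history: the first event never alerted but touches a known IP.
SAMPLE_HISTORY = [
    Event("2008-09-01", {"ip": "203.0.113.7", "dns": "updates.example.net"}),
    Event("2008-10-15", {"email": "payroll@example.com",
                         "attachment": "Invoice.PDF.EXE"}, alerted=True),
    Event("2008-10-20", {"ip": "198.51.100.4"}),
    Event("2008-10-29", {"dns": "C2.example.org", "attachment": "invoice.pdf.exe"}),
]


def run_demo():
    store = build_demo_store()
    findings = retro_search(store, SAMPLE_HISTORY)
    return {
        "flagged_ts": [ev.ts for ev, _ in findings],
        "missed_at_the_time": [ev.ts for ev, _ in findings if not ev.alerted],
        "linked": link_incidents(store, findings),
    }


if __name__ == "__main__":
    print(run_demo())
```

The same `match()` call serves both tiers: run it on each new event as it arrives, and run `retro_search()` over the archive whenever an analyst adds an indicator, so old traffic that matched nothing when it was recorded is surfaced now. The last sample event matches indicators from two different incidents, which is what links them.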


