[Discussion] OSSIM and Sig Reliability

Matt Jonkman jonkman at jonkmans.com
Sun Mar 1 10:43:42 EST 2009


I definitely like this too. But it's way into post processing. Out of
our immediate scope.

But what information could the engine provide to help the event manager
make these decisions? Surely there's something it could help with?

Maybe on the behavioral note the engine could start full captures or
something when suspicious things happen so the analyst would immediately
have more context?

Matt


> First of Kevin's ideas:
> 
> Ossim (http://www.ossim.net/) has an interesting use of the reliability
> of the sig, the priority of the host and some other things to assign a
> risk to the attack. Using a similar system, individual signatures can be
> given a reliability, which could mean sure-fire attacks are flagged
> immediately while unreliable signatures are not flagged immediately
> until other factors are met. For instance, under ossim you can basically
> say (in an xml directive) if there are these snort sids it is a
> reliability of 3, and if these snort sigs appear +2, if it is persistent
> (for a set time) +1, and if a web page error message appears +1, and so
> on. Using such a system could mean false positives can automatically be
> lowered while making more reliable attacks against priority resources
> and the events related to that attack available to the analyst (being
> able to define the priority of an asset such as a server farm in
> comparison to the secretary's desktop would be useful). Also, things like
> if the attack was blocked by IPS or even a firewall, if the logs are
> available that the attack was mitigated, the risk level can be reduced.
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
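The directive-style correlation described in the quoted mail, written out as a small added example (not code from OSSIM, Emerging Threats, or anyone on this thread): a base reliability once trigger sids fire, bonuses for corroborating sigs, persistence and a web error, a penalty when an IPS/firewall log shows the attack was blocked, and a risk that scales reliability by the target asset's priority. The sids, asset priorities, event layout and the risk formula are all constructed for illustration.

```python
from collections import defaultdict

# Constructed directive in the spirit of an OSSIM XML directive; every
# number here is illustrative, not OSSIM's own scoring.
DIRECTIVE = {
    "trigger_sids": {2001001, 2001002},  # constructed "sure-fire" Snort sids
    "base_reliability": 3,               # reliability once a trigger sid fires
    "corroborating_sids": {2002001},     # other sigs appear: +2
    "corroboration_bonus": 2,
    "persistence_window": 300,           # activity persists this long (s): +1
    "persistence_bonus": 1,
    "web_error_bonus": 1,                # web server error message appears: +1
    "mitigated_penalty": 2,              # IPS/firewall log shows a block: -2
}
# Asset priority, constructed: the server farm host outranks a desktop.
ASSET_PRIORITY = {"10.0.0.5": 5, "10.0.0.50": 1}

def score_attacks(events, directive=DIRECTIVE, priority=ASSET_PRIORITY):
    # Correlate per (src, dst); return {(src, dst): reliability, risk, flag}.
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["dst"])].append(ev)
    results = {}
    for pair, evs in groups.items():
        sids = {e.get("sid") for e in evs if e["kind"] == "snort"}
        if not sids & directive["trigger_sids"]:
            continue                     # no trigger sid: not flagged yet
        r = directive["base_reliability"]
        if sids & directive["corroborating_sids"]:
            r += directive["corroboration_bonus"]
        times = [e["ts"] for e in evs]
        if max(times) - min(times) >= directive["persistence_window"]:
            r += directive["persistence_bonus"]
        if any(e["kind"] == "web_error" for e in evs):
            r += directive["web_error_bonus"]
        if any(e["kind"] == "ips" and e.get("blocked") for e in evs):
            r -= directive["mitigated_penalty"]
        r = max(0, min(10, r))           # reliability clamped to 0..10
        risk = r * priority.get(pair[1], 1) / 5   # hypothetical 0..10 scale
        results[pair] = {"reliability": r, "risk": risk, "flag": risk >= 5}
    return results

# Constructed feed: corroborated attack on the server, blocked probe on the
# desktop, and a lone corroborating sig with no trigger sid.
SAMPLE_EVENTS = [
    {"ts": 0,   "src": "203.0.113.7",  "dst": "10.0.0.5",  "kind": "snort", "sid": 2001001},
    {"ts": 100, "src": "203.0.113.7",  "dst": "10.0.0.5",  "kind": "snort", "sid": 2002001},
    {"ts": 400, "src": "203.0.113.7",  "dst": "10.0.0.5",  "kind": "snort", "sid": 2001002},
    {"ts": 410, "src": "203.0.113.7",  "dst": "10.0.0.5",  "kind": "web_error"},
    {"ts": 0,   "src": "198.51.100.9", "dst": "10.0.0.50", "kind": "snort", "sid": 2001001},
    {"ts": 1,   "src": "198.51.100.9", "dst": "10.0.0.50", "kind": "ips", "blocked": True},
    {"ts": 0,   "src": "192.0.2.3",    "dst": "10.0.0.5",  "kind": "snort", "sid": 2002001},
]
```

Running score_attacks(SAMPLE_EVENTS) flags only the server attack (reliability 7, risk 7.0); the blocked desktop probe drops to reliability 1, and the lone non-trigger sig is not scored at all.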
