[Discussion] OSSIM and Sig Reliability
Matt Jonkman
jonkman at jonkmans.com
Sun Mar 1 15:15:23 UTC 2009
First of Kevin's ideas:
OSSIM (http://www.ossim.net/) has an interesting use of the reliability
of the sig, the priority of the host and some other things to assign a
risk to the attack. Using a similar system, individual signatures can be
given a reliability, which could mean sure-fire attacks are flagged
immediately while unreliable signatures are not flagged immediately,
until other factors are met. For instance, under OSSIM you can basically
say (in an XML directive): if these snort sids appear, it is a
reliability of 3; if these snort sigs appear, +2; if it is persistent
(for a set time), +1; if a web page error message appears, +1; and so
on. Using such a system could mean false positives can automatically be
lowered while making more reliable attacks against priority resources,
and the events related to that attack, available to the analyst (being
able to define the priority of an asset such as a server farm in
comparison to the secretary's desktop would be useful). Also, for things
like the attack being blocked by an IPS or even a firewall, if logs are
available showing that the attack was mitigated, the risk level can be
reduced.
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
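The escalating directive and asset-weighted risk described in the message above, as an added Python example. This is not OSSIM's own code and not Kevin's; the directive values (sids 1001/1002 open it at reliability 3, sid 2001 adds 2, persistence and a web error add 1 each, a logged IPS/firewall block subtracts 2), the asset priority table, the "flag now" threshold and the sample events are all constructed for illustration. The risk weighting risk = asset * priority * reliability / 25 is the classic OSSIM scaling and is adopted here as an assumption, not quoted from the page.

```python
"""Toy OSSIM-style correlation: reliability escalates as directive levels
match, and risk is scaled by asset priority and logged mitigation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: float                  # seconds since start of the window
    src: str
    dst: str
    kind: str = "ids"          # "ids", "web_error", "ips_block", "fw_block"
    sid: Optional[int] = None  # Snort sid for "ids" events


@dataclass
class Directive:
    name: str
    priority: int              # 0..5, severity of the attack class (assumed scale)
    trigger_sids: Set[int]     # any of these opens the directive
    base_reliability: int      # reliability assigned on trigger (e.g. 3)
    escalate_sids: Set[int]    # +escalate_bonus if one of these follows
    escalate_bonus: int = 2
    persist_seconds: float = 60.0  # +persist_bonus if IDS hits keep coming this long
    persist_bonus: int = 1
    web_error_bonus: int = 1   # +1 when the web server starts returning errors
    mitigated_penalty: int = 2  # reliability drop if an IPS/firewall block is logged


@dataclass
class Incident:
    src: str
    dst: str
    reliability: int
    risk: float
    mitigated: bool
    flag_now: bool


# Constructed asset priorities (0..5): the server farm outranks a desktop.
ASSET_PRIORITY: Dict[str, int] = {"webfarm-01": 5, "secretary-pc": 1}
DEFAULT_ASSET_PRIORITY = 2
FLAG_RISK_THRESHOLD = 4.0  # constructed cut-off for "flag immediately"


def risk_score(priority: int, reliability: int, asset: int) -> float:
    """Asset-weighted risk. Adopts the classic OSSIM weighting (assumed here):
    risk = asset * priority * reliability / 25, so 5 * 5 * 10 maps to 10."""
    return asset * priority * reliability / 25.0


def correlate(events: List[Event], d: Directive) -> List[Incident]:
    """Group events per (src, dst) flow and walk the directive levels."""
    flows: Dict[Tuple[str, str], List[Event]] = {}
    for e in events:
        flows.setdefault((e.src, e.dst), []).append(e)

    incidents: List[Incident] = []
    for (src, dst), evs in flows.items():
        evs.sort(key=lambda e: e.ts)
        trigger = [e for e in evs if e.kind == "ids" and e.sid in d.trigger_sids]
        if not trigger:
            continue  # escalation sids alone never open the directive
        t0 = trigger[0].ts
        after = [e for e in evs if e.ts >= t0]

        reliability = d.base_reliability
        if any(e.kind == "ids" and e.sid in d.escalate_sids for e in after):
            reliability += d.escalate_bonus
        ids_ts = [e.ts for e in after if e.kind == "ids"]  # non-empty: trigger is in it
        if max(ids_ts) - t0 >= d.persist_seconds:
            reliability += d.persist_bonus
        if any(e.kind == "web_error" for e in after):
            reliability += d.web_error_bonus
        mitigated = any(e.kind in ("ips_block", "fw_block") for e in after)
        if mitigated:
            reliability -= d.mitigated_penalty
        reliability = max(0, min(10, reliability))  # OSSIM reliability is 0..10

        asset = ASSET_PRIORITY.get(dst, DEFAULT_ASSET_PRIORITY)
        risk = risk_score(d.priority, reliability, asset)
        incidents.append(Incident(src, dst, reliability, risk, mitigated,
                                  risk >= FLAG_RISK_THRESHOLD))
    return incidents


# Constructed directive: sids 1001/1002 open it at reliability 3, sid 2001 adds 2.
DIRECTIVE = Directive("web-attack-demo", priority=4, trigger_sids={1001, 1002},
                      base_reliability=3, escalate_sids={2001})

# Constructed sample events: one full escalation against the server farm,
# one blocked probe against a desktop, and a lone escalation sid with no trigger.
SAMPLE_EVENTS = [
    Event(0.0, "10.0.0.5", "webfarm-01", sid=1001),
    Event(10.0, "10.0.0.5", "webfarm-01", sid=2001),
    Event(20.0, "10.0.0.5", "webfarm-01", kind="web_error"),
    Event(70.0, "10.0.0.5", "webfarm-01", sid=1001),
    Event(5.0, "10.0.0.9", "secretary-pc", sid=1002),
    Event(6.0, "10.0.0.9", "secretary-pc", kind="ips_block"),
    Event(3.0, "10.0.0.7", "webfarm-01", sid=2001),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS, DIRECTIVE):
        print(inc)
```

Running it shows the point of the scheme: the same opening signature yields risk 5.6 (flagged) against the server farm once the follow-on sid, persistence and web error accrue, but only 0.16 (held) against the desktop where an IPS block was logged, so the analyst sees the high-value incident first and the mitigated one stays in the queue.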