--- Fabiano <[EMAIL PROTECTED]> wrote:
> Hello, Risto!
>
> Thank you for helping me. I have one more question: is it possible using SEC to match two events generated by SNORT and make a combination of those two events, generating a unique event? e.g., Event A (UDP Portsweep) + Event B (TCP Portsweep) = Event C (UDP and TCP Portsweep)? And if so, can I use the BASE tool for showing that combination of events?
>
Yes - there are two rules (Pair and PairWithWindow) for pairwise event correlation. Also, you can correlate event pairs by other means (like contexts). As for BASE - I have never used this application and have no idea what kind of input it accepts, but SEC can produce output in a wide variety of ways (executing custom command lines, writing to files and pipes, etc.). So if any of these ways is good for BASE, the answer is yes.

br,
risto

> Thank you again.
>
> Fabiano
>
> Risto Vaarandi <[EMAIL PROTECTED]> wrote:
> --- Fabiano wrote:
> >
> > Hello, everyone!
> >
> > I'm studying SEC concepts and usage for event correlation but I'm still looking for a way to understand the integration of SEC with SNORT. I know how to install SEC but how can I configure it to make an integration with SNORT and correlate its events? There's a file called 'snort.sec' at http://www.bleedingthreats.net/sec/. How can I configure this to work exactly the way it should be?
> >
> > I'm sorry but I did not find a way to do it and that's why I need some help. Really thanks for the support.
> >
> The integration is relatively straightforward - SEC is able to correlate events in real-time from any log file, and Snort can be configured to log its events via syslog.
> For the integration, you have to follow these simple steps:
>
> 1) check your snort configuration file (like /etc/snort/snort.conf) and add a directive for setting up syslog logging, for example:
> output alert_syslog: log_auth log_alert
> (log snort events with the syslog facility 'auth' and level 'alert'),
> 2) check your syslog server configuration and find which log file snort events will be written to (e.g., on Linux platform events with the facility 'auth' are often written to /var/log/secure),
> 3) configure sec to monitor this log file (e.g., by adding -input=/var/log/secure to sec's command line options)
>
> The sample rule file at the SEC rule repository should work for most syslog servers. If you would like to see some examples with a more detailed explanation, check this paper:
> http://en.hakin9.org/attachments/pdf/hakin9_05_2006_10_EN_str28-39.pdf
>
> hth,
> risto
>
> > Fabiano
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
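The A + B = C correlation asked about in this thread, written as a SEC Pair rule. This is an added example, not code from Risto's reply or from the snort.sec file in the SEC rule repository; the log path, the output file name and the exact Snort syslog line format are assumptions, and the two sample log lines are constructed.

```sec
# Added example (not from the thread or from the repository's snort.sec).
# Assumed input: Snort logging via "output alert_syslog: log_auth log_alert",
# with facility 'auth' written to /var/log/secure. Constructed sample lines:
#   Feb  1 10:00:01 ids snort[4242]: [122:19:1] (portscan) UDP Portsweep {PROTO:255} 10.1.2.3 -> 192.168.0.20
#   Feb  1 10:02:37 ids snort[4242]: [122:3:1] (portscan) TCP Portsweep {PROTO:255} 10.1.2.3 -> 192.168.0.21
# Run with:  sec -conf=portsweep.sec -input=/var/log/secure

# Event A: UDP Portsweep. $1 captures the scanning source address; using it in
# "desc" keys the correlation operation on that address, so sweeps from
# different sources are tracked separately instead of being paired together.
type=Pair
ptype=RegExp
pattern=snort\[\d+\]: .*\(portscan\) UDP Portsweep .*? (\d{1,3}(?:\.\d{1,3}){3}) ->
desc=UDP Portsweep from $1
action=none
# Event B: TCP Portsweep from the same source. $1 from the first match is
# substituted into pattern2 when the operation starts (the dots in the address
# then act as regex wildcards, which is acceptable for this purpose).
ptype2=RegExp
pattern2=snort\[\d+\]: .*\(portscan\) TCP Portsweep .*? $1 ->
desc2=UDP and TCP Portsweep from $1
# Event C: one combined line, written to a file that a downstream tool can read;
# 'pipe' or 'shellcmd' would feed another program instead.
action2=write /var/log/snort-combined.log Event C: UDP and TCP Portsweep from $1
# Event B must arrive within 5 minutes of Event A, otherwise the operation ends
# without output (PairWithWindow is the rule to use if you also want an action
# when B does not arrive in time).
window=300

# A mirror rule with the two patterns swapped covers the case where the TCP
# sweep is logged before the UDP one.
```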
