
IDS Event/Incident Tracking

From: Seth Leone <s1leone(at)yahoo.com>
Date: Fri Jul 18 2003 - 03:49:54 EDT


I was wondering aloud to myself the other day how other IDS admins/managers track event-investigation alarms?

As an analyst, once an Event of Interest (EoI) occurs, whether via manual review, notification, or a correlation tool, what is being used to further track this event?

What prompted this thought was my own lack (and, judging from IDS docs and Google searches, the general lack) of a specific tool/add-on. Yes, we have the Sensor, the Database, the SIM tools and well-documented policy and procedures. But what about a tool to record only those EoIs that need follow-up? My SIM and Sensors don't do it (currently)... Yes, I can look up any event in my sensor/SIM database, but I can't query for the events that I investigated either yesterday or last year.

Obvious solutions would be commercial ticket management systems or a roll-your-own script/DB tool, though I haven't seen anything either documented or publicly praised for our field yet.

I work in a distributed NIDS environment and have put together a makeshift DB for investigation/event tracking/reporting, yet it's just another window on my analyst workstation (though my SIM vendor vows to put this type of tool into one of their next releases).

In the meantime, I'm just curious as to how other IDS admins/managers are doing their tracking.

-sal  
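The "roll-your-own script/DB tool" the post mentions is small enough to sketch. The following is an added example, not code from the original poster or from any SIM vendor: a minimal investigation tracker on top of sqlite3 that stores only escalated Events of Interest, keyed back to the sensor/SIM database by sensor name plus event id, and answers the two questions the post says the SIM cannot, namely "what did I investigate yesterday" and "what did I investigate last year". Table and column names, the sensor names, signatures and addresses are all assumed, and the sample investigations are constructed for illustration.

```python
"""Minimal tracker for IDS Events of Interest (EoI) that were escalated for follow-up.

Added example, not code from the original post. Assumes the raw alerts live in a
separate sensor/SIM database and are referenced here only by (sensor, sensor_event).
Uses an in-memory sqlite3 database so it runs offline; all sample data is constructed.
"""
import sqlite3
from datetime import date, datetime, timedelta

# Assumed schema: one row per investigation, never per raw alert.
SCHEMA = """
CREATE TABLE IF NOT EXISTS eoi (
    id           INTEGER PRIMARY KEY,
    sensor       TEXT    NOT NULL,   -- which NIDS sensor raised the alert
    sensor_event INTEGER NOT NULL,   -- row id of the alert in the sensor/SIM database
    signature    TEXT    NOT NULL,
    src_ip       TEXT,
    dst_ip       TEXT,
    analyst      TEXT    NOT NULL,
    opened_at    TEXT    NOT NULL,   -- ISO 8601 timestamp, sorts chronologically
    closed_at    TEXT,               -- NULL while the investigation is still open
    disposition  TEXT,               -- e.g. true_positive, false_positive, benign
    notes        TEXT,
    UNIQUE (sensor, sensor_event)    -- a sensor event is escalated at most once
);
CREATE INDEX IF NOT EXISTS eoi_opened ON eoi (opened_at);
"""


def connect(path=":memory:"):
    """Open (or create) the tracking database and apply the schema."""
    con = sqlite3.connect(path)
    con.row_factory = sqlite3.Row
    con.executescript(SCHEMA)
    return con


def open_eoi(con, sensor, sensor_event, signature, src_ip, dst_ip, analyst, opened_at, notes=""):
    """Record that an alert was escalated to an investigation; returns the new row id.

    Raises sqlite3.IntegrityError if the same sensor event is escalated twice.
    """
    cur = con.execute(
        "INSERT INTO eoi (sensor, sensor_event, signature, src_ip, dst_ip, analyst, opened_at, notes)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (sensor, sensor_event, signature, src_ip, dst_ip, analyst, opened_at.isoformat(), notes),
    )
    con.commit()
    return cur.lastrowid


def close_eoi(con, eoi_id, disposition, closed_at, notes=None):
    """Close an investigation with its outcome; returns True if the row existed."""
    cur = con.execute(
        "UPDATE eoi SET closed_at = ?, disposition = ?, notes = COALESCE(?, notes) WHERE id = ?",
        (closed_at.isoformat(), disposition, notes, eoi_id),
    )
    con.commit()
    return cur.rowcount == 1


def investigated_between(con, start, end):
    """Investigations opened in the half-open interval [start, end)."""
    rows = con.execute(
        "SELECT * FROM eoi WHERE opened_at >= ? AND opened_at < ? ORDER BY opened_at",
        (start.isoformat(), end.isoformat()),
    ).fetchall()
    return [dict(r) for r in rows]


def investigated_on(con, day):
    """Investigations opened on one calendar day (e.g. 'what did I look at yesterday')."""
    start = datetime.combine(day, datetime.min.time())
    return investigated_between(con, start, start + timedelta(days=1))


def open_cases(con):
    """Investigations that still need follow-up."""
    rows = con.execute("SELECT * FROM eoi WHERE closed_at IS NULL ORDER BY opened_at").fetchall()
    return [dict(r) for r in rows]


def repeat_sources(con, min_count=2):
    """Source addresses that were escalated more than once, across sensors and years."""
    rows = con.execute(
        "SELECT src_ip, COUNT(*) AS n FROM eoi GROUP BY src_ip"
        " HAVING COUNT(*) >= ? ORDER BY n DESC, src_ip",
        (min_count,),
    ).fetchall()
    return [(r["src_ip"], r["n"]) for r in rows]


def seed_demo(con):
    """Constructed sample investigations (not real sensor data); returns their ids."""
    a = open_eoi(con, "dmz-1", 40211, "WEB-IIS cmd.exe access", "203.0.113.7", "192.0.2.10",
                 "sal", datetime(2003, 7, 17, 9, 15), "seen during scheduled vuln scan")
    close_eoi(con, a, "false_positive", datetime(2003, 7, 17, 11, 40))
    b = open_eoi(con, "core-2", 7, "SCAN nmap XMAS", "198.51.100.22", "192.0.2.55",
                 "sal", datetime(2002, 3, 4, 14, 2))
    close_eoi(con, b, "true_positive", datetime(2002, 3, 5, 8, 0), "blocked at border router")
    c = open_eoi(con, "dmz-1", 40590, "MS-SQL Worm propagation attempt", "203.0.113.7", "192.0.2.12",
                 "jdoe", datetime(2003, 7, 18, 2, 30))
    return [a, b, c]


if __name__ == "__main__":
    db = connect()
    seed_demo(db)
    print("yesterday:", [r["signature"] for r in investigated_on(db, date(2003, 7, 17))])
    print("last year:", [r["signature"] for r in investigated_between(db, datetime(2002, 1, 1), datetime(2003, 1, 1))])
    print("still open:", [r["sensor_event"] for r in open_cases(db)])
    print("repeat sources:", repeat_sources(db))
```

The UNIQUE constraint on (sensor, sensor_event) is the check worth keeping even in a makeshift tool: it stops two analysts from silently opening parallel investigations of the same alert, and the repeat_sources query is the kind of question only the investigation record can answer, since the raw alert database has no notion of what was actually looked at.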




Received on Fri Jul 18 19:58:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT
