SupaRice Posted October 4, 2010

I'm looking for a good event correlation device/software. Something that can help reduce the standard information overload you get from the tons of log messages from firewalls, IPS devices, servers, etc. Security-oriented correlation. I've had experience with Cisco's MARS: http://www.cisco.com/en/US/products/ps6241/index.html, which is a great idea that works well in a lab. But in the real world, ummmm, not so much. Not to mention you have to have pretty much all Cisco gear for it to be of any value. And, like everything else they make, it's ridiculously expensive. I've also messed with Splunk, which I think is awesome, but it doesn't really put any intelligent correlation to the information. It just seems to be a better way to sort information. http://www.splunk.com Has anyone used something that they like? The only other ones I know of, which are both really expensive, are RSA enVision and Q1.
Infiltrator Posted October 5, 2010

Don't know if you have heard of Check Point, but it seems to be a good candidate. http://www.checkpoint.com/products/softwar...smartevent.html
SupaRice Posted October 5, 2010

Yeah, I've seen that, but I'm looking more for something equipment-vendor agnostic.
aries_uk Posted December 8, 2012

Hi SupaRice,

You most likely will have this sorted now, but for anybody else who has a similar idea I shall answer anyway. Products such as RSA EnVision, ArcSight, Huntsman, Q1 etc. do not offer any open-source stuff, or any demos/trials, due to the fact that they take a lot of time to set up and will only be supplied with recommended hardware etc.

A good starting point that I would suggest, as in fact I did also: first of all I would download and install Security Onion, which is a Linux distro that comes with SNORT / BroIDS / OSSEC and many other open-source software packages installed, and for the majority already configured. I am also a big fan of Splunk, and in fact a Security Onion app has already been created for Splunk, so with little effort you can get some nice graphs and information etc. from your network. No matter what IDS/IPS you use, you will have to think out and create your own correlation rules (which will take time), due to every environment being different. So depending on how you set up your lab, you can have a SIEM on a shoestring.

Thanks
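The "create your own correlation rules" point above, as an added example that is not code from the thread, from Security Onion or from Splunk: a minimal rule in Python that normalizes firewall and sshd lines from two different sources into one event schema, then raises a single alert when several denies or failed logins from one source IP are followed by an accepted login inside a time window. The log formats, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (a firewall and a Linux host), written for this example.
SAMPLE_LOGS = [
    "2010-10-04T10:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2010-10-04T10:00:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2010-10-04T10:00:05 srv05 sshd: Failed password for root from 203.0.113.7",
    "2010-10-04T10:00:09 srv05 sshd: Failed password for root from 203.0.113.7",
    "2010-10-04T10:00:12 srv05 sshd: Accepted password for root from 203.0.113.7",
    "2010-10-04T10:20:00 srv05 sshd: Failed password for bob from 198.51.100.9",
]

FW_RE = re.compile(r"^(\S+) (\S+) DENY src=(\S+) dst=\S+ dport=\d+$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(line):
    """Map a raw line from either source onto one common event schema."""
    if m := FW_RE.match(line):
        ts, host, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
                "type": "fw_deny", "user": None}
    if m := SSH_RE.match(line):
        ts, host, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
                "type": "ssh_fail" if outcome == "Failed" else "ssh_ok", "user": user}
    return None  # unknown format: leave it for another parser rather than guess

def correlate(lines, window=timedelta(minutes=5), min_events=3):
    """Rule: >= min_events denies/failures from one source IP inside `window`,
    followed by an accepted login from that IP, collapse into ONE alert."""
    recent = defaultdict(deque)  # src IP -> timestamps of negative events
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire events outside the window
            q.popleft()
        if ev["type"] in ("fw_deny", "ssh_fail"):
            q.append(ev["ts"])
        elif ev["type"] == "ssh_ok" and len(q) >= min_events:
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "prior_events": len(q), "at": ev["ts"]})
            q.clear()  # do not re-alert on the same burst
    return alerts
```

The six raw lines reduce to one alert for 203.0.113.7; the lone failure from 198.51.100.9 stays in the raw logs for later searching, which is the overload reduction the thread is after.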