Been watching the growth of improved, statistical/correlational models of analyzing IDS/Firewall logs. I will be setting up the DeepSight client on my IDS/Firewall and can post my experiences if others are interested. Symantec and SecurityFocus seem to be the primary developers.



>
>
> -----Original message-----
> From: "Oliver Friedrichs" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: 11/18/2002(Mon) 05:40pm
> Subject: DeepSight Analyzer 4.0 Announcement
>
> Hi everyone, I wanted to let you know that we have completed the rollout of
> DeepSight Analyzer 4.0. As always, the service is available at:
>
> http://analyzer.securityfocus.com
>
> This release includes a number of significant improvements and features
> that we hope you'll find useful. A partial list of new features follows:
>
> One feature that we added to the system a few months ago now was the
> ability to receive a daily summary report (via email) of the top events and
> activity being observed on your network. This feature has been extremely
> popular, and provides an easy way to receive daily reports on your event
> activity.
>
> Second, we've added support for a number of additional devices, including
> Firewalls, which many of you have been asking for. The DeepSight Analyzer
> service now supports the following devices:
>
>
> Security Device               Versions
>
> BlackIce                      2.0-3.x
> Cisco IOS                     12.x
> Cisco PIX                     4.2-5.1
> Cisco Secure IDS (Netranger)  2.5-3.0
> Enterasys Dragon              4.2.2
> Firewall-1                    Next Generation, NG
> IP Chains                     OS Independent
> IPF                           OS Independent
> NetProwler                    3.5x
> NetScreen                     200, 100, 50, 25, 5XP appliance
> RealSecure                    3.1-5.5, 6.00-6.5
> Snort                         1.6-1.8.x
> Snort Portscan                1.6-1.8.x
> ZoneAlarm                     2.6.0
>
> A number of improvements have been made to the DeepSight Analyzer website
> to facilitate the addition of Firewall data, and to improve the system
> based on your feedback. These include the following:
>
> NEW - User statistics page
>
> The statistics page summarizes the event activity being observed by your
> sensors by a number of different categories on a single screen. These
> categories include:
>
> - Top increasing IDS events - A set of graphs depicting the events that
> are seeing the most significant increase on your network
>
> - Top increasing Port activity - A set of graphs depicting the ports that
> are seeing the most significant increase on your network
>
> - Top attacked products - The top products being targeted on your
> network
>
> - Top offending ISPs - The top ISPs from which events targeting your
> network originate
>
> - Top ports - The top ports your sensors are observing activity on
>
> - Top source IPs - The top source IP addresses from which your sensors
> are observing activity
>
> - Top countries - The top source countries from which your sensors are
> observing activity
>
> The majority of these items will also allow you to drill down to view
> specific events associated with these items.
>
> NEW - Events Screen
>
> The "Events" screen has replaced the previous "Incidents" screen. This
> screen contains a series of sub-options, designed to allow you to view your
> Intrusion Detection System and Firewall Events rolled up by a number of
> different categories. These categories are:
>
> - By Event Type - This will allow viewing of events rolled up by unique
> event type
> - By Destination Port - This will allow viewing of events rolled up by
> unique destination port
> - By Source Address - This will allow viewing of events rolled up by
> unique source address
> - By Source Domain - This will allow viewing of events rolled up by
> unique source domain
> - By Source Country - This will allow viewing of events rolled up by
> unique source country
> - By Source ISP - This will allow viewing of events rolled up by unique
> source ISP
> - By Logs - This will allow viewing of events rolled up by the log in
> which they were uploaded. This will replace the existing upper level "Logs"
> tab
>
> NEW - Report Overhaul
>
> We have overhauled the previous reports to consist of a series of 6
> summary reports. These 6 reports provide the same information that was
> previously available, in a more compact fashion. The following six reports
> are available:
>
> - Event Summary
>
> This report provides a breakdown of event and port activity observed by
> your network intrusion detection and firewall systems. It is helpful in
> determining which attacks are targeting your network, and determining the
> trend of this activity. This report consists of multiple pages if both IDS
> and Firewall events were provided and selected, or a single page if only
> one of these event types has been provided or selected.
>
> - Origin Summary
>
> This report provides a breakdown of where events targeting your network
> are originating. It is helpful in determining who is attacking you, and
> determining the trend of attack activity from each source. This report
> depicts both IDS and Firewall activity, if events were provided and
> selected, or only one of these if only one of these event types has been
> provided or selected. This report includes:
>
> Top IP(s) targeting your network
> Top ISP(s) from which attacks originate
> Top Country(s) from which attacks originate
>
> - Category Summary
>
> This report provides a breakdown of event activity by the category or
> class of events that are targeting your network. This report is useful in
> determining the type of activity that is most frequently observed targeting
> your network.
>
> - Target Products
>
> This report provides a breakdown of the products and applications that
> are being targeted on your network. This knowledge provides you with
> insight into the possible intent of these events, and precautions that
> should be taken in protecting these services.
>
> - Event Time
>
> This report provides a breakdown of the timeframe when network security
> events most commonly occur on your network. Knowledge of when these events
> occur allows for the tracking of historical activity and the allocation of
> resources for future planning.
>
> - IP Analysis
>
> This report provides insight into the activity of a single IP address
> that is targeting your network. This report consists of a number of
> components that reflect the activity, habits, and applications that the IP
> address is targeting. In correlating a number of these data points, this
> report presents the origin of the attacker, and the vulnerabilities and
> services targeted by the attacker.
>
> NEW - Report Configuration Wizard
>
> A new Report Configuration Wizard has replaced the previous report
> configuration screen in the "Reports" section. This wizard is intended to
> simplify the generation of reports, by allowing more flexible selection of
> reporting criteria. This screen consists of a series of 6 screens, each
> allowing entry of reporting criteria. This screen contains the same
> functionality as the previous report configuration screen, with the
> following additions:
>
> - The ability to specify which IDS sensors you would like to include data
> from in your report
> - The specification of multiple source addresses and source countries to
> report on
> - The specification of multiple destination addresses to report on
> - The specification of multiple event categories to report on
> - The specification of multiple product categories to report on
>
> We hope you like these changes, and continue to use the DeepSight Analyzer
> service. Please feel free to send any feedback to:
>
> [EMAIL PROTECTED]
>
> Thank you!
>
> - Oliver
>
>
>
>
>


________________________________
Open Enterprise Solutions
Open Solutions for an Open World

Johnny Stork, BA
Calgary, AB
Canada

http://www.openenterprise.ca
http://www.open-solutions.ca
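As an added illustration, not part of either message and not DeepSight's own code, here is a small Python script that performs the kind of roll-up ("By Event Type", "By Destination Port", "By Source Address") and "top increasing" comparison the announcement describes, over constructed alert lines; the line format, signature names and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample alerts in a simplified "date src -> dst:port signature"
# form (an assumption, not real DeepSight or Snort output).
SAMPLE_LOG = """\
2002-11-17 203.0.113.7 -> 192.0.2.10:80 WEB-IIS cmd.exe access
2002-11-17 203.0.113.7 -> 192.0.2.10:80 WEB-IIS cmd.exe access
2002-11-17 198.51.100.4 -> 192.0.2.11:1434 MS-SQL Worm propagation attempt
2002-11-17 198.51.100.9 -> 192.0.2.12:22 SCAN SSH Version map attempt
2002-11-18 203.0.113.7 -> 192.0.2.10:80 WEB-IIS cmd.exe access
2002-11-18 203.0.113.8 -> 192.0.2.10:80 WEB-IIS cmd.exe access
2002-11-18 198.51.100.4 -> 192.0.2.11:1434 MS-SQL Worm propagation attempt
2002-11-18 198.51.100.5 -> 192.0.2.11:1434 MS-SQL Worm propagation attempt
2002-11-18 198.51.100.6 -> 192.0.2.11:1434 MS-SQL Worm propagation attempt
2002-11-18 198.51.100.6 -> 192.0.2.13:1434 MS-SQL Worm propagation attempt
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<sig>.+)$"
)

def parse_log(text):
    """Parse the constructed alert lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events

def rollup(events, field, day=None):
    """Count events per unique value of `field` (sig, dport, src, ...),
    optionally restricted to one day, like the Analyzer 'By ...' views."""
    return Counter(e[field] for e in events if day is None or e["day"] == day)

def top_increasing(events, field, prev_day, cur_day, n=3):
    """Rank values of `field` by growth from prev_day to cur_day (the
    'top increasing' idea); values first seen on cur_day grow from zero."""
    prev, cur = rollup(events, field, prev_day), rollup(events, field, cur_day)
    rows = [(k, prev[k], cur[k], cur[k] - prev[k]) for k in set(prev) | set(cur)]
    rows.sort(key=lambda r: (-r[3], -r[2], str(r[0])))
    return rows[:n]
```

Each returned row is (value, previous-day count, current-day count, delta), so a signature or source that went from one hit to four is ranked above one that stayed flat.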

