Analyzer is a great tool.  I would recommend it to anyone using an IDS.

Regards,
Cade Cairns

On Tue, 26 Nov 2002, Johnny Stork wrote:

> Been watching the growth of improved, statistical/correlational models of analyzing
> IDS/Firewall logs.....I will be setting up the Deepsight client on my IDS/Firewall
> and can post my experiences if others are interested. Symantec and SecurityFocus seem
> to be the primary developers
>
> >
> > -----Original message-----
> > From: "Oliver Friedrichs"
> > To: [EMAIL PROTECTED]
> > Date: 11/18/2002(Mon) 05:40pm
> > Subject: DeepSight Analyzer 4.0 Announcement
> >
> > Hi everyone, I wanted to let you know that we have completed the rollout of
> > DeepSight Analyzer 4.0.  As always, the service is available at:
> >
> > http://analyzer.securityfocus.com
> >
> > This release includes a number of significant improvements, and features,
> > that we hope you'll find useful.  A partial list of new features follows:
> >
> > One feature that we added to the system a few months ago now was the
> > ability to receive a daily summary report (via email) of the top events and
> > activity being observed on your network.  This feature has been extremely
> > popular, and provides an easy way to receive daily reports on your event
> > activity.
> >
> > Second, we've added support for a number of additional devices,  including
> > Firewalls, which many of you have been asking for.  The DeepSight Analyzer
> > service now supports the following devices:
> >
> >
> >  Security Device               Versions
> >
> >  BlackIce                      2.0-3.x
> >  Cisco IOS                     12.x
> >  Cisco PIX                     4.2-5.1
> >  Cisco Secure IDS (Netranger)  2.5-3.0
> >  Enterasys Dragon              4.2.2
> >  Firewall-1                    Next Generation, NG
> >  IP Chains                     OS Independent
> >  IPF                           OS Independent
> >  NetProwler                    3.5x
> >  NetScreen                     200, 100, 50, 25, 5XP appliance
> >  RealSecure                    3.1-5.5, 6.00-6.5
> >  Snort                         1.6-1.8.x
> >  Snort Portscan                1.6-1.8.x
> >  ZoneAlarm                     2.6.0
> >
> > A number of improvements have been made to the DeepSight Analyzer website
> > to facilitate the addition of Firewall data, and to improve the system
> > based on your feedback.  These include the following:
> >
> > NEW - User statistics page
> >
> >   The statistics page summarizes the event activity being observed by your
> > sensors by a number of different categories on a single screen. These
> > categories include:
> >
> >   - Top increasing IDS events - A set of graphs depicting the events that
> > are seeing the most significant increase on your network
> >
> >   - Top increasing Port activity - A set of graphs depicting the ports that
> > are seeing the most significant increase on your network
> >
> >   - Top attacked products - The top products being targeted on your
> > network
> >
> >   - Top offending ISPs - The top ISPs from which events targeting your
> > network originate
> >
> >   - Top ports - The top ports your sensors are observing activity on
> >
> >   - Top source IPs - The top source IP addresses from which your sensors
> > are observing activity
> >
> >   - Top countries - The top source countries from which your sensors are
> > observing activity
> >
> >   The majority of these items will also allow you to drill down to view
> > specific events associated with these items.
> >
> > NEW - Events Screen
> >
> >   The "Events" screen has replaced the previous "Incidents" screen. This
> > screen contains a series of sub-options, designed to allow you to view your
> > Intrusion Detection System and Firewall Events rolled up by a number of
> > different categories. These categories are:
> >
> >   - By Event Type - This will allow viewing of events rolled up by unique
> > event type
> >   - By Destination Port - This will allow viewing of events rolled up by
> > unique destination port
> >   - By Source Address - This will allow viewing of events rolled up by
> > unique source address
> >   - By Source Domain - This will allow viewing of events rolled up by
> > unique source domain
> >   - By Source Country - This will allow viewing of events rolled up by
> > unique source country
> >   - By Source ISP - This will allow viewing of events rolled up by unique
> > source ISP
> >   - By Logs - This will allow viewing of events rolled up by the log in
> > which they were uploaded. This will replace the existing upper level "Logs"
> > tab
> >
> > NEW - Report Overhaul
> >
> >   We have overhauled the previous reports to consist of a series of 6
> > summary reports.  These 6 reports provide the same information that was
> > previously available, in a more compact fashion.  The following six reports
> > are available:
> >
> >   - Event Summary
> >
> >   This report provides a breakdown of event and port activity observed by
> > your network intrusion detection and firewall systems. It is helpful in
> > determining which attacks are targeting your network, and determining the
> > trend of this activity. This report consists of multiple pages if both IDS
> > and Firewall events were provided and selected, or a single page if only
> > one of these event types has been provided or selected.
> >
> >   - Origin Summary
> >
> >   This report provides a breakdown of where events targeting your network
> > are originating. It is helpful in determining who is attacking you, and
> > determining the trend of attack activity from each source. This report
> > depicts both IDS and Firewall activity, if events were provided and
> > selected, or only one of these if only one of these event types has been
> > provided or selected.  This report includes:
> >
> >       Top IP(s) targeting your network
> >       Top ISP(s) from which attacks originate
> >       Top Country(s) from which attacks originate
> >
> >   - Category Summary
> >
> >   This report provides a breakdown of event activity by the category or
> > class of events that are targeting your network. This report is useful in
> > determining the type of activity that is most frequently observed targeting
> > your network.
> >
> >   - Target Products
> >
> >   This report provides a breakdown of the products and applications that
> > are being targeted on your network. This knowledge provides you with
> > insight into the possible intent of these events, and precautions that
> > should be taken in protecting these services.
> >
> >   - Event Time
> >
> >   This report provides a breakdown of the timeframe when network security
> > events most commonly occur on your network. Knowledge of when these events
> > occur allows for the tracking of historical activity and the allocation of
> > resources for future planning.
> >
> >   - IP Analysis
> >
> >   This report provides insight into the activity of a single IP address
> > that is targeting your network. This report consists of a number of
> > components that reflect the activity, habits, and applications that the IP
> > address is targeting. In correlating a number of these data points, this
> > report presents the origin of the attacker, and the vulnerabilities and
> > services targeted by the attacker.
> >
> > NEW - Report Configuration Wizard
> >
> >   A new Report Configuration Wizard has replaced the previous report
> > configuration screen in the "Reports" section.  This wizard is intended to
> > simplify the generation of reports, by allowing more flexible selection of
> > reporting criteria. This screen consists of a series of 6 screens, each
> > allowing entry of reporting criteria. This screen contains the same
> > functionality as the previous report configuration screen, with the
> > following additions:
> >
> >   - The ability to specify which IDS sensors you would like to include data
> > from in your report
> >   - The specification of multiple source addresses and source countries to
> > report on
> >   - The specification of multiple destination addresses to report on
> >   - The specification of multiple event categories to report on
> >   - The specification of multiple product categories to report on
> >
> > We hope you like these changes, and continue to use the DeepSight Analyzer
> > service.  Please feel free to send any feedback to:
> >
> > [EMAIL PROTECTED]
> >
> > Thank you!
> >
> > - Oliver
> >
>
>
> ________________________________
> Open Enterprise Solutions
> Open Solutions for an Open World
>
> Johnny Stork, BA
> Calgary, AB
> Canada
>
> http://www.openenterprise.ca
> http://www.open-solutions.ca
>

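The roll-ups the quoted announcement describes (events "By Event Type", "By Destination Port" and "By Source Address", the "top increasing IDS events" trend, and the per-day summary that the daily e-mail report carries) are easy to reproduce locally for a sanity check against what a hosted service reports. The following is an added example, not code from this thread or from the DeepSight Analyzer service: it parses constructed lines in the style of Snort's one-line ("fast") alert output and computes those aggregates. The timestamps, SIDs, message names and addresses in `SAMPLE_ALERTS` are made up for the example, and the `Event` fields and function names are this example's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the style of Snort 1.x one-line ("fast") alerts.
# Timestamps, SIDs and addresses are made up for this example (RFC 5737 ranges).
SAMPLE_ALERTS = """\
11/17-02:14:09.113245  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3345 -> 192.0.2.10:80
11/17-02:15:30.551200  [**] [1:1000002:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.4:41122 -> 192.0.2.10:22
11/17-09:02:11.000010  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3401 -> 192.0.2.11:80
11/18-01:03:45.220000  [**] [1:1000003:1] MS-SQL Worm propagation attempt [**] [Priority: 1] {UDP} 198.51.100.9:1434 -> 192.0.2.10:1434
11/18-01:03:46.220100  [**] [1:1000003:1] MS-SQL Worm propagation attempt [**] [Priority: 1] {UDP} 198.51.100.9:1434 -> 192.0.2.11:1434
11/18-01:03:47.220200  [**] [1:1000003:1] MS-SQL Worm propagation attempt [**] [Priority: 1] {UDP} 198.51.100.12:1434 -> 192.0.2.12:1434
11/18-04:40:02.918331  [**] [1:1000002:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.4:41199 -> 192.0.2.11:22
11/18-11:12:13.000000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3510 -> 192.0.2.10:80
"""

# One fast-alert line: date-time, [**] [gid:sid:rev] msg [**], optional
# classification, priority, {proto} src:sport -> dst:dport.
ALERT_RE = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<time>[\d:.]+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Event:
    day: str        # "MM/DD" as it appears in the alert line
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    dport: int


def parse_alerts(text):
    """Parse fast-alert lines into Event records.

    Lines that do not match the format are skipped rather than aborting the
    whole roll-up: one corrupt line must not hide the rest of the day's data.
    """
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        events.append(Event(
            day=f"{m['month']}/{m['day']}",
            sid=int(m["sid"]), msg=m["msg"], priority=int(m["priority"]),
            proto=m["proto"], src=m["src"], dst=m["dst"], dport=int(m["dport"]),
        ))
    return events


def rollup(events, field):
    """Count events by one field: the 'By Event Type' (msg), 'By Destination
    Port' (dport) and 'By Source Address' (src) views. Ties are broken by the
    field value so the ranking is deterministic from run to run."""
    counts = Counter(getattr(e, field) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))


def top_increasing(events, previous_day, current_day, n=3):
    """Rank event types by the change in count between two days (the
    'top increasing IDS events' idea). Returns (msg, before, after, delta)
    rows, largest increase first; unseen types count as zero."""
    before = Counter(e.msg for e in events if e.day == previous_day)
    after = Counter(e.msg for e in events if e.day == current_day)
    rows = [(msg, before[msg], after[msg], after[msg] - before[msg])
            for msg in set(before) | set(after)]
    return sorted(rows, key=lambda r: (-r[3], r[0]))[:n]


def daily_summary(events, day, n=3):
    """The per-day roll-up a daily summary e-mail would carry."""
    todays = [e for e in events if e.day == day]
    return {
        "day": day,
        "total": len(todays),
        "top_events": rollup(todays, "msg")[:n],
        "top_ports": rollup(todays, "dport")[:n],
        "top_sources": rollup(todays, "src")[:n],
    }


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    print(daily_summary(evs, "11/18"))
    for msg, before, after, delta in top_increasing(evs, "11/17", "11/18"):
        print(f"{delta:+d}  {before} -> {after}  {msg}")
```

Two choices matter when this is run over real sensor output: malformed lines are skipped and the rest still counts, and every ranking breaks ties on the value itself, so two runs over the same log give the same top-N. A trend computed from raw counts, as here, is also only as good as the sensor's signature coverage on both days; a newly enabled rule shows up as a large "increase" on its first day.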