Analyzer is a great tool. I would recommend it to anyone using an IDS.

Regards,
Cade Cairns

On Tue, 26 Nov 2002, Johnny Stork wrote:

> Been watching the growth of improved, statistical/correlational models of
> analyzing IDS/Firewall logs..... I will be setting up the DeepSight client
> on my IDS/Firewall and can post my experiences if others are interested.
> Symantec and SecurityFocus seem to be the primary developers.
>
> > -----Original message-----
> > From: "Oliver Friedrichs"
> > To: [EMAIL PROTECTED]
> > Date: 11/18/2002(Mon) 05:40pm
> > Subject: DeepSight Analyzer 4.0 Announcement
> >
> > Hi everyone, I wanted to let you know that we have completed the rollout of
> > DeepSight Analyzer 4.0. As always, the service is available at:
> >
> > http://analyzer.securityfocus.com
> >
> > This release includes a number of significant improvements and features
> > that we hope you'll find useful. A partial list of new features follows:
> >
> > One feature that we added to the system a few months ago now was the
> > ability to receive a daily summary report (via email) of the top events and
> > activity being observed on your network. This feature has been extremely
> > popular, and provides an easy way to receive daily reports on your event
> > activity.
> >
> > Second, we've added support for a number of additional devices, including
> > Firewalls, which many of you have been asking for. The DeepSight Analyzer
> > service now supports the following devices:
> >
> > Security Device                 Versions
> >
> > BlackIce                        2.0-3.x
> > Cisco IOS                       12.x
> > Cisco PIX                       4.2-5.1
> > Cisco Secure IDS (Netranger)    2.5-3.0
> > Enterasys Dragon                4.2.2
> > Firewall-1                      Next Generation, NG
> > IP Chains                       OS Independent
> > IPF                             OS Independent
> > NetProwler                      3.5x
> > NetScreen                       200, 100, 50, 25, 5XP appliance
> > RealSecure                      3.1-5.5, 6.00-6.5
> > Snort                           1.6-1.8.x
> > Snort Portscan                  1.6-1.8.x
> > ZoneAlarm                       2.6.0
> >
> > A number of improvements have been made to the DeepSight Analyzer website
> > to facilitate the addition of Firewall data, and to improve the system
> > based on your feedback. These include the following:
> >
> > NEW - User statistics page
> >
> > The statistics page summarizes the event activity being observed by your
> > sensors by a number of different categories on a single screen. These
> > categories include:
> >
> > - Top increasing IDS events - A set of graphs depicting the events that
> >   are seeing the most significant increase on your network
> >
> > - Top increasing Port activity - A set of graphs depicting the ports that
> >   are seeing the most significant increase on your network
> >
> > - Top attacked products - The top products being targeted on your
> >   network
> >
> > - Top offending ISPs - The top ISPs from which events targeting your
> >   network originate
> >
> > - Top ports - The top ports your sensors are observing activity on
> >
> > - Top source IPs - The top source IP addresses from which your sensors
> >   are observing activity
> >
> > - Top countries - The top source countries from which your sensors are
> >   observing activity
> >
> > The majority of these items will also allow you to drill down to view
> > specific events associated with these items.
> >
> > NEW - Events Screen
> >
> > The "Events" screen has replaced the previous "Incidents" screen. This
> > screen contains a series of sub-options, designed to allow you to view your
> > Intrusion Detection System and Firewall Events rolled up by a number of
> > different categories. These categories are:
> >
> > - By Event Type - This will allow viewing of events rolled up by unique
> >   event type
> > - By Destination Port - This will allow viewing of events rolled up by
> >   unique destination port
> > - By Source Address - This will allow viewing of events rolled up by
> >   unique source address
> > - By Source Domain - This will allow viewing of events rolled up by
> >   unique source domain
> > - By Source Country - This will allow viewing of events rolled up by
> >   unique source country
> > - By Source ISP - This will allow viewing of events rolled up by unique
> >   source ISP
> > - By Logs - This will allow viewing of events rolled up by the log in
> >   which they were uploaded. This will replace the existing upper level "Logs"
> >   tab
> >
> > NEW - Report Overhaul
> >
> > We have overhauled the previous reports to consist of a series of 6
> > summary reports. These 6 reports provide the same information that was
> > previously available, in a more compact fashion. The following six reports
> > are available:
> >
> > - Event Summary
> >
> >   This report provides a breakdown of event and port activity observed by
> >   your network intrusion detection and firewall systems. It is helpful in
> >   determining which attacks are targeting your network, and determining the
> >   trend of this activity. This report consists of multiple pages if both IDS
> >   and Firewall events were provided and selected, or a single page if only
> >   one of these event types has been provided or selected.
> >
> > - Origin Summary
> >
> >   This report provides a breakdown of where events targeting your network
> >   are originating. It is helpful in determining who is attacking you, and
> >   determining the trend of attack activity from each source. This report
> >   depicts both IDS and Firewall activity, if events were provided and
> >   selected, or only one of these if only one of these event types has been
> >   provided or selected. This report includes:
> >
> >   Top IP(s) targeting your network
> >   Top ISP(s) from which attacks originate
> >   Top Country(s) from which attacks originate
> >
> > - Category Summary
> >
> >   This report provides a breakdown of event activity by the category or
> >   class of events that are targeting your network. This report is useful in
> >   determining the type of activity that is most frequently observed targeting
> >   your network.
> >
> > - Target Products
> >
> >   This report provides a breakdown of the products and applications that
> >   are being targeted on your network. This knowledge provides you with
> >   insight into the possible intent of these events, and precautions that
> >   should be taken in protecting these services.
> >
> > - Event Time
> >
> >   This report provides a breakdown of the timeframe when network security
> >   events most commonly occur on your network. Knowledge of when these events
> >   occur allows for the tracking of historical activity and the allocation of
> >   resources for future planning.
> >
> > - IP Analysis
> >
> >   This report provides insight into the activity of a single IP address
> >   that is targeting your network. This report consists of a number of
> >   components that reflect the activity, habits, and applications that the IP
> >   address is targeting. In correlating a number of these data points, this
> >   report presents the origin of the attacker, and the vulnerabilities and
> >   services targeted by the attacker.
> >
> > NEW - Report Configuration Wizard
> >
> > A new Report Configuration Wizard has replaced the previous report
> > configuration screen in the "Reports" section. This wizard is intended to
> > simplify the generation of reports, by allowing more flexible selection of
> > reporting criteria. This screen consists of a series of 6 screens, each
> > allowing entry of reporting criteria. This screen contains the same
> > functionality as the previous report configuration screen, with the
> > following additions:
> >
> > - The ability to specify which IDS sensors you would like to include data
> >   from in your report
> > - The specification of multiple source addresses and source countries to
> >   report on
> > - The specification of multiple destination addresses to report on
> > - The specification of multiple event categories to report on
> > - The specification of multiple product categories to report on
> >
> > We hope you like these changes, and continue to use the DeepSight Analyzer
> > service. Please feel free to send any feedback to:
> >
> > [EMAIL PROTECTED]
> >
> > Thank you!
> >
> > - Oliver
>
> ________________________________
> Open Enterprise Solutions
> Open Solutions for an Open World
>
> Johnny Stork, BA
> Calgary, AB
> Canada
>
> http://www.openenterprise.ca
> http://www.open-solutions.ca
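The "rolled up by" views and the "top increasing IDS events" graphs that the announcement describes, as an added Python example that is not part of this thread or of the DeepSight service: it parses constructed Snort 1.8 fast-format alert lines, counts them by event type, destination port and source address, and ranks event types by day-over-day growth. The sample alerts, the field names and the day-prefix grouping are assumptions made here.

```python
import re
from collections import Counter

# Snort 1.8 "fast" alert line: timestamp, [gid:sid:rev], message, class/priority, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):?(?P<sport>\d*) -> (?P<dst>[\d.]+):?(?P<dport>\d*)$"
)

# Constructed sample alerts (documentation address ranges, not real traffic).
SAMPLE_ALERTS = """\
11/17-09:12:01.000001 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3421 -> 192.0.2.10:80
11/17-10:30:44.000002 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.10
11/18-08:01:10.000003 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3422 -> 192.0.2.10:80
11/18-08:01:11.000004 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3423 -> 192.0.2.11:80
11/18-08:05:00.000005 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:4000 -> 192.0.2.10:80
11/18-09:00:00.000006 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.22:1434 -> 192.0.2.12:1434
11/18-11:20:00.000007 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.10
"""


def parse_alerts(text):
    """Parse fast-format lines into dicts of named fields; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def rollup(events, field):
    """Count events by one field ('msg', 'dport', 'src', ...), like the 'By ...' views of the Events screen."""
    return Counter(e[field] for e in events if e[field])


def top_increasing(events, previous_day, current_day, n=3):
    """Rank event types by growth from one day (MM/DD prefix of the timestamp) to the next."""
    by_day = {}
    for e in events:
        by_day.setdefault(e["ts"][:5], Counter())[e["msg"]] += 1
    prev, cur = by_day.get(previous_day, Counter()), by_day.get(current_day, Counter())
    rows = [(msg, prev[msg], cur[msg]) for msg in set(prev) | set(cur)]
    rows.sort(key=lambda r: (r[1] - r[2], r[0]))  # largest increase first, name breaks ties
    return rows[:n]


if __name__ == "__main__":
    evts = parse_alerts(SAMPLE_ALERTS)
    for field in ("msg", "dport", "src"):
        print(f"By {field}:", rollup(evts, field).most_common(3))
    print("Top increasing 11/17 -> 11/18:", top_increasing(evts, "11/18", "11/18"))
```

Feeding a real alert file in through `parse_alerts(open(path).read())` gives the same counts the Analyzer's statistics page would draw for that log; ISP and country roll-ups need a WHOIS or geolocation lookup that this example deliberately leaves out.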
