All,
I was reading this document the other day
(http://www.tenablesecurity.com/images/pdfs/thunder_tasl_scripts.pdf).
Great work on correlation rules, one of the most detailed I've seen!
What I am wondering about is how much success people had creating such
rules for site-specific threats, rather than those that apply to every
network (e.g. IRC bot running or compromised machine scanning out).
From my experience, creating sensible and effective correlation rules
is easier than writing good NIDS sigs. I am curious whether it matches
the experience of others here?
Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
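As an added illustration of the distinction the message draws (this is example code written for this page, not code from the original post or from the Tenable document it links), here is a toy correlation pass over constructed flow records with one generic rule, an internal host scanning out, and one site-specific rule, a management port on a protected server reached from outside the admin subnet. The internal ranges, the admin subnet, the server address, the port set, the window and the threshold are all assumptions chosen for the example, and the sample flows are constructed, not captured traffic.

```python
"""Two correlation rules over constructed flow records: one generic, one site-specific."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Site parameters: all assumed for this example, not taken from the original post.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ADMIN_NET = ip_network("10.1.9.0/24")        # hypothetical admin jump subnet
MGMT_SERVERS = {ip_address("10.1.1.200")}    # hypothetical server with restricted SSH
MGMT_PORTS = {22}
SCAN_WINDOW = timedelta(seconds=60)          # sliding window for the scan rule
SCAN_THRESHOLD = 10                          # distinct external hosts per (src, dport)

# Constructed sample flows, format "ISO-timestamp src dst dport".
SAMPLE_FLOWS = """
2004-07-08T10:00:00 10.1.1.5 203.0.113.1 445
2004-07-08T10:00:01 10.1.1.5 203.0.113.2 445
2004-07-08T10:00:02 10.1.1.5 203.0.113.3 445
2004-07-08T10:00:03 10.1.1.5 203.0.113.4 445
2004-07-08T10:00:04 10.1.1.5 203.0.113.5 445
2004-07-08T10:00:05 10.1.1.5 203.0.113.6 445
2004-07-08T10:00:06 10.1.1.5 203.0.113.7 445
2004-07-08T10:00:07 10.1.1.5 203.0.113.8 445
2004-07-08T10:00:08 10.1.1.5 203.0.113.9 445
2004-07-08T10:00:09 10.1.1.5 203.0.113.10 445
2004-07-08T10:00:10 10.1.1.5 203.0.113.11 445
2004-07-08T10:00:20 10.1.1.6 198.51.100.7 80     # ordinary web traffic, no alert
2004-07-08T10:00:21 10.1.1.6 198.51.100.8 80
2004-07-08T10:00:30 10.1.9.2 10.1.1.200 22       # admin subnet -> allowed by site policy
2004-07-08T10:00:31 10.1.1.5 10.1.1.200 22       # non-admin host -> site-specific alert
"""


def parse_flow(line):
    """Parse one record into a dict; return None for blank or comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    ts, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ip_address(src),
            "dst": ip_address(dst), "dport": int(dport)}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def rule_outbound_scan(flows):
    """Generic rule: an internal source reaches SCAN_THRESHOLD distinct external
    hosts on one destination port inside SCAN_WINDOW. Fires once per (src, dport)."""
    alerts = []
    recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst) still inside the window
    fired = set()
    for f in sorted(flows, key=lambda f: f["ts"]):
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        key = (f["src"], f["dport"])
        q = recent[key]
        q.append((f["ts"], f["dst"]))
        while q and f["ts"] - q[0][0] > SCAN_WINDOW:   # evict records older than the window
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= SCAN_THRESHOLD and key not in fired:
            fired.add(key)
            alerts.append({"rule": "outbound_scan", "src": str(f["src"]),
                           "dport": f["dport"], "targets": len(distinct), "ts": f["ts"]})
    return alerts


def rule_mgmt_access(flows):
    """Site-specific rule: a management port on a protected server is reached
    from a source outside ADMIN_NET. Only meaningful where that policy exists."""
    return [{"rule": "mgmt_from_non_admin", "src": str(f["src"]),
             "dst": str(f["dst"]), "dport": f["dport"], "ts": f["ts"]}
            for f in flows
            if f["dst"] in MGMT_SERVERS and f["dport"] in MGMT_PORTS
            and f["src"] not in ADMIN_NET]


def correlate(text):
    """Run both rules over the raw records and return the combined alert list."""
    flows = [f for f in (parse_flow(l) for l in text.splitlines()) if f]
    return rule_outbound_scan(flows) + rule_mgmt_access(flows)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_FLOWS):
        print(alert)
```

The generic rule needs no knowledge of the site beyond what counts as internal, which is why it ports to any network; the second rule is only as good as the policy encoded in ADMIN_NET and MGMT_SERVERS, which is the maintenance cost the question above is getting at.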