Hi Richard:

In message <caj69-dfkwv+bnuy7vipijt8ezof3fpz8eahuj1bbvzysno3...@mail.gmail.com>,
Richard_Ostrochovsk writes:

>this post loosely follows this one:
>https://sourceforge.net/p/simple-evcorr/mailman/message/36867007/.
>
>Being a monitoring consultant and developer, I have
>an idea to hide the complexity of SEC configurations,
>and still allow it to be configured also by
>"regular" administrators without any developer or
>SEC background.

Being a "regular" administrator, I claim admins that can't program/use
programming methods won't be admins much longer. If the companies you
work for are depending on (rapidly turning over) junior admins to
administer something as important as monitoring and correlation, you have
a difficult job ahead of you.

Knowing regular expressions at the very least is required to use SEC.
Getting performance info out of SEC is better, but still difficult.
E.g. finding and fixing expensive/poor regular expressions can result in
a significant improvement of performance/throughput, along with
hierarchical structuring of the rulesets.

>Imagined concept illustration:
>
>[configuration DB] -> [generator(s)] -> [SEC configurations]
>
>The punch line is that the user won't need to know
>anything about SEC, but will need to understand the
>logic of the correlations employed, and their
>parameters

I assume you mean regular expressions, thresholds, actions and commands
etc.

>(configuration DB may have some kind of GUI). In
>the background, higher-level correlations will be
>translated to the respective SEC rules.

There was a web interface referenced back in 2007 at:

https://sourceforge.net/p/simple-evcorr/mailman/simple-evcorr-users/thread/op.tnxvfselqmj61d%40genius/#msg6200380

The URLs are dead, but I have a copy of secadmin from 2009. I have put it
up at:

https://www.cs.umb.edu/~rouilj/sec/secadmin.tar.gz

It doesn't use a back end db IIRC, but it was supposed to provide some
guidance on creating the correlation rules. Note that it would have to be
updated, as new rules have been added since it was developed. Also I
think it only supported the basic sec correlations.

Risto, do you remember this?

>Maybe there exists something similar as described
>- if somebody knows about something, I'd like it if
>he or she would navigate me to it. If it does not
>exist, maybe this is a potential opportunity for
>implementation, and this way also SEC could be
>more propagated, as a still alive alternative to
>other newer solutions usable for event
>correlation, e.g. based on ELK (I see a big
>advantage of SEC, that it does not need separate
>application infrastructure for log collection and
>processing). Any opinions about this topic?

One thing I had played with was using templates to create new correlation
types by deploying a set of basic correlations (pair, single, and single
with threshold for example) into a single unit tied together by
specifying fill-in parameters (regular expressions, threshold counts
etc.). I used filepp to expand the correlation files into something that
sec could consume.

This was done at a previous employer. I don't think I have any of that
work anymore. But it was able to generate more complex correlations with
a simpler interface for others to fill in.

Maybe this provides some ideas?

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
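The generator idea from the thread ("[configuration DB] -> [generator(s)] -> [SEC configurations]", and John's filepp templates that expand Single, SingleWithThreshold and Pair correlations from fill-in parameters) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the mailing-list post, from SEC, from secadmin or from filepp. It takes rows of a hypothetical configuration DB (plain Python dicts, constructed here as sample input) and emits SEC rule text using the standard SEC rule keywords (type, ptype, pattern, desc, action, window, thresh, ptype2, pattern2, desc2, action2). The only "security" step it adds is the one an admin-facing generator needs: refuse to emit a rule whose regular expression does not compile or whose threshold/window is nonsensical, so a broken row cannot silently disable a correlation. Python's re module is only an approximation of the Perl regexes SEC actually uses, so the check is a lint, not a proof; the final word is sec's own parser (sec --conf=FILE --testonly).

```python
"""Generate SEC rule files from a small declarative description.

Added example for the simple-evcorr-users thread on hiding SEC configuration
behind a generator.  Not SEC's, secadmin's or filepp's code.  The rule
keywords are standard SEC keywords; the correlation rows and log formats
below are constructed for illustration.
"""
import re

SEC_TYPES = ("Single", "SingleWithThreshold", "Pair")


class ConfigError(ValueError):
    """A configuration row that cannot become a valid SEC rule."""


def _check_regex(pattern):
    # Python's re is a coarse stand-in for SEC's Perl regexes, but it catches
    # the usual typos (unbalanced parentheses, dangling escapes) before they
    # reach a production ruleset.
    try:
        re.compile(pattern)
    except re.error as exc:
        raise ConfigError(f"bad regular expression {pattern!r}: {exc}") from exc


def _positive_int(row, key):
    value = int(row[key])
    if value <= 0:
        raise ConfigError(f"{key} must be > 0, got {value}")
    return value


def render_rule(row):
    """Translate one higher-level correlation (a dict) into SEC rule text."""
    kind = row["type"]
    if kind not in SEC_TYPES:
        raise ConfigError(f"unsupported correlation type {kind!r}")
    _check_regex(row["pattern"])
    # Every rule type shares the same head.  'desc' doubles as the key that
    # groups events into one counter/pair, so $-variables in it matter.
    fields = [
        ("type", kind),
        ("ptype", "RegExp"),
        ("pattern", row["pattern"]),
        ("desc", row["desc"]),
        ("action", row["action"]),
    ]
    if kind == "SingleWithThreshold":
        fields.append(("window", _positive_int(row, "window")))
        fields.append(("thresh", _positive_int(row, "thresh")))
    elif kind == "Pair":
        _check_regex(row["pattern2"])
        fields += [
            ("ptype2", "RegExp"),
            ("pattern2", row["pattern2"]),
            ("desc2", row["desc2"]),
            ("action2", row["action2"]),
        ]
        if "window" in row:  # optional: how long to wait for the second event
            fields.append(("window", _positive_int(row, "window")))
    return "\n".join(f"{k}={v}" for k, v in fields) + "\n"


def render_config(rows):
    """Render a whole SEC configuration file, rules separated by blank lines."""
    return "\n".join(render_rule(r) for r in rows)


# Constructed sample rows, standing in for the "configuration DB".
SAMPLE_DB = [
    {
        "type": "SingleWithThreshold",
        "pattern": r"sshd\[\d+\]: Failed password for (\S+) from (\S+)",
        "desc": "ssh password failures for $1 from $2",
        "action": "write - repeated ssh failures for $1 from $2",
        "window": 60,
        "thresh": 5,
    },
    {
        "type": "Pair",
        "pattern": r"(\S+) kernel: .* link is down",
        "desc": "link down on $1",
        "action": "write - link down on $1, waiting for recovery",
        "pattern2": r"$1 kernel: .* link is up",
        "desc2": "link up on $1",
        "action2": "write - link on $1 restored",
        "window": 300,
    },
]


if __name__ == "__main__":
    print(render_config(SAMPLE_DB), end="")
```

Running the module prints a file that sec can load directly; in practice the generator would write it to disk and run sec --conf=FILE --testonly before anything reloads the live configuration, since a rejected file is far better than a ruleset that loads with one correlation silently missing.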