Test of the log analysis tool SnIPS

Authors:

  • Teodor Sommestad
  • Hannes Holm

Publish date: 2016-11-30

Report number: FOI-R--4323--SE

Pages: 31

Written in: Swedish

Keywords:

  • Snort
  • alert correlation
  • log analysis
  • cybersecurity
  • SnIPS
  • alert verification

Abstract

A large number of tools aiming to support log analysts in the cyber domain have been proposed. Few of these tools have been tested against realistic data, and little is known about their effectiveness. This report describes a technical test of the tool Snort Intrusion Analysis using Proof Strengthening (SnIPS). SnIPS correlates alerts from the popular network security sensor Snort to assess whether computers in a network have been compromised. The results show that (1) the values SnIPS produces for the probability that a host has been compromised are uncalibrated but correlated with observed frequencies of compromise, (2) SnIPS would probably support log analysts in their work by prioritizing events, and (3) SnIPS performs well compared to the alternatives. SnIPS, and techniques based on similar ideas, appear to be worth investigating further.
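The abstract's first two findings rest on a distinction practitioners should be able to check themselves: a score can be uncalibrated (a reported "0.9" does not mean nine hosts in ten are compromised) and still be useful for prioritization (compromised hosts tend to rank above clean ones). The following is an added example, not code from the report or from SnIPS, showing how both properties are measured: a reliability table with expected calibration error for calibration, and a rank-based ROC AUC for prioritization value. The per-host scores and ground truth are constructed for illustration and are not SnIPS output.

```python
"""Added example (not from the FOI report or SnIPS): check whether per-host
compromise probabilities are calibrated, and separately whether they rank
compromised hosts above clean ones. All input data below is constructed."""
from collections import defaultdict

# Constructed sample: (host, reported probability of compromise, was it
# actually compromised?). Shaped so the scores rank well but run high.
SAMPLE = [
    ("h01", 0.95, True),  ("h02", 0.92, True),  ("h03", 0.90, False),
    ("h04", 0.88, True),  ("h05", 0.85, False), ("h06", 0.80, False),
    ("h07", 0.75, True),  ("h08", 0.70, False), ("h09", 0.60, False),
    ("h10", 0.55, False), ("h11", 0.40, False), ("h12", 0.30, True),
    ("h13", 0.20, False), ("h14", 0.10, False), ("h15", 0.05, False),
    ("h16", 0.02, False),
]


def reliability_table(rows, n_bins=5):
    """Group hosts into equal-width probability bins and compare the mean
    reported probability with the observed compromise frequency per bin.
    Returns (bin_lo, bin_hi, count, mean_prob, observed_freq) per bin."""
    bins = defaultdict(list)
    for _, p, y in rows:
        idx = min(int(p * n_bins), n_bins - 1)  # p == 1.0 lands in last bin
        bins[idx].append((p, y))
    table = []
    for idx in sorted(bins):
        items = bins[idx]
        mean_p = sum(p for p, _ in items) / len(items)
        freq = sum(1 for _, y in items if y) / len(items)
        table.append((idx / n_bins, (idx + 1) / n_bins, len(items), mean_p, freq))
    return table


def expected_calibration_error(rows, n_bins=5):
    """Count-weighted mean gap between reported probability and observed
    frequency. 0.0 is perfectly calibrated; 0.3 means a typical host's score
    is off by 30 percentage points as a probability."""
    total = len(rows)
    return sum(n / total * abs(mean_p - freq)
               for _, _, n, mean_p, freq in reliability_table(rows, n_bins))


def auc(rows):
    """ROC AUC in its Mann-Whitney form: the probability that a randomly chosen
    compromised host scores higher than a randomly chosen clean host.
    0.5 means the score carries no ranking value; 1.0 is a perfect ranking.
    This is unaffected by calibration, which is exactly the point."""
    pos = [p for _, p, y in rows if y]
    neg = [p for _, p, y in rows if not y]
    wins = 0.0
    for pp in pos:
        for pn in neg:
            wins += 1.0 if pp > pn else 0.5 if pp == pn else 0.0
    return wins / (len(pos) * len(neg))


def prioritized(rows):
    """The analyst-facing use: hosts in the order a triage queue would show
    them, highest reported probability first."""
    return [host for host, _, _ in sorted(rows, key=lambda r: r[1], reverse=True)]


if __name__ == "__main__":
    for lo, hi, n, mean_p, freq in reliability_table(SAMPLE):
        print(f"[{lo:.1f}, {hi:.1f})  n={n:2d}  reported={mean_p:.2f}  observed={freq:.2f}")
    print(f"ECE = {expected_calibration_error(SAMPLE):.3f}")
    print(f"AUC = {auc(SAMPLE):.3f}")
    print("triage order:", prioritized(SAMPLE))
```

On the constructed sample the top bin reports a mean probability of about 0.88 while only half of those hosts are compromised, giving an expected calibration error around 0.31, yet the AUC is 0.8: the same score would be misleading if read as a probability and still useful for deciding which host to look at first. Running both checks against a labelled dataset is the minimum needed before trusting any correlation tool's numbers as probabilities rather than as a ranking.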