Test of the log analysis tool SnIPS
Publish date: 2016-11-30
Report number: FOI-R--4323--SE
Pages: 31
Written in: Swedish
Keywords:
- Snort
- alert correlation
- log analysis
- cybersecurity
- SnIPS
- alert verification
Abstract
A large number of tools aiming to support log analysts in the cyber domain have been proposed. Few of these tools have been tested against realistic data, and little is known about their effectiveness. This report describes a technical test of the tool Snort Intrusion Analysis using Proof Strengthening (SnIPS). SnIPS correlates alerts from the popular network security sensor Snort to assess whether computers in a computer network have been compromised. The results show that (1) the values SnIPS produces for the probability that a host has been compromised are uncalibrated but correlated with the frequencies of compromise, (2) SnIPS would probably support log analysts in their work by prioritizing events, and (3) SnIPS performs well compared to the alternatives. SnIPS, and techniques based on similar ideas, appear to be worth investigating further.