AlienVault Unified Security Management™ Solution
Customizing Correlation Directives or Cross Correlation Rules

DC-00164 Edition 01
Copyright© 2015 AlienVault. All rights reserved.

AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.

Contents
Customizing Correlation Directives
Customizing Cross Correlation Rules
Introduction

In the Correlation Reference Guide we explain what correlation is and how it works in AlienVault Unified Security Management™ (USM™). In this document, we focus on how to customize Correlation directives or Cross Correlation rules in USM. We also describe the AlienVault USM web interfaces for Correlation directives and Cross Correlation rules.

Customizing Correlation Directives

Modifying a Built-in Directive

By default, AlienVault USM comes with over 2,000 built-in directives. They are written by the researchers in AlienVault Labs, who research global threats and vulnerabilities every day. It is highly recommended that you learn how these directives are configured first, and then tailor them to your specific needs.

For example, you might want to detect dropped packets going to a single host on a firewall. If you take a look at the built-in directives, you will see that such a directive exists, which detects dropped packets on the Cisco PIX firewall. However, in order to detect dropped packets on a different firewall, for instance the Fortinet FortiGate firewall, you will need to customize the directive. In this section, we will use this example to show the steps required to modify a built-in directive. It involves the following 4 tasks:

Task 1: Clone an existing directive
Task 2: Edit directive global properties
Task 3: Edit correlation rules
Task 4: Restart Server

Figure 1. Procedures for modifying a built-in directive.

Task 1: Clone an existing directive

To clone an existing directive:
1. Navigate to Configuration > Threat Intelligence > Directives.
2. Type ‘packets’ in the search box to search for the appropriate directive.
3. Scroll down on the page to find the directive titled “AV Network attack, too many dropped inbound packets from DST_IP”.
4. Click the Clone icon to clone the directive.
5. Confirm that you wish to clone the directive by clicking YES when prompted.

Figure 2. Cloning a directive.

Note: By default, USM disables the built-in directive automatically once it is cloned. If you want both to be working at the same time, make sure to enable the built-in directive as well.

Task 2: Edit directive global properties

To edit the cloned directive:
1. Locate the cloned directive in the User Contributed category.
2. Click the Edit icon to the left of the directive. A new window appears displaying the global properties of the directive.
3. Change the name to “AV Network attack, too many dropped on Fortigate”.
4. Optionally, modify the taxonomy and priority of the directive as well.
5. Click SAVE.

Figure 3. Editing a directive's global properties.

Task 3: Edit correlation rules

Now you need to edit the correlation rules so that they match events from the Fortinet FortiGate firewall. To do so:
1. Click the black triangle to the left of the directive to display the correlation rules.
2. In the first rule (first line in the table), under the Data Source column, click the green + (plus) sign to the left of cisco-pix. The Rule Data Source Configuration window displays.
3. Type ‘fortigate’ in the search box to find the Fortigate plugin.
4. Click the blue Fortigate box to select that plugin. The Plugin Signatures screen displays.
5. Type ‘drop’ to search for the event type(s) that detect dropped packets. You should see 3 - Fortigate: Drop Forbidden Traffic listed in the right column.
6. Click the + (plus) sign to the right of the event type, or click Add all. The event type will move to the left column instead.
7. Click Finish to confirm your selection.
8. Repeat step #2 to #6 for all the rules in the directive. Notice that there is no Finish button as stated in step #7. Click the Selected from List button instead.

The final directive should look like Figure 4:

Figure 4. Custom directive – AV Network attack, too many dropped on Fortigate.

Task 4: Restart Server

Restart the ossim-server process by clicking the Restart Server button. You may need to scroll down to reveal the button. Confirm the restart by clicking YES when prompted.

Figure 5. Restart Server restarts the ossim-server process.

You may edit other attributes of the correlation rules as well. Some attributes, such as NAME, RELIABILITY, TIMEOUT, and OCCURRENCE, are changed by clicking the value, making the changes inline, and then clicking OK. Other attributes, such as FROM, TO, DATA SOURCE, and EVENT TYPE, are changed by clicking the green + (plus) sign, then making the selection from the resulting screen.

Creating a New Directive

In Modifying a Built-in Directive, we describe how to modify an existing Correlation Directive provided by AlienVault Labs. But sometimes you may find that none of the built-in directives work in your environment because they do not have the correct condition defined. In this case, you can create a new directive from scratch. Let’s see how it works by going through an example.

In this example, we will create a custom directive to detect a Denial of Service (DoS) attack that seeks to exhaust a service running on TCP port 139 on a specific server. Such an attack may be indicated by many connections from a single host (possibly with bad reputation) to the destination server on port 139. Firewall events can be checked for connections to the server by using a detector type data source plugin. Once the correlation engine detects that the number of connections is dangerously high, you can also use a monitor type data source plugin to discover if the service on the server is still up. Every time a rule in the correlation directive is met, the reliability of the directive event will increase, thus increasing the risk of the detected event.

Figure 6 shows the four correlation levels that will be used by the directive. The first three correlation rules will check for the number of connections to the server using a detector type data source plugin. The last correlation rule will check if the service is still up on the server by using a monitor type data source plugin.

Correlation Level 1: 1 ACCEPT CONN event from the firewall, Port 139, Source: A
Correlation Level 2: 100 ACCEPT CONN events from the firewall, Port 139, Source: A
Correlation Level 3: 1,000 ACCEPT CONN events from the firewall, Port 139, Source: A
Correlation Level 4: Is the service still up?

Figure 6. Correlation levels used by the sample directive.

Creating this directive involves the following 6 tasks:

Task 1: Create a new directive
Task 2: Add a level 1 rule
Task 3: Add a level 2 rule
Task 4: Repeat Task 3 as needed
Task 5: Add the last rule
Task 6: Restart Server

Figure 7. Procedures for creating a new directive.

Task 1: Create a new directive

To create a new directive:
1. Navigate to Configuration > Threat Intelligence > Directives.
2. Click the New Directive button. The New Directive window displays.
3. For Name for the directive, enter ‘DoS Attack at NetBIOS’.
4. Enter the Taxonomy:
   a. For Intent, select ‘Delivery & Attack’.
   b. For Strategy, select ‘Denial of Service – Resource exhaustion’.
   c. For Method, enter ‘Attack’.
5. Leave the Priority at the default value: 3.
6. Click Next. A new window displays as shown in Figure 8.
7. Proceed to Task 2.

Figure 8. Creating a new directive.

Task 2: Add a level 1 rule

This task is to add a level 1 rule, where we try to match one Cisco ASA access permitted event on a particular server on port 139. To add this rule, continue from Task 1 in the New Directive window.
1. On the Rule name screen, enter a name for the rule, for example ‘Established connections’. Click NEXT.
2. On the Rule name > Plugin screen:
   a. Type ‘cisco-asa’ in the search box to find the Cisco-ASA plugin.
   b. Click the blue Cisco-ASA box to select that plugin.
3. On the Rule name > Plugin > Event Type screen:
   a. Type ‘permitted’ to search for access permitted events.
   b. Click the + (plus) sign next to the individual event types, such as ‘106102 – ASA: A packet was either permitted or denied by an acces…’ and ‘710002 – ASA: access permitted’. They will move to the left column instead.
   c. Click NEXT.
4. On the Rule name > Plugin > Event Type > Network screen:
   a. Leave Source Host / Network and Source Port(s) empty, which means ANY asset.
   b. In the Destination Host / Network area, choose your server from the Assets list by clicking it. It will appear in the Destination box.
   c. In the box for Destination Port(s), enter 139.
   d. Click NEXT.
5. On the Rule name > Plugin > Event Type > Network > Reliability screen:
   a. Select a Reliability value (from 0 to 10) by clicking the blue square with the appropriate number. In this example, we use 1. The reliability value is low because you don’t want to generate false alarms.
   b. Click Finish. The New Directive window closes.

Task 3: Add a level 2 rule

In this task, we add a level 2 rule. In this example, we try to match the same events matched by the level 1 rule. The difference is that we want to detect 100 such events this time. We want to make sure to use 1) the same event types, 2) the same source and destination IP addresses, and 3) the same destination port that were used in the level 1 rule.
1. Click the green + (plus) sign at the right side of the first rule under the ACTION heading. The New Rule window displays.
2. Follow step #1 and #2 in Task 2.
3. On the Rule name > Plugin > Event Type screen, click the button that reads Plugin SID from rule of Level 1. This will select the same event types as in the level 1 rule. Click NEXT.
4. On the Rule name > Plugin > Event Type > Network screen:
   a. For Source Host / Network, in the From a parent rule dropdown, select ‘Source IP from level 1’.
   b. Leave the Source Port(s) empty.
   c. For Destination Host / Network, in the From a parent rule dropdown, select ‘Destination IP from level 1’.
   d. For Destination Port(s), in the From a parent rule dropdown, select ‘Destination Port from level 1’.
   e. Click NEXT.

Figure 9. Selecting source and destination IP from level 1.

5. On the Rule name > Plugin > Event Type > Network > Reliability screen:
   a. Either select an absolute (left column) or relative value (right column). If a relative value is selected, the value is added to the reliability of the previous rule. In this example, we use +2.
   b. Click Finish. The New Directive window closes.
6. Change the Timeout value. Click the original value to turn on editing. Enter 30 (seconds), and click OK.
7. Similarly, change the Occurrence to 100.

Figure 10. Modifying the occurrence value to 100.

Task 4: Repeat Task 3 as needed

This task can be repeated as many times as necessary. In this example, we want to add one more rule (level 3) to detect the same events as in the previous rule but with 1000 occurrences. Repeat Task 3, except that in step #1 you click the first + (plus) sign at the right side of the previous rule under the ACTION heading, and in step #7 you change the Occurrence to 1000 instead.

Task 5: Add the last rule

In the last rule for this example, we use a monitor type data source plugin to check whether the service is still up after a suspected attack.
1. Click the + (plus) sign at the right side of the third rule to add a child rule.
2. Enter a name for this rule, such as Service Up.
3. On the Rule name > Plugin screen:
   a. Type ‘nmap’ in the search box to find the NMAP-Monitor plugin.
   b. Click the blue NMAP-Monitor box to select that plugin.
4. On the Rule name > Plugin > Event Type screen, choose ‘TCP Port closed’. It will check whether a TCP port on a destination server is closed or not responding to requests.
5. Repeat step #4 to #7 in Task 3, but use +6 for the reliability value, 1 for timeout and 3 for occurrence.

The final directive will have 4 rules (Figure 11).

In a rule that uses a monitor type data source plugin, the timeout and occurrence values have different meanings. The timeout value defines how many seconds the plugin will wait to receive a response from the destination to which the request was sent. Occurrence specifies how many times the request will be sent. In our example, the timeout is set to 1 second and the occurrence is set to 3. This means that three (Is the TCP port closed?) requests will be sent to the destination server, and if a response to these requests is not received within 1 second, the rule will be matched and the reliability of the directive will be increased by 6.

Task 6: Restart Server

Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by clicking YES when prompted.
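As an added illustration (written for this page, not AlienVault's engine or its directive format), the following Python models how the four levels of the DoS Attack at NetBIOS directive built in Tasks 1 to 5 accumulate reliability over constructed Cisco ASA events. The `port_closed` probe standing in for the NMAP-Monitor request and the clamp at reliability 10 are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass

ACCEPT_SIDS = {"106102", "710002"}   # Cisco ASA "access permitted" event types from Task 2
# Detector child rules (levels 2 and 3): (occurrence, timeout in seconds, relative reliability).
CHILD_LEVELS = [(100, 30, +2), (1000, 30, +2)]
MONITOR_RELIABILITY, MONITOR_OCCURRENCE, MONITOR_TIMEOUT = 6, 3, 1.0   # level 4 monitor rule
Event = namedtuple("Event", "ts src dst dport sid")   # constructed firewall event; ts in seconds

@dataclass
class Instance:
    src: str
    dst: str
    dport: int
    level: int = 1         # highest rule matched so far
    reliability: int = 1   # level 1 uses the absolute value 1
    count: int = 0         # events counted towards the current child rule
    level_start: float = 0.0

def run_directive(events, server, port_closed, port=139):
    """Feed time-ordered Events. port_closed(host, port, timeout) is a hypothetical stand-in for the
    NMAP-Monitor 'TCP Port closed' request. Returns None if no instance opened or a timeout expired."""
    inst = None
    for ev in events:
        if inst is None:   # level 1: any source, this server, this destination port
            if ev.sid in ACCEPT_SIDS and ev.dst == server and ev.dport == port:
                inst = Instance(ev.src, ev.dst, ev.dport, level_start=ev.ts)
            continue
        if inst.level > len(CHILD_LEVELS):
            break          # levels 2 and 3 matched; only the monitor rule is left
        occurrence, timeout, delta = CHILD_LEVELS[inst.level - 1]
        if ev.ts - inst.level_start > timeout:
            return None    # occurrence not reached within the timeout; instance dropped
        # Source IP, destination IP and destination port are inherited "from level 1".
        if ev.sid in ACCEPT_SIDS and (ev.src, ev.dst, ev.dport) == (inst.src, inst.dst, inst.dport):
            inst.count += 1
            if inst.count == occurrence:
                inst.level, inst.reliability = inst.level + 1, inst.reliability + delta
                inst.count, inst.level_start = 0, ev.ts
    if inst is not None and inst.level == len(CHILD_LEVELS) + 1:
        # Level 4: the request is sent `occurrence` times, each waiting `timeout` seconds; the rule
        # matches when they go unanswered (assumption: every request must fail).
        if all(port_closed(inst.dst, inst.dport, MONITOR_TIMEOUT) for _ in range(MONITOR_OCCURRENCE)):
            inst.level += 1
            inst.reliability = min(10, inst.reliability + MONITOR_RELIABILITY)  # 0-10 scale, assumed clamp
    return inst

def flood(src, dst, n, start=0.0, gap=0.02):
    """Constructed sample input: n accepted connections from src to dst:139, gap seconds apart."""
    return [Event(start + i * gap, src, dst, 139, "710002") for i in range(n)]
```

With 1,101 events from one source and an unanswered probe the instance ends at level 4 with reliability 10 (1 + 2 + 2 + 6 clamped); a second source's events do not count towards level 2, and a gap longer than 30 seconds drops the instance.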
Customizing Cross Correlation Rules

Similar to Correlation Directives, you can customize Cross Correlation rules as well. Even though the web interface gives the impression that you can cross-correlate events from any data source with those from any other data source, in practice you can only correlate IDS events with vulnerabilities that are detected by AlienVault Vulnerability Scanner.

Creating a Cross Correlation Rule

To create a new Cross Correlation rule:
1. Click NEW.
2. Select the Data Source Name, such as snort as shown in the example below.
3. Select the Event Type of the data source entered in step #2. For example, snort: “MySQL root login attempt”.
4. Select the Reference Data Source Name, such as nessus-detector in the example.
5. Select the Reference SID Name of the reference data source entered in step #4. For example, nessus: MySQL weak password.
6. Click CREATE RULE. Or, click BACK if you want to discard the changes.

This custom rule would be matched if the AlienVault IDS Engine detected a MySQL root login attempt to a host that has the MySQL weak password vulnerability.

Figure 12. Creating a Cross Correlation rule.

Modifying a Cross Correlation Rule

To edit an existing Cross Correlation rule:
1. Locate the desired Cross Correlation rule and click on it. The entire row will change to light blue.
2. Click MODIFY.
3. Change any of the four fields as needed.
4. Click SAVE RULE to save the changes. Or, click BACK if you want to discard the changes.

Deleting a Cross Correlation Rule

To delete a Cross Correlation rule:
1. Locate the desired Cross Correlation rule and click on it. The entire row will change to light blue.
2. Click DELETE SELECTED.

Important: Use this button with caution because the web interface will not ask you to confirm the deletion.