2014-02-23 9:39 GMT+02:00 Rolf Nufable <[email protected]>:
> Sir I think the Jump and option command is not a good option for
> correlating, any other tips for chaining rules for correlation?
>
Jump and Options rules are currently the only options for setting up rule
hierarchies. Defined rule hierarchies are very similar to Linux iptables
rule chains which allow for arranging rules in a much more cost-efficient
way. If you don't like a hierarchical setup, you have to keep the setup you
currently have -- flat rule sequences which process both raw and synthetic
events. If you would like to define filters for synthetic events in flat
rule sequences, you could use the --intcontexts command line flag which
forces SEC to create internal contexts for different types of input events.
Your filters could then check for the presence of relevant contexts (see
http://simple-evcorr.sourceforge.net/man.html#lbAZ).
BR, risto
> currently I've achieved a 2-layer correlation with the rules I'm using,
> e.g.
>
> nov 22 10-05-08 foohost foo bar
> nov 23 10-05-08 foohost1 foo bar
>
> rule 1
> type=Single
> ptype=RegExp
> pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
> continue=TakeNext
> desc=$0
> action=event 0 $1 SAMPLE:foo exit on signal $2 at %t
>
> Rule2
> type=Single
> ptype=RegExp
> pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
> continue=TakeNext
> desc=$0
> action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t
>
> Correlation rule
> type=PairWithWindow
> ptype=RegExp
> pattern=^(\S+)\s+(SAMPLE):(\S+)\s+(.*)
> continue=TakeNext
> desc=$0
> action=write example
> ptype2=RegExp
> pattern2=^(\S+)\s+(SAMPLE1):(\S+)\s+(.*)
> desc2=$0
> action2=write (in database CORR:sample+sample1)
> window=300
>
> result: CORR: SAMPLE+SAMPLE1 (their content)
>
>
> On Saturday, February 22, 2014 4:36 PM, Rolf Nufable <
> [email protected]> wrote:
> Sir
>
> My main objective is to correlate events from snort which are assumed to
> be phases of multi-stage attacks and enter them into a database for processing
>
> currently I've achieved a 2-layer correlation with the rules I'm using,
> e.g.
>
> nov 22 10-05-08 foohost foo bar
> nov 23 10-05-08 foohost1 foo bar
>
> rule 1
> type=Single
> ptype=RegExp
> pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
> continue=TakeNext
> desc=$0
> action=event 0 $1 SAMPLE:foo exit on signal $2 at %t
>
> Rule2
> type=Single
> ptype=RegExp
> pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
> continue=TakeNext
> desc=$0
> action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t
>
> Correlation rule
> type=PairWithWindow
> ptype=RegExp
> pattern=^(\S+)\s+(SAMPLE):(\S+)\s+(.*)
> continue=TakeNext
> desc=$0
> action=write example
> ptype2=RegExp
> pattern2=^(\S+)\s+(SAMPLE1):(\S+)\s+(.*)
> desc2=$0
> action2=write (in database CORR:sample+sample1)
> window=300
>
> result: CORR: SAMPLE+SAMPLE1 (their content)
>
> uhm, currently I'm trying the same method and adding another layer for the
> correlation but it doesn't work, any tips sir that can help me solve this?
>
> On , Rolf Nufable <[email protected]> wrote:
> I want to correlate them and then insert the snort alerts/events into a
> database
>
> sorry for the late reply
>
>
> On Monday, February 10, 2014 12:52 PM, David Lang <[email protected]> wrote:
> On Sat, 8 Feb 2014, Rolf Nufable wrote:
>
>
> > is it possible to link 3 configuration files for correlation?
> >
> > like in this example it used 2 configuration files to correlate and
> > insert it into the database
> >
> >
> http://simple-evcorr.sourceforge.net/SEC-tutorial/article-part2.html#DATABASEINTEGRATION
> >
> >
> > My goal is to correlate events from snort and be able to correlate using
> > 3 successive triggers of rules
> > and then insert them into a database for processing
> >
> > please help me I'm kinda lost
>
>
> it's not clear why you are saying you need separate configuration files.
>
> can you back up a little bit and explain what you are trying to do?
>
> you want to see a particular message from snort, then do what?
>
> David Lang
>
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
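risto's --intcontexts suggestion above, worked through against Rolf's sample rules as an added example (not code from the thread or from the SEC project): one flat rule file in which each layer filters on the internal context, so raw snort lines never reach the correlation rule and synthetic events never re-enter layer 1, plus the third layer Rolf was asking about. The context names are those the SEC man page documents for --intcontexts (check them against your version); the snort log path and insert-corr.sh are assumed.

```conf
# Run SEC with internal contexts, e.g.:
#   sec --conf=snort-corr.sec --input=/var/log/snort/alert --intcontexts
# Raw input then carries the context _FILE_EVENT_<filename>, events made by
# the 'event' action carry _INTERNAL_EVENT, and each layer filters on that.

# Layer 1a: stage-1 alert from foohost -> synthetic SAMPLE event (raw input only).
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
context=!_INTERNAL_EVENT
desc=stage1 alert from $1
action=event 0 $1 SAMPLE:foo exit on signal $2 at %t

# Layer 1b: stage-1 alert from foohost1 -> synthetic SAMPLE1 event.
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
context=!_INTERNAL_EVENT
desc=stage1 alert from $1
action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t

# Layer 2: SAMPLE followed by SAMPLE1 within 300 s -> synthetic CORR event.
# Only synthetic events are eligible, so a raw alert that happens to contain
# the word SAMPLE can never start a correlation by accident.
type=PairWithWindow
ptype=RegExp
pattern=^(\S+)\s+SAMPLE:(\S+)\s+(.*)
context=_INTERNAL_EVENT
desc=SAMPLE from $1 awaiting SAMPLE1
action=write - no second stage after $1 SAMPLE:$2 within 300s
ptype2=RegExp
pattern2=^(\S+)\s+SAMPLE1:(\S+)\s+(.*)
context2=_INTERNAL_EVENT
desc2=SAMPLE from %1 paired with SAMPLE1 from $1
action2=event 0 CORR:SAMPLE+SAMPLE1 %1 %3 | $1 $3
window=300

# Layer 3: consume the CORR event and hand it to the DB insert step.
# insert-corr.sh is a hypothetical script (reads the event on stdin), standing
# in for the database integration shown in the SEC tutorial.
type=Single
ptype=RegExp
pattern=^CORR:(\S+)\s+(.*)
context=_INTERNAL_EVENT
desc=store correlated chain $1
action=pipe '$0' /usr/local/bin/insert-corr.sh
```

In action2 the %1/%3 variables carry the match groups of the first event and $1/$3 those of the second, so the CORR line records both hosts and both alert texts.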