could the jump rules and option rules be used for event correlating?
On Sunday, February 23, 2014 8:23 PM, Risto Vaarandi <[email protected]> wrote:
2014-02-23 9:39 GMT+02:00 Rolf Nufable <[email protected]>:
Sir, I think the Jump and Options commands are not a good option for correlating;
any other tips for chaining rules for correlation?
Jump and Options rules are currently the only options for setting up rule
hierarchies. Defined rule hierarchies are very similar to Linux iptables rule
chains, which allow for arranging rules in a much more cost-efficient way. If
you don't like a hierarchical setup, you have to keep the setup you currently
have: flat rule sequences which process both raw and synthetic events. If you
would like to define filters for synthetic events in flat rule sequences, you
could use the --intcontexts command line flag, which forces SEC to create
internal contexts for different types of input events. Your filters could then
check for the presence of relevant contexts (see
http://simple-evcorr.sourceforge.net/man.html#lbAZ).
BR, risto
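As an added worked example (not code from the thread or from the SEC project), the two rule files below put both of Risto's suggestions to work on Rolf's three-stage snort case. A Jump rule in main.conf routes raw snort alerts into a rule set of their own, whose Options rule (procallin=no) keeps that set from seeing anything that was not passed in by the Jump; the correlated result is emitted as a synthetic event and picked up back in main.conf by a rule that requires the _SYNTHETIC_EVENT context that --intcontexts creates, so raw alert text can never trigger the database insert. The stages themselves are keyed on the attacker/victim address pair with dynamic contexts instead of desc=$0, so a stage-2 alert from a different source cannot complete a stage-1 operation, and each context lifetime is the time limit for the next stage. The snort fast-alert lines in the comments are constructed for this example, the signature ids 1000001-1000003 are placeholders rather than real snort rules, and /usr/local/bin/insert_attack.sh is a hypothetical loader script standing in for the psql pipe used in the SEC tutorial.

```text
# ---- main.conf: top of the hierarchy, sees every input line ----
# Run with (SEC 2.7 or later, for cfset/joincfset):
#   sec --conf=main.conf --conf=snort.conf --input=/var/log/snort/alert --intcontexts
#
# Constructed snort fast-alert lines this example is written against
# (the signature ids 1000001-1000003 are placeholders, not real snort rules):
#   11/22-10:05:08.000000  [**] [1:1000001:1] LOCAL SCAN portsweep [**] [Priority: 2] {TCP} 10.0.0.5:44444 -> 192.168.1.10:22
#   11/22-10:06:10.000000  [**] [1:1000002:1] LOCAL EXPLOIT attempt [**] [Priority: 1] {TCP} 10.0.0.5:44445 -> 192.168.1.10:80
#   11/22-10:07:30.000000  [**] [1:1000003:1] LOCAL POLICY outbound shell [**] [Priority: 1] {TCP} 192.168.1.10:51000 -> 10.0.0.5:4444

# Raw snort alerts are handed to the "snort" rule set and go no further here.
# !_SYNTHETIC_EVENT (a context --intcontexts creates while a synthetic event
# is processed) keeps events produced by 'event' actions out of that set.
type=Jump
ptype=RegExp
pattern=\[\*\*\] \[\d+:\d+:\d+\]
context=!_SYNTHETIC_EVENT
desc=route snort alerts to the snort rule set
cfset=snort

# The correlated result comes back as a synthetic event and is stored from
# here. insert_attack.sh is a hypothetical loader (reads one line on stdin)
# that stands in for the psql pipe used in the SEC tutorial.
type=Single
ptype=RegExp
pattern=^MULTISTAGE attacker=(\S+) victim=(\S+)$
context=_SYNTHETIC_EVENT
desc=store multistage attack $1 -> $2
action=pipe 'MULTISTAGE attacker=$1 victim=$2 at %t' /usr/local/bin/insert_attack.sh

# ---- snort.conf: member of rule set "snort"; procallin=no means it only
# ---- receives events passed in by the Jump rule, never input directly ----
type=Options
procallin=no
joincfset=snort

# Stage 1: a scan from $1 to $2 opens a 600 s window for that address pair.
type=Single
ptype=RegExp
pattern=\[1:1000001:\d+\] LOCAL SCAN .*\{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+
desc=scan from $1 to $2
action=create SCAN_$1_$2 600

# Stage 2: an exploit attempt for the same pair counts only while SCAN_*
# for that pair exists; the state is moved on to the next stage, not kept.
type=Single
ptype=RegExp
pattern=\[1:1000002:\d+\] LOCAL EXPLOIT .*\{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+
context=SCAN_$1_$2
desc=exploit after scan from $1 to $2
action=delete SCAN_$1_$2; create EXPLOIT_$1_$2 600

# Stage 3: the victim ($1) connecting back to the attacker ($2) closes the
# chain, so the context name is looked up with the addresses reversed.
type=Single
ptype=RegExp
pattern=\[1:1000003:\d+\] LOCAL POLICY .*\{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+
context=EXPLOIT_$2_$1
desc=callback from $1 to $2 after scan and exploit
action=delete EXPLOIT_$2_$1; event 0 MULTISTAGE attacker=$2 victim=$1
```

Two things to check when adapting this: without --intcontexts the _SYNTHETIC_EVENT context never exists, so the storing rule in main.conf would never fire, and the 600 s lifetime on each created context is what bounds the gap between stages, so a stage-2 or stage-3 alert arriving after the previous context has expired simply falls through with no match.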
>Currently I've achieved a 2-layer correlation with the rules I'm using,
>e.g.
>
>nov 22 10-05-08 foohost foo bar
>nov 23 10-05-08 foohost1 foo bar
>
># rule 1
>type=Single
>ptype=RegExp
># the host group was written as \(foohost), an unbalanced escaped paren
>pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
>continue=TakeNext
>desc=$0
># %t is SEC's timestamp variable; $t is not substituted
>action=event 0 $1 SAMPLE:foo exit on signal $2 at %t
>
># rule 2
>type=Single
>ptype=RegExp
>pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
>continue=TakeNext
>desc=$0
>action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t
>
># correlation rule
>type=PairWithWindow
>ptype=RegExp
>pattern=^(\S+)\s+(SAMPLE):(\S+)\s+(.*)
>continue=TakeNext
>desc=$0
>action=write example
>ptype2=RegExp
>pattern2=^(\S+)\s+(SAMPLE1):(\S+)\s+(.*)
>desc2=$0
># placeholder: write takes a file name, replace with the database pipe action
>action2=write (in database CORR:sample+sample1)
>window=300
>
>result : CORR: SAMPLE+SAMPLE1 (their content)
>
>On Saturday, February 22, 2014 4:36 PM, Rolf Nufable
><[email protected]> wrote:
>
>Sir
>
>
>My main objective is to correlate events from snort which are assumed to be
>phases of multi-stage attacks and enter them into a database for processing
>
>
>Currently I've achieved a 2-layer correlation with the rules I'm using,
>e.g.
>
>nov 22 10-05-08 foohost foo bar
>nov 23 10-05-08 foohost1 foo bar
>
># rule 1
>type=Single
>ptype=RegExp
># the host group was written as \(foohost), an unbalanced escaped paren
>pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
>continue=TakeNext
>desc=$0
># %t is SEC's timestamp variable; $t is not substituted
>action=event 0 $1 SAMPLE:foo exit on signal $2 at %t
>
># rule 2
>type=Single
>ptype=RegExp
>pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
>continue=TakeNext
>desc=$0
>action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t
>
># correlation rule
>type=PairWithWindow
>ptype=RegExp
>pattern=^(\S+)\s+(SAMPLE):(\S+)\s+(.*)
>continue=TakeNext
>desc=$0
>action=write example
>ptype2=RegExp
>pattern2=^(\S+)\s+(SAMPLE1):(\S+)\s+(.*)
>desc2=$0
># placeholder: write takes a file name, replace with the database pipe action
>action2=write (in database CORR:sample+sample1)
>window=300
>
>result : CORR: SAMPLE+SAMPLE1 (their content)
>
>
>Currently I'm trying the same method and adding another layer to the
>correlation, but it doesn't work. Any tips, sir, that can help me solve this?
>
>On , Rolf Nufable <[email protected]> wrote:
>
>I want to correlate them then insert the snort alerts/events to a database
>
>
>sorry for the late reply
>
>
>
>On Monday, February 10, 2014 12:52 PM, David Lang <[email protected]> wrote:
>
>On Sat, 8 Feb 2014, Rolf Nufable wrote:
>
>
>> is it possible to link 3 configuration files for correlation?
>>
>> like in this example it used 2 configuration files to correlate and insert
>> it to the database
>>
>> http://simple-evcorr.sourceforge.net/SEC-tutorial/article-part2.html#DATABASEINTEGRATION
>>
>>
>> My goal is to correlate event from snort and be able to correlate using 3
>> successive trigger of rules
>> and then insert it to a database for processing
>>
>> please help me I'm kinda lost
>
>it's not clear why you are saying you need separate configuration files.
>
>can you back up a little bit and explain what you are trying to do
>
>you want to see a particular message from snort, then do what?
>
>David Lang
>
>_______________________________________________
>Simple-evcorr-users mailing list
>[email protected]
>https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users