Hi Risto,

Greetings!

I would like to get your suggestions on event correlation upon aggregation.
The rule set below aggregates events with whitelisting criteria.



---------------------------------------------------------------------------

# On startup, rebuild the WL context and replay the whitelist file as a
# synthetic event (one line per entry) visible only under the Whitelist context
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
desc=load blacklist
action=logonly; delete WL; create WL; \
        lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
        cevent Whitelist 0 %events

# Each replayed line ($0) becomes an alias WL_<line> of the WL context
type=Single
ptype=RegExp
pattern=.
context=Whitelist
desc=create a whitelist entry
action=logonly; alias WL WL_$0

# Forward an IDS alert unless its attack name ($2) is whitelisted; repeats
# with the same desc are suppressed for 300 seconds.
# The pipe action takes the shell command directly after the event string;
# a '|' between them is handed to the shell and makes the command fail.
type=SingleWithSuppress
ptype=RegExp
context=!WL_$2
pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
desc=Suppressed $2 Security Alert towards $1
action=pipe '<5>$0' nc syslog01 514
window=300

---------------------------------------------------------------------------



Now, will a "pairwithwindow" rule on top of this help me achieve correlation
based on the Dst. IP ($1) field from the IDS logs with Threat Intel IPs (which
are stored in a file)?

The conditions to meet are:

Condition 1: Need to forward the aggregated + correlated log to an external
syslog server.

Condition 2: If the correlation does not match, just the aggregated log should
be forwarded to the external syslog server.

Please suggest best practices.



Regards,

Santhosh S
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
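An added example (not from the original message or from SEC's own rule files) of one way to meet both conditions without PairWithWindow: the threat-intel IP list is loaded into aliases of a TI context at startup, exactly as WL is loaded above, and the forwarding rule's context expression decides which of the two outputs is sent. The file path /usr/local/bin/sec-rules/threat_intel_ips.txt, the TI/ThreatIntel context names and the CORRELATED tag are assumptions; SEC_STARTUP events are only generated when sec runs with --intevents.

```ini
# Load the threat-intel IPs (one per line, assumed file path) into aliases of
# the TI context, mirroring the WL loading rule; needs sec --intevents
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
desc=load threat intel IP list
action=logonly; delete TI; create TI; \
        lcall %ips -> (sub{scalar `cat /usr/local/bin/sec-rules/threat_intel_ips.txt`}); \
        cevent ThreatIntel 0 %ips

# Each non-blank replayed line becomes an alias TI_<ip> of the TI context
type=Single
ptype=RegExp
pattern=^\s*(\S+)\s*$
context=ThreatIntel
desc=create a threat intel entry
action=logonly; alias TI TI_$1

# Condition 1: attack name not whitelisted AND dst IP is on the list ->
# forward the alert tagged as correlated (tag format is an assumption)
type=SingleWithSuppress
ptype=RegExp
pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
context=!WL_$2 && TI_$1
desc=Correlated $2 Security Alert towards threat intel host $1
action=pipe '<5>CORRELATED ti_dst=$1 $0' nc syslog01 514
window=300

# Condition 2: attack name not whitelisted AND dst IP not on the list ->
# forward the aggregated alert unchanged, as the original rule does
type=SingleWithSuppress
ptype=RegExp
pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
context=!WL_$2 && !TI_$1
desc=Suppressed $2 Security Alert towards $1
action=pipe '<5>$0' nc syslog01 514
window=300
```

Because the two rules have different desc values, each keeps its own 300-second suppression window, so a host that appears on the list mid-window is reported under the correlated desc at once rather than being suppressed by the earlier plain alert.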