AlienVault Unified Security Management™ Solution: Complete. Simple. Affordable
Customizing Correlation Directives or Cross Correlation Rules
AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.
AlienVault Unified Security Management ™ Solution Customizing Correlation Directives or Cross Correlation Rules
Introduction
In the Correlation Reference Guide we explain what correlation is and how it works in AlienVault Unified Security Management™ (USM™). We also describe the AlienVault USM web interfaces for Correlation directives and Cross Correlation rules. In this document, we focus on how to customize Correlation directives or Cross Correlation rules in USM.
This document covers:
Customizing Correlation Directives
Customizing Cross Correlation Rules

Customizing Correlation Directives

Modifying a Built-in Directive
By default, AlienVault USM comes with over 2,000 built-in directives. They are written by the researchers in AlienVault Labs, who research global threats and vulnerabilities every day. It is highly recommended that you learn how these directives are configured first, and then tailor them to your specific needs. For example, you might want to detect dropped packets going to a single host on a firewall. If you take a look at the built-in directives, you will see that such a directive exists, which detects dropped packets on the Cisco PIX firewall. However, in order to detect dropped packets on a different firewall, for instance the Fortinet FortiGate firewall, you will need to customize the directive. In this section, we use this example to show the steps required to modify a built-in directive. It involves the following 4 tasks:
Figure 1. Procedures for modifying a built-in directive.
DC-00164
Edition 01
Copyright© 2015 AlienVault. All rights reserved.
Page 2 of 12
Task 1: Clone an existing directive
Task 2: Edit directive global properties
Task 3: Edit correlation rules
Task 4: Restart Server
Task 1: Clone an existing directive
To clone an existing directive,
1. Navigate to Configuration > Threat Intelligence > Directives.
2. Type ‘packets’ in the search box to search for the appropriate directive.
3. Scroll down on the page to find the directive titled “AV Network attack, too many dropped inbound packets from DST_IP”.
4. Click the Clone icon to clone the directive.
5. Confirm that you wish to clone the directive by clicking YES when prompted.
6. The cloned directive appears in the User Contributed category.
Figure 2. Cloning a directive.
Note: By default, USM disables the built-in directive automatically once it is cloned. If you want both to be working at the same time, make sure to enable the built-in directive as well.
Task 2: Edit directive global properties
To edit the cloned directive,
1. Click the Edit icon to the left of the directive.
2. A new window appears displaying the global properties of the directive.
3. Change the name to “AV Network attack, too many dropped on Fortigate”.
4. Optionally, modify the taxonomy and priority of the directive as well.
5. Click SAVE. You may need to scroll down to reveal the button.
Figure 3. Editing a directive's global properties.
Task 3: Edit correlation rules
Now, you need to edit the correlation rules so that they match events from the Fortinet FortiGate firewall. To do so,
1. Click the black triangle to the left of the directive to display the correlation rules.
2. In the first rule (first line in the table), under the Data Source column, click the green + (plus) sign to the left of cisco-pix. The Rule Data Source Configuration window displays.
3. Type ‘fortigate’ in the search box to find the Fortigate plugin.
4. Click the blue Fortigate box to select that plugin. The Plugin Signatures screen displays.
5. Type ‘drop’ to search for the event type(s) that detect dropped packets. You should see 3 - Fortigate: Drop Forbidden Traffic listed in the right column.
6. Click the + (plus) sign to the right of the event type, or click Add all, to confirm your selection. The event type moves to the left column.
7. Click Finish.
Repeat step #2 to #6 for all the rules in the directive. Note that there is no Finish button as stated in step #7; click the Selected from List button instead. The final directive should look like Figure 4:
Figure 4. Custom directive – AV Network attack, too many dropped on Fortigate.
You may edit other attributes of the correlation rules. Some attributes, such as NAME, RELIABILITY, TIMEOUT, and OCCURRENCE are changed by clicking the value, making the changes inline, and then clicking OK. Other attributes, such as FROM, TO, DATA SOURCE, and EVENT TYPE, are changed by clicking the green + (plus) sign, then making the selection from the resulting screen.
Task 4: Restart Server Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by clicking YES when prompted.
Figure 5. Restart Server restarts the ossim-server process.
Creating a New Directive
In Modifying a Built-in Directive, we describe how to modify an existing Correlation Directive provided by AlienVault Labs. But sometimes you may find that none of the built-in directives work in your environment because they do not have the correct condition defined. In this case, you can create a new directive from scratch. Let’s see how it works by going through an example. In this example, we will create a custom directive to detect a Denial of Service (DoS) attack that seeks to exhaust a service running on TCP port 139 on a specific server. Such an attack may be indicated by many connections from a single host (possibly with bad reputation) to the destination server on port 139. Firewall events can be checked for connections to the server by using a detector type data source plugin. Once the correlation engine detects that the number of connections is dangerously high, you can also use a monitor type data source plugin to discover whether the service on the server is still up. Figure 6 shows the four correlation levels that will be used by the directive. The first three correlation rules check the number of connections to the server using a detector type data source plugin. The last correlation rule checks whether the service is still up on the server by using a monitor type data source plugin. Every time a rule in the correlation directive is met, the reliability of the directive event increases, thus increasing the risk of the detected event.
Correlation Level 1: 1 ACCEPT CONN event from the firewall, port 139, source A
Correlation Level 2: 100 ACCEPT CONN events from the firewall, port 139, source A
Correlation Level 3: 1,000 ACCEPT CONN events from the firewall, port 139, source A
Correlation Level 4: Is the service still up?
Figure 6. Correlation levels used by the sample directive.
Creating this directive involves the following 6 tasks:
Task 1: Create a new directive
Task 2: Add a level 1 rule
Task 3: Add a level 2 rule
Task 4: Repeat Task 3 as needed
Task 5: Add the last rule
Task 6: Restart Server
Figure 7. Procedures for creating a new directive.
Task 1: Create a new directive
To create a new directive:
1. Navigate to Configuration > Threat Intelligence > Directives.
2. Click the New Directive button.
3. A new window displays as shown in Figure 8.
4. For Name for the directive, enter ‘DoS Attack at NetBIOS’.
5. Enter the Taxonomy:
   a. For Intent, select ‘Delivery & Attack’.
   b. For Strategy, select ‘Denial of Service – Resource exhaustion’.
   c. For Method, enter ‘Attack’.
6. Leave the Priority at the default value: 3.
7. Click Next.
8. The New Directive window displays.
9. Proceed to Task 2.
Figure 8. Creating a new directive.
Task 2: Add a level 1 rule
This task adds a level 1 rule, where we try to match one Cisco ASA access permitted event on a particular server on port 139. To add this rule, continue from Task 1 in the New Directive window.
1. On the Rule name screen, enter a name for the rule. For example, ‘Established connections’. Click NEXT.
2. On the Rule name > Plugin screen,
   a. Type ‘cisco-asa’ in the search box to find the Cisco-ASA plugin.
   b. Click the blue Cisco-ASA box to select that plugin.
3. On the Rule name > Plugin > Event Type screen,
   a. Type ‘permitted’ to search for access permitted events, such as ‘106102 – ASA: A packet was either permitted or denied by an acces…’ and ‘710002 – ASA: access permitted’.
   b. Click the + (plus) sign next to the individual event types. They move to the left column.
   c. Click NEXT.
4. On the Rule name > Plugin > Event Type > Network screen,
   a. Leave Source Host / Network and Source Port(s) empty, which means ANY asset.
   b. In the Destination Host / Network area, choose your server from the Assets list by clicking it. It appears in the Destination box.
   c. In the box for Destination Port(s), enter 139.
   d. Click NEXT.
5. On the Rule name > Plugin > Event Type > Network > Reliability screen,
   a. Select a Reliability value (from 0 to 10) by clicking the blue square with the appropriate number. In this example, we use 1. The reliability value is low because you don’t want to generate false alarms.
   b. Click Finish.
   c. The New Directive window closes.
Task 3: Add a level 2 rule
In this task, we try to match the same events matched by the level 1 rule. We want to make sure to use 1) the same event types; 2) the same source and destination IP addresses; and 3) the same destination port that were used in the level 1 rule. The difference is that we want to detect 100 such events this time. To do that, we add a level 2 rule.
1. Click the green + (plus) sign at the right side of the first rule under the ACTION heading.
2. The New Rule window displays.
3. Follow step #1 and #2 in Task 2.
4. On the Rule name > Plugin > Event Type screen, click the button that reads Plugin SID from rule of Level 1. This selects the same event types as in the level 1 rule.
5. On the Rule name > Plugin > Event Type > Network screen,
   a. For Source Host / Network, in the From a parent rule dropdown, select ‘Source IP from level 1’.
   b. Leave the Source Port(s) empty.
   c. For Destination Host / Network, in the From a parent rule dropdown, select ‘Destination IP from level 1’.
   d. For Destination Port(s), in the From a parent rule dropdown, select ‘Destination Port from level 1’.
   e. Click NEXT.
Figure 9. Selecting source and destination IP from level 1.
6. On the Rule name > Plugin > Event Type > Network > Reliability screen,
   a. Either select an absolute (left column) or relative value (right column). If a relative value is selected, the value is added to the reliability of the previous rule. In this example, we use +2.
   b. Click Finish.
   c. The New Directive window closes.
7. Change the Timeout value. Click the original value to turn on editing. Enter 30 (seconds), and click OK.
8. Similarly, change the Occurrence to 100.
Figure 10. Modifying the occurrence value to 100.
Task 4: Repeat Task 3 as needed
This task can be repeated as many times as necessary. In this example, we want to add one more rule (level 3) to detect the same events as in the previous rule but with 1000 occurrences. Repeat Task 3, except that in step #1 you click the first + (plus) sign at the right side of the previous rule under the ACTION heading, and in step #7 you change the Occurrence to 1000 instead.
Task 5: Add the last rule
In the last rule for this example, we use a monitor type data source plugin to check whether the service is still up after a suspected attack.
1. Click the + (plus) sign at the right side of the third rule to add a child rule.
2. Enter a name for this rule, such as ‘Service Up’.
3. On the Rule name > Plugin screen,
   a. Type ‘nmap’ in the search box to find the NMAP-Monitor plugin.
   b. Click the blue NMAP-Monitor box to select that plugin.
4. On the Rule name > Plugin > Event Type screen, choose ‘TCP Port closed’. It checks whether a TCP port on a destination server is closed or not responding to requests.
5. Click SELECTED FROM LIST.
6. Repeat Step #4 to #7 in Task 3, but use +6 for the reliability value, 1 for timeout and 3 for occurrence.
In a rule that uses a monitor type data source plugin, the timeout and occurrence values have different meanings. The timeout value defines how many seconds the plugin will wait to receive a response from the destination to which the request was sent. Occurrence specifies how many times the request will be sent. In our example, the timeout is set to 1 second and the occurrence is set to 3. This means that three (Is the TCP port closed?) requests will be sent to the destination server, and if a response to these requests is not received within 1 second, the rule will be matched and the reliability of the directive will be increased by 6.
Figure 11. The final directive with 4 rules.
Task 6: Restart Server Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by clicking YES when prompted.
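The rule semantics from Tasks 2 to 5 (occurrence, timeout, relative reliability, fields inherited from level 1, and the different meaning of timeout and occurrence for a monitor rule), as an added example that is not AlienVault's or ossim-server's code. It assumes a 0-10 reliability cap, a server address of 10.0.0.5, a constructed event stream, and a stand-in probe function in place of the NMAP-Monitor plugin.

```python
# Added example, not AlienVault code: toy model of the four-level directive above.
from dataclasses import dataclass
RELIABILITY_MAX = 10  # assumed: the 0-10 range the Reliability screen offers

@dataclass
class Rule:
    name: str
    occurrence: int    # detector: events needed; monitor: probes sent
    timeout: float     # detector: seconds to wait for them; monitor: seconds per probe
    reliability: int   # level 1: absolute value; later levels: relative (+n)
    monitor: bool = False

DIRECTIVE = [
    Rule("Established connections", 1, 0, 1),
    Rule("100 connections", 100, 30, 2),
    Rule("1000 connections", 1000, 30, 2),
    Rule("Service Up", 3, 1, 6, monitor=True),
]

def run_directive(events, probe, server="10.0.0.5", port=139):
    """events: (t_seconds, src_ip, dst_ip, dst_port) ACCEPT CONN events in time
    order; probe(timeout) -> True if the port answered within that many seconds.
    Returns (levels matched, final reliability)."""
    first = next((e for e in events if e[2] == server and e[3] == port), None)
    if first is None:
        return 0, 0
    t_match, key = first[0], first[1:]        # level 1: remember src, dst, port
    matched, reliability = 1, DIRECTIVE[0].reliability
    for rule in DIRECTIVE[1:]:
        if rule.monitor:
            # Assumed reading of the text: the rule fires only when none of the
            # `occurrence` probes is answered within `timeout` seconds.
            if any(probe(rule.timeout) for _ in range(rule.occurrence)):
                break
        else:
            # Only events inheriting src/dst/port from level 1, inside the
            # timeout window that opened when the parent rule matched.
            window = [e for e in events
                      if e[1:] == key and t_match < e[0] <= t_match + rule.timeout]
            if len(window) < rule.occurrence:
                break                          # the directive times out here
            t_match = window[rule.occurrence - 1][0]
        matched += 1
        reliability = min(RELIABILITY_MAX, reliability + rule.reliability)
    return matched, reliability

# Constructed flood: one host opens 1,200 connections to port 139 in 20 s.
FLOOD = [(i * 0.0166, "203.0.113.7", "10.0.0.5", 139) for i in range(1200)]
def demo():
    return run_directive(FLOOD, probe=lambda timeout: False)
```

With the port unresponsive, all four levels match and reliability climbs 1, 3, 5, 10 (capped); if the probe answers, the directive stops at level 3 with reliability 5.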
Customizing Cross Correlation Rules
Similar to Correlation Directives, you can customize Cross Correlation rules as well. Even though the web interface gives the impression that you can cross-correlate events from any data source with those from any other data source, in practice you can only correlate IDS events with vulnerabilities that are detected by the AlienVault Vulnerability Scanner.
Creating a Cross Correlation Rule
To create a new Cross Correlation rule,
1. Click NEW.
2. Select the Data Source Name, such as snort as shown in the example below.
3. Select the Reference Data Source Name, such as nessus-detector in the example.
4. Select the Event Type of the data source entered in step #2. For example, snort: “MySQL root login attempt”.
5. Select the Reference SID Name of the reference data source entered in step #3. For example, nessus: “MySQL weak password”.
6. Click CREATE RULE. Or, click BACK if you want to discard the changes.
This custom rule is matched if the AlienVault IDS Engine detects a MySQL root login attempt against a host that has the MySQL weak password vulnerability.
Figure 12. Creating a Cross Correlation rule.
Modifying a Cross Correlation Rule
To edit an existing Cross Correlation rule,
1. Locate the desired Cross Correlation rule and click on it. The entire row changes to light blue.
2. Click MODIFY.
3. Change any of the four fields as needed.
4. Click SAVE RULE to save the changes. Or, click BACK if you want to discard the changes.

Deleting a Cross Correlation Rule
To delete a Cross Correlation rule,
1. Locate the desired Cross Correlation rule and click on it. The entire row changes to light blue.
2. Click DELETE SELECTED.
Important: Use this button with caution because the web interface will not ask you to confirm the deletion.