AlienVault Correlation Customization


8/18/2019 AlienVault Correlation Customization

AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.

AlienVault Unified Security Management™ Solution

Complete. Simple. Affordable.

Customizing Correlation Directives or Cross Correlation Rules


DC-00164 Edition 01. Copyright © 2015 AlienVault. All rights reserved.

    Introduction

In the Correlation Reference Guide (https://www.alienvault.com/doc-repo/usm/security-intelligence/AlienVault_Correlation_Reference_Guide.pdf) we explain what correlation is and how it works in AlienVault Unified Security Management™ (USM™). We also describe the AlienVault USM web interfaces for Correlation directives and Cross Correlation rules. In this document, we focus on how to customize Correlation directives and Cross Correlation rules in USM.

  • Customizing Correlation Directives
  • Customizing Cross Correlation Rules

    Customizing Correlation Directives

Modifying a Built-in Directive

By default, AlienVault USM comes with over 2,000 built-in directives. They are written by the researchers in AlienVault Labs, who research global threats and vulnerabilities every day. It is highly recommended that you learn how these directives are configured first, and then tailor them to your specific needs.

For example, you might want to detect dropped packets going to a single host on a firewall. If you take a look at the built-in directives, you will see that such a directive already exists: it detects dropped packets on the Cisco PIX firewall. To detect dropped packets on a different firewall, for instance the Fortinet FortiGate firewall, you need to customize that directive.

In this section, we use this example to show the steps required to modify a built-in directive. It involves the following four tasks:

  Task 1: Clone an existing directive
  Task 2: Edit directive global properties
  Task 3: Edit correlation rules
  Task 4: Restart Server

Figure 1. Procedures for modifying a built-in directive.

    Task 1: Clone an existing directive

To clone an existing directive,

1. Navigate to Configuration > Threat Intelligence > Directives.
2. Type ‘packets’ in the search box to search for the appropriate directive.
3. Scroll down on the page to find the directive titled “AV Network attack, too many dropped inbound packets from DST_IP”.
4. Click the Clone icon to clone the directive.
5. Confirm that you wish to clone the directive by clicking YES when prompted.
6. The cloned directive appears in the User Contributed category.

    Figure 2. Cloning a directive. 

    Task 2: Edit directive global properties 

To edit the cloned directive,

1. Click the Edit icon to the left of the directive.
2. A new window appears displaying the global properties of the directive.
3. Change the name to “AV Network attack, too many dropped on Fortigate”.
4. Optionally, modify the taxonomy and priority of the directive as well.
5. Click SAVE. You may need to scroll down to reveal the button.

Note: By default, USM disables the built-in directive automatically once it is cloned. If you want both to be active at the same time, make sure to enable the built-in directive as well.


You may edit other attributes of the correlation rules. Some attributes, such as NAME, RELIABILITY, TIMEOUT, and OCCURRENCE, are changed by clicking the value, making the change inline, and then clicking OK. Other attributes, such as FROM, TO, DATA SOURCE, and EVENT TYPE, are changed by clicking the green + (plus) sign and then making the selection on the resulting screen. For the FortiGate example, this means replacing the DATA SOURCE and EVENT TYPE of each rule, which still point at the Cisco PIX plugin and its dropped-packet event types, with the FortiGate plugin and its corresponding event types.

    Task 4: Restart Server

Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by clicking YES when prompted. Until the server is restarted, the correlation engine keeps running the previously loaded directives.

Figure 5. Restart Server restarts the ossim-server process.

    Creating a New Directive 

In Modifying a Built-in Directive, we describe how to modify an existing Correlation Directive provided by AlienVault Labs. Sometimes, however, none of the built-in directives works in your environment because they do not define the condition you need. In this case, you can create a new directive from scratch. Let’s see how it works by going through an example.

In this example, we create a custom directive to detect a Denial of Service (DoS) attack that seeks to exhaust a service running on TCP port 139 on a specific server. Such an attack may be indicated by many connections from a single host (possibly one with a bad reputation) to the destination server on port 139. Firewall events can be checked for connections to the server by using a detector type data source plugin. Once the correlation engine detects that the number of connections is dangerously high, you can also use a monitor type data source plugin to discover whether the service on the server is still up.

Figure 6 shows the four correlation levels that will be used by the directive. The first three correlation rules check the number of connections to the server using a detector type data source plugin. The last correlation rule checks whether the service is still up on the server by using a monitor type data source plugin. Every time a rule in the correlation directive is met, the reliability of the directive event increases, which in turn increases the risk of the detected event.

    Figure 6. Correlation levels used by the sample directive.

Creating this directive involves the following six tasks:

Task 1: Create a new directive
Task 2: Add a level 1 rule
Task 3: Add a level 2 rule
Task 4: Repeat Task 3 as needed
Task 5: Add the last rule
Task 6: Restart Server

Figure 6 (content):
  Correlation Level 1: 1 ACCEPT CONN event from the firewall, port 139, source A
  Correlation Level 2: 100 ACCEPT CONN events from the firewall, port 139, source A
  Correlation Level 3: 1,000 ACCEPT CONN events from the firewall, port 139, source A
  Correlation Level 4: Is the service still up?


    Figure 7. Procedures for creating a new directive. 

    Task 1: Create a new directive 

    To create a new directive:

1. Navigate to Configuration > Threat Intelligence > Directives.
2. Click the New Directive button.
3. A new window displays, as shown in Figure 8.
4. For Name for the directive, enter ‘DoS Attack at NetBIOS’.
5. Enter the Taxonomy:
   a. For Intent, select ‘Delivery & Attack’.
   b. For Strategy, select ‘Denial of Service – Resource exhaustion’.
   c. For Method, enter ‘Attack’.
6. Leave the Priority at the default value, 3.
7. Click Next.
8. The New Directive window displays.
9. Proceed to Task 2.


    Figure 8. Creating a new directive. 

    Task 2: Add a level 1 rule 

This task adds a level 1 rule that matches one Cisco ASA access permitted event on a particular server on port 139. To add this rule, continue from Task 1 in the New Directive window.

1. On the Rule name screen, enter a name for the rule, for example ‘Established connections’. Click NEXT.
2. On the Rule name > Plugin screen,
   a. Type ‘cisco-asa’ in the search box to find the Cisco-ASA plugin.
   b. Click the blue Cisco-ASA box to select that plugin.
3. On the Rule name > Plugin > Event Type screen,
   a. Type ‘permitted’ to search for access permitted events, such as ‘106102 – ASA: A packet was either permitted or denied by an acces…’ and ‘710002 – ASA: access permitted’.
   b. Click the + (plus) sign next to the individual event types. They move to the left column.
   c. Click NEXT.
4. On the Rule name > Plugin > Event Type > Network screen,
   a. Leave Source Host / Network and Source Port(s) empty, which means ANY asset.
   b. In the Destination Host / Network area, choose your server from the Assets list by clicking it. It appears in the Destination box.
   c. In the box for Destination Port(s), enter 139.
   d. Click NEXT.
5. On the Rule name > Plugin > Event Type > Network > Reliability screen,
   a. Select a Reliability value (from 0 to 10) by clicking the blue square with the appropriate number. In this example, we use 1. The reliability value is low because a single accepted connection is normal traffic and you do not want to generate false alarms.
   b. Click Finish.
   c. The New Directive window closes.

    Task 3: Add a level 2 rule 

In this task, we match the same events matched by the level 1 rule. We want to make sure to use 1) the same event types; 2) the same source and destination IP addresses; and 3) the same destination port that were used in the level 1 rule. The difference is that we want to detect 100 such events this time.

    To do that, we add a level 2 rule.

1. Click the green + (plus) sign at the right side of the first rule under the ACTION heading.
2. The New Rule window displays.
3. Follow steps #1 and #2 in Task 2.
4. On the Rule name > Plugin > Event Type screen, click the button that reads Plugin SID from rule of Level 1. This selects the same event types as in the level 1 rule.
5. On the Rule name > Plugin > Event Type > Network screen,
   a. For Source Host / Network, in the From a parent rule dropdown, select ‘Source IP from level 1’.
   b. Leave the Source Port(s) empty.
   c. For Destination Host / Network, in the From a parent rule dropdown, select ‘Destination IP from level 1’.
   d. For Destination Port(s), in the From a parent rule dropdown, select ‘Destination Port from level 1’.
   e. Click NEXT.

Figure 9. Selecting source and destination IP from level 1.

6. On the Rule name > Plugin > Event Type > Network > Reliability screen,
   a. Either select an absolute value (left column) or a relative value (right column). If a relative value is selected, it is added to the reliability of the previous rule. In this example, we use +2.
   b. Click Finish.
   c. The New Directive window closes.
7. Change the Timeout value. Click the original value to turn on editing, enter 30 (seconds), and click OK. The timeout is the window, counted from the moment the parent rule matched, within which the required occurrences must arrive; if it expires first, the directive instance is discarded.
8. Similarly, change the Occurrence to 100.

    Figure 10. Modifying the occurrence value to 100.

Task 4: Repeat Task 3 as needed

This task can be repeated as many times as necessary. In this example, we add one more rule (level 3) to detect the same events as in the previous rule, but with 1000 occurrences.

Repeat Task 3, except that in step #1 you click the + (plus) sign at the right side of the previous (level 2) rule under the ACTION heading, and in step #8 you change the Occurrence to 1000 instead.

    Task 5: Add the last rule 

In the last rule for this example, we use a monitor type data source plugin to check whether the service is still up after a suspected attack.

1. Click the + (plus) sign at the right side of the third rule to add a child rule.
2. Enter a name for this rule, such as ‘Service Up’.
3. On the Rule name > Plugin screen,
   a. Type ‘nmap’ in the search box to find the NMAP-Monitor plugin.
   b. Click the blue NMAP-Monitor box to select that plugin.
4. On the Rule name > Plugin > Event Type screen, choose ‘TCP Port closed’. It checks whether a TCP port on the destination server is closed or not responding to requests.
5. Click SELECTED FROM LIST.
6. Repeat steps #5 to #8 in Task 3, but use +6 for the reliability value, 1 for the timeout and 3 for the occurrence.


In a rule that uses a monitor type data source plugin, the timeout and occurrence values have different meanings. The timeout value defines how many seconds the plugin waits to receive a response from the destination to which the request was sent. Occurrence specifies how many times the request is sent.

In our example, the timeout is set to 1 second and the occurrence to 3. This means that three “Is the TCP port closed?” requests are sent to the destination server, and if no response to these requests is received within 1 second, the rule is matched and the reliability of the directive is increased by 6. Because this is an active probe from the sensor, a filtered port or a sensor that cannot reach the server also counts as no response, so verify the probe against the healthy server before relying on the extra +6.

Figure 11. The final directive with 4 rules.

    Task 6: Restart Server  

Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by clicking YES when prompted.
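As an added example (not code from this AlienVault document or from the USM product), the following Python script replays the four-level directive built in Tasks 1 to 6 over constructed firewall events, so you can see how occurrence, timeout, the level-1 references (Source IP, Destination IP and Destination Port from level 1) and absolute versus relative reliability combine; these are the same attributes that Task 3 of Modifying a Built-in Directive edits inline. The embedded XML mirrors the form in which the server stores a directive; the Cisco-ASA plugin id 1636, the directive id 500000, the NMAP-Monitor plugin id 2007 and its ‘TCP Port closed’ SID 3, the condition/value attributes of the monitor rule, the server address 10.0.0.5 and the event sources are assumptions for illustration, and the risk formula asset * priority * reliability / 25 with an alarm at risk >= 1 comes from OSSIM's risk documentation, not from this page.

```python
"""Replay of the 'DoS Attack at NetBIOS' directive built in Tasks 1-6 against
constructed firewall events.  Added illustration, not AlienVault/OSSIM code.
Assumptions (not from the page): plugin_id 1636 = cisco-asa and 500000 as the
directive id, nmap-monitor plugin_id 2007 with 'TCP Port closed' SID 3 and the
monitor attributes condition/value as placeholders, server 10.0.0.5, and risk =
asset * priority * reliability / 25 with an alarm at risk >= 1 (OSSIM docs)."""
from collections import namedtuple
import xml.etree.ElementTree as ET

# The directive roughly as the web UI stores it in the server's directive XML.
DIRECTIVE_XML = """<directive id="500000" name="DoS Attack at NetBIOS" priority="3">
 <rule type="detector" name="Established connections" reliability="1" occurrence="1" from="ANY"
       to="10.0.0.5" port_from="ANY" port_to="139" plugin_id="1636" plugin_sid="106102,710002">
  <rules><rule type="detector" name="100 connections" reliability="+2" occurrence="100" time_out="30"
       from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT" plugin_id="1636" plugin_sid="1:PLUGIN_SID">
   <rules><rule type="detector" name="1000 connections" reliability="+2" occurrence="1000" time_out="30"
       from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT" plugin_id="1636" plugin_sid="1:PLUGIN_SID">
    <rules><rule type="monitor" name="Service Up" reliability="+6" occurrence="3" time_out="1"
       from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="1:DST_PORT" plugin_id="2007" plugin_sid="3"
       condition="eq" value="1"/></rules>
   </rule></rules>
  </rule></rules>
 </rule>
</directive>"""

# ts is seconds since the start of the replay; the rest mirrors a normalised firewall event.
Event = namedtuple("Event", "ts plugin_id sid src dst dport")

def _resolve(value, ctx):
    """'ANY' -> wildcard (None); 'N:FIELD' -> the value bound when level N matched; else literal."""
    if value is None or value == "ANY":
        return None
    level, _, field = value.partition(":")
    return ctx[int(level)][field] if level.isdigit() and field else value

def _matches(rule, ev, ctx):
    """Detector rule test on plugin, SID and FROM / TO / destination port (possibly inherited)."""
    sids = {int(s) for s in str(_resolve(rule.get("plugin_sid"), ctx)).split(",")}
    return (int(rule.get("plugin_id")) == ev.plugin_id and ev.sid in sids
            and _resolve(rule.get("from"), ctx) in (None, ev.src)
            and _resolve(rule.get("to"), ctx) in (None, ev.dst)
            and _resolve(rule.get("port_to"), ctx) in (None, str(ev.dport)))

def _reliability(spec, current):
    """'+2' is relative to the parent rule's reliability, '1' is absolute; capped at 10."""
    return min(10, current + int(spec) if spec.startswith("+") else int(spec))

def run_directive(xml_text, events, probe, asset_value=3):
    """Walk the directive level by level over time-ordered events.  probe(host, port, timeout)
    stands in for the monitor plugin and returns True when the port answered in time."""
    directive = ET.fromstring(xml_text)
    priority = int(directive.get("priority"))
    events = sorted(events, key=lambda e: e.ts)
    rule, ctx, reached, reliability, i = directive.find("rule"), {}, 0, 0, 0
    entered = events[0].ts if events else 0.0          # when the current level was entered
    while rule is not None:
        occurrence, time_out = int(rule.get("occurrence", "1")), float(rule.get("time_out", "inf"))
        if rule.get("type") == "monitor":
            host, port = _resolve(rule.get("to"), ctx), int(_resolve(rule.get("port_to"), ctx))
            # Send `occurrence` requests, each waiting `time_out` s; match only if none is answered.
            if any(probe(host, port, time_out) for _ in range(occurrence)):
                break
        else:
            count = 0
            while i < len(events) and count < occurrence:
                ev, i = events[i], i + 1
                if ev.ts - entered > time_out:             # window closed: this instance expires
                    break
                if _matches(rule, ev, ctx):
                    count += 1
                    if reached == 0:                       # level 1 binds what child rules refer to
                        ctx[1] = {"SRC_IP": ev.src, "DST_IP": ev.dst, "DST_PORT": str(ev.dport), "PLUGIN_SID": str(ev.sid)}
                    if count == occurrence:
                        entered = ev.ts                    # the child's time_out counts from here
            if count < occurrence:
                break
        reached += 1
        reliability = _reliability(rule.get("reliability"), reliability)
        rule = rule.find("rules/rule")                     # the directive is a single chain of levels
    risk = asset_value * priority * reliability / 25
    return {"level": reached, "reliability": reliability, "risk": risk, "alarm": risk >= 1}

def make_events(n=1101, stall_after=None, stall=40.0):
    """Constructed sample: host A opens n connections to 10.0.0.5:139, 10 ms apart, pausing for
    `stall` seconds after event `stall_after`; two unrelated events show the level-1 filtering."""
    flood = [Event(k * 0.01 + (stall if stall_after is not None and k > stall_after else 0.0),
                   1636, 710002, "198.51.100.7", "10.0.0.5", 139) for k in range(n)]
    noise = [Event(0.5, 1636, 710002, "203.0.113.9", "10.0.0.5", 139),
             Event(0.7, 1636, 106102, "198.51.100.7", "10.0.0.5", 445)]
    return flood + noise

if __name__ == "__main__":
    for label, probe in (("port silent", lambda h, p, t: False), ("port answers", lambda h, p, t: True)):
        print(label, run_directive(DIRECTIVE_XML, make_events(), probe))
    print("stalled flood", run_directive(DIRECTIVE_XML, make_events(stall_after=50), lambda h, p, t: False))
```

Run directly, the script prints three scenarios: a silent port (all four levels match, reliability 1 + 2 + 2 + 6 capped at 10, risk 3.6), an answering port (the monitor rule fails and the directive stops at level 3 with reliability 5), and a flood that stalls after 50 events so the 30-second window of the level 2 rule expires (the directive never leaves level 1 and the risk of 0.36 raises no alarm). The stalled case is the one to keep in mind when choosing timeouts: the window is counted from the parent rule's match, not from the most recent event.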

    Customizing Cross Correlation Rules

Similar to Correlation Directives, you can customize Cross Correlation rules as well. Even though the web interface gives the impression that you can cross-correlate events from any data source with those from any other data source, in practice you can only correlate IDS events with vulnerabilities that are detected by the AlienVault Vulnerability Scanner.

    Creating a Cross Correlation Rule

To create a new Cross Correlation rule,

1. Click NEW.
2. Select the Data Source Name, such as snort, as shown in the example below.
3. Select the Reference Data Source Name, such as nessus-detector in the example.
4. Select the Event Type of the data source entered in step #2. For example, snort: “MySQL root login attempt”.
5. Select the Reference SID Name of the reference data source entered in step #3. For example, nessus: “MySQL weak password”.
6. Click CREATE RULE. Or, click BACK if you want to discard the changes.

This custom rule is matched when the AlienVault IDS engine detects a MySQL root login attempt against a host on which the vulnerability scanner has found the MySQL weak password vulnerability.

    Figure 12. Creating a Cross Correlation rule. 
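What the rule above actually evaluates is a join between the IDS event and the scanner's findings for the event's destination host, which is why the reference side can only be vulnerability data. The Python script below is an added example (not code from this document or from USM) that reproduces that lookup against an in-memory SQLite stand-in for the USM database. The plugin ids 1001 for snort and 3001 for nessus-detector, the snort SID 2001 for “MySQL root login attempt”, the reference SID 3002 for “MySQL weak password”, the table names and the host addresses are assumptions for illustration, and raising the matched event's reliability to 10 (the maximum) is an assumption about the exact value.

```python
"""Cross Correlation replay: an IDS event is matched against the vulnerabilities the
AlienVault scanner recorded for its destination host.  Added illustration, not OSSIM
code.  Assumptions (not from the page): plugin_id 1001 = snort and 3001 = nessus-detector,
snort SID 2001 for 'MySQL root login attempt' and reference SID 3002 for 'MySQL weak
password' as placeholders, table names that only mirror the purpose of the USM tables,
and a match raising the event's reliability to 10 (the maximum)."""
from collections import namedtuple
import sqlite3

IdsEvent = namedtuple("IdsEvent", "plugin_id sid src dst reliability")

def build_db():
    """In-memory stand-in for the USM database holding the Cross Correlation rule from the
    steps above and a constructed scan inventory (10.0.0.21 has an unrelated finding)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE plugin_reference(plugin_id INT, plugin_sid INT, reference_id INT, reference_sid INT);
        CREATE TABLE host_vulnerability(host TEXT, plugin_id INT, plugin_sid INT);
        INSERT INTO plugin_reference VALUES (1001, 2001, 3001, 3002);
        INSERT INTO host_vulnerability VALUES ('10.0.0.20', 3001, 3002), ('10.0.0.21', 3001, 4444);
    """)
    return db

def cross_correlate(db, ev):
    """Return (matched, reliability).  The rule fires only when a referenced vulnerability
    exists on the event's destination host; otherwise the IDS reliability is unchanged."""
    hit = db.execute("""
        SELECT 1 FROM plugin_reference r
        JOIN host_vulnerability v ON v.plugin_id = r.reference_id AND v.plugin_sid = r.reference_sid
        WHERE r.plugin_id = ? AND r.plugin_sid = ? AND v.host = ? LIMIT 1""",
        (ev.plugin_id, ev.sid, ev.dst)).fetchone()
    return (True, 10) if hit else (False, ev.reliability)

if __name__ == "__main__":
    db = build_db()
    for dst in ("10.0.0.20", "10.0.0.21"):
        print(dst, cross_correlate(db, IdsEvent(1001, 2001, "203.0.113.9", dst, 3)))
```

The same login attempt against 10.0.0.21, which the scanner flagged for a different finding, does not match, and neither does a different snort SID against 10.0.0.20: both the event type and the destination host's vulnerability have to line up, which is the check a stale scan inventory silently weakens.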

    Modifying a Cross Correlation Rule 

    To edit an existing Cross Correlation rule,

1. Locate the desired Cross Correlation rule and click on it. The entire row changes to light blue.

    2. Click MODIFY.

3. Change any of the four fields as needed.
4. Click SAVE RULE to save the changes. Or, click BACK if you want to discard the changes.

    Deleting a Cross Correlation Rule 

    To delete a Cross Correlation rule,

1. Locate the desired Cross Correlation rule and click on it. The entire row changes to light blue.

    2. Click DELETE SELECTED.

Important: Use this button with caution, because the web interface does not ask you to confirm the deletion.