THE CORRELATION ADVANTAGES OF ANET SURELOG INTERNATIONAL EDITION SIEM PRODUCT





TABLE OF CONTENTS

The advantages of the SureLog correlation engine
    The taxonomy
        Logs and detected taxonomy examples
    The scenario based rules
        Correlating more than one rule by order or time
        The logical independence
        The threshold rules
    Threat Intelligence
    Example correlation rules
    IntelligentResponse

ANET SURELOG International Edition has many advantages over its rivals in terms of log collection speed, big data infrastructure, compliance reports, ease of use, user interface, the number of supported devices, distributed architecture, taxonomy and correlation features.

The most important feature of a SIEM product is correlation: it analyzes large numbers of different logs and relates them to each other to reach a precise conclusion.

Before discussing the correlation advantages of ANET SURELOG International Edition, the main features of its correlation engine are:

SureLog is fast: it supports 50,000 EPS with thousands of rules.

Rule chains.

Advanced correlation rules.

Rule suspending: prevents a rule from firing again for a defined time period, for example "suspend Rule A for 1 hour after it fires".

Compression-based correlation: monitors multiple occurrences of the same event, removes the redundancies and reports them as a single event.

Time-based correlation.

A visual user interface for writing correlation rules.

A TAG feature, which does not exist even in many global products (fields are added automatically or manually by the user).

Threshold-based correlation: triggers a report when a specified number of similar events occur.

Filter-based correlation: inspects each event to determine whether it matches a pattern defined by a regular expression. If a match is found, the action specified in the rule may be triggered.

Sequence-based correlation: helps to establish causality between events. Events can be correlated on specific sequential relationships, for example event A being followed by event B triggers an action.

Negative case rules ("X then not Y"), which do not exist even in many global products.

Context-based correlation, which does not exist even in many global products.

Hierarchical correlation, which does not exist even in many global products.

Dynamic correlation list management, which does not exist even in many global products.

Wide operator support (the original document shows examples in a figure).

The advantages of SureLog correlation engine:

The advantages of the SureLog product compared to existing SIEM products are explained in this part. They are divided into four main categories:

The taxonomy

The scenario based rules

Threat Intelligence

IntelligentResponse

The taxonomy:

In its simplest form, the taxonomy is a grouping. For example:

A Router login process

A switch login process

A Firewall login process

A Windows server login process

A Linux login process


All these login processes are grouped under a single "login" group. This makes it possible both to report with a single click ("Report all login processes in my network") and to write correlation rules such as: after a UTM device blocks 15 packets from the same IP as infected, if a login attempt to the network occurs within 5 minutes, mail the information of the machine making the login attempt and of the machine targeted by it.

Taxonomy is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids pattern recognition and also improves the scope and stability of correlation rules: when events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules, which reduces deployment and support effort. Normalized events are also easier to work with when developing reports and dashboards.

In SureLog, taxonomy is the process of deriving the valuable log type (group) information and adding it to the normalized event. The group is obtained by evaluating the source's signature database, pointers in the log (such as system-alert-00016) and the explicit meanings contained in the log (such as zone untrust, int untrust).

Some of the 1537 taxonomy groups that exist in SureLog:

• Reconnaissance->Scan->Host

• TCPTrafficAudit->TCP SYN Flag

• ICMPTrafficAudit

• NamingTrafficAudit

• Malicious->Web->SQL

• Flow->Fragmentation

• httpproxy->TrafficAuditaccept

• HTTPDynamicContentAccess

• WebTrafficAudit.Web Content

• HealthStatus.Informational.Traffic.Start

• Malicious.BufferOverflow

• Malicious.Trojan

• PolicyViolation

• Malicious.Web.Attack

Logs and detected taxonomy examples:

Fortigate

o Log: date=2014-05-11 time=18:52:15 devname=JLL_FW devid=FG200B3910602686 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=low srcip=192.168.100.45 dstip=192.168.100.45 srcintf="port2" dstintf="Vlan_3" policyid=49 identidx=0 sessionid=388914 status=detected proto=6 service=http count=1 attackname="ZmEu.Vulnerability.Scanner" srcport=38281 dstport=80 attackid=30024 sensor="all_default_pass" ref="http://www.fortinet.com/ids/VID30024" incidentserialno=1432164121 msg="web_app3: ZmEu.Vulnerability.Scanner,"

o Taxonomy: HTTPDynamicContentAccess

Netscreen

o Log: 2010-05-27 10:52:57 Local0.Notice 192.168.0.251 Prolink_SSG20: NetScreen device_id=Prolink_SSG20 [Root]system-notification-00257(traffic): start_time="2010-05-27 09:53:44" duration=304 policy_id=190 service=http proto=6 srczone=DMZ dstzone=Untrust action=Permit sent=788 rcvd=558 src=172.16.0.200 dst=91.191.162.21 src_port=57693 dst_port=80 src-xlated ip=85.99.239.110 port=2976 dst-xlated ip=91.191.162.21 port=80 session_id=7456 reason=Close - AGE OUT<000>

o Taxonomy: TCPTrafficAudit

Paloalto

o Log: Jan 6 18:26:27 1,2012/01/06 18:26:27,0004C100842,THREAT,url,1,2012/01/06 18:26:25,10.141.0.96,84.51.27.173,0.0.0.0,0.0.0.0,Default Out,superfresh\mun001tr,,web-browsing,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,anet,2012/01/06 18:26:26,51273,1,1924,80,0,0,0x8000,tcp,alert,"mobis.ulker.com.tr/dss/raporlar/rap_anlik_satis.aspx",(9999),Kerevitas_WhiteList,informational,client-to-server,0,0x0,10.0.0.0-10.255.255.255,Turkey,0,text/html

o Taxonomy: WebTrafficAudit.Web Content

Sonicwall

o Log: <134>id=firewall sn=0017C5598622 time="2011-02-13 16:20:31" fw=81.214.84.237 pri=6 c=1024 m=537 msg="Connection Closed" n=0 src=81.214.84.237:4854:X1: dst=195.175.39.40:53:X1:ttdns40.ttnet.net.tr proto=udp/dns sent=75 rcvd=414

o Taxonomy: NamingTrafficAudit

Cisco Pix

o Log: Aug 17 2011 15:04:42 212.109.105.1 : %PIX-6-302013: Built inbound TCP connection 2493108 for outside:78.187.203.198/16884 (78.187.203.198/16884) to inside:192.168.147.2/80 (212.109.105.3/80)

o Taxonomy: HealthStatus.Informational.Traffic.Start

Snort

o Log: 09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035

o Taxonomy: Malicious.BufferOverflow

o Log: 09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80

o Taxonomy: Malicious.Trojan

o Log: 09/22-21:03:36.306197 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033

o Taxonomy: PolicyViolation

o Log: 09/22-21:03:36.306197 [**] [1:15306:12] FILE-IDENTIFY Portable Executable binary file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033

o Taxonomy: Malicious.Web.Attack

The taxonomy module in the correlation wizard is shown in the following figure:

SureLog International Edition has about 3 million signatures for about 350 log types.
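As an added illustration (not code from this document or from SureLog), the following Python sketch applies the sensor-fingerprint and signature idea to the sample lines above: it picks a per-vendor parser from the shape of the line, normalizes the vendor fields to common names (src, dst, proto, msg), and assigns the taxonomy group this document gives for each sample. The sensor regexes, the field mapping and the signature table in `classify` are assumptions built for these lines only; the sample lines are constructed, shortened copies of the formats quoted above.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str    # sensor (per-vendor parser) that claimed the line
    fields: dict   # normalized fields: src, dst, proto, msg, ...
    taxonomy: str  # taxonomy group, or "Unknown" when no signature matched


# System signatures (fingerprints): the sensor is chosen from the shape of the
# line itself, not from where it arrived. First match wins. (Assumed patterns.)
SENSORS = [
    ("fortigate", re.compile(r"^date=\S+ time=\S+ devname=")),
    ("netscreen", re.compile(r"NetScreen ?device_id=")),
    ("snort",     re.compile(r"\[\*\*\] \[\d+:\d+:\d+\]")),
    ("pix",       re.compile(r"%PIX-\d-\d+:")),
    ("sonicwall", re.compile(r"^<\d+>id=firewall ")),
]
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
SNORT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] \[Classification: (?P<cls>[^\]]*)\]"
    r" \[Priority: \d+\] \{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
PIX_RE = re.compile(
    r"%PIX-\d-(?P<msgid>\d+): (?P<msg>Built \w+ \w+) connection \d+ for "
    r"\w+:(?P<src>[\d.]+)/\d+ \([\d./]+\) to \w+:(?P<dst>[\d.]+)/\d+")


def normalize(source, line):
    """Map vendor-specific field names onto the common ones."""
    if source == "snort":
        return SNORT_RE.search(line).groupdict()
    if source == "pix":
        return PIX_RE.search(line).groupdict()
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if source == "fortigate":
        return {"src": f["srcip"], "dst": f["dstip"], "proto": f["proto"],
                "subtype": f["subtype"], "msg": f.get("attackname", "")}
    if source == "netscreen":
        return {"src": f["src"], "dst": f["dst"], "proto": f["proto"],
                "action": f["action"], "msg": f.get("service", "")}
    # sonicwall: src/dst carry "ip:port:iface:", keep only the address
    return {"src": f["src"].split(":")[0], "dst": f["dst"].split(":")[0],
            "proto": f["proto"], "msg": f["msg"]}


def classify(source, f):
    """Signature table for the samples on this page (constructed; the groups are
    the ones the document assigns to each sample line)."""
    if source == "fortigate" and f["subtype"] == "ips" and f["proto"] == "6" and "Scanner" in f["msg"]:
        return "HTTPDynamicContentAccess"
    if source == "netscreen" and f["proto"] == "6":
        return "TCPTrafficAudit"
    if source == "sonicwall" and f["proto"].endswith("/dns"):
        return "NamingTrafficAudit"
    if source == "pix" and f["msgid"] == "302013":
        return "HealthStatus.Informational.Traffic.Start"
    if source == "snort":
        by_class = {"Executable code was detected": "Malicious.BufferOverflow",
                    "A Network Trojan was detected": "Malicious.Trojan"}
        if f["cls"] in by_class:
            return by_class[f["cls"]]
        if f["msg"].startswith("ET INFO"):
            return "PolicyViolation"
        if f["msg"].startswith("FILE-IDENTIFY"):
            return "Malicious.Web.Attack"
    return "Unknown"


def taxonomize(line):
    for source, fingerprint in SENSORS:
        if fingerprint.search(line):
            f = normalize(source, line)
            return Event(source, f, classify(source, f))
    return Event("unknown", {"raw": line}, "Unknown")


def events_in(group, lines):
    """The one-click report: every event whose taxonomy falls under `group`."""
    return [e for e in map(taxonomize, lines)
            if e.taxonomy == group or e.taxonomy.startswith(group + ".")]


# Constructed sample lines, shortened from the vendor formats quoted above.
SAMPLE_LOGS = [
    'date=2014-05-11 time=18:52:15 devname=JLL_FW devid=FG200B3910602686 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=low srcip=192.168.100.45 dstip=192.168.100.45 proto=6 service=http attackname="ZmEu.Vulnerability.Scanner" srcport=38281 dstport=80',
    '2010-05-27 10:52:57 Local0.Notice 192.168.0.251 Prolink_SSG20: NetScreen device_id=Prolink_SSG20 [Root]system-notification-00257(traffic): policy_id=190 service=http proto=6 srczone=DMZ dstzone=Untrust action=Permit src=172.16.0.200 dst=91.191.162.21 src_port=57693 dst_port=80',
    '<134>id=firewall sn=0017C5598622 time="2011-02-13 16:20:31" fw=81.214.84.237 pri=6 c=1024 m=537 msg="Connection Closed" n=0 src=81.214.84.237:4854:X1: dst=195.175.39.40:53:X1:ttdns40.ttnet.net.tr proto=udp/dns sent=75 rcvd=414',
    'Aug 17 2011 15:04:42 212.109.105.1 : %PIX-6-302013: Built inbound TCP connection 2493108 for outside:78.187.203.198/16884 (78.187.203.198/16884) to inside:192.168.147.2/80 (212.109.105.3/80)',
    '09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035',
    '09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80',
    '09/22-21:03:36.306197 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033',
]
```

The point of the sketch is the order of operations: fingerprint first, normalize second, classify last, so a correlation rule written against `taxonomy` and `fields["src"]` never needs to know which vendor produced the line. `events_in("Malicious", SAMPLE_LOGS)` returns both the buffer-overflow and the trojan alert, which is the hierarchical grouping the one-click report relies on.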

SureLog Taxonomy Examples:


“SuccessfulLogin”

“Malicious DNS Attack”

“CompromisedVirusAttachmentNotCleaned”

“Informational VPN TunnelFailed”

“Informational.Traffic.Start”

The taxonomy process uses:

Word bases, word(s) and service combinations,

System signatures (fingerprints) of the source from which the data is collected,

and the like.

The taxonomy group is assigned as the result of combining and interpreting these signals according to the incoming data. A sensor decides, in effect, which parts of the incoming data are examined.

For more information about Taxonomy :

https://www.novell.com/developer/plugin-sdk/sentinel_taxonomy.html

http://www.slideshare.net/anetertugrul/sure-log-context-sensitive-scalable-siem-solution

http://www.slideshare.net/anetertugrul/siniflandirma-temell-korelasyon-yaklaimi

The scenario based rules:

Scenario-based rules bring a scenario-based approach to events: they examine the whole picture rather than analyzing individual logs.

A sample rule:

1. Warn if user A cannot log into server X (causing a failed authentication) and within two hours user A still cannot log into the same server X.

To develop a scenario-based rule:

Rule sequencing: running more than one rule in order, or according to a time relation among them.

Another correlation rule can be created from more than one correlation.

A rule for some events occurring sequentially during a certain period while others do not occur (X then not Y) can be written.

A rule for different events occurring sequentially during a certain period (X then Y) can be written.

A priority value is given to each correlation rule.


Correlating more than one rule by order or time

It is possible to correlate more than one rule, by order or by time relation, and draw conclusions from whether the source IP, destination IP, computer name, or source and destination ports are the same or not.

For example:

After 15 packets are blocked from the same IP in one minute, warn if a successful login to that IP occurs.

After 15 packets are blocked from the same IP, warn if a successful login to that IP occurs within 5 minutes.


Following the same logic, a rule for some events occurring sequentially during a certain period while others do not occur (X then not Y) can be written.

As shown in the rule editor (figure in the original), an alarm can be created in the form: first the Part1 rule occurs, then the negated Part2 rule does not occur, and then the Part3 rule occurs.


The logical independence

Developing a scenario-based rule requires full flexibility when setting up the relations among logs: any property of any normalized log should be correlatable with a property of another log (for example, source IP), and logical operations should then be applied. SureLog International Edition provides this.

Example: Warn if user A cannot log into server X (causing a failed authentication) and within two hours user A still cannot log into the same server X.

As the rule above shows, the same user (A) and server (X) are expected in both logs. The second step of the scenario is also a negated event: it is expected not to occur within the specified time.

The threshold rules:

Threshold rules detect one or many different events occurring many times within a specified time (the time window). The wizard for developing such rules is shown below (figure in the original).

The TheSameEvents and DifferentEvents settings (counting repetitions of the same event, or occurrences of different events, within the window) are a distinguishing feature compared with similar products in which such rules are written. In addition, the result of this counting can be connected to another rule.

For example: if 15 packets from the same source are blocked by the system because it is infected with a virus, and a successful login to that source occurs within 5 minutes, identify the machine that made the successful login.
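To make the rule types described above concrete (ordered and time-window correlation, the negated "X then not Y" form, threshold counting, and rule suspension), here is an added Python example. It is not SureLog code: the `Threshold` and `Sequence` classes, the event dictionaries, and the reading of DifferentEvents as "count distinct values of a field" are assumptions made for this illustration. It implements three rules from this document: "after 15 packets are blocked from the same IP in one minute, warn if a successful login to that IP occurs within 5 minutes (warn once, then stay quiet for an hour)", a scaled-down port scan threshold (10 different ports in a minute instead of 100 in an hour), and "user A fails to authenticate to server X and does not log in within two hours".

```python
from collections import defaultdict, deque

# Normalized events are dicts (constructed here): ts in epoch seconds, tax = taxonomy
# group, plus the join fields a rule needs (src, dst, user, dport, ...).


def key_of(ev, fields):
    return tuple(ev[f] for f in fields)


class Threshold:
    """Count events of group `tax` per `key` inside a sliding `window` of seconds.
    distinct=None counts repeats (TheSameEvents); distinct="dport" counts different
    values of that field (assumed reading of DifferentEvents). The key is returned
    when `count` is reached, then the bucket resets so one burst fires once."""
    def __init__(self, name, tax, key, count, window, distinct=None):
        self.name, self.tax, self.key, self.count = name, tax, key, count
        self.window, self.distinct = window, distinct
        self.seen = defaultdict(deque)              # key -> deque of (ts, value)

    def match(self, ev):
        if ev["tax"] != self.tax:
            return None
        k = key_of(ev, self.key)
        q = self.seen[k]
        q.append((ev["ts"], ev.get(self.distinct) if self.distinct else None))
        while ev["ts"] - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        n = len({v for _, v in q}) if self.distinct else len(q)
        if n < self.count:
            return None
        q.clear()
        return k

    def feed(self, ev):
        k = self.match(ev)
        return [(ev["ts"], self.name, k)] if k is not None else []

    def tick(self, ts):
        return []


class Sequence:
    """Stage 1 (`first`, a Threshold) arms a key. Stage 2 (`then_tax`, joined on
    `then_key`) must follow within `window` seconds (negate=False) or must NOT
    follow (negate=True, the "X then not Y" form). `suspend` mutes repeat alerts
    for the same key for that many seconds (rule suspending)."""
    def __init__(self, name, first, then_tax, then_key, window, negate=False, suspend=0):
        self.name, self.first, self.then_tax, self.then_key = name, first, then_tax, then_key
        self.window, self.negate, self.suspend = window, negate, suspend
        self.armed, self.muted = {}, {}             # key -> armed ts, key -> muted until

    def _fire(self, ts, key):
        if self.muted.get(key, -1) > ts:
            return []                               # suspended for this key
        self.muted[key] = ts + self.suspend
        return [(ts, self.name, key)]

    def tick(self, ts):
        """Expire armed keys; an expired negated stage IS the alert (Y never came)."""
        out = []
        for k, t0 in [kv for kv in self.armed.items() if ts - kv[1] > self.window]:
            del self.armed[k]
            if self.negate:
                out += self._fire(t0 + self.window, k)
        return out

    def feed(self, ev):
        out = self.tick(ev["ts"])
        k = self.first.match(ev)
        if k is not None:
            self.armed.setdefault(k, ev["ts"])
        k2 = key_of(ev, self.then_key) if ev["tax"] == self.then_tax else None
        if k2 in self.armed:
            del self.armed[k2]
            if not self.negate:
                out += self._fire(ev["ts"], k2)
        return out


def run(rules, events, end_ts):
    """Feed events in time order, then advance every rule's clock to `end_ts`."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alerts += [a for r in rules for a in r.feed(ev)]
    return alerts + [a for r in rules for a in r.tick(end_ts)]


def page_rules():
    blocked = Threshold("blocked", "Firewall.Deny", ("src",), 15, 60)
    return [
        # 15 blocked packets from one IP in a minute, then a login TO that IP within 5 min.
        Sequence("blocked-then-login", blocked, "SuccessfulLogin", ("dst",), 300, suspend=3600),
        # Port scan: 10 different destination ports, same source and host, within a minute.
        Threshold("port-scan", "Firewall.Deny", ("src", "dst"), 10, 60, distinct="dport"),
        # Failed login by user A to server X, and no successful login to X within 2 hours.
        Sequence("failed-login-no-success", Threshold("failed", "FailedLogin", ("user", "dst"), 1, 0),
                 "SuccessfulLogin", ("user", "dst"), 7200, negate=True),
    ]


def sample_events():
    """Constructed event stream exercising each rule, including the suspended repeat."""
    ev = [{"ts": i, "tax": "Firewall.Deny", "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 1000 + i} for i in range(15)]
    ev += [{"ts": 20 + i, "tax": "Firewall.Deny", "src": "10.0.0.9", "dst": "10.0.0.1", "dport": 22} for i in range(5)]
    ev += [{"ts": 120, "tax": "SuccessfulLogin", "user": "svc", "dst": "10.0.0.5"}]        # alert
    ev += [{"ts": 150 + i, "tax": "Firewall.Deny", "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 22} for i in range(15)]
    ev += [{"ts": 200, "tax": "SuccessfulLogin", "user": "svc", "dst": "10.0.0.5"}]        # suspended
    ev += [{"ts": 1000, "tax": "FailedLogin", "user": "alice", "dst": "srvX"},
           {"ts": 1000, "tax": "FailedLogin", "user": "bob", "dst": "srvX"},
           {"ts": 2000, "tax": "SuccessfulLogin", "user": "bob", "dst": "srvX"}]          # cancels bob
    return ev
```

Two design points worth noting. The negated rule cannot fire on an event, because the alert condition is the absence of one, so the engine needs a clock (`tick`) that is advanced by each incoming event and once more at the end of the batch; a streaming deployment would call it from a timer. The second burst of blocked packets from 10.0.0.5 arms the sequence again, and the login at ts 200 matches it, but the alert is dropped by the one-hour suspension, which is the behaviour the "warn once, then don't warn within an hour" rule asks for during a flood.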


Threat Intelligence:

Threat Intelligence is integrated with different global sources (IP block lists, spammer lists, etc.). It takes black lists from them and works as a warning system using this data.


Example correlation rules:

After a security device has blocked 15 packets from the same source, detect whether someone logs into the system from any point (Linux, Windows, router, switch, firewall, etc.).

A sample correlation rule for port/network scan detection: warn if access attempts to 100 different ports occur from the same source IP to the same destination IP in one hour.

After any user makes 3 or more failed logon attempts to any system (firewall, Windows, Linux, switch, etc.) in one hour, warn on all failed logon attempts of that user during the next 7 (X) days.

Warn if 60 connections are established from different sources to the same IP and destination port in one minute.

After 15 packets are blocked from the same IP in one minute, warn if a successful login to that IP occurs.

Detect the IP address that makes 100 requests to port 22 of different IPs in one hour.

A sample correlation rule for fraud detection: if the same user tries to access your system from different countries, that user's activity is probably fraudulent.

To find out whether someone has set up a DHCP server in your network or a different gateway is broadcasting: warn if traffic from inside to outside or from outside to inside has protocol UDP, destination port 67 and a destination IP that is not in the registered IP list. (This catches clients' requests to an unregistered server; the server's offers travel from UDP port 67 to client port 68, so a companion rule on UDP source port 67 from an unregistered source catches the rogue server itself.)

Is someone making an RDP scan? A sample correlation rule for detecting this: detect the IP address that makes 100 requests to TCP port 3389 of different IPs in one hour.

Warn if 5 failed logon attempts with different usernames are made from the same IP to the same machine in 15 minutes and, after that, a successful login occurs from the same IP to any machine.

After 15 packets are blocked from the same IP, warn if a successful login to that IP occurs within 5 minutes.

If 15 packets from the same source are blocked by the system because it is infected with a virus, and a successful login to that source occurs within 5 minutes, identify the machine that made the successful login.

Warn if a new user account is created, a login with that user is attempted and it fails.

Warn if the same user logs into a Linux server and then into a Windows server, and a service is then stopped on either of these two servers.

Your technical consultants connect to your company via RDP remotely and then connect to their consultancy system either through a portal or with a client. A special correlation rule for such situations: warn if a user logs into the system and then, within 10 minutes, fails to log in through portallogin.html or fails to run saplogon.exe.

A sample correlation rule for brute-force detection: if too many failed login attempts occur from the same IP for the same or different users in a short time, these logs could be the sign of a brute-force attempt.

Warn if an IP that UTM/IDS/IPS reported as the source of an attack becomes the target of another attack within 15 minutes.

If any user's traffic is blocked by a firewall rule X times in one second, detect this user and the rule blocking it.

Warn if user A cannot log into server X (causing a failed authentication) and within two hours user A still cannot log into the same server X, or take action.

Warn if first event A, then event B, then event C occur within 5 minutes and then event D occurs.

Warn if first event A, then event B occur, event C does not occur within 5 minutes, and then event D occurs.

Warn if cgi, asp, aspx, jar, php, exe, com, cmd, sh or bat files are uploaded to the web server for remote execution.

W32.Blaster worm: warn if 10 denied or successful anonymous login attempts occur in one minute.

Warn if a user cannot log into the system (causing a failed authentication) and within two hours email is sent from that user's account although the user has not logged in.

If a host scan is made by an IP, then a successful connection is established by the same IP, and then a reverse connection is established from the connected host back to the connecting IP.

Warn if more than 100 connections are established from different external IPs to the same destination IP in one minute.

Warn if 100 connections are established from the same external IP through different ports to the same destination IP in one minute.

Warn if the same user makes more than three failed logon attempts to the same machine in an hour.

Warn once if more than 100 packets are blocked by UTM/firewall from the same source IP, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an email is sent for each one, you DDoS yourself.)

Report the source IP that causes UnusualUDPTraffic.

Warn if traffic occurs to or from a source in the IPReputation list.

Warn if network traffic occurs to or from a source in the malicious link list published by the National Cyber Response to Events (NCRE) Center.

Warn if an IP scan occurs.

Warn if a SQL attack occurs via the web server.

Warn if the same user makes more than three failed logon attempts to different machines in a minute.

IntelligentResponse

The ANET SureLog SIEM product can handle correlation alerts and actions in a smart way through its Intelligent Response system.

The power of the module called Intelligent Response in fact comes from the power of the correlation engine. Although SureLog's correlation engine is built on fully visual wizards and drag & drop, the rules created through the visual wizards are converted to Java [5] code in the background and run as a program thread. In this way, users who know Java can also create correlation rules by writing Java code with the expert mode feature, which is claimed to exist only in SureLog, so any kind of logic can be run without limit, either through the visual wizards or as Java code. http://www.slideshare.net/anetertugrul/anet-surelog-siem-intelligentresponse-54274144