AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX,
Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and
OSSIM are trademarks or service marks of AlienVault.
Introduction
In the Correlation Reference Guide we explain what correlation is and how it works in AlienVault
Unified Security Management™ (USM™). We also describe the AlienVault USM web interfaces for
Correlation directives and Cross Correlation rules. In this document, we focus on how to
customize Correlation directives and Cross Correlation rules in USM.
DC-00164
Edition 01
Page 2 of 12
You may edit other attributes of the correlation rules. Some attributes, such as NAME,
RELIABILITY, TIMEOUT, and OCCURRENCE are changed by clicking the value, making the
changes inline, and then clicking OK. Other attributes, such as FROM, TO, DATA SOURCE, and
EVENT TYPE, are changed by clicking the green + (plus) sign, then making the selection from the
resulting screen.
source plugin. The last correlation rule checks whether the service is still up on the server by using a
monitor type data source plugin. Every time a rule in the correlation directive is met, the reliability of
the directive event increases, and with it the risk calculated for the detected event.
[Figure: the example directive, showing its rules arranged as Correlation Level 1 through Correlation Level 4]
a. Select a Reliability value (from 0 to 10) by clicking the blue square with the
appropriate number. In this example, we use 1. The reliability value is kept low because a
single matching event is not strong evidence on its own and you don't want to generate false alarms.
b. Click Finish.
c. The New Directive window closes.
Click the green + (plus) sign at the right side of the first rule under the ACTION heading.
The New Rule window displays.
Follow step #1 and #2 in Task 2.
On the Rule name > Plugin > Event Type screen, click the button that reads Plugin SID
from rule of Level 1. This will select the same event types as in the level 1 rule.
5. On the Rule name > Plugin > Event Type > Network screen,
a. For Source Host / Network, in the From a parent rule dropdown, select Source
IP from level 1.
b. Leave the Source Port(s) empty.
c. For Destination Host / Network, in the From a parent rule dropdown, select
Destination IP from level 1.
d. For Destination Port(s), in the From a parent rule dropdown, select
Destination Port from level 1.
e. Click NEXT.
6. On the Rule name > Plugin > Event Type > Network > Reliability screen,
a. Either select an absolute (left column) or relative value (right column). If a relative
value is selected, the value is added to the reliability of the previous rule. In this
example, we use +2.
b. Click Finish.
c. The New Directive window closes.
7. Change the Timeout value. Click the original value to turn on editing. Enter 30 (seconds),
and click OK.
8. Similarly, change the Occurrence to 100.
In a rule that uses a monitor type data source plugin, the timeout and occurrence values have
different meanings from those in a detector rule. The timeout value defines how many seconds the plugin
waits for a response from the destination to which the request was sent. Occurrence specifies how many
times the request is sent.
In our example, the timeout is set to 1 second and the occurrence is set to 3. This means that three
"Is the TCP port closed?" requests are sent to the destination server, and if no response to these
requests is received within 1 second each, the rule is matched and the reliability of the directive
is increased by 6.
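The following is an added example, not AlienVault code, that models the directive semantics described in the walkthrough: a level 1 detector rule opens the directive with an absolute reliability, deeper detector rules inherit the source IP, destination IP and destination port from level 1 and must see `occurrence` matching events within `timeout` seconds, and a monitor rule sends `occurrence` requests with a per-request `timeout` and is met only when none of them is answered. The plugin name, event type, addresses, the `brute_force_trace` generator and the probe functions are constructed for the example; a real monitor plugin would make a network request instead.

```python
# Added example (not AlienVault code): a toy correlator that implements the directive
# semantics described above. Plugin/event names, addresses and probes are constructed.
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple, Union


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since the start of the constructed trace
    plugin: str      # data source plugin, e.g. "snort"
    sid: str         # event type within that plugin
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DetectorRule:
    plugin: str
    sid: str
    reliability: int      # absolute at level 1, relative increment ("+n") below it
    occurrence: int = 1   # matching events needed before the rule is met
    timeout: float = 0.0  # seconds allowed to collect them; 0 = no limit


@dataclass(frozen=True)
class MonitorRule:
    reliability: int      # relative increment applied when the check matches
    occurrence: int       # number of requests sent to the destination
    timeout: float        # seconds to wait for each response


Rule = Union[DetectorRule, MonitorRule]
# Stand-in for a monitor plugin: (host, port, timeout) -> True if the service answered in time.
Probe = Callable[[str, int, float], bool]


def run_directive(rules: Sequence[Rule], events: Sequence[Event], probe: Probe) -> Tuple[int, int]:
    """Return (levels matched, final reliability) for one directive over an event trace."""
    trace = sorted(events, key=lambda e: e.ts)
    first = rules[0]
    assert isinstance(first, DetectorRule), "level 1 must be a detector rule"
    # Level 1 opens the directive and pins src/dst/port; deeper levels inherit them
    # ("From a parent rule: Source IP / Destination IP / Destination Port from level 1").
    try:
        opener_idx = next(i for i, e in enumerate(trace)
                          if e.plugin == first.plugin and e.sid == first.sid)
    except StopIteration:
        return 0, 0
    opener = trace[opener_idx]
    reliability, matched = first.reliability, 1
    pos, t0 = opener_idx + 1, opener.ts

    for rule in rules[1:]:
        if isinstance(rule, DetectorRule):
            seen = 0
            while pos < len(trace):
                e = trace[pos]
                if rule.timeout and e.ts - t0 > rule.timeout:
                    break                       # window closed before enough events arrived
                pos += 1
                if (e.plugin, e.sid) == (rule.plugin, rule.sid) and \
                   (e.src_ip, e.dst_ip, e.dst_port) == (opener.src_ip, opener.dst_ip, opener.dst_port):
                    seen += 1
                    if seen == rule.occurrence:
                        t0 = e.ts               # the next level's timeout counts from here
                        break
            if seen < rule.occurrence:
                break                           # directive closes at the current level
        else:
            # Monitor rule: send `occurrence` requests, each waiting `timeout` seconds.
            # The rule is met only if none of them is answered (the service is down).
            if any(probe(opener.dst_ip, opener.dst_port, rule.timeout) for _ in range(rule.occurrence)):
                break
        reliability += rule.reliability
        matched += 1
    return matched, min(reliability, 10)        # reliability is bounded at 10


# The directive from the walkthrough: level 1 absolute reliability 1, level 2 +2 with
# occurrence 100 within 30 s, level 3 monitor +6 sending 3 requests with a 1 s timeout each.
DIRECTIVE: List[Rule] = [
    DetectorRule("snort", "mysql-root-login-attempt", reliability=1),
    DetectorRule("snort", "mysql-root-login-attempt", reliability=2, occurrence=100, timeout=30),
    MonitorRule(reliability=6, occurrence=3, timeout=1),
]


def brute_force_trace(attempts: int, spacing: float) -> List[Event]:
    """Constructed trace: one opener plus `attempts` follow-ups, `spacing` seconds apart."""
    return [Event(i * spacing, "snort", "mysql-root-login-attempt", "10.0.0.5", "10.0.0.20", 3306)
            for i in range(attempts + 1)]


def service_down(host: str, port: int, timeout: float) -> bool:
    return False    # constructed probe: the port never answers


def service_up(host: str, port: int, timeout: float) -> bool:
    return True     # constructed probe: the port always answers


if __name__ == "__main__":
    print(run_directive(DIRECTIVE, brute_force_trace(100, 0.25), service_down))  # (3, 9)
    print(run_directive(DIRECTIVE, brute_force_trace(100, 0.25), service_up))    # (2, 3)
    print(run_directive(DIRECTIVE, brute_force_trace(40, 1.0), service_down))    # (1, 1)
```

The three runs show why the walkthrough's values are chosen the way they are: 100 login attempts inside the 30 second window push reliability from 1 to 3, and only the monitor rule confirming that the service stopped answering lifts it to 9, while a burst that is too slow (40 attempts one second apart) or attempts from a different source than the one pinned at level 1 never leave level 1.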
1. Click NEW.
2. Select the Data Source Name, such as snort as shown in the example below.
3. Select the Reference Data Source Name, such as nessus-detector in the example.
4. Select the Event Type of the data source entered in step #2. For example, snort: MySQL
root login attempt.
5. Select the Reference SID Name of the reference data source entered in step #3. For
example, nessus: MySQL weak password.
6. Click CREATE RULE. Or, click BACK if you want to discard the changes.
This custom rule is matched if the AlienVault IDS engine detects a MySQL root login attempt against
a host on which the vulnerability scanner has reported the MySQL weak password vulnerability.
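The following is an added example, not AlienVault code, of the matching logic behind a cross-correlation rule like the one above: an IDS event is looked up by data source and event type, and it matches only when the referenced finding is present on the event's destination host. The `plugin: Event name` strings follow the form shown in the web interface; the rule parser, the host inventory, the event records and the addresses are constructed for the example.

```python
# Added example (not AlienVault code): a cross-correlation check that matches an IDS
# event against the vulnerabilities a scanner reported on the destination host.
# Data source names, event types, the inventory and the events below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class CrossRule:
    data_source: str       # e.g. "snort"
    event_type: str        # e.g. "MySQL root login attempt"
    ref_data_source: str   # e.g. "nessus"
    ref_sid: str           # e.g. "MySQL weak password"


@dataclass(frozen=True)
class IdsEvent:
    data_source: str
    event_type: str
    src_ip: str
    dst_ip: str


# host -> set of (reference data source, reference SID) findings from the last scan
Inventory = Dict[str, Set[Tuple[str, str]]]


def parse_cross_rule(event: str, reference: str) -> CrossRule:
    """Build a rule from 'plugin: Event name' strings like those the web interface shows."""
    ds, ev = (s.strip() for s in event.split(":", 1))
    rds, rsid = (s.strip() for s in reference.split(":", 1))
    return CrossRule(ds, ev, rds, rsid)


def cross_correlate(rules: Sequence[CrossRule], events: Sequence[IdsEvent],
                    inventory: Inventory) -> List[IdsEvent]:
    """Return the events whose destination host carries the vulnerability the rule references."""
    by_event = {(r.data_source, r.event_type): r for r in rules}
    hits: List[IdsEvent] = []
    for e in events:
        rule = by_event.get((e.data_source, e.event_type))
        if rule is None:
            continue   # no cross-correlation rule for this event type
        # Keyed on dst_ip on purpose: a vulnerability on the attacking host says
        # nothing about whether this attempt can succeed against the target.
        if (rule.ref_data_source, rule.ref_sid) in inventory.get(e.dst_ip, set()):
            hits.append(e)
    return hits


RULES = [parse_cross_rule("snort: MySQL root login attempt", "nessus: MySQL weak password")]

INVENTORY: Inventory = {                                   # constructed scan results
    "10.0.0.20": {("nessus", "MySQL weak password")},      # unpatched DB server
    "10.0.0.21": {("nessus", "SSH weak cipher")},          # DB server with strong passwords
    "10.0.0.5": {("nessus", "MySQL weak password")},       # the attacking host itself
}

EVENTS = [                                                 # constructed IDS events
    IdsEvent("snort", "MySQL root login attempt", "10.0.0.5", "10.0.0.20"),   # matches
    IdsEvent("snort", "MySQL root login attempt", "10.0.0.5", "10.0.0.21"),   # target not vulnerable
    IdsEvent("snort", "ICMP PING", "10.0.0.5", "10.0.0.20"),                  # no rule for this type
]

if __name__ == "__main__":
    for hit in cross_correlate(RULES, EVENTS, INVENTORY):
        print(f"{hit.event_type} from {hit.src_ip} to vulnerable host {hit.dst_ip}")
```

Only the first event is reported: the second targets a host where the scanner found no weak MySQL password (the finding on the attacker's own host 10.0.0.5 is ignored because the lookup uses the destination), and the third has no rule at all.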
Important: Use this button with caution because the web interface will not ask you to
confirm the deletion.