Hello Jesus, Following is the design recipe for an /advanced/ OSSEC correlation engine.
The engine is to have the following capabilities: i) Look forward and look back: Wait a certain time for next events, -or- look back a certain time for previous events. ii) Conditions based on the content of decoded fields. iii) More than one condition can be specified simultaneously. iv) Boolean logic (at least the basic AND, OR, NOT) can be used in conditions. Add regex to provide a further boost in capabilities. v) Stickiness: multiple occurrences of events with a field content that matches (or does not match) that of the previous event in the sequence. Ex: Look for multiple occurrences of same events with same IP/different port, or different IP/same port. vi) Generate a new custom event with a predefined alert level when a correlation level is matched. vii) Alert by e-mail (&/or SMS) when a correlation level is matched. _Example_: Correlation Trigger: - Rule Level 1: X occurrences of event A matching one or more conditions within a specified timeout period. Can be a single occurrence, at which time the Level 1 timeout becomes irrelevant, level 2 timer kicks in. - Rules Level 2: Within XX seconds of matching Level 1 -or- in the XX seconds preceding matching of Level 1, look for: - Branch A - XX occurrences of: - Event B with 1 or more conditions relating to Level 1; -and- - Event C with 1 or more conditions relating to Level 1; -or- - ... - Rules Level 3: Within XX seconds of matching Level 2 Branch A -or- in the XX seconds preceding matching Level 2 Branch A, look for: - Branch C - XX occurrences of: - Event D with 1 or more conditions relating to higher-level events in this tree; -and- - Event E with 1 or more conditions relating to higher-level events in this tree; -or- - ... *OR* - Branch D - XX occurrences of: - Event F with 1 or more conditions relating to higher-level events in this tree; -and- - Event G with 1 or more conditions relating to higher-level events in this tree; -or- - ... *OR* - Branch B - XX occurrences of: - Event H with 1 or more conditions relating to Level 1; -and- - Event I with 1 or more conditions relating to level 1; -or- - ... - Rules Level 3: Within XX seconds of matching Level 2 Branch B -or- in the XX seconds preceding matching of Level 2 Branch B, look for: - Branch E - XX occurrences of: - Event J with 1 or more conditions relating to higher-level events in this tree; -and- - Event K with 1 or more conditions relating to higher-level events in this tree; -or- - ... *OR* - Branch F - XX occurrences of: - Event L with 1 or more conditions relating to higher-level events in this tree; -and- - Event M with 1 or more conditions relating to higher-level events in this tree; -or- - ... Conditions for Branches at the same correlation level must be _mutually exclusive_. Example: if a condition for Branch A is 'audit success', for Branch B it would be 'audit failure'. An event can be an audit success, or an audit failure, _it cannot be both_. So at level 2 and below, the correlation engine logic must branch to _only one Branch at a given level_. There can be NO overlap between Branches at the same level. It is the responsibility of the individual designing the correlation logic to ensure the sanity of the logic behind it. Within a Branch, it is OK if more than one rule matches. Level 3 comes below Level 2 Branch A, and another Level 3 may come below Level 2 Branch B. Since Branch A and Branch B are mutually exclusive, Branch C and Branch D at level 3 could be the same under branch A and Branch B. Following the same principles, level 4 comes below level 3, etc... As many levels as necessary can be defined. Such an engine would allow alerting to: - Suspicious low and slow activity that attempts to remain below the security monitoring radar -- provided one knows what to look for. - Scenarios with exponential growth in network connections (such as a worm infection spreading). - Scenarios where a rapid recurrence of specific events occurs on hosts (such as a ransomware infection). - Network footprinting: scans for a specific destination port on multiple destination IPs. - Network footprinting: scans for a wide range of destination ports on a single destination IP. - Dictionary attacks: repeated authentication failures from same source targeting the same account name for all occurrences. - Dictionary attacks: repeated authentication failures from same source targeting a different account name for each occurrence. - When a correlation level is matched, if within the specified timeout period (forward or backward) all the branches for the level below do not match, remove from correlation. - A match at any level may need to trigger an email alert and/or create a new correlation engine generated event. - Correlation engine generated events may be used to trigger other correlations. - Correlation engine generated events may be used in other correlations. Almost /any/ suspicious activity use case could be modeled in an engine that has the capabilities detailed above. The logic can be simple (single level) or convoluted (as many levels and branches as one wishes to put in it). -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
smime.p7s
Description: S/MIME Cryptographic Signature