Sir, I think the Jump and option commands are not a good option for correlating.
Any other tips for chaining rules for correlation?
Currently I've achieved a 2-layer correlation with the rules I'm using,
e.g.
nov 22 10-05-08 foohost foo bar
nov 23 10-05-08 foohost1 foo bar
rule 1
# Matches a raw line from foohost and re-injects it as a SAMPLE event.
# The original pattern read "\S+\(foohost)": the escaped "(" leaves an
# unmatched ")" that Perl rejects, so the rule would not load. The host is
# captured after a whitespace separator, as the sample line requires.
# %t is SEC's timestamp variable in action lists; "$t" is not substituted.
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
continue=TakeNext
desc=$0
action=event 0 $1 SAMPLE:foo exit on signal $2 at %t
Rule2
# Same as rule 1 for foohost1; the synthetic event is labelled SAMPLE1.
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
continue=TakeNext
desc=$0
action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t
Correlation rule
# PairWithWindow: action2 runs when a SAMPLE1 event follows a SAMPLE event
# within "window" seconds; action runs instead if the window expires first.
type=PairWithWindow
ptype=RegExp
pattern=^(\S+)\s+(SAMPLE):(\S+)\s+(.*)
continue=TakeNext
desc=$0
action=write example
ptype2=RegExp
pattern2=^(\S+)\s+(SAMPLE1):(\S+)\s+(.*)
desc2=$0
action2=write (in database CORR:sample+sample1)
window=300
result: CORR: SAMPLE+SAMPLE1 (their content)
On Saturday, February 22, 2014 4:36 PM, Rolf Nufable
<rolf_16_nufa...@yahoo.com> wrote:
Sir,
My main objective is to correlate events from Snort which are assumed to be
phases of multi-stage attacks and enter them into a database for processing.
Currently I've achieved a 2-layer correlation with the rules I'm using,
e.g.
nov 22 10-05-08 foohost foo bar
nov 23 10-05-08 foohost1 foo bar
rule 1
# Matches a raw line from foohost and re-injects it as a SAMPLE event.
# The original pattern read "\S+\(foohost)": the escaped "(" leaves an
# unmatched ")" that Perl rejects, so the rule would not load. The host is
# captured after a whitespace separator, as the sample line requires.
# %t is SEC's timestamp variable in action lists; "$t" is not substituted.
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
continue=TakeNext
desc=$0
action=event 0 $1 SAMPLE:foo exit on signal $2 at %t
Rule2
# Same as rule 1 for foohost1; the synthetic event is labelled SAMPLE1.
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
continue=TakeNext
desc=$0
action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t
Correlation rule
# PairWithWindow: action2 runs when a SAMPLE1 event follows a SAMPLE event
# within "window" seconds; action runs instead if the window expires first.
type=PairWithWindow
ptype=RegExp
pattern=^(\S+)\s+(SAMPLE):(\S+)\s+(.*)
continue=TakeNext
desc=$0
action=write example
ptype2=RegExp
pattern2=^(\S+)\s+(SAMPLE1):(\S+)\s+(.*)
desc2=$0
action2=write (in database CORR:sample+sample1)
window=300
result: CORR: SAMPLE+SAMPLE1 (their content)
Uhm, currently I'm trying the same method and adding another layer for the
correlation, but it doesn't work. Any tips, sir, that can help me solve this?
On , Rolf Nufable <rolf_16_nufa...@yahoo.com> wrote:
I want to correlate them, then insert the Snort alerts/events into a database.
Sorry for the late reply.
On Monday, February 10, 2014 12:52 PM, David Lang <da...@lang.hm> wrote:
On Sat, 8 Feb 2014, Rolf Nufable wrote:
> is it possible to link 3 configuration files for correlation?
>
> like in this example it used 2 configuration files to correlate and insert it
> to the database
>
> http://simple-evcorr.sourceforge.net/SEC-tutorial/article-part2.html#DATABASEINTEGRATION
>
>
> My goal is to correlate events from Snort and be able to correlate using 3
> successive triggers of rules
> and then insert it into a database for processing
>
> please help me I'm kinda lost
It's not clear why you are saying you need separate configuration files.
Can you back up a little bit and explain what you are trying to do?
You want to see a particular message from Snort, then do what?
David Lang
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
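As an added example (not from this thread, and not part of the SEC tutorial or project), here is one way to get the third correlation layer the thread asks for without Jump rules: every layer emits a synthetic event with `event 0 ...`, and SEC feeds that text back through the rule set from the top, so the next PairWithWindow rule can match it exactly as if it had been read from the log. The hostnames foohost/foohost1/foohost2, the STAGE* labels, the 300-second windows and the sample input lines are all assumed for illustration.

```sec
# Added example: three-layer correlation by chaining synthetic events.
# Hostnames, STAGE* labels and windows are assumed, not from the thread.
#
# Sample input (constructed):
#   nov 22 10-05-08 foohost  foo bar
#   nov 22 10-06-08 foohost1 foo bar
#   nov 22 10-07-08 foohost2 foo bar

# Layer 0: normalise each raw message into a synthetic STAGEn event.
# "event 0 <text>" injects <text> back into SEC immediately; it is then
# matched against this rule set from the first rule down. The synthetic
# lines start with "STAGE", so they never re-match the raw-line patterns
# and no continue=TakeNext is needed here.
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
desc=stage 1 from $1
action=event 0 STAGE1 $1 $2

type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
desc=stage 2 from $1
action=event 0 STAGE2 $1 $2

type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(foohost2)\s+(.*)
desc=stage 3 from $1
action=event 0 STAGE3 $1 $2

# Layer 1: STAGE1 followed by STAGE2 within 300 s -> synthetic STAGE12.
# PairWithWindow runs action2 if pattern2 matches inside the window, and
# runs action (here a note on stdout) only if the window expires first.
type=PairWithWindow
ptype=RegExp
pattern=^STAGE1 (\S+) (.*)
desc=STAGE1 seen from $1, waiting for STAGE2
action=write - no STAGE2 within 300s after STAGE1 from $1
ptype2=RegExp
pattern2=^STAGE2 (\S+) (.*)
desc2=STAGE1+STAGE2 correlated
action2=event 0 STAGE12 $1 $2
window=300

# Layer 2: STAGE12 followed by STAGE3 within 300 s -> final record.
# In action2 the $N variables come from the pattern2 match; %t is the
# event timestamp.
type=PairWithWindow
ptype=RegExp
pattern=^STAGE12 (\S+) (.*)
desc=STAGE12 seen, waiting for STAGE3
action=write - no STAGE3 within 300s after STAGE12
ptype2=RegExp
pattern2=^STAGE3 (\S+) (.*)
desc2=three stages correlated
action2=write - CORR: STAGE1+STAGE2+STAGE3 $1 $2 at %t
window=300
```

Rules are separated by blank lines, and each chained layer only adds one more PairWithWindow rule plus one more synthetic label, so a fourth layer follows the same shape. The final `write -` stands in for whatever database action the tutorial's integration section uses. Two things worth checking before relying on this for multi-stage attack detection: the pair rules above correlate any STAGE1 with any STAGE2, not ones sharing an attribute, so when the stages must come from the same source, put the first match's variable into the second pattern (SEC substitutes `$1` from the first match into pattern2 before matching, e.g. `pattern2=^STAGE2 $1 (.*)`); and a window that is too long lets unrelated events pair up, while one that is too short misses slow attacks, so tune it against the real alert timing.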