2014-02-23 9:39 GMT+02:00 Rolf Nufable <rolf_16_nufa...@yahoo.com>:

> Sir, I think the Jump and Options commands are not a good option for
> correlating; any other tips for chaining rules for correlation?
>
> Currently I've achieved a 2-layer correlation with the rules I'm using,
> e.g.:
>
> nov 22 10-05-08 foohost foo bar
> nov 23 10-05-08 foohost1 foo bar
>
> # rule 1
> type=Single
> ptype=RegExp
> pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
> continue=TakeNext
> desc=$0
> action=event 0 $1 SAMPLE:foo exit on signal $2 at %t
>
> # rule 2
> type=Single
> ptype=RegExp
> pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
> continue=TakeNext
> desc=$0
> action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t
>
> # correlation rule
> type=PairWithWindow
> ptype=RegExp
> pattern=^(\S+)\s+(SAMPLE):(\S+)\s+(.*)
> continue=TakeNext
> desc=$0
> action=write example
> ptype2=RegExp
> pattern2=^(\S+)\s+(SAMPLE1):(\S+)\s+(.*)
> desc2=$0
> action2=write (in database CORR:sample+sample1)
> window=300
>
> result : CORR: SAMPLE+SAMPLE1 (their content)
>
>   On Saturday, February 22, 2014 4:36 PM, Rolf Nufable <
> rolf_16_nufa...@yahoo.com> wrote:
>  Sir
>
> My main objective is to correlate events from Snort which are assumed to
> be phases of multi-stage attacks and enter them into a database for
> processing.
>
> Currently I've achieved a 2-layer correlation with the rules I'm using,
> e.g.:
>
> nov 22 10-05-08 foohost foo bar
> nov 23 10-05-08 foohost1 foo bar
>
> # rule 1
> type=Single
> ptype=RegExp
> pattern=^\S+\s+\d+\s+\S+\s+(foohost)\s+(.*)
> continue=TakeNext
> desc=$0
> action=event 0 $1 SAMPLE:foo exit on signal $2 at %t
>
> # rule 2
> type=Single
> ptype=RegExp
> pattern=^\S+\s+\d+\s+\S+\s+(foohost1)\s+(.*)
> continue=TakeNext
> desc=$0
> action=event 0 $1 SAMPLE1:foo exit on signal $2 at %t
>
> # correlation rule
> type=PairWithWindow
> ptype=RegExp
> pattern=^(\S+)\s+(SAMPLE):(\S+)\s+(.*)
> continue=TakeNext
> desc=$0
> action=write example
> ptype2=RegExp
> pattern2=^(\S+)\s+(SAMPLE1):(\S+)\s+(.*)
> desc2=$0
> action2=write (in database CORR:sample+sample1)
> window=300
>
> result : CORR: SAMPLE+SAMPLE1 (their content)
>
> Currently I'm trying the same method and adding another layer to the
> correlation, but it doesn't work; any tips, sir, that can help me solve
> this?
>
>   On , Rolf Nufable <rolf_16_nufa...@yahoo.com> wrote:
> I want to correlate them, then insert the Snort alerts/events into a
> database.
>
> Sorry for the late reply.
>
>   On Monday, February 10, 2014 12:52 PM, David Lang <da...@lang.hm> wrote:
>  On Sat, 8 Feb 2014, Rolf Nufable wrote:
>
>
> > Is it possible to link 3 configuration files for correlation?
> >
> > Like in this example, which used 2 configuration files to correlate and
> > insert it into the database:
> >
> > http://simple-evcorr.sourceforge.net/SEC-tutorial/article-part2.html#DATABASEINTEGRATION
> >
> > My goal is to correlate events from Snort, correlating using 3 successive
> > triggers of rules, and then insert it into a database for processing.
> >
> > Please help me, I'm kinda lost.
>
>
> It's not clear why you are saying you need separate configuration files.
>
> Can you back up a little bit and explain what you are trying to do?
>
> You want to see a particular message from snort, then do what?
>
> David Lang
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

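For the three-stage chain asked about in this thread, the following is an added example written for this page; it is not code from the thread participants or from the SEC project. It assumes Snort alerts reach SEC through syslog in Snort's syslog alert format (`snort[pid]: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src:port -> dst:port`); the three classification strings chosen as stages, the 300-second windows, the output file path, the table layout and the `mysql` invocation in the last rule are placeholders to adapt. Instead of Jump/Options or a PairWithWindow, each stage is a Single rule whose `context=` expression is keyed on the source IP, so stage N+1 is accepted only while stage N's context for that same source is still alive:

```sec
# Added example (not from the thread): three-stage correlation with a
# per-source context chain. Constructed sample alert line this is written
# against (Snort syslog alert format, assumed):
#   Feb 23 09:39:01 sensor1 snort[1234]: [1:2003:8] SCAN nmap TCP [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:44321 -> 192.0.2.10:22
# The classification names used below are placeholders for the signatures
# that make up the attack sequence you model. The port after each IP is
# optional so ICMP alerts (no ports) match too.

# Stage 1: reconnaissance from source $1 opens a 5-minute window for $1.
# The "!STAGE1_$1" guard keeps the original start time if recon repeats
# (a plain "create" on an existing context would reset its lifetime).
type=Single
ptype=RegExp
pattern=snort\[\d+\]: \[[\d:]+\] .*\[Classification: Attempted Information Leak\].*\{\w+\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)
context=!STAGE1_$1
desc=stage 1 (recon) from $1
action=create STAGE1_$1 300

# Stage 2: exploit attempt from the same source, accepted only while
# STAGE1_<src> exists. Advancing deletes STAGE1 so the sequence cannot be
# replayed and opens a fresh 5-minute window for stage 3.
type=Single
ptype=RegExp
pattern=snort\[\d+\]: \[[\d:]+\] .*\[Classification: Attempted Administrator Privilege Gain\].*\{\w+\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)
context=STAGE1_$1
desc=stage 2 (exploit) from $1
action=delete STAGE1_$1; create STAGE2_$1 300

# Stage 3: post-exploitation traffic from the same source completes the
# chain. Record it to a file, emit a synthetic event for any further rules
# (the same "event" chaining used in the posted rules), store a row in the
# database, and tear the state down so the next sequence starts clean.
# /var/log/sec/multistage.log, /etc/sec/db.cnf, database "secdb" and the
# "multistage" table are hypothetical names.
type=Single
ptype=RegExp
pattern=snort\[\d+\]: \[[\d:]+\] .*\[Classification: A Network Trojan was detected\].*\{\w+\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)
context=STAGE2_$1
desc=stage 3 (post-exploitation) from $1
action=delete STAGE2_$1; write /var/log/sec/multistage.log %t MULTISTAGE src=$1 dst=$2; event 0 MULTISTAGE $1 $2; pipe 'INSERT INTO multistage (seen_unix, src, dst) VALUES (%u, "$1", "$2");' /usr/bin/mysql --defaults-file=/etc/sec/db.cnf secdb
```

Two things to check when adapting this. First, the only values interpolated into the SQL text are `$1` and `$2`, which the regexps restrict to dotted-decimal IPs; do not interpolate free text such as the alert message into a `pipe`d INSERT this way, since a crafted packet payload that shows up in the Snort message would be handed straight to the database client. Second, because the state lives in contexts named after the attacker, two sources running the stages in parallel do not interfere with each other, and a stage that arrives after the window has expired is simply ignored rather than silently reattached to a stale sequence; if you want the windows to restart on every repeated recon alert, drop the `!STAGE1_$1` guard in the first rule.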