
Customizing Correlation Directives and Cross Correlation Rules

AlienVault Unified Security Management™ for Government v4.12 &
RT Logic CyberC4:Alert v4.12

Copyright© 2016 AlienVault. All rights reserved.

AlienVault, Open Threat Exchange and Unified Security Management are trademarks of AlienVault. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Edition  Date of Issue  Description of Change(s)
01       08/01/15       Initial Version


AVUG-00164 Edition 01 Copyright© 2016 AlienVault. All rights reserved. Page 3 of 15

TABLE OF CONTENTS

1. Introduction  4
2. Customizing Correlation Directives  4
  2.1. Modifying a Built-in Directive  4
    2.1.1. Task 1: Clone an existing directive  5
    2.1.2. Task 2: Edit directive global properties  5
    2.1.3. Task 3: Edit correlation rules  6
    2.1.4. Task 4: Restart Server  7
  2.2. Creating a New Directive  8
    2.2.1. Task 1: Create a new directive  9
    2.2.2. Task 2: Add a Level 1 Rule  10
    2.2.3. Task 3: Add a level 2 rule  11
    2.2.4. Task 4: Repeat step 3 as needed  12
    2.2.5. Task 5: Add the last rule  12
    2.2.6. Task 6: Restart Server  13
3. Customizing Cross Correlation Rules  14
  3.1. Creating a Cross Correlation Rule  14
  3.2. Modifying a Cross Correlation Rule  14
  3.3. Deleting a Cross Correlation Rule  15


1. INTRODUCTION

In the Correlation Reference Guide we explain what correlation is and how it works in AlienVault Unified Security Management™ (USM™) for Government (also referred to in this document as “AlienVault USM” and “USM”). We also describe the AlienVault USM web interfaces for Correlation directives and Cross Correlation rules. In this document, we focus on how to customize Correlation directives and Cross Correlation rules in USM.

2. CUSTOMIZING CORRELATION DIRECTIVES

2.1. MODIFYING A BUILT-IN DIRECTIVE

By default, AlienVault USM comes with over 2,000 built-in directives. Directives are written by the AlienVault Labs researchers, who research global threats and vulnerabilities every day. It is highly recommended that you first learn how these directives are configured, and then tailor them to your specific needs.

For example, you might want to detect dropped packets going to a single host on a firewall. If you take a look at the built-in directives, you will see that such a directive exists, which detects dropped packets on the Cisco PIX firewall. However, in order to detect dropped packets on a different firewall, for instance, the Fortinet FortiGate firewall, you will need to customize the directive.

In this section, we will use this example to show the steps required to modify a built-in directive. It involves the following 4 tasks:

Figure 1. Procedures for modifying a built-in directive


2.1.1. TASK 1: CLONE AN EXISTING DIRECTIVE

To clone an existing directive,

1. Navigate to Configuration > Threat Intelligence > Directives.
2. Type ‘packets’ in the search box to search for the appropriate directive.
3. Scroll down on the page to find the directive titled “AV Network attack, too many dropped inbound packets from DST_IP”.
4. Click the Clone icon to clone the directive.
5. Confirm that you wish to clone the directive by clicking YES when prompted.
6. The cloned directive appears in the User Contributed category.

Figure 2. Cloning a directive

2.1.2. TASK 2: EDIT DIRECTIVE GLOBAL PROPERTIES

To edit the cloned directive,

1. Click the Edit icon to the left of the directive.
2. A new window appears displaying the global properties of the directive.
3. Change the name to “AV Network attack, too many dropped on Fortigate”.
4. Optionally, modify the taxonomy and priority of the directive as well.
5. Click SAVE. You may need to scroll down to reveal the button.

USM disables a built-in directive automatically once it is cloned. Be sure to re-enable the built-in directive if you want it to stay enabled alongside the cloned directive.


Figure 3. Editing a directive's global properties

2.1.3. TASK 3: EDIT CORRELATION RULES

Now, you need to edit the correlation rules so that they match events from the Fortinet FortiGate firewall. To do so,

1. Click the black triangle to the left of the directive to display the correlation rules.
2. In the first rule (first line in the table), under the Data Source column, click the green + (plus) sign to the left of cisco-pix. The Rule Data Source Configuration window displays.
3. Type ‘fortigate’ in the search box to find the Fortigate plugin.
4. Click the blue Fortigate box to select that plugin. The Plugin Signatures screen displays.
5. Type ‘drop’ to search for the event type(s) that detect dropped packets. You should see 3 - Fortigate: Drop Forbidden Traffic listed in the right column.
6. Click the + (plus) sign to the right of the event type, or click Add all, to confirm your selection. The event type will move to the left column instead.
7. Click Finish.

Repeat steps #2 to #6 for the remaining rules in the directive. Note that for these rules there is no Finish button as described in step #7; click the Selected from List button instead. The final directive should look like Figure 4.


Figure 4. Custom directive – AV Network attack, too many dropped on Fortigate

You may edit other attributes of the correlation rules. Some attributes, such as NAME, RELIABILITY, TIMEOUT, and OCCURRENCE, are changed by clicking the value, making the changes inline, and then clicking OK. Other attributes, such as FROM, TO, DATA SOURCE, and EVENT TYPE, are changed by clicking the green + (plus) sign, then making the selection from the resulting screen.

2.1.4. TASK 4: RESTART SERVER

Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by clicking YES when prompted.

Figure 5. Restart Server restarts the ossim-server process


2.2. CREATING A NEW DIRECTIVE

In Modifying a Built-in Directive, we describe how to modify an existing Correlation Directive provided by AlienVault Labs. But sometimes, you may find that none of the built-in directives work in your environment because they do not have the correct condition defined. In this case, you can create a new directive from scratch. Let’s see how it works by going through an example.

In this example, we will create a custom directive to detect a Denial of Service (DoS) attack that seeks to exhaust a service running on TCP port 139 on a specific server. Such an attack may be indicated by many connections from a single host (possibly with bad reputation) to the destination server on port 139. Firewall events can be checked for connections to the server by using a detector type data source plugin. Once the correlation engine detects that the number of connections is dangerously high, you can also use a monitor type data source plugin to discover if the service on the server is still up.

Figure 6 shows the four correlation levels that will be used by the directive. The first three correlation rules will check for the number of connections to the server using a detector type data source plugin. The last correlation rule will check if the service is still up on the server by using a monitor type data source plugin. Every time a rule in the correlation directive is met, the reliability of the directive event will increase, thus increasing the risk of the detected event.

Figure 6. Correlation levels used by the sample directive


Creating this directive involves the following 6 tasks:

Figure 7. Procedures for creating a new directive

2.2.1. TASK 1: CREATE A NEW DIRECTIVE

To create a new directive:

1. Navigate to Configuration > Threat Intelligence > Directives.
2. Click the New Directive button.
3. A new window displays.
4. For Name for the directive, enter ‘DoS Attack at NetBIOS’.
5. Enter the Taxonomy:
   a. For Intent, select ‘Delivery & Attack’.
   b. For Strategy, select ‘Denial of Service – Resource exhaustion’.
   c. For Method, enter ‘Attack’.
6. Leave the Priority at the default value: 3.
7. Click Next.
8. The New Directive window displays.


Figure 8. Creating a new directive

2.2.2. TASK 2: ADD A LEVEL 1 RULE

This task is to add a level 1 rule, where we try to match one Cisco ASA access permitted event on a particular server on port 139. To add this rule, continue from Task 1 in the New Directive window.

1. On the Rule name screen, enter a name for the rule. For example, ‘Established connections’. Click NEXT.
2. On the Rule name > Plugin screen,
   a. Type ‘cisco-asa’ in the search box to find the Cisco-ASA plugin.
   b. Click the blue Cisco-ASA box to select that plugin.
3. On the Rule name > Plugin > Event Type screen,
   a. Type ‘permitted’ to search for access permitted events, such as ‘106102 – ASA: A packet was either permitted or denied by an acces…’ and ‘710002 – ASA: access permitted’.
   b. Click the + (plus) sign next to the individual event types. They will move to the left column instead.
   c. Click NEXT.
4. On the Rule name > Plugin > Event Type > Network screen,
   a. Leave Source Host / Network and Source Port(s) empty, which means ANY asset.
   b. In the Destination Host / Network area, choose your server from the Assets list by clicking it. It will appear in the Destination box.
   c. In the box for Destination Port(s), enter 139.
   d. Click NEXT.
5. On the Rule name > Plugin > Event Type > Network > Reliability screen,
   a. Select a Reliability value (from 0 to 10) by clicking the blue square with the appropriate number. In this example, we use 1. The reliability value is low because you don’t want to generate false alarms.
   b. Click Finish.
   c. The New Directive window closes.

2.2.3. TASK 3: ADD A LEVEL 2 RULE

In this task, we try to match the same events matched by the level 1 rule. We want to make sure to use 1) the same event types; 2) the same source and destination IP addresses; and 3) the same destination port that were used in the level 1 rule. The difference is that we want to detect 100 such events this time.

To do that, we add a level 2 rule.

1. Click the green + (plus) sign at the right side of the first rule under the ACTION heading.
2. The New Rule window displays.
3. Follow steps #1 and #2 in Task 2.
4. On the Rule name > Plugin > Event Type screen, click the button that reads Plugin SID from rule of Level 1. This will select the same event types as in the level 1 rule.
5. On the Rule name > Plugin > Event Type > Network screen,
   a. For Source Host / Network, in the From a parent rule dropdown, select ‘Source IP from level 1’.
   b. Leave the Source Port(s) empty.
   c. For Destination Host / Network, in the From a parent rule dropdown, select ‘Destination IP from level 1’.
   d. For Destination Port(s), in the From a parent rule dropdown, select ‘Destination Port from level 1’.
   e. Click NEXT.

Figure 9. Selecting source and destination IP from level 1

6. On the Rule name > Plugin > Event Type > Network > Reliability screen,
   a. Either select an absolute (left column) or relative value (right column). If a relative value is selected, the value is added to the reliability of the previous rule. In this example, we use +2.
   b. Click Finish.
   c. The New Directive window closes.
7. Change the Timeout value. Click the original value to turn on editing. Enter 30 (seconds), and click OK.
8. Similarly, change the Occurrence to 100.

Figure 10. Modifying the occurrence value to 100

2.2.4. TASK 4: REPEAT STEP 3 AS NEEDED

This task can be repeated as many times as necessary. In this example, we want to add one more rule (level 3) to detect the same events as in the previous rule but with 1000 occurrences.

Repeat Task 3, except that in step #1 you click the first + (plus) sign at the right side of the previous rule under the ACTION heading, and in step #7 you change the Occurrence to 1000 instead.

2.2.5. TASK 5: ADD THE LAST RULE

In the last rule for this example, we use a monitor type data source plugin to check whether the service is still up after a suspected attack.

1. Click the + (plus) sign at the right side of the third rule to add a child rule.
2. Enter a name for this rule, such as Service Up.
3. On the Rule name > Plugin screen, type ‘nmap’ in the search box to find the NMAP-Monitor plugin.
4. Click the blue NMAP-Monitor box to select that plugin.
5. On the Rule name > Plugin > Event Type screen, choose ‘TCP Port closed’. It will check whether a TCP port on a destination server is closed or not responding to requests.
6. Click SELECTED FROM LIST.
7. Repeat steps #4 to #7 in Task 3, but use +6 for the reliability value, 1 for the timeout and 3 for the occurrence.

In a rule that uses a monitor type data source plugin, the timeout and occurrence values have different meanings. The timeout value defines how many seconds the plugin will wait to receive a response from the destination to which the request was sent. Occurrence specifies how many times the request will be sent.

In our example, the timeout is set to 1 second and the occurrence is set to 3. This means that three (Is the TCP port closed?) requests will be sent to the destination server, and if a response to these requests is not received within 1 second, the rule will be matched and the reliability of the directive will be increased by 6.

Figure 11. The final directive with 4 rules

2.2.6. TASK 6: RESTART SERVER

Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by clicking YES when prompted.
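To make the behaviour of the four levels concrete, the following Python model is an added illustration, not AlienVault code or the ossim-server implementation. It replays constructed Cisco ASA ‘access permitted’ events through a rule chain carrying the values from Tasks 2 to 5: one event at reliability 1, then 100 events within 30 seconds for +2, then 1000 within 30 seconds for +2, then a monitor rule that sends 3 probes with a 1-second timeout for +6. The server address, the source address, the event timing and the probe result are all constructed. Two points are the model’s own assumptions: the total is capped at 10 because Task 2 gives the reliability scale as 0 to 10, and a single probe that gets a reply is read as “service still up” (the text does not say whether one or all three probes must fail).

```python
"""Toy model of a multi-level correlation directive (added illustration, not
AlienVault code). Mirrors the 'DoS Attack at NetBIOS' example: three
detector-type levels counting firewall 'access permitted' events to one server
on TCP/139, then a monitor-type level probing whether the port still answers."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

SERVER = "10.0.0.5"  # constructed address standing in for "your server"


@dataclass
class Event:
    """One normalized event as the correlation engine receives it."""
    plugin: str
    sid: int
    src: str
    dst: str
    dport: int
    ts: float  # seconds


@dataclass
class Rule:
    name: str
    plugin: str
    sids: Set[int] = field(default_factory=set)
    occurrence: int = 1
    timeout: float = 0.0         # seconds the level stays open (unused at level 1)
    reliability: int = 0         # absolute at level 1, relative (+n) at child levels
    dst: Optional[str] = None    # level 1 only: fixed destination server
    dport: Optional[int] = None  # level 1 only: fixed destination port
    # monitor-type rule: probe(host, port, timeout) -> True if the port answered
    probe: Optional[Callable[[str, int, float], bool]] = None


@dataclass
class State:
    level: int = 0               # index of the rule currently being evaluated
    reliability: int = 0
    src: str = ""
    dst: str = ""
    dport: int = 0
    count: int = 0
    window_start: float = 0.0
    expired: bool = False
    matched: List[str] = field(default_factory=list)


def _detector_match(rule: Rule, st: State, ev: Event) -> bool:
    if ev.plugin != rule.plugin or ev.sid not in rule.sids:
        return False
    if st.level == 0:  # level 1: ANY source, fixed destination host and port
        return ev.dst == rule.dst and ev.dport == rule.dport
    # child levels: "Source IP / Destination IP / Destination Port from level 1"
    return (ev.src, ev.dst, ev.dport) == (st.src, st.dst, st.dport)


def run_directive(rules: List[Rule], events: List[Event]) -> State:
    """Walk the rule chain over time-ordered events, then run monitor rules."""
    st = State()
    for ev in sorted(events, key=lambda e: e.ts):
        if st.expired or st.level >= len(rules) or rules[st.level].probe:
            break
        rule = rules[st.level]
        if st.level > 0 and ev.ts - st.window_start > rule.timeout:
            st.expired = True  # window closed before `occurrence` matches arrived
            break
        if not _detector_match(rule, st, ev):
            continue
        if st.level == 0:
            st.src, st.dst, st.dport = ev.src, ev.dst, ev.dport
        st.count += 1
        if st.count >= rule.occurrence:
            st.reliability = (rule.reliability if st.level == 0
                              else st.reliability + rule.reliability)
            st.matched.append(rule.name)
            st.level, st.count, st.window_start = st.level + 1, 0, ev.ts
    # Monitor-type levels: send `occurrence` requests, each waiting `timeout` seconds.
    while not st.expired and st.level < len(rules) and rules[st.level].probe:
        rule = rules[st.level]
        answered = [rule.probe(st.dst, st.dport, rule.timeout)
                    for _ in range(rule.occurrence)]
        if any(answered):
            break  # assumption: one reply means the service is up, rule not matched
        st.reliability += rule.reliability
        st.matched.append(rule.name)
        st.level += 1
    st.reliability = min(st.reliability, 10)  # reliability scale is 0-10
    return st


def build_directive(service_answers: bool) -> List[Rule]:
    """The four levels from the text; the probe outcome is constructed."""
    asa = {106102, 710002}  # the two ASA 'access permitted' plugin SIDs named in Task 2
    return [
        Rule("Established connections", "cisco-asa", asa, 1, 0, 1, SERVER, 139),
        Rule("100 connections", "cisco-asa", asa, 100, 30, 2),
        Rule("1000 connections", "cisco-asa", asa, 1000, 30, 2),
        Rule("Service Up", "nmap-monitor", occurrence=3, timeout=1, reliability=6,
             probe=lambda host, port, timeout: service_answers),
    ]


def flood(n: int, src: str = "198.51.100.7", spacing: float = 0.01) -> List[Event]:
    """Constructed burst of ASA 'access permitted' events from one source."""
    return [Event("cisco-asa", 710002, src, SERVER, 139, i * spacing) for i in range(n)]


if __name__ == "__main__":
    for label, spacing in (("fast flood", 0.01), ("slow trickle", 0.5)):
        st = run_directive(build_directive(False), flood(1101, spacing=spacing))
        print(f"{label}: reliability={st.reliability} matched={st.matched} expired={st.expired}")
```

Running the block shows the two outcomes the directive distinguishes: 1101 events arriving 10 ms apart walk through all four levels and end at the capped reliability of 10, while the same events 500 ms apart let the 30-second window at level 2 close first, so the directive expires with only the level 1 match and its reliability of 1.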


3. CUSTOMIZING CROSS CORRELATION RULES

3.1. CREATING A CROSS CORRELATION RULE

To create a new Cross Correlation rule,

1. Click NEW.
2. Select the Data Source Name, such as snort as shown in the example below.
3. Select the Reference Data Source Name, such as nessus-detector in the example.
4. Select the Event Type of the data source entered in step #2. For example, snort: “MySQL root login attempt”.
5. Select the Reference SID Name of the reference data source entered in step #3. For example, nessus: MySQL weak password.
6. Click CREATE RULE. Or, click BACK if you want to discard the changes.

This custom rule would be matched if the AlienVault IDS engine detected a MySQL root login attempt against a host that has the MySQL weak password vulnerability.

Figure 12. Creating a Cross Correlation rule
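The matching logic behind a Cross Correlation rule, as an added Python illustration (not AlienVault code): a rule pairs an event type on one data source with a finding on a reference data source, and the rule fires only when that event is directed at a host on which the referenced finding has been recorded. The snort SID, the nessus finding id, the host addresses and the inventory file format are constructed placeholders; the real identifiers come from the Event Type and Reference SID Name lists in the web interface. The page says only that the rule is matched, so expressing a match by raising the event’s reliability to 10 is this model’s assumption.

```python
"""Toy model of Cross Correlation (added illustration, not AlienVault code).
A rule = (data source, event type) x (reference data source, reference SID);
it matches when the event's destination host carries the referenced finding."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CrossRule:
    data_source: str      # plugin that produced the event, e.g. "snort"
    sid: int              # event type (plugin SID) on that data source
    ref_data_source: str  # plugin whose finding is looked up, e.g. "nessus-detector"
    ref_sid: int          # reference SID (finding id) on that data source


@dataclass
class IdsEvent:
    plugin: str
    sid: int
    src: str
    dst: str
    reliability: int


# host -> set of (scanner plugin, finding id) known for that host
Inventory = Dict[str, Set[Tuple[str, int]]]


def parse_inventory(lines: Iterable[str]) -> Inventory:
    """Build the host/finding inventory from 'host, plugin, sid' lines.
    The CSV layout is constructed for this example, not a USM export format."""
    inv: Inventory = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, plugin, sid = (f.strip() for f in line.split(","))
        inv.setdefault(host, set()).add((plugin, int(sid)))
    return inv


def cross_correlate(ev: IdsEvent, rules: Iterable[CrossRule], inv: Inventory) -> List[CrossRule]:
    """Return the rules matched by `ev`. On a match the event's reliability is
    raised to 10 (the model's assumption of what a matched rule does)."""
    findings = inv.get(ev.dst, set())
    hits = [r for r in rules
            if r.data_source == ev.plugin and r.sid == ev.sid
            and (r.ref_data_source, r.ref_sid) in findings]
    if hits:
        ev.reliability = 10
    return hits


# Constructed rule standing for: snort "MySQL root login attempt" x nessus "MySQL weak password".
MYSQL_ROOT_LOGIN_SID = 1000001     # placeholder snort SID
MYSQL_WEAK_PASSWORD_SID = 2000001  # placeholder nessus finding id
RULES = [CrossRule("snort", MYSQL_ROOT_LOGIN_SID, "nessus-detector", MYSQL_WEAK_PASSWORD_SID)]

SCAN_RESULTS = """
# host, scanner plugin, finding id   (constructed sample inventory)
10.0.0.20, nessus-detector, 2000001
10.0.0.21, nessus-detector, 2000002
"""


def evaluate(dst: str, reliability: int = 3) -> Tuple[int, int]:
    """Run one constructed snort event against the inventory.
    Returns (number of matched rules, event reliability afterwards)."""
    ev = IdsEvent("snort", MYSQL_ROOT_LOGIN_SID, "198.51.100.7", dst, reliability)
    hits = cross_correlate(ev, RULES, parse_inventory(SCAN_RESULTS.splitlines()))
    return len(hits), ev.reliability


if __name__ == "__main__":
    for host in ("10.0.0.20", "10.0.0.21", "10.0.0.99"):
        print(host, evaluate(host))
```

The login attempt against 10.0.0.20, which carries the referenced finding, matches the rule; the same event against 10.0.0.21 (a different finding) or 10.0.0.99 (not in the inventory) leaves the event untouched, which is exactly why a cross correlation rule needs a current vulnerability inventory to be useful.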

3.2. MODIFYING A CROSS CORRELATION RULE

To edit an existing Cross Correlation rule,

1. Locate the desired Cross Correlation rule and click on it. The entire row will change to light blue.
2. Click MODIFY.
3. Change any of the four fields as needed.
4. Click SAVE RULE to save the changes. Or, click BACK if you want to discard the changes.

3.3. DELETING A CROSS CORRELATION RULE

To delete a Cross Correlation rule,

1. Locate the desired Cross Correlation rule and click on it. The entire row will change to light blue.
2. Click DELETE SELECTED.

Use this button with caution. You will not be prompted to confirm.