Tutorial 4: Correlation engine primer
Mon, 10 Dec 2007

Introduction

In order to answer to a recent forum post I had to do a quick research since it had been some time since I last tested this.
The exact question was:

Hello,

Is there a document talking about how the directives are processed?  One question
that I have is if you have multiple directives created and an event comes in
that matches the initial states of more than a single directive will both actually
process the event, or only the first match (which I think is the case)?

Thanks for any clarification you can provide.

Stephen

This post gives a bit of insight to how the correlation engine works and features some simple, custom made directives that help me answer that question.

The test environment features two events belonging to the ssh plugin (plugin_id 4003):
  • SSH password failed (plugin_sid 1)
  • SSH password accepted (plugin_sid 7)
In order to test this I've created three directives (plugin_id 1505)
  • Test directive 21, grouping one login failure and one success
  • Test directive 22, grouping one login failure and one success
  • Test directive 23, used in the second case, grouping those two
So, with all of this in place it was easy to simulate this failing a login and succeeding afterwards.


::read more

posted at: 12:47 | path: /ossim/tutorials | permanent link to this entry | 3 comments |
Tags: , , ,



Categories

/ (37)
    code/ (1)
    feed/ (1)
    ossim/ (24)
        installer/ (3)
        plugins/ (2)
        tuning/ (3)
        tutorials/ (7)
    personal/ (10)
        campus/ (2)
        opinion/ (1)
        travel/ (1)
    rants/ (1)



RSS



< December 2007 >
MoTuWeThFrSaSu
      1 2
3 4 5 6 7 8 9
10111213141516
17181920212223
24252627282930
31      



Archives

2008-Dec
2008-Oct
2008-Aug
2008-Jul
2008-May
2008-Mar
2008-Feb
2008-Jan
2007-Dec
2007-Nov



Tags


Made with PyBlosxom