DK 'Log : tags/correlation

Tutorial 4: Correlation engine primer
Mon, 10 Dec 2007

Introduction

In order to answer to a recent forum post I had to do a quick research since it had been some time since I last tested this.
The exact question was:

Hello,

Is there a document talking about how the directives are processed?  One question
that I have is if you have multiple directives created and an event comes in
that matches the initial states of more than a single directive will both actually
process the event, or only the first match (which I think is the case)?

Thanks for any clarification you can provide.

Stephen

This post gives a bit of insight to how the correlation engine works and features some simple, custom made directives that help me answer that question.

The test environment features two events belonging to the ssh plugin (plugin_id 4003):

SSH password failed (plugin_sid 1)
SSH password accepted (plugin_sid 7)

In order to test this I've created three directives (plugin_id 1505)

Test directive 21, grouping one login failure and one success
Test directive 22, grouping one login failure and one success
Test directive 23, used in the second case, grouping those two

So, with all of this in place it was easy to simulate this failing a login and succeeding afterwards.

::read more

posted at: 12:47 | path: /ossim/tutorials | permanent link to this entry | 3 comments |
Tags: correlation, directives, tutorial, ossim

Categories

/ (57)
    code/ (1)
    feed/ (1)
    friends/ (1)
    ossim/ (37)
        installer/ (3)
        plugins/ (2)
        tuning/ (3)
        tutorials/ (8)
    personal/ (16)
        campus/ (2)
        opinion/ (1)
        travel/ (1)
    rants/ (1)

Dominique Karg
(feel free to get in touch)

Friend's blogs:

Certified Application Security Specialist

< December 2007 >

Mo Tu We Th Fr Sa Su

1 2

3 4 5 6 7 8 9

10 11 12 13 14 15 16

17 18 19 20 21 22 23

24 25 26 27 28 29 30

31