The OSSIM Correlation Engine crosses information from different sources to gain wider visibility, find higher-level patterns and fight false positives.

There are 3 correlation types:


Logical Correlation

Lets the administrator create Correlation Directives, logical rules that join different small events to match a new pattern. The OSSIM Logical Correlation Engine allows implementing user-defined patterns of any kind using hybrid sources (not only detectors but also monitors) and a recursive, hierarchical, distributed architecture.


Cross Correlation

"Crosses" information from IDSs and vulnerability scanners, prioritizing or deprioritizing the event depending on whether or not we are vulnerable to the attack.


Inventory Correlation

Checks whether the attack affects a certain service and operating system type and version, and whether the attacked host actually has that OS/service active, discarding the event if not.


A typical correlation example would be a "Worm Detected" alarm raised after locating a number of abnormal connections. We could create different correlation levels and correlate several of these "Worm Detected" alarms to produce a more abstract "Plague Alarm".
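As an added illustration (not OSSIM's own code or directive syntax), the following Python model runs the three stages described above on constructed data: inventory correlation discards events whose target lacks the required OS/service, cross correlation shifts priority by scanner findings, and a logical directive turns repeated abnormal connections into "Worm Detected" alarms and several of those into one "Plague Alarm". The inventory, vulnerability set, thresholds and event fields are all assumptions.

```python
from collections import Counter

# Constructed sample data, not taken from an OSSIM installation:
# asset inventory and vulnerability-scanner findings per host.
INVENTORY = {
    "10.0.0.5": {"os": "windows", "services": {"smb"}},
    "10.0.0.9": {"os": "linux", "services": {"ssh", "http"}},
}
VULNERABLE = {("10.0.0.5", "smb-rce")}  # (host, vuln_id) pairs the scanner reported

def inventory_correlation(event):
    """Keep the event only if the target runs the OS/service the attack needs."""
    host = INVENTORY.get(event["dst"])
    if host is None:
        return True  # unknown host: nothing to check against, keep the event
    return host["os"] == event["target_os"] and event["target_service"] in host["services"]

def cross_correlation(event):
    """Raise priority when the scanner confirms the hole, lower it when it does not."""
    if (event["dst"], event["vuln_id"]) in VULNERABLE:
        return min(event["priority"] + 2, 5)
    return max(event["priority"] - 1, 0)

def logical_correlation(events, threshold=3):
    """Directive: >= threshold abnormal connections from one source -> 'Worm Detected';
    two or more 'Worm Detected' alarms -> one higher-level 'Plague Alarm'."""
    abnormal = Counter(e["src"] for e in events if e["name"] == "abnormal_connection")
    worms = [{"name": "Worm Detected", "src": s} for s, n in abnormal.items() if n >= threshold]
    alarms = list(worms)
    if len(worms) >= 2:
        alarms.append({"name": "Plague Alarm", "hosts": sorted(w["src"] for w in worms)})
    return alarms

def correlate(ids_events, flow_events):
    """Filter IDS events by inventory, re-prioritize them by scanner data,
    then apply the worm directive to the connection events."""
    kept = [dict(e, priority=cross_correlation(e))
            for e in ids_events if inventory_correlation(e)]
    return {"ids_alerts": kept, "alarms": logical_correlation(flow_events)}

if __name__ == "__main__":
    ids = [  # constructed IDS events: same exploit against a vulnerable and a non-matching host
        {"name": "smb_exploit", "src": "1.2.3.4", "dst": "10.0.0.5", "vuln_id": "smb-rce",
         "target_os": "windows", "target_service": "smb", "priority": 2},
        {"name": "smb_exploit", "src": "1.2.3.4", "dst": "10.0.0.9", "vuln_id": "smb-rce",
         "target_os": "windows", "target_service": "smb", "priority": 2},
    ]
    flows = [{"name": "abnormal_connection", "src": s}
             for s in ["10.0.0.5"] * 3 + ["10.0.0.7"] * 3 + ["10.0.0.9"]]
    print(correlate(ids, flows))
```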