The AlienVault Blogs: Taking On Today’s Threats

The most recent posts from across the AlienVault blogs.


Late-breaking discoveries and in-depth analysis.


Practical, how-to advice, tips and guidance.


Perspectives on trends and industry happenings.

New AlienVault OSSIM v4.0 is out: New correlation capabilities

Today we are launching the new AlienVault OSSIM v4.0.

You can download it from here.

Apart from tons of new features, we have improved the correlation engine capabilities, two of the most impressive features are:

- Taxonomy correlation based on the Category and Subcategory of the events.

- Correlation using the Open Threat Exchange (OTX) data.

The correlation directives editor has been improved so you won’t need an XML editor anymore (in theory :D).

I will share with you a couple of  basic examples that will teach you how to use the new interface to build correlation rules using this new features.

Example 1: Outbound FTP connection to an external server marked as suspicious

On this example we will see how to detect outbound FTP connections to an external server that is present on the Open Threat Exchange system that indicates that can be a malicious or hacked server where data is being exfiltrated.

To create a new correlation rule click on Intelligence->Correlation Directives and then on the button “Add Directive”

Set the priority to 5:

And create the rule for the first level (the correlation directive will have only one level)

Then select the Taxonomy radio button and set the product type to Firewall

On the next window, select the Taxonomy radio button once again and set the category to Network and the subcategory to FTP_activity

The next window is used to set the source and destination conditions. For the Source we will click on HOME_NET, that means the correlation rule with match on events that have a source address belonging to the local networks we have defined in the system. For the destination click on !HOME_NET that will match on destination address that are outside our network. Click also on Reputation options and set “Reputation to” to yes. It will match on destination addresses that are marked as suspicious on the Open Threat Exchange data.

For the next windows you can let the default values set.

Once you create the correlation directive you have to perform a last step, it is because a small bug on the web interface. Go to Intelligence->Correlation Directives and on the User category click on “Edit XML directive file”:

As you can see in the following screenshot, add the content type=“detector” to the rule level of the XML file:

Finally click on Restart Server and your correlation rule will be loaded on the system.

Following you can see an example of the correlation rule firing:

If you click on the details, you will see that the alarm has been fired using an event from a Cisco Pix Firewall

This correlation rule is very useful to detect information being leaked to external servers by malware or intruders.

Example 2: SQL injection followed by error 500 on the web server

In this example we will see how to detect potential SQL injections in our web servers. The rule will detect an SQL injection attack detected by an Intrusion Detection System (IDS) followed by an error 500 on the destination web server that indicates that an error was detected on the web application.

Let’s create a new directive:

Let the default values for the next windows.

Then edit your recently created directive and add a new rule level:

On the next screen you have to set the option Source, From a parent rule: Source IP from level 1 and Destination, From a Parent Rule: Destination IP from level 1 that means the source and destination should match with the values seen in the first level we created.

Set the number of ocurrences to 1:

The timeout to 10 seconds:

And the reliability to 8:

Now you are done, remember to edit the XML file as we did in the previous example and add the type=“detector” to both rule levels:

Enjoy it!. Remember if you have any comments or doubts feel free to ask in our brand new Alienvault OSSIM Forum

Blog Home