Log Correlation/SIEM Rule Examples and Correlation Engine Performance Data
Presentation, July 2016. DOI: 10.13140/RG.2.2.21089.71521
https://www.researchgate.net/publication/314187274
Dr. Ertuğrul AKBAŞ (ANET)
eakbas@gmail.com
ertugrul.akbas@anetyazilim.com.tr
Uploaded to ResearchGate by Ertuğrul Akbaş on 10 August 2017.

The correlation capability is one of the most important features of a SIEM product, and correlation capabilities differ from one SIEM product to another [1]. The correlation rule examples below are listed for a SIEM product with average correlation capability.

1. Warn if 5 failed logon attempts with different usernames are made from the same IP to the same machine within 15 minutes and, after that, a successful login occurs from the same IP to any machine.
2. Warn if a host scan is made by an IP, then a successful connection is established by the same IP, and then a backward connection is established from the connected IP to the connecting IP.
3. Warn if more than 100 connections are established from different external IPs to the same destination IP in one minute.
4. Warn if 100 connections are established from the same external IP through different ports to the same destination IP in one minute.
5. Warn if the same user makes more than three failed logon attempts to the same machine in an hour.
6. Warn if a user fails to authenticate to a server and, within two hours, fails again to log into the same server.
7. Warn once if more than 100 packets are blocked by the UTM/firewall from the same source IP, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an email is sent for each one, you expose yourself to a DDoS attack.)
8. Report the source IP which causes UnusualUDPTraffic.
9. Warn if traffic occurs to or from a source in the IP reputation list.
10. Warn if network traffic occurs from or to a source in the malicious link list published by TRCERT (Turkey Computer Emergency Response Team).
11. To find out whether someone has set up a DHCP server in your network or a different gateway is broadcasting: warn if traffic occurs from inside to outside or from outside to inside whose protocol is UDP, whose destination port is 67, and whose destination IP is not in the registered IP list.
12. Warn if an IP scan occurs.
13. Warn if a SQL attack occurs via the web server.
14. Warn if the servers are accessed out of hours.
15. Warn if the same user makes more than three failed logon attempts to different machines in a minute.
16. Warn if an attack is followed by an account change.
17. Warn if a scan is followed by an attack.
18. Detect the unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours.
19. Look for a new account being created followed by immediate authentication activity from that same account; this would detect a backdoor account being created and then used to telnet back into the system.
20. Monitor the same source having excessive logon failures at distinct hosts.
21. Check whether the source of an attack was previously the destination of an attack (within 15 minutes).
22. Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP.
23. Look for a new account being created, followed shortly by access/authentication failure activity from the same account.
24. Monitor system access outside of business hours.

Rules 1, 7, 11 and 12 above require taxonomy capability, and the correlation capability therefore differs from one SIEM product to another [1]; being able to develop such rules through a wizard is a distinguishing feature among SIEM products. The CPU and RAM resources required for correlation are important parameters in terms of the number of such rules [2]. If these parameters are not determined accurately in the project, log loss, problems in alarm identification and generation, and similar cases are encountered [3]. For example, the suggested physical server specification of the Sentinel 6.1 product for 20 correlation rules is a 2-core 3 GHz CPU and 4 GB RAM [2]. This server neither collects logs nor performs normalization; it is a physical server used only for log correlation [2]. In the latest version the manufacturer suggests adding a new physical correlation server when needed, rather than specifying an exact figure of 20 rules [3]. Manufacturers such as HP and IBM also suggest adding physical resources depending on the situation instead of giving an exact figure. The total number of correlation rules to be executed, the EPS value, CPU, RAM, disk speed and the number of physical or virtual correlation servers are all interrelated [7].
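Rule 1 above is a two-stage correlation: a windowed threshold on distinct usernames per source IP and target host, then a follow-on successful login from that IP. The Python below is an added example, not code from the paper or from any SIEM product; the event tuples, the field layout and the assumption that the successful login must arrive within the same 15-minute window are constructed here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # rule 1: 15-minute window
THRESHOLD = 5                    # rule 1: 5 distinct usernames

# Constructed sample events, not taken from the paper:
# (timestamp, event type, source IP, username, target host)
EVENTS = [
    ("2016-07-01 09:00:00", "logon_fail", "10.1.1.5", "alice", "srv1"),
    ("2016-07-01 09:01:00", "logon_fail", "10.1.1.5", "bob",   "srv1"),
    ("2016-07-01 09:02:00", "logon_fail", "10.1.1.5", "carol", "srv1"),
    ("2016-07-01 09:03:00", "logon_fail", "10.1.1.5", "dave",  "srv1"),
    ("2016-07-01 09:03:30", "logon_fail", "10.1.1.5", "dave",  "srv1"),  # repeat user
    ("2016-07-01 09:04:00", "logon_fail", "10.1.1.5", "erin",  "srv1"),  # 5th distinct
    ("2016-07-01 09:10:00", "logon_ok",   "10.1.1.5", "erin",  "srv2"),  # success elsewhere
    ("2016-07-01 09:20:00", "logon_fail", "10.1.1.9", "root",  "srv1"),
    ("2016-07-01 09:21:00", "logon_ok",   "10.1.1.9", "root",  "srv1"),  # only 1 failure
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def correlate_rule1(events, window=WINDOW, threshold=THRESHOLD):
    """Stage 1: per (src_ip, host), keep failed logons inside `window` and
    arm src_ip once the distinct usernames reach `threshold`.
    Stage 2: a successful logon from an armed src_ip to any host fires the
    alert.  Assumption (not stated in the paper): the success must arrive
    within `window` of arming, so armed state does not live forever."""
    fails = defaultdict(deque)   # (src_ip, host) -> deque of (time, user)
    armed = {}                   # src_ip -> time the threshold was reached
    alerts = []
    for ts, kind, src, user, host in events:
        t = parse_ts(ts)
        if kind == "logon_fail":
            q = fails[(src, host)]
            q.append((t, user))
            while q and t - q[0][0] > window:   # drop events older than the window
                q.popleft()
            if len({u for _, u in q}) >= threshold:
                armed[src] = t
        elif kind == "logon_ok" and src in armed:
            if t - armed[src] <= window:
                alerts.append((src, host, ts))
            del armed[src]       # one alert per armed state, so no alert storm
    return alerts

if __name__ == "__main__":
    for src, host, ts in correlate_rule1(EVENTS):
        print(f"ALERT rule 1: {src} logged on to {host} at {ts} after brute force")
```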
References:
1. http://www.slideshare.net/anetertugrul/gerek-siem-nedir-olmazsa-olmazlar-ve-gerek-siem-rn-ilegvenlik-analiz-senaryolar
2. http://www.slideshare.net/NOVL/how-to-architect-a-novell-sentinel-implementation
3. http://www.slideshare.net/anetertugrul/log-ynetimi-sisteminizin-log-karp-karmadn-test-etmek-istermisiniz
4. https://www.netiq.com/documentation/sentinel-73/s73_install/data/b19meos5.html#b12e1bcy
5. http://www.slideshare.net/anetertugrul/siniflandirma-temell-korelasyon-yaklaimi
6. http://www.slideshare.net/anetertugrul/threat-intelligence-ve-siem
7. http://www.slideshare.net/anetertugrul/siem-sure-log-arcsight-qradar-alienvault-solarwindsperformans-verileri