Part 2.f: Configuring the OSSIM correlation engine

Correlation is a large part of security event monitoring.

https://alienvault.bloomfire.com/search?value=correlation&search-type=all
https://encrypted.google.com/search?q=correlation+inurl%3Awww.alienvault.com%2Fwiki%2Fdoku.php%3Fid%3Duser_manual%3Aintelligence
https://encrypted.google.com/search?q=correlation+inurl%3Awww.alienvault.com%2Fwiki%2Fdoku.php&oq=correlation+inurl%3Awww.alienvault.com%2Fwiki%2Fdoku.php

Types of correlation:
“Logical correlation: Using pre-defined and customized correlation rules.
Inventory correlation: Through inventory look ups the system is able to determine the validity of an event by simply checking the platform and applications running on the attacked machine. If the attacked system is not vulnerable to such type of attacks, the event is simply discarded. For e.g. An event announcing attack against IIS, won’t be relevant if the device is running Apache.
Cross correlation: If the event announces an event trying to exploit a previously detected vulnerability on a device, the reliability of the attack is raised up.”

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: