Part 2.f: Configuring the OSSIM correlation engine
< Part 1: Raise your awareness
< Part 2: The Console
< Part 2.a: Configure AlienVault’s OSSIM as your primary security console
< Part 2.b: Adding assets to OSSIM
< Part 2.c: Configuring OSSIM plugins
< Part 2.d: Scheduling asset inventory and configuring software inventory
< Part 2.e: Distributing OSSIM sensor boxes
Correlation is a large part of security event monitoring.
Types of correlation:
“Logical correlation: Using pre-defined and customized correlation rules.
Inventory correlation: Through inventory look ups the system is able to determine the validity of an event by simply checking the platform and applications running on the attacked machine. If the attacked system is not vulnerable to such type of attacks, the event is simply discarded. For e.g. An event announcing attack against IIS, won’t be relevant if the device is running Apache.
Cross correlation: If the event announces an event trying to exploit a previously detected vulnerability on a device, the reliability of the attack is raised up.”