Part 2.f: Configuring the OSSIM correlation engine

Correlation is a large part of security event monitoring.

Types of correlation:
“Logical correlation: Using pre-defined and customized correlation rules.
Inventory correlation: Through inventory look ups the system is able to determine the validity of an event by simply checking the platform and applications running on the attacked machine. If the attacked system is not vulnerable to such type of attacks, the event is simply discarded. For e.g. An event announcing attack against IIS, won’t be relevant if the device is running Apache.
Cross correlation: If the event announces an event trying to exploit a previously detected vulnerability on a device, the reliability of the attack is raised up.”

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: