Log correlation SIEM rule examples and correlation engine performance data

Transcript of Log correlation SIEM rule examples and correlation engine performance data

Page 1: Log correlation SIEM rule examples and correlation engine  performance data

Log Correlation/SIEM Rule Examples and Correlation Engine Performance Data

Dr. Ertuğrul AKBAŞ

[email protected]

[email protected]

The correlation capability is one of the most important features of a SIEM product. The correlation capabilities of SIEM products differ [1].

The example correlation rules listed below can be expressed with a SIEM product of average correlation capability.

1. Warn if 5 failed logon attempts with different usernames are made from the same IP to the same machine within 15 minutes and, after that, a successful login occurs from the same IP to any machine.

2. Warn if a host scan is made by an IP, then a successful connection is established by the same IP, and then a backward connection is established from the connected IP to the connecting IP.

3. Warn if more than 100 connections are established from different external IPs to the same destination IP in one minute.

4. Warn if 100 connections are established from the same external IP through different ports to the same destination IP in one minute.

5. Warn if the same user makes more than three failed logon attempts to the same machine in an hour.

6. Warn if a user cannot log into any server (causing a failed authentication) and, within two hours, that user again cannot log into the same server.

7. Warn once if more than 100 packets are blocked by the UTM/firewall from the same source IP, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack. If an email is sent for each one, you expose yourself to a DDoS attack of your own.)

8. Report the source IP which causes UnusualUDPTraffic.

9. Warn if traffic occurs to or from a source in the IPReputation list.

10. Warn if network traffic occurs from or to a source in the malicious link list published by TRCERT (Turkey Computer Emergency Response Team).

11. To find out whether someone has set up a DHCP server in your network, or a different gateway is broadcasting: warn if traffic occurs from inside to outside or from outside to inside whose protocol is UDP, whose destination port is 67, and whose destination IP is not in the registered IP list.

12. Warn if an IP scan occurs.

13. Warn if an SQL attack occurs via a web server.

14. Warn if the servers are accessed out of hours.

15. Warn if the same user makes more than three failed logon attempts to different machines in a minute.

16. Warn if an attack is followed by an account change.

17. Warn if a scan is followed by an attack.

18. Detect the unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours.

19. Look for a new account being created followed by immediate authentication activity from that same account; this detects a backdoor account being created and then used to telnet back into the system.

20. Monitor the same source having excessive logon failures at distinct hosts.

21. Check whether the source of an attack was previously the destination of an attack (within 15 minutes).

22. Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP.

23. Look for a new account being created, followed shortly by access/authentication failure activity from the same account.

24. Monitor system access outside of business hours.
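Rule 1 above is a stateful, two-stage rule (a distinct-username threshold inside a sliding window, followed by a later success from the same source), which is what makes it more demanding for a correlation engine than a plain count. The Python below is an added example, not the author's or any SIEM product's code, of one way to evaluate that rule over a constructed event stream; the log format, host names and addresses are made up, and keeping the armed state open-ended (rule 1 states no deadline for the success) is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # thresholds as stated in rule 1 above
DISTINCT_USERS = 5

class Rule1Correlator:
    """Stage 1: >= 5 distinct usernames fail from one source IP to one host inside a 15-minute
    sliding window. Stage 2: a later success from that IP to any host (rule 1 sets no deadline,
    so the armed state is kept until a success arrives; that is an assumption here)."""
    def __init__(self):
        self.failures = defaultdict(deque)  # (src_ip, host) -> deque of (ts, user)
        self.armed = {}                      # src_ip -> host on which stage 1 was met
    def process(self, ts, src_ip, host, user, outcome):
        """Feed one event in time order; return an alert string or None."""
        if outcome == "failure":
            q = self.failures[(src_ip, host)]
            q.append((ts, user))
            while ts - q[0][0] > WINDOW:  # evict failures that fell out of the window
                q.popleft()
            if len({u for _, u in q}) >= DISTINCT_USERS:
                self.armed[src_ip] = host
            return None
        target = self.armed.pop(src_ip, None)  # success: alert only if stage 1 is armed
        if target is None:
            return None
        return f"rule1: {src_ip} hit {target} with {DISTINCT_USERS}+ usernames, then logged in as {user}@{host}"

def parse(line):
    """Constructed log format: '<ISO timestamp> <src_ip> <host> <user> <failure|success>'."""
    ts, src_ip, host, user, outcome = line.split()
    return datetime.fromisoformat(ts), src_ip, host, user, outcome

def run(log_text):  # every alert raised over the log, in event order
    correlator = Rule1Correlator()
    return [a for a in (correlator.process(*parse(l)) for l in log_text.splitlines()) if a]

# Constructed sample: the 08:40/08:41 failures fall out of the window by 09:00, so the 09:03
# success is silent (only 3 names in window); two more names at 09:05/09:06 arm the rule.
SAMPLE_LOG = """\
2024-01-01T08:40:00 10.0.0.5 srv1 alice failure
2024-01-01T08:41:00 10.0.0.5 srv1 bob failure
2024-01-01T09:00:00 10.0.0.5 srv1 carol failure
2024-01-01T09:01:00 10.0.0.5 srv1 dave failure
2024-01-01T09:02:00 10.0.0.5 srv1 erin failure
2024-01-01T09:03:00 10.0.0.5 srv2 erin success
2024-01-01T09:05:00 10.0.0.5 srv1 frank failure
2024-01-01T09:06:00 10.0.0.5 srv1 gary failure
2024-01-01T09:10:00 10.0.0.5 srv2 gary success
"""
```

`run(SAMPLE_LOG)` returns exactly one alert, for the 09:10 success; the same structure (a keyed window plus a per-source armed flag) covers rules 15, 20 and 22 by changing the key and the counted attribute.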

Rules 1, 7, 11 and 12 above require a taxonomy capability; therefore, the correlation capability of each SIEM product is different [1].

Developing such rules through a wizard is a distinguishing feature among SIEM products. The CPU and RAM resources that correlation requires are important parameters with respect to the number of such rules [2].

If these parameters are not determined accurately in the project, log loss, problems in alarm identification and generation, and similar issues are encountered [3].

For example, the suggested physical server specification of the Sentinel 6.1 product for 20 correlation rules is a 2-core 3 GHz CPU and 4 GB RAM [2]. This server neither collects logs nor performs normalization; it is a physical server used only for log correlation [2]. In the latest version, the manufacturer suggests adding a new physical correlation server when needed rather than specifying a net figure such as 20 [3].

Manufacturers such as HP and IBM also suggest adding physical resources, depending on the situation, instead of giving a net figure.

There are relationships among the total number of correlation rules to be executed, EPS values, CPU, RAM, disk speed, and the number of physical or virtual correlation servers [7].

References:

1. http://www.slideshare.net/anetertugrul/gerek-siem-nedir-olmazsa-olmazlar-ve-gerek-siem-rn-ile-gvenlik-analiz-senaryolar

2. http://www.slideshare.net/NOVL/how-to-architect-a-novell-sentinel-implementation

3. http://www.slideshare.net/anetertugrul/log-ynetimi-sisteminizin-log-karp-karmadn-test-etmek-ister-misiniz

4. https://www.netiq.com/documentation/sentinel-73/s73_install/data/b19meos5.html#b12e1bcy

5. http://www.slideshare.net/anetertugrul/siniflandirma-temell-korelasyon-yaklaimi

6. http://www.slideshare.net/anetertugrul/threat-intelligence-ve-siem

7. http://www.slideshare.net/anetertugrul/siem-sure-log-arcsight-qradar-alienvault-solarwinds-performans-verileri