
Discover. Investigate. Remediate.

Basic Event Correlation Rules


Copyright 2012 EMC Corporation. All rights reserved. 1

What is Event Correlation?


Event correlation is the analysis of a mass of events, the pinpointing of the most significant ones, and the triggering of actions. It is generally composed of four steps:
A. Event Filtering: discarding events that are irrelevant to the event correlator.
B. Event Aggregation: merging duplicates of the same event.
C. Event Masking: ignoring events that pertain to systems downstream of a failed system.
D. Root Cause Analysis: analysing the dependencies between events.


Nextgen/NWFL Process Flow

[Process-flow diagram: Log/Packet Capture -> Parse (Meta Extraction) -> Network Rules -> Feeds -> App Rules -> Basic Event Correlation Rules -> Write Meta]


Basic Event Correlation Rules


Syntax:

  name=name-string rule=app-rule key=primary-key[,primary-key]
  thresh=op-string(assoc-key)>value[mb|kb|gb] timewin=value[min|hr|sec]

name-string (Rule Name): added as meta when the rule fires.
app-rule (Rule): a valid application rule; it selects the sessions to correlate.
primary-key (Instance Key): a valid language key (e.g. ip.src, ip.dst) of type IPv4, IPv6 or UInt16. If a second primary key is specified, it must be of the same type as the first.
op-string (Threshold) is one of:
  u_count - count unique values of the assoc-key
  sum - sum the values of the assoc-key
  count - number of sessions (no assoc-key needs to be specified)
assoc-key: a valid language key of type IPv4, IPv6, UInt16, UInt32 or UInt64. If a compound key (two primary keys) is specified, the assoc-key cannot be IPv4 or IPv6.
The thresh value is not scaled if no unit is specified; the timewin value defaults to seconds if no unit is specified.


BEC Rule Implementation


BEC rules can be applied to Decoders, Log Decoders and Concentrators. In NwAdministrator, you manage BEC rules in the Adaptors and Rules section.

In SA (Security Analytics), you manage them under Administration > Devices > View > Config.



Sample BEC Rule

name="IPv4 Vertical TCP Port Scan 10" rule="tcp.dstport exists" order=13 thresh=u_count(tcp.dstport)>10 key=ip.src,ip.dst timewin="1 min" type=correlation

The sample also carries order=13 and type=correlation, which are not part of the minimal syntax shown on the previous slide; the slides that follow walk through the name, rule, key, thresh and timewin attributes one by one.


BEC Event Filtering


rule=app-rule
The rule is the filter that pinpoints the sessions of interest. It follows the same syntax as, and works like, an App Rule.

rule="tcp.dstport exists"
sends every session that has the tcp.dstport meta field populated on for correlation.


BEC - Aggregation
key=primary-key[,primary-key]
key=ip.src,ip.dst
Aggregate (group) the filtered sessions by the primary key(s). In this case we are grouping the sessions by source/destination IP pair, so each pair is tracked separately.


BEC - Analysis
thresh=op-string(assoc-key)>value[mb|kb|gb] timewin=value[min|hr|sec]
thresh=u_count(tcp.dstport)>10
Evaluate the grouped, filtered sessions against the associated key within the time window until the threshold is exceeded. In this case, once more than 10 distinct destination ports are seen for one source/destination pair within one minute, a meta session carrying the rule name is created: that is the alert.


Thresholds
For the threshold, you do not need an associated key; you can simply count the sessions that match the filter (e.g. thresh=count()>10). The threshold operator can be sum, count or u_count (unique count).


Key Constraints
The primary key can only be of type IPv4, IPv6 or UInt16, and you can have at most two primary keys.
The associated key can only be of type IPv4, IPv6, UInt16, UInt32 or UInt64. The associated key cannot be IPv4 or IPv6 if you use a compound (two-key) primary key.
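The filter, aggregation and threshold steps above, together with the rule syntax and the key constraints, as an added Python example (this is not RSA NetWitness product code): it parses the slide's sample rule, rejects rules that break the key constraints, and runs the rule over constructed sessions. The meta-key type table, the session records, the minimal app-rule filter and the clearing of a group's window after an alert are assumptions made for the example.

```python
"""Toy evaluator for BEC-style correlation rules (added example, not product code).

Parses the rule syntax shown on the slides, enforces the key-type constraints,
then runs filter -> aggregate -> threshold-within-time-window over sessions.
The meta-key type table and the session records are assumptions for illustration.
"""
import re
import shlex
from collections import defaultdict

# Assumed meta-key types; a real decoder takes these from its language index.
META_TYPES = {"ip.src": "IPv4", "ip.dst": "IPv4", "ipv6.src": "IPv6",
              "tcp.srcport": "UInt16", "tcp.dstport": "UInt16", "size": "UInt32"}
PRIMARY_OK = {"IPv4", "IPv6", "UInt16"}
ASSOC_OK = {"IPv4", "IPv6", "UInt16", "UInt32", "UInt64"}
TIME_UNITS = {"sec": 1, "min": 60, "hr": 3600}
SIZE_UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_rule(text):
    """Parse name/rule/key/thresh/timewin attributes and validate the keys."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(text))
    keys = kv["key"].split(",")
    ktypes = [META_TYPES[k] for k in keys]
    if not 1 <= len(keys) <= 2 or len(set(ktypes)) != 1 or ktypes[0] not in PRIMARY_OK:
        raise ValueError("need 1-2 primary keys of one type: IPv4, IPv6 or UInt16")
    m = re.fullmatch(r"(u_count|sum|count)\(([\w.]*)\)>(\d+)(kb|mb|gb)?",
                     kv["thresh"].replace(" ", ""))
    if not m:
        raise ValueError("bad thresh: " + kv["thresh"])
    op, assoc, value, unit = m.groups()
    if op != "count":                     # u_count/sum need an associated key
        atype = META_TYPES[assoc]
        if atype not in ASSOC_OK or (len(keys) == 2 and atype in ("IPv4", "IPv6")):
            raise ValueError("assoc key type not allowed with this primary key")
    t = re.fullmatch(r"(\d+)\s*(sec|min|hr)?", kv["timewin"].strip())
    if not t:
        raise ValueError("bad timewin: " + kv["timewin"])
    return {"name": kv["name"], "rule": kv["rule"], "keys": keys, "op": op,
            "assoc": assoc, "value": int(value) * SIZE_UNITS.get(unit, 1),  # unscaled w/o unit
            "timewin": int(t.group(1)) * TIME_UNITS.get(t.group(2), 1)}     # seconds by default


def matches(app_rule, session):
    """Minimal app-rule filter (assumption): supports '<key> exists' and '<key>=<value>'."""
    parts = app_rule.split()
    if len(parts) == 2 and parts[1] == "exists":
        return parts[0] in session
    key, _, want = app_rule.partition("=")
    return str(session.get(key.strip())) == want.strip().strip("'\"")


def evaluate(rule, sessions):
    """Return one alert meta per group whose metric exceeds the threshold inside the
    sliding window. A group's window is cleared after an alert (an assumption)."""
    windows = defaultdict(list)                  # group tuple -> [(time, assoc value)]
    alerts = []
    for s in sorted(sessions, key=lambda s: s["time"]):
        if not matches(rule["rule"], s):         # filtering
            continue
        group = tuple(s[k] for k in rule["keys"])   # aggregation by primary key(s)
        win = windows[group] + [(s["time"], s.get(rule["assoc"]))]
        win = [(t, v) for t, v in win if s["time"] - t < rule["timewin"]]
        vals = [v for _, v in win]
        metric = {"count": len(vals), "sum": sum(v or 0 for v in vals),
                  "u_count": len(set(vals))}[rule["op"]]   # analysis against thresh
        if metric > rule["value"]:
            alerts.append({"name": rule["name"], "group": group,
                           "time": s["time"], "metric": metric})
            win = []
        windows[group] = win
    return alerts


SAMPLE_RULE = ('name="IPv4 Vertical TCP Port Scan 10" rule="tcp.dstport exists" '
               'order=13 thresh=u_count(tcp.dstport)>10 key=ip.src,ip.dst '
               'timewin="1 min" type=correlation')


def build_sessions():
    """Constructed sessions: a fast scanner, a slow scanner, a normal client, one UDP flow."""
    def tcp(t, src, port):
        return {"time": t, "ip.src": src, "ip.dst": "10.0.0.9", "tcp.dstport": port}
    fast = [tcp(2000 + i, "10.0.0.5", 1 + i) for i in range(11)]       # 11 ports in 10 s
    slow = [tcp(1000 + 10 * i, "10.0.0.6", 1 + i) for i in range(11)]  # 11 ports over 100 s
    normal = [tcp(3000 + i, "10.0.0.7", p) for i, p in enumerate((80, 443, 22))]
    udp = [{"time": 2005, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "udp.dstport": 53}]
    return fast + slow + normal + udp


def run_sample():
    """Evaluate the slide's sample rule over the constructed sessions."""
    return evaluate(parse_rule(SAMPLE_RULE), build_sessions())


if __name__ == "__main__":
    print(run_sample())
```

Only the fast scanner trips the rule: the slow scanner also touches 11 ports, but never more than 6 of them fall inside any one-minute window, and the UDP session is dropped by the filter before it can be grouped. The same parser rejects a rule such as key=ip.src,ip.dst with thresh=u_count(ip.dst)>5, since an IPv4 associated key is not allowed with a compound primary key.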


Best Practices
Consider filtering on meta generated by feeds and app rules rather than checking all sessions. Be careful: correlation rules can have an impact on capture rates and performance. Always test their impact before pushing them to production.


Questions?
Comments? Thank You.
