ANET SureLog SIEM Intelligent Response Feature
A correlation system consists of two parts:
1. Detection
2. Response
The response part is further divided into two sub-parts: raising an alarm and taking action.
ANET SureLog SIEM, developed by ANET Software, has many advantages on the detection side compared to its rivals [1,2,3,4].
The following cases, and similar ones, can be detected by the detection module:
• Warn if an internal PC makes a DNS query for a potentially malicious domain name and, afterwards, the same PC tries to access the internet within 24 hours over TCP ports higher than 1024 and/or makes internet requests outside business hours within a week.
• Warn about UDP traffic with destination port 67, going from inside to outside or from outside to inside, whose destination IP is not in the list of registered DHCP servers.
• Warn if the same user logs into a Linux server, then logs into a Windows server, and any service on either of these two servers is stopped.
• Detect the unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours.
• Warn once if more than 100 packets from the same source IP are blocked by the UTM/firewall device in one minute, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if a mail is sent for every one of those warnings, the alert stream itself becomes a DDoS against you.)
• Warn about the source IP that causes unusual UDP traffic.
• Warn if network traffic occurs from or to a source in the IP reputation list.
• Warn if network traffic occurs from or to a source in the "malicious links" list published by the National Cyber Response to Events (NCRE) Center.
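Two of the cases above, the blocked-packet threshold with one-hour suppression and the authentication failure that is never followed by a success, written as stateful correlation rules. This is an added example, not SureLog's own rule code or generated Java; the event fields (timestamp, source IP, host, success flag) and all sample events are constructed for the demonstration.

```python
"""Added example (not SureLog code): two of the correlation cases above
implemented as stateful rules over constructed events.

Rule 1: warn once when more than 100 packets from one source IP are blocked
        within a minute, then stay silent for that IP for an hour.
Rule 2: report a source whose authentication failure at a host is not followed
        by a successful authentication at that host within 2 hours.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class BlockedPacketFloodRule:
    """Sliding-window threshold with per-source alarm suppression."""

    def __init__(self, threshold=100, window=timedelta(minutes=1),
                 suppress=timedelta(hours=1)):
        self.threshold = threshold
        self.window = window
        self.suppress = suppress
        self.hits = defaultdict(deque)   # src_ip -> timestamps of blocked packets
        self.last_alarm = {}             # src_ip -> time the last alarm was raised

    def feed(self, ts, src_ip):
        """Consume one 'packet blocked' event; return an alarm text or None."""
        q = self.hits[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop packets older than the window
            q.popleft()
        if len(q) <= self.threshold:
            return None
        last = self.last_alarm.get(src_ip)
        if last is not None and ts - last < self.suppress:
            return None                        # still inside the quiet period
        self.last_alarm[src_ip] = ts
        return f"{src_ip}: {len(q)} packets blocked within {self.window}"


class FailedAuthNoSuccessRule:
    """Track (source, host) pairs with an unanswered authentication failure."""

    def __init__(self, grace=timedelta(hours=2)):
        self.grace = grace
        self.pending = {}   # (src, host) -> time of the first unanswered failure

    def feed(self, ts, src, host, success):
        if success:
            self.pending.pop((src, host), None)     # failure was answered in time
        else:
            self.pending.setdefault((src, host), ts)

    def expired(self, now):
        """Return and forget pairs whose failure is older than the grace period."""
        out = [k for k, t0 in self.pending.items() if now - t0 >= self.grace]
        for k in out:
            del self.pending[k]
        return out


def run_demo():
    """Feed constructed events through both rules; returns (alarm count, unanswered pairs)."""
    base = datetime(2024, 1, 1, 9, 0, 0)        # constructed timestamp
    flood = BlockedPacketFloodRule()
    alarms = []
    for start in (timedelta(0), timedelta(minutes=30), timedelta(hours=2)):
        # three bursts of 150 blocked packets, 100 ms apart, from one source
        for i in range(150):
            alarm = flood.feed(base + start + timedelta(milliseconds=100 * i), "203.0.113.7")
            if alarm:
                alarms.append(alarm)
    # the bursts at 0 and 2 h alarm; the one at 30 min falls inside the suppression hour

    auth = FailedAuthNoSuccessRule()
    auth.feed(base, "10.0.0.5", "srv-linux", success=False)
    auth.feed(base + timedelta(minutes=5), "10.0.0.5", "srv-linux", success=True)
    auth.feed(base, "10.0.0.9", "srv-win", success=False)   # never followed by success
    unanswered = auth.expired(base + timedelta(hours=2, minutes=1))
    return len(alarms), unanswered


if __name__ == "__main__":
    print(run_demo())   # (2, [('10.0.0.9', 'srv-win')])
```

The suppression timer is what keeps the second rule's observation about DDoS from biting: the alarm count stays at one per source per hour however many packets the firewall blocks. The second rule is the mirror image of a brute-force detector, so it is worth checking its `expired()` method on a schedule rather than only on event arrival.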
After the detection module has done its work, the alarms and actions are as important as the detection itself. ANET SureLog SIEM handles these alerts and actions in a smart way through its Intelligent Response system. The power of this module, called Intelligent Response, in fact comes from the power of the correlation engine. Although SureLog's correlation engine is built on fully visual wizards and drag & drop, the rules created through the visual wizards are converted to Java [5] code in the background and run as a program thread. In this way, users who know Java can create correlation rules by writing Java code with the expert mode feature, which only the SureLog product offers, so that any kind of logic can be run without limit through either the visual wizards or Java code.
The system can also produce SureLog correlation rule files from the generated Java code.
Sample Java code is shown in Appendix 1.
When the detection module detects an event, the response module can do the following:
• Send an email
• Execute a script
o Visual Basic
o Batch file
o Perl script
o Python script
• Execute Java code
• Run an application
• Update a dynamic list. For example, add or remove an IP address in the forbidden IP address list, updating it dynamically for sources with more than 3 failed logon attempts in the last week, or add a benign IP or URL that triggered an alarm to a whitelist so that false positives are not generated in the future.
The response module performs one or more of the actions listed above. This is another advantage of the ANET SureLog correlation module. The one or more responses specified above can be defined using the following screen.
As seen in the following screen, attributes or parameters can be passed to the mail-sending, script-execution, or dynamic list management module. For example:
• Event source
• Event destination IP
• Username
• Computer name
• Process name
• Software name
• …
One or more parameters (source IP, username, etc.) can be added to the response defined in the Add Alert screen of the Intelligent Response module shown above. In this way, the attacked machine can be shut down using the necessary scripts, a previously defined list can be updated, or a new list can be defined; these lists are then used automatically by the other rules or by newly added rules, or another requested process can be carried out.
Dynamic list updating and definition is a SureLog feature not provided by any other product in the world. It gives the detection module incredible flexibility and a wide range of uses. For example: warn if a user in the Administrator group has a failed logon attempt. Here the Administrator group is kept up to date dynamically by the other rules; for example, if a user is added to the Admin group, update the Administrator user list.
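The dynamic-list mechanism described in the response list above and in this paragraph, as an added example that is not SureLog's code: three lists (Administrators, ForbiddenIPs, Whitelist) are consulted and updated by rules running over the same event stream. The event kinds, field names and all sample events are constructed for the demonstration; the list names mirror the text but are not the product's identifiers.

```python
"""Added example (not SureLog code): dynamic lists that correlation rules
both consult and update, over constructed events.

Lists:  Administrators (kept current by a group-change rule),
        ForbiddenIPs (sources with more than 3 failed logons in the last week),
        Whitelist (benign sources whose events raise no alarm).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WEEK = timedelta(days=7)


class DynamicList:
    """A named set of members that rules may read and modify at run time."""

    def __init__(self, name, initial=()):
        self.name = name
        self.members = set(initial)

    def add(self, item):
        self.members.add(item)

    def remove(self, item):
        self.members.discard(item)

    def __contains__(self, item):
        return item in self.members


class IntelligentResponseDemo:
    def __init__(self):
        self.admins = DynamicList("Administrators", {"alice"})
        self.forbidden_ips = DynamicList("ForbiddenIPs")
        self.whitelist = DynamicList("Whitelist", {"10.0.0.50"})  # e.g. an internal scanner
        self.failures = defaultdict(list)   # src_ip -> timestamps of failed logons
        self.alarms = []    # what the 'alarm' sub-part would send by mail
        self.actions = []   # what the 'taking action' sub-part would execute

    def handle(self, ev):
        kind, ts = ev["kind"], ev["ts"]
        if kind == "group_member_added" and ev["group"] == "Administrators":
            self.admins.add(ev["user"])             # keep the admin list current
            self.actions.append(f"Administrators += {ev['user']}")
        elif kind == "group_member_removed" and ev["group"] == "Administrators":
            self.admins.remove(ev["user"])
            self.actions.append(f"Administrators -= {ev['user']}")
        elif kind == "logon_failure":
            src = ev["src_ip"]
            if src in self.whitelist:
                return                              # known-benign source: no alarm, no counting
            if ev["user"] in self.admins:
                self.alarms.append(f"failed logon for administrator {ev['user']} from {src}")
            hist = self.failures[src]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= WEEK]   # keep one week of history
            if len(hist) > 3 and src not in self.forbidden_ips:
                self.forbidden_ips.add(src)         # list update is the response action
                self.actions.append(f"ForbiddenIPs += {src}")
        elif kind == "connection" and ev["src_ip"] in self.forbidden_ips:
            self.alarms.append(f"traffic from forbidden source {ev['src_ip']}")


def run_demo():
    base = datetime(2024, 1, 8, 9, 0, 0)   # constructed timestamp
    m = timedelta(minutes=1)
    old = base - timedelta(days=8)         # failures outside the one-week window
    events = [   # constructed, in time order
        {"kind": "logon_failure", "ts": old, "user": "dave", "src_ip": "192.0.2.8"},
        {"kind": "logon_failure", "ts": old + m, "user": "dave", "src_ip": "192.0.2.8"},
        {"kind": "logon_failure", "ts": old + 2 * m, "user": "dave", "src_ip": "192.0.2.8"},
        {"kind": "group_member_added", "ts": base, "group": "Administrators", "user": "bob"},
        {"kind": "logon_failure", "ts": base + m, "user": "bob", "src_ip": "198.51.100.4"},
        {"kind": "logon_failure", "ts": base + 2 * m, "user": "carol", "src_ip": "198.51.100.4"},
        {"kind": "logon_failure", "ts": base + 3 * m, "user": "carol", "src_ip": "198.51.100.4"},
        {"kind": "logon_failure", "ts": base + 4 * m, "user": "carol", "src_ip": "198.51.100.4"},
        {"kind": "logon_failure", "ts": base + 5 * m, "user": "alice", "src_ip": "10.0.0.50"},
        {"kind": "logon_failure", "ts": base + 6 * m, "user": "dave", "src_ip": "192.0.2.8"},
        {"kind": "connection", "ts": base + 7 * m, "src_ip": "198.51.100.4"},
    ]
    demo = IntelligentResponseDemo()
    for ev in events:
        demo.handle(ev)
    return {
        "alarms": demo.alarms,
        "actions": demo.actions,
        "admins": sorted(demo.admins.members),
        "forbidden": sorted(demo.forbidden_ips.members),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Note how the rules interact only through the lists: the group-change rule makes bob an administrator, so his later failed logon alarms; the fourth failure from 198.51.100.4 puts that source on ForbiddenIPs, which the connection rule then matches; the whitelisted scanner is never counted; and 192.0.2.8's three old failures have aged out of the week, so it stays off the list.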
References:
1. http://www.slideshare.net/anetertugrul/surelog-international-edition
2. http://www.slideshare.net/anetertugrul/gerek-siem-nedir-olmazsa-olmazlar-ve-gerek-siem-rn-ile-gvenlik-analiz-senaryolar
3. http://www.slideshare.net/anetertugrul/log-korelasyon-siem-kural-ornekleri-ve-korelasyon-motoru-performans-verileri
4. http://www.slideshare.net/anetertugrul/log-yonetimi-ve-siemkontrol-listesi
5. https://www.java.com/tr/