ANET SURELOG International Edition has many advantages over its rivals in terms of log collection speed, big data infrastructure, compliance reports, overall speed, ease of use, user interface, the number of supported devices, distributed architecture, taxonomy and correlation features.
The most important feature of a SIEM product is correlation: it analyzes many different logs and correlates them to reach an exact result.
TABLE OF CONTENTS
THE CORRELATION ADVANTAGES OF ANET SURELOG INTERNATIONAL EDITION SIEM PRODUCT
The advantages of SureLog correlation engine
The taxonomy
Logs and detected taxonomy examples
The scenario based rules
Correlating more than one rules by order or time
The logical independence
The threshold rules
Threat Intelligence
Example correlation rules
IntelligentResponse
Before discussing the correlation advantages of the ANET SURELOG International Edition product, the main features of its correlation engine are:
• SureLog is fast: it supports 50,000 EPS with thousands of rules.
• Rule chains.
• Advanced correlation rules.
• Rule suspending: preventing a rule from firing for a defined time period, for example suspending Rule A for 1 hour after it fires.
• Compression-based correlation: monitors multiple occurrences of the same event, removes redundancies and reports them as a single event.
• Time-based correlation.
• A visual user interface for writing correlation rules.
• A TAG feature, which does not exist even in many global products (fields are added automatically or manually by the user).
• Threshold-based correlation: a threshold triggers a report when a specified number of similar events occur.
• Filter-based correlation: inspects each event to determine whether it matches a pattern defined by a regular expression; if a match is found, an action may be triggered as specified in the rule.
• Sequence-based correlation: helps to establish causality between events. Events can be correlated based on specific sequential relationships, for example synchronizing multiple events such as event A being followed by event B to trigger an action.
• Non-negative case rules, which do not exist even in many global products.
• Context-based correlation, which does not exist even in many global products.
• Hierarchical correlation, which does not exist even in many global products.
• Dynamic correlation list management, which does not exist even in many global products.
• Wide support for operators. For example:
The advantages of the SureLog correlation engine:
The advantages of the SureLog product compared to existing SIEM products are explained in this part. These advantages fall into four main categories:
• The taxonomy
• The scenario based rules
• Threat Intelligence
• IntelligentResponse
The taxonomy:
Taxonomy, put simply, is grouping. For example:
• A router login process
• A switch login process
• A firewall login process
• A Windows server login process
• A Linux login process
All of these login processes are grouped as login processes under a single group. This both enables reporting with a single click ("Report all login processes in my network") and allows writing correlation rules such as: after a UTM device blocks 15 packets from the same IP as infected, if a login attempt to the network occurs within 5 minutes, mail the information of the machine that makes this login attempt and of the machine exposed to it.
Taxonomy is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.
Taxonomy is the process of adding valuable log type (group) information to the normalized event, derived from evaluating the source's signature database, pointers in the log (such as system-alert-00016) and direct meanings contained in the log (such as zone untrust or int untrust).
Some of the existing 1537 taxonomy groups in SureLog:
• Reconnaissance->Scan->Host
• TCPTrafficAudit->TCP SYN Flag
• ICMPTrafficAudit
• NamingTrafficAudit
• Malicious->Web->SQL
• Flow->Fragmentation
• httpproxy->TrafficAuditaccept
• HTTPDynamicContentAccess
• WebTrafficAudit.Web Content
• HealthStatus.Informational.Traffic.Start
• Malicious.BufferOverflow
• Malicious.Trojan
• PolicyViolation
• Malicious.Web.Attack
Logs and detected taxonomy examples:
Cisco PIX
o Log: Aug 17 2011 15:04:42 212.109.105.1 : %PIX-6-302013: Built inbound TCP connection 2493108 for outside:78.187.203.198/16884 (78.187.203.198/16884) to inside:192.168.147.2/80 (212.109.105.3/80)
o Taxonomy: HealthStatus.Informational.Traffic.Start
Snort
o Log: 09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035
o Taxonomy: Malicious.BufferOverflow
o Log: 09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80
o Taxonomy: Malicious.Trojan
o Log: 09/22-21:03:36.306197 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033
o Taxonomy: PolicyViolation
o Log: 09/22-21:03:36.306197 [**] [1:15306:12] FILE-IDENTIFY Portable Executable binary file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033
o Taxonomy: Malicious.Web.Attack
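As an added illustration (not SureLog's own code or signature format), the following Python normalizer maps the PIX and Snort lines above to their taxonomy groups through a small signature table, with a word-based fallback on the classification text when a signature ID is unknown. The signature tables, the normalized field names and the third sample line (made-up SID 9999999) are constructed for this example.

```python
import re

# Signature tables constructed for this example from the log/taxonomy pairs shown
# above; a real deployment carries a far larger signature database.
SNORT_SID_TAXONOMY = {12798: "Malicious.BufferOverflow", 2013976: "Malicious.Trojan",
                      2014819: "PolicyViolation", 15306: "Malicious.Web.Attack"}
PIX_MSGID_TAXONOMY = {"302013": "HealthStatus.Informational.Traffic.Start"}
# Word-based fallback on the classification text, used when the SID is unknown.
CLASSIFICATION_WORDS = [("trojan", "Malicious.Trojan"),
                        ("executable code", "Malicious.BufferOverflow"),
                        ("misc activity", "PolicyViolation")]

SNORT_RE = re.compile(
    r"\[\*\*\] \[1:(?P<sid>\d+):\d+\] .*? \[\*\*\] \[Classification: (?P<cls>[^\]]*)\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
PIX_RE = re.compile(
    r"%PIX-\d-(?P<msgid>\d+): Built (?:in|out)bound (?P<proto>\w+) connection \d+"
    r" for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) .*? to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def normalize(line):
    """Map one raw log line to a normalized event that carries its taxonomy group."""
    m = SNORT_RE.search(line)
    if m:
        sid = int(m.group("sid"))
        tax = SNORT_SID_TAXONOMY.get(sid)
        if tax is None:  # signature not in the table: classify by the message words
            cls = m.group("cls").lower()
            tax = next((t for w, t in CLASSIFICATION_WORDS if w in cls), "Unclassified")
        source = "snort"
    else:
        m = PIX_RE.search(line)
        if not m:
            return {"source": "unknown", "taxonomy": "Unclassified", "raw": line}
        sid = m.group("msgid")
        tax = PIX_MSGID_TAXONOMY.get(sid, "Unclassified")
        source = "pix"
    return {"source": source, "taxonomy": tax, "signature": sid, "proto": m.group("proto"),
            "src_ip": m.group("src"), "src_port": int(m.group("sport")),
            "dst_ip": m.group("dst"), "dst_port": int(m.group("dport")), "raw": line}

# Constructed sample lines: the first two follow the PIX and Snort examples above, the
# third uses a made-up SID (9999999) so that the word-based fallback is exercised.
SAMPLE_LOGS = [
    "Aug 17 2011 15:04:42 212.109.105.1 : %PIX-6-302013: Built inbound TCP connection 2493108 "
    "for outside:78.187.203.198/16884 (78.187.203.198/16884) to inside:192.168.147.2/80 (212.109.105.3/80)",
    "09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: "
    "Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035",
    "09/22-21:04:01.000000 [**] [1:9999999:1] EXAMPLE UNKNOWN SIG [**] [Classification: "
    "A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80",
]

def classify_all(lines=SAMPLE_LOGS):
    """Return the taxonomy group assigned to each line, in order."""
    return [normalize(line)["taxonomy"] for line in lines]
```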
The taxonomy module in the correlation wizard is shown in the following figure:
SureLog International Edition has about 3 million signatures for about 350 log types.
SureLog Taxonomy Examples:
• "SuccessfulLogin"
• "Malicious DNS Attack"
• "CompromisedVirusAttachmentNotCleaned"
• "Informational VPN TunnelFailed"
• "Informational.Traffic.Start"
The taxonomy process uses:
• Word bases, word(s), service combinations,
• System signatures (fingerprints) through which data is collected,
• and so on.
The taxonomy process is carried out through various combinations and signification steps according to the incoming data. A sentence sensor decides which parts of the incoming data to examine.
For more information about taxonomy:
https://www.novell.com/developer/plugin-sdk/sentinel_taxonomy.html
http://www.slideshare.net/anetertugrul/sure-log-context-sensitive-scalable-siem-solution
http://www.slideshare.net/anetertugrul/siniflandirma-temell-korelasyon-yaklaimi
The scenario based rules:
These bring a scenario-based approach to events: the whole scenario is examined rather than individual logs in isolation.
A sample rule:
1. Warn if user A cannot log into server X, causing a failed authentication, and within two hours user A still cannot log into the same server X.
To develop a scenario based rule:
• Rule Severity: running more than one rule in order or according to the time relation among them.
• Another correlation rule should be created from more than one correlation.
• A rule should be written for the case where some of several different events occur sequentially within a certain period of time and the others do not (X → not Y).
• A rule should be written for the case where several different events occur sequentially within a certain period of time (X → Y).
• A priority value should be given to each correlation rule.
Correlating more than one rules by order or time
It is possible to correlate several rules and draw a conclusion from them by relating them in order or in time, according to whether the source IP, destination IP, computer name, and source and destination ports are the same or not.
For example:
• After 15 packets are blocked from the same IP in one minute, warn if a successful login occurs to that IP.
• After 15 packets are blocked from the same IP, warn if a successful login occurs to that IP within 5 minutes.
Following the same logic, a rule can be written for the case where some of several different events occur sequentially within a certain period of time and the others do not (X → not Y).
As shown in the editor above, it is possible to create an alarm of the form: first Part1_rule occurs, then the not_port rule occurs, and then the part_3 rule occurs.
The logical independence
Full flexibility is necessary when setting up the relations among logs for developing a scenario based rule. Any property of any normalized log should be correlatable with a property of another log (for example, the source IP), and logical operations should then be applied. SureLog.Int.Ed provides this.
Example: warn if user A cannot log into server X, causing a failed authentication, and within two hours user A still cannot log into the same server X.
As seen from the rule above, the same user (A) and server (X) are expected in both logs. It is also expected that the second event does not occur in the second step of the scenario during the specified time.
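The X-then-not-Y scenario above, implemented as an added Python example rather than SureLog's own rule format: a failed login for a (user, host) pair opens a two-hour window, a successful login for the same pair cancels it, and the alert fires when the window expires without one. The taxonomy names FailedLogin and SuccessfulLogin, the event fields and the sample events are assumptions; the key fields are a parameter, so the same rule can relate any normalized properties of the two logs.

```python
WINDOW = 2 * 3600  # two hours, as in the rule above

class NegativeSequenceRule:
    """Fire when a FIRST event occurs and no ABSENT event with the same key follows
    within the window. The key is any tuple of normalized fields, e.g. ("user", "host"),
    so the relation between the two logs is chosen freely (the logical independence above)."""

    def __init__(self, first, absent, key, window=WINDOW):
        self.first, self.absent, self.key, self.window = first, absent, key, window
        self.pending = {}  # key values -> time at which the window expires

    def _key(self, ev):
        return tuple(ev[f] for f in self.key)

    def tick(self, now):
        """Emit alerts for pending scenarios whose window expired without the ABSENT
        event. Called with the stream clock before each event and once at the end."""
        due = [k for k, expires in self.pending.items() if expires <= now]
        for k in due:
            del self.pending[k]
        return [{"rule": f"{self.first} then not {self.absent}", **dict(zip(self.key, k))}
                for k in due]

    def feed(self, ev):
        alerts = self.tick(ev["ts"])
        k = self._key(ev)
        if ev["taxonomy"] == self.first:
            self.pending.setdefault(k, ev["ts"] + self.window)  # repeats do not restart it
        elif ev["taxonomy"] == self.absent:
            self.pending.pop(k, None)  # second step happened: the scenario is cancelled
        return alerts

# Constructed events (ts in seconds): alice recovers on srvX, bob never does, and carol's
# login to a different server does not satisfy the (user, host) key for her srvX failure.
EVENTS = [
    {"ts": 0,    "taxonomy": "FailedLogin",     "user": "alice", "host": "srvX"},
    {"ts": 0,    "taxonomy": "FailedLogin",     "user": "bob",   "host": "srvY"},
    {"ts": 10,   "taxonomy": "FailedLogin",     "user": "carol", "host": "srvX"},
    {"ts": 100,  "taxonomy": "FailedLogin",     "user": "bob",   "host": "srvY"},
    {"ts": 500,  "taxonomy": "SuccessfulLogin", "user": "carol", "host": "srvZ"},
    {"ts": 1000, "taxonomy": "SuccessfulLogin", "user": "alice", "host": "srvX"},
]

def run(events, end_ts):
    """Replay a time-ordered stream and return every alert, flushing the clock at end_ts."""
    rule = NegativeSequenceRule("FailedLogin", "SuccessfulLogin", ("user", "host"))
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alerts += rule.feed(ev)
    return alerts + rule.tick(end_ts)
```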
The threshold rules:
Threshold rules are used to detect one or many different events occurring many times within a specified time (time window). The wizard for developing such rules is shown below.
The SameEvents and DifferentEvents settings are an outstanding feature compared with similar products in which such rules are written. In addition, the result of this counting feature can be connected to another rule.
For example: if 15 packets from the same source are blocked by the system because it is infected with a virus, and a successful login occurs to the same source within 5 minutes, detect the machine that makes this successful login attempt.
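The threshold-then-login scenario above (and the same rule in the previous section), as an added Python example that is not SureLog's own engine: a sliding one-minute count of blocked packets per source IP arms a five-minute wait for a successful login from that IP, and rule suspending keeps the alert to at most one per IP per hour. Matching the login's source IP against the blocked source IP, the Firewall.Blocked group name and the event fields are assumptions.

```python
from collections import defaultdict, deque

BLOCK_THRESHOLD = 15  # part 1: this many blocked packets from one source IP ...
BLOCK_WINDOW = 60     # ... inside a sliding one-minute window
LOGIN_WINDOW = 300    # part 2: a successful login from that IP within 5 minutes
SUSPEND = 3600        # rule suspending: after firing, stay quiet for that IP for an hour

class BlockedThenLoginRule:
    """A threshold rule whose result is chained to a sequence rule, keyed on source IP."""

    def __init__(self):
        self.blocks = defaultdict(deque)  # src_ip -> timestamps of blocked packets
        self.armed = {}                   # src_ip -> time the threshold was reached
        self.last_fire = {}               # src_ip -> time of the last alert

    def feed(self, ev):
        """Consume one normalized event; return an alert dict or None."""
        ts, ip = ev["ts"], ev["src_ip"]
        if ev["taxonomy"] == "Firewall.Blocked":  # assumed taxonomy group name
            q = self.blocks[ip]
            q.append(ts)
            while ts - q[0] > BLOCK_WINDOW:       # drop packets older than one minute
                q.popleft()
            if len(q) >= BLOCK_THRESHOLD and ip not in self.armed:
                self.armed[ip] = ts               # part 1 satisfied: wait for part 2
            return None
        if ev["taxonomy"] == "SuccessfulLogin" and ip in self.armed:
            armed_at = self.armed.pop(ip)
            if ts - armed_at > LOGIN_WINDOW:
                return None                       # too late: the scenario has expired
            if ip in self.last_fire and ts - self.last_fire[ip] < SUSPEND:
                return None                       # rule is suspended for this IP
            self.last_fire[ip] = ts
            return {"ts": ts, "src_ip": ip, "host": ev.get("host"),
                    "rule": "15 blocks in 1 min, then login within 5 min"}
        return None

def make_events(ip, n_blocks, login_ts, start=0, host="srv1"):
    """Constructed stream: n blocked packets one second apart, then a login at login_ts."""
    evs = [{"ts": start + i, "taxonomy": "Firewall.Blocked", "src_ip": ip}
           for i in range(n_blocks)]
    evs.append({"ts": login_ts, "taxonomy": "SuccessfulLogin", "src_ip": ip, "host": host})
    return evs

def run(events):
    """Replay a time-ordered stream through the rule and return the alerts produced."""
    rule = BlockedThenLoginRule()
    return [a for a in map(rule.feed, sorted(events, key=lambda e: e["ts"])) if a]
```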
Threat Intelligence:
Threat Intelligence is integrated with different global sources (IP block lists, spammer lists, etc.), takes black lists from them and works as a warning system using these data.
Example correlation rules:
• After the security device has blocked 15 packets from the same source, detect whether someone logs into the system from any point (Linux, Windows, router, switch, firewall, etc.).
• A sample correlation rule for port/network scan detection: warn if access attempts to 100 different ports occur from the same source IP to the same destination IP in one hour.
• After any user makes 3 or more failed logon attempts to any system (firewall, Windows, Linux, switch, etc.) in one hour, warn about all failed logon attempts of that user during the next 7 (X) days.
• Warn if 60 connections are established from different sources to the same IP and destination port in one minute.
• After 15 packets are blocked from the same IP in one minute, warn if a successful login occurs to that IP.
• Detect the IP address which makes 100 requests to port 22 of different IPs in one hour.
• A sample correlation rule for fraud detection: if the same user tries to access your system from different countries, fraud is probably being committed with that user's account.
• To find out whether someone has set up a DHCP server in your network, or a different gateway is broadcasting: warn if traffic occurs from inside to outside or from outside to inside whose protocol is UDP, whose destination port is 67, and whose destination IP is not in the registered IP list.
• Is someone making an RDP scan? A sample correlation rule for detecting this: detect the IP address which makes 100 requests to TCP port 3389 of different IPs in one hour.
• Warn if 5 failed logon attempts are made with different usernames from the same IP to the same machine in 15 minutes and after that a successful login occurs from the same IP to any machine.
• After 15 packets are blocked from the same IP, warn if a successful login occurs to that IP within 5 minutes.
• If 15 packets from the same source are blocked by the system because it is infected with a virus, and a successful login occurs to the same source within 5 minutes, detect the machine that makes this successful login attempt.
• Warn if a new user account is created, the system is accessed with this user and a failed login results.
• Warn if the same user logs into a Linux server and then into a Windows server, and then a service is stopped on either of these two servers.
• Your technical consultants connect to your company remotely via RDP and then connect to their consultancy system either through a portal or using a client. A special correlation rule for such situations: warn if a user logs into the system and then, within 10 minutes, that user does not log in through portallogin.html or does not run saplogon.exe.
• A sample correlation rule for brute-force attempt detection: if too many failed login attempts occur from the same IP for the same or different users in a short time, these logs could be the sign of a brute-force attempt.
• Warn if an IP which is reported by the UTM/IDS/IPS as the source of an attack becomes the target of another attack within 15 minutes.
• If the traffic of any user is blocked by a firewall rule X times in one second, detect this user and the rule blocking it.
• Warn, or take action, if user A cannot log into server X, causing a failed authentication, and within two hours user A still cannot log into the same server X.
• Warn if first event A occurs, then event B, then event C occurs within 5 minutes, and then event D occurs.
• Warn if first event A occurs, then event B, then event C does not occur within 5 minutes, and then event D occurs.
• Warn if cgi, asp, aspx, jar, php, exe, com, cmd, sh or bat files are uploaded to a web server to be executed remotely.
• W32.Blaster worm: warn if 10 denied or successful anonymous login attempts occur in one minute.
• Warn if a user cannot log into the system, causing a failed authentication, and within two hours email is sent from that user's account even though that user has not logged into the system.
• Warn if a host scan is made from an IP, then a successful connection is established by the same IP, and then a reverse connection is established from the connected IP back to the connecting IP.
• Warn if more than 100 connections are established from different external IPs to the same destination IP in one minute.
• Warn if 100 connections are established from the same external IP through different ports to the same destination IP in one minute.
• Warn if the same user makes more than three failed logon attempts to the same machine in an hour.
• Warn once if more than 100 packets are blocked by the UTM/firewall from the same source IP, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an email is sent for each one, you expose yourself to a DDoS of your own making.)
• Report the source IP which causes UnusualUDPTraffic.
• Warn if traffic occurs to or from a source in the IPReputation list.
• Warn if network traffic occurs from or to a source in the malicious link list published by the National Cyber Response to Events (NCRE) Center.
• Warn if an IP scan occurs.
• Warn if an SQL attack occurs via the web server.
• Warn if the same user makes more than three failed logon attempts to different machines in a minute.
IntelligentResponse
The ANET SureLog SIEM product can handle correlation alerts and actions in a smart way through its intelligent response system.
The power of this module, called Intelligent Response, in fact emerges from the power of the correlation engine. Although the SureLog product's correlation engine is built upon fully visual wizards and drag & drop, the rules created easily through the visual wizards are converted to JAVA [5] code in the background and run as a program thread. In this way, users who know JAVA can create correlation rules by writing JAVA code with the expert mode feature, which only the SureLog product offers, and thereby all kinds of logic can be run without limit through either the visual wizards or Java code.
http://www.slideshare.net/anetertugrul/anet-surelog-siem-intelligentresponse-54274144