There are relationships among the total correlation rule to be executed, complexity of the rules and EPS values together with CPU, RAM, Disk speed. Also one other important issue is the easy of developing complex rules with wizards and executing them with high EPS values.

1. Log Correlation/SIEM Rule Examples and Correlation Engine
Performance Data
Dr. Ertuğrul AKBAŞ
eakbas@gmail.com
ertugrul.akbas@anetyazilim.com.tr
The correlation capability is one of the most important features of a SIEM product. The correlation capabilities
of SIEM products differ [1].
The correlation rules examples are listed below with a SIEM product which has average correlation capability.
1. Warn if 5 failed logon attempts are tried with different usernames from the same IP to the same
machine in 15 minutes and after that, if a successful login occurs from the same IP to any machine.
2. Warn if a host scan is made by an IP and then if a successful connection is established by the same IP
and then backward connection is established from connected IP to connecting IP.
3. Warn if more than 100 connections are established from the different external IPs to the same
destination IP in one minute.
4. Warn if 100 connections are established from the same external IP through different ports to the same
destination IP in one minute.
5. Warn if the same user tries more than three failed logon attempts to the same machine in an hour.
6. Warn if a user can’t log into any server and caused failed authentication and in two hours if that user
can’t log into the same server.
7. Warn one if more than 100 packets are blocked by UTM/FireWall from the same source IP and don’t
warn within an hour. (Millions of packets are blocked in case of DDOS attack. If email is sent for each,
you are exposed yo yourself DDOS attack.)
8. Report the source IP which causes UnusualUDPTraffic.
9. Warn if a traffic is occurred to a source or from a source in IPReputation list.
10. Warn if network traffic occurs from the source or to a source in malicious link list published by
TRCERT - Turkey - Computer Emergency Response Team
11. If someone sets up DHCP server in your network or if a different gateway broadcasts, to find out this:
Warn if a traffic occurs from inside to outside or from outside to inside whose protocol is UDP,
destination port is 67, and destination IP is not in registered IP list.
12. Warn if an IP scan occurs.
13. Warn if SQL attack occurs via web server.
14. Warn if the servers are accessed out of hours.
15. Warn if the same user tries more than three failed logon attempts to different machines in an minute.
16. Warn If an attack followed by account change
17. Warn If scan followed by an attack
18. Detects An Unusual Condition Where A Source Has Authentication Failures At A Host But That Is Not
Followed By A Successful Authentication At The Same Host Within 2 Hours
19. Look for a new account being created followed by immediate authentication activity from that same
account would detect the backdoor account creation followed by the account being used to telnet
back into the system
20. Monitor same source having excessive logon failures at distinct hosts,
21. Check whether the source of an attack was previously the destination of an attack (within 15 minutes)
22. Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between
the same source and destination IP

2. 23. Look for a new account being created, followed shortly by access/authentication failure activity from
the same account
24. Monitor system access outside of business hours
The rules 1,7,11,12 numbered shown above require Taxonomy capability. Therefore, The correlation capability
in each SIEM product is different [1].
To develop such rules; although developing such rules using a wizard is a distinguishing feature in SIEM
products. The required CPU and RAM resources for correlation are important parameters in terms of the
number of such rules [2].
If these parameters are not determined accurately in the project; log loses, problems in alarm identification
generation, and such cases are encountered [3].
For example, the suggested physical server specifications of Sentinel 6.1 product for 20 correlation rules are 2
core 3 Ghz CPU and 4 GB RAM [2]. This server neither collects logs nor makes normalization process. It is a
physical server used for only log correlation [2]. The manufacturer suggests to add a new physical correlation
server in case of need rather than specifying net 20 figures in the latest version [3].
The manufacturers such as HP, IBM also suggest to add physical resource instead of giving a net figure
depending on the situation.
There are relationships among the total correlation rule to be executed and EPS values together with CPU,
RAM, Disk speed and how many physical or virtual correlation servers [7].
References:
1. http://www.slideshare.net/anetertugrul/gerek-siem-nedir-olmazsa-olmazlar-ve-gerek-siem-rn-ile-
gvenlik-analiz-senaryolar
2. http://www.slideshare.net/NOVL/how-to-architect-a-novell-sentinel-implementation
3. http://www.slideshare.net/anetertugrul/log-ynetimi-sisteminizin-log-karp-karmadn-test-etmek-ister-
misiniz
4. https://www.netiq.com/documentation/sentinel-73/s73_install/data/b19meos5.html#b12e1bcy
5. http://www.slideshare.net/anetertugrul/siniflandirma-temell-korelasyon-yaklaimi
6. http://www.slideshare.net/anetertugrul/threat-intelligence-ve-siem
7. http://www.slideshare.net/anetertugrul/siem-sure-log-arcsight-qradar-alienvault-solarwinds-
performans-verileri