
AlienVault Unified Security Management Solution

Complete. Simple. Affordable

Customizing Correlation Directives or Cross Correlation Rules

AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX,
Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and
OSSIM are trademarks or service marks of AlienVault.


Introduction
In the Correlation Reference Guide we explain what correlation is and how it works in AlienVault
Unified Security Management™ (USM™). We also describe the AlienVault USM web interfaces for
Correlation directives and Cross Correlation rules. In this document, we focus on how to
customize Correlation directives and Cross Correlation rules in USM.

Customizing Correlation Directives
Customizing Cross Correlation Rules

Customizing Correlation Directives


Modifying a Built-in Directive
By default, AlienVault USM comes with over 2,000 built-in directives. They are written by the
researchers in AlienVault Labs, who research global threats & vulnerabilities every day. It is highly
recommended that you learn how these directives are configured first, and then tailor them to your
specific needs.
For example, you might want to detect dropped packets going to a single host on a firewall. If you
take a look at the built-in directives, you will see that such a directive exists, which detects dropped
packets on the Cisco PIX firewall. However, in order to detect dropped packets on a different
firewall, for instance, the Fortinet FortiGate firewall, you will need to customize the directive.
In this section, we will use this example to show the steps required to modify a built-in directive. It
involves the following 4 tasks:

Figure 1. Procedures for modifying a built-in directive.

DC-00164

Edition 01

Copyright 2015 AlienVault. All rights reserved.

Page 2 of 12


Task 1: Clone an existing directive
Task 2: Edit directive global properties
Task 3: Edit correlation rules
Task 4: Restart Server

Task 1: Clone an existing directive


To clone an existing directive,
1. Navigate to Configuration > Threat Intelligence > Directives.
2. Type packets in the search box to search for the appropriate directive.
3. Scroll down on the page to find the directive titled AV Network attack, too many
dropped inbound packets from DST_IP.
4. Click the Clone icon to clone the directive.
5. Confirm that you wish to clone the directive by clicking YES when prompted.
6. The cloned directive appears in the User Contributed category.

Figure 2. Cloning a directive.


Note: By default, USM disables the built-in directive automatically once it is cloned. If you want
both to be working at the same time, make sure to enable the built-in directive as well.

Task 2: Edit directive global properties


To edit the cloned directive,
1. Click the Edit icon to the left of the directive.
2. A new window appears displaying the global properties of the directive.
3. Change the name to AV Network attack, too many dropped on Fortigate.
4. Optionally, modify the taxonomy and priority of the directive as well.
5. Click SAVE. You may need to scroll down to reveal the button.


Figure 3. Editing a directive's global properties.

Task 3: Edit correlation rules


Now, you need to edit the correlation rules so that they match events from the Fortinet FortiGate
firewall. To do so,
1. Click the black triangle to the left of the directive to display the correlation rules.
2. In the first rule (first line in the table), under the Data Source column, click the green +
(plus) sign to the left of cisco-pix. The Rule Data Source Configuration window displays.
3. Type fortigate in the search box to find the Fortigate plugin.
4. Click the blue Fortigate box to select that plugin. The Plugin Signatures screen displays.
5. Type drop to search for the event type(s) that detect dropped packets. You should see
3 - Fortigate: Drop Forbidden Traffic listed in the right column.
6. Click the + (plus) sign to the right of the event type, or click Add all, to confirm your
selection. The event type moves to the left column.
7. Click Finish.
Repeat steps #2 to #6 for all the remaining rules in the directive. Note that for these rules there is
no Finish button as in step #7; click the Selected from List button instead. The final directive
should look like Figure 4:

Figure 4. Custom directive AV Network attack, too many dropped on Fortigate.


You may edit other attributes of the correlation rules. Some attributes, such as NAME,
RELIABILITY, TIMEOUT, and OCCURRENCE are changed by clicking the value, making the
changes inline, and then clicking OK. Other attributes, such as FROM, TO, DATA SOURCE, and
EVENT TYPE, are changed by clicking the green + (plus) sign, then making the selection from the
resulting screen.

Task 4: Restart Server


Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by
clicking YES when prompted.

Figure 5. Restart Server would restart the ossim-server process.

Creating a New Directive


In Modifying a Built-in Directive, we describe how to modify an existing Correlation Directive
provided by AlienVault Labs. But sometimes, you may find that none of the built-in directives work
in your environment because they do not have the correct condition defined. In this case, you can
create a new directive from scratch. Let's see how it works by going through an example.
In this example, we will create a custom directive to detect a Denial of Service (DoS) attack that
seeks to exhaust a service running on TCP port 139 on a specific server. Such an attack may be
indicated by many connections from a single host (possibly with bad reputation) to the destination
server on port 139. Firewall events can be checked for connections to the server by using a
detector type data source plugin. Once the correlation engine detects that the number of
connections is dangerously high, you can also use a monitor type data source plugin to discover
whether the service on the server is still up.
Figure 6 shows the four correlation levels that will be used by the directive. The first three
correlation rules will check for the number of connections to the server using a detector type data
source plugin. The last correlation rule will check if the service is still up on the server by using a
monitor type data source plugin. Every time a rule in the correlation directive is met, the reliability of
the directive event will increase, thus increasing the risk of the detected event.

Correlation Level 1: 1 ACCEPT CONN event from the firewall (Port 139, Source: A)
Correlation Level 2: 100 ACCEPT CONN events from the firewall (Port 139, Source: A)
Correlation Level 3: 1,000 ACCEPT CONN events from the firewall (Port 139, Source: A)
Correlation Level 4: Is the service still up?

Figure 6. Correlation levels used by the sample directive.

Creating this directive involves the following 6 tasks:
Task 1: Create a new directive
Task 2: Add a level 1 rule
Task 3: Add a level 2 rule
Task 4: Repeat Task 3 as needed
Task 5: Add the last rule
Task 6: Restart Server


Figure 7. Procedures for creating a new directive.

Task 1: Create a new directive


To create a new directive:
1. Navigate to Configuration > Threat Intelligence > Directives.
2. Click the New Directive button.
3. A new window displays as shown in Figure 8.
4. For Name for the directive, enter DoS Attack at NetBIOS.
5. Enter the Taxonomy:
a. For Intent, select Delivery & Attack.
b. For Strategy, select Denial of Service Resource exhaustion.
c. For Method, enter Attack.
6. Leave the Priority at the default value: 3.
7. Click Next.
8. The New Directive window displays.
9. Proceed to Task 2.


Figure 8. Creating a new directive.

Task 2: Add a level 1 rule


This task is to add a level 1 rule, where we try to match one Cisco ASA access permitted event on
a particular server on port 139. To add this rule, continue from Task 1 in the New Directive
window.
1. On the Rule name screen, enter a name for the rule. For example, Established
connections. Click NEXT.
2. On the Rule name > Plugin screen,
a. Type cisco-asa in the search box to find the Cisco-ASA plugin.
b. Click the blue Cisco-ASA box to select that plugin.
3. On the Rule name > Plugin > Event Type screen,
a. Type permitted to search for access permitted events, such as 106102
ASA: A packet was either permitted or denied by an acces and
710002 ASA: access permitted.
b. Click the + (plus) sign next to the individual event types. They will move to the left
column instead.
c. Click NEXT.
4. On the Rule name > Plugin > Event Type > Network screen,
a. Leave Source Host / Network and Source Port(s) empty, which means ANY asset.
b. In the Destination Host / Network area, choose your server from the Assets list by
clicking it. It will appear in the Destination box.
c. In the box for Destination Port(s), enter 139.
d. Click NEXT.
5. On the Rule name > Plugin > Event Type > Network > Reliability screen,
a. Select a Reliability value (from 0 to 10) by clicking the blue square with the
appropriate number. In this example, we use 1. The reliability value is low because
you don't want to generate false alarms.
b. Click Finish.
c. The New Directive window closes.

Task 3: Add a level 2 rule


In this task, we try to match the same events matched by the level 1 rule. We want to make sure to
use 1) the same event types; 2) the same source and destination IP addresses; and 3) the same
destination port that were used in the level 1 rule. The difference is that we want to detect 100 such
events this time.
To do that, we add a level 2 rule.
1. Click the green + (plus) sign at the right side of the first rule under the ACTION heading.
2. The New Rule window displays.
3. Follow steps #1 and #2 in Task 2.
4. On the Rule name > Plugin > Event Type screen, click the button that reads Plugin SID
from rule of Level 1. This will select the same event types as in the level 1 rule.
5. On the Rule name > Plugin > Event Type > Network screen,
a. For Source Host / Network, in the From a parent rule dropdown, select Source
IP from level 1.
b. Leave the Source Port(s) empty.
c. For Destination Host / Network, in the From a parent rule dropdown, select
Destination IP from level 1.
d. For Destination Port(s), in the From a parent rule dropdown, select
Destination Port from level 1.
e. Click NEXT.

Figure 9. Selecting source and destination IP from level 1.

6. On the Rule name > Plugin > Event Type > Network > Reliability screen,
a. Either select an absolute (left column) or relative value (right column). If a relative
value is selected, the value is added to the reliability of the previous rule. In this
example, we use +2.
b. Click Finish.
c. The New Directive window closes.
7. Change the Timeout value. Click the original value to turn on editing. Enter 30 (seconds),
and click OK.
8. Similarly, change the Occurrence to 100.

Figure 10. Modifying the occurrence value to 100.

Task 4: Repeat Task 3 as needed


This task can be repeated as many times as necessary. In this example, we want to add one more
rule (level 3) to detect the same events as in the previous rule but with 1000 occurrences.
Repeat Task 3, except that in step #1 you click the first + (plus) sign at the right side of the previous
rule under the ACTION heading, and in step #8 you change the Occurrence to 1000 instead.

Task 5: Add the last rule


In the last rule for this example, we use a monitor type data source plugin to check whether the
service is still up after a suspected attack.
1. Click the + (plus) sign at the right side of the third rule to add a child rule.
2. Enter a name for this rule, such as Service Up.
3. On the Rule name > Plugin screen,
a. Type nmap in the search box to find the NMAP-Monitor plugin.
b. Click the blue NMAP-Monitor box to select that plugin.
4. On the Rule name > Plugin > Event Type screen, choose TCP Port closed. It will
check whether a TCP port on a destination server is closed or not responding to requests.
5. Click SELECTED FROM LIST.
6. Repeat steps #4 to #7 in Task 3, but use +6 for the reliability value, 1 for the timeout and 3 for
the occurrence.


In a rule that uses a monitor type data source plugin, the timeout and occurrence values have
different meanings. The timeout value defines how many seconds the plugin will wait to receive a
response from the destination to which the request was sent. Occurrence specifies how many times
the request will be sent.
In our example, the timeout is set to 1 second and the occurrence is set to 3. This means that three
(Is the TCP port closed?) requests will be sent to the destination server, and if a response to these
requests is not received within 1 second, the rule will be matched and the reliability of the directive
will be increased by 6.

Figure 11. The final directive with 4 rules.
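As an added illustration (not part of this guide and not USM's own correlation engine code), the following Python model replays the four-level directive from Figure 6 over constructed events: detector levels count matching firewall events inside their timeout window, the monitor level sends occurrence-many probes and matches only when none answers within the timeout, and each match adds the level's reliability. The server address, the reliability cap of 10, the start-over behaviour on timeout and the risk formula are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Level:
    name: str
    occurrence: int   # events (detector) or probes (monitor) needed to match
    timeout: int      # seconds: collection window (detector) or wait per probe (monitor)
    reliability: int  # absolute for level 1, relative (+n) for child levels
    monitor: bool = False
# The four levels of the "DoS Attack at NetBIOS" directive built in the guide.
LEVELS = [Level("Established connections", 1, 0, 1), Level("100 connections", 100, 30, 2),
          Level("1000 connections", 1000, 30, 2), Level("Service Up", 3, 1, 6, monitor=True)]
class Directive:
    def __init__(self, server, port=139, priority=3, asset_value=3):  # constructed defaults
        self.server, self.port, self.priority, self.asset_value = server, port, priority, asset_value
        self._reset()
    def _reset(self, ts=None):
        self.level, self.src, self.count, self.window_start, self.reliability = 0, None, 0, ts, 0
    def feed(self, ts, src, dst, port):
        """Offer one firewall 'access permitted' event; returns True when the current level matches."""
        if self.level >= len(LEVELS) or LEVELS[self.level].monitor:
            return False
        # Level 1 accepts ANY source; child levels keep the source/destination pinned by level 1.
        if dst != self.server or port != self.port or (self.src and src != self.src):
            return False
        lvl = LEVELS[self.level]
        if self.window_start is None:
            self.window_start = ts
        elif lvl.timeout and ts - self.window_start > lvl.timeout:
            self._reset(ts)          # occurrence not reached inside the timeout: start over (assumed)
            lvl = LEVELS[0]
        self.count += 1
        if self.count < lvl.occurrence:
            return False
        self.src = self.src or src
        return self._advance(lvl)
    def probe(self, responded):
        """Monitor level: 'responded' says whether each TCP-port probe answered within the timeout."""
        lvl = LEVELS[self.level] if self.level < len(LEVELS) else None
        if not lvl or not lvl.monitor or len(responded) < lvl.occurrence:
            return False
        if any(responded[:lvl.occurrence]):   # any answer means the port is still open: no match
            return False
        return self._advance(lvl)
    def _advance(self, lvl):
        self.reliability = lvl.reliability if self.level == 0 else min(10, self.reliability + lvl.reliability)
        self.level, self.count, self.window_start = self.level + 1, 0, None
        return True
    def risk(self):
        return self.asset_value * self.priority * self.reliability / 25  # assumed risk formula (0..10)
```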

Task 6: Restart Server


Restart the ossim-server process by clicking the Restart Server button. Confirm the restart by
clicking YES when prompted.

Customizing Cross Correlation Rules


Similar to Correlation Directives, you can customize Cross Correlation rules as well. Even though
the web interface gives an impression that you can cross-correlate events from any data source
with those from any other data source, in practice you can only correlate IDS events with
vulnerabilities that are detected by AlienVault Vulnerability Scanner.

Creating a Cross Correlation Rule


To create a new Cross Correlation rule,
1. Click NEW.
2. Select the Data Source Name, such as snort as shown in the example below.
3. Select the Reference Data Source Name, such as nessus-detector in the example.
4. Select the Event Type of the data source entered in step #2. For example, snort: MySQL
root login attempt.


5. Select the Reference SID Name of the reference data source entered in step #3. For
example, nessus: MySQL weak password.
6. Click CREATE RULE. Or, click BACK if you want to discard the changes.
This custom rule would be matched if the AlienVault IDS Engine detected a MySQL root login attempt to
a host that has the MySQL weak password vulnerability.

Figure 12. Creating a Cross Correlation rule.

Modifying a Cross Correlation Rule


To edit an existing Cross Correlation rule,
1. Locate the desired Cross Correlation rule and click on it. The entire row will change to light
blue.
2. Click MODIFY.
3. Change any of the four fields as needed.
4. Click SAVE RULE to save the changes. Or, click BACK if you want to discard the changes.

Deleting a Cross Correlation Rule


To delete a Cross Correlation rule,
1. Locate the desired Cross Correlation rule and click on it. The entire row will change to light
blue.
2. Click DELETE SELECTED.

Important: Use this button with caution because the web interface will not ask you to
confirm the deletion.
