Issue
If you are using McAfee SIEM (previously Nitro SIEM) and don't have Nitro IPS, you might face issues with correlating IPS events. This is because McAfee SIEM doesn't automatically normalize data from other vendors' IPSs and labels those IPS events as uncategorized.
Solution
A workaround is to manually normalize your IPS events into categories (e.g. exploit, p2p) and then use these normalization rules in correlation rules. However, this is not a permanent solution, as IPS signatures are constantly updated and new attack signatures will be added from time to time; each new signature arrives uncategorized until it is mapped.
Example scenario
You have a set of critical servers for which you want to see exploit attacks. The first step is to select your IPS in "physical display" and choose "Normalized dashboard" from the list of available dashboards. Next, select an exploit event in the "Event Summary" sub-group and open its rule definition by choosing the "Show rule" option.
The Policy Editor window opens, showing the rule definition you selected. Double-click the rule definition and click the green button next to "Normalized ID". You can then move this rule into the exploit category in the normalization taxonomy.
Once you have normalized all your exploit events, you are ready to write a correlation rule that shows all exploit events targeting your critical servers. First, create a variable rule defining the IP addresses of all your critical servers.
Next, create a correlation rule as follows.
You can further reduce the resulting events by excluding all events that were blocked by your IPS, as shown in the rule above.
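The logic of the manual normalization and the correlation rule above, as an added example that is not McAfee's code or part of the original post: a hypothetical signature-to-category map stands in for the taxonomy edits, a constructed list of critical server ranges stands in for the variable rule, and the sample IPS events are constructed. It also reports signatures that are still uncategorized, which the rule silently misses until someone maps them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical signature ID -> normalization category (assumed values); this is
# what moving rules into the taxonomy in the Policy Editor achieves.
NORMALIZATION = {"1001": "exploit", "1002": "exploit", "2001": "p2p"}

# Variable rule: critical servers (constructed addresses and ranges).
CRITICAL_SERVERS = [ip_network("10.0.5.0/24"), ip_network("10.0.9.10/32")]


@dataclass
class IpsEvent:
    sig_id: str
    src_ip: str
    dst_ip: str
    action: str  # "alert" or "blocked"


def normalize(event):
    """Category for the event; unmapped signatures stay uncategorized."""
    return NORMALIZATION.get(event.sig_id, "uncategorized")


def is_critical(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CRITICAL_SERVERS)


def correlate(events, exclude_blocked=True):
    """Correlation rule: category == exploit AND destination is a critical
    server, optionally dropping events the IPS already blocked."""
    return [ev for ev in events
            if normalize(ev) == "exploit" and is_critical(ev.dst_ip)
            and not (exclude_blocked and ev.action == "blocked")]


def uncategorized(events):
    """Signature IDs not yet placed in the taxonomy (the maintenance gap)."""
    return sorted({ev.sig_id for ev in events if normalize(ev) == "uncategorized"})


# Constructed sample events, not real IPS output.
SAMPLE_EVENTS = [
    IpsEvent("1001", "198.51.100.7", "10.0.5.20", "alert"),
    IpsEvent("1002", "198.51.100.7", "10.0.5.21", "blocked"),
    IpsEvent("1001", "198.51.100.9", "192.0.2.44", "alert"),
    IpsEvent("2001", "10.0.5.20", "203.0.113.5", "alert"),
    IpsEvent("3001", "198.51.100.7", "10.0.9.10", "alert"),
]

if __name__ == "__main__":
    for ev in correlate(SAMPLE_EVENTS):
        print(f"exploit against critical server {ev.dst_ip} (sig {ev.sig_id})")
    print("not yet normalized:", uncategorized(SAMPLE_EVENTS))
```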