IPS Signature-based Correlation Rule

I'm looking for some suggestions as I'm going completely blank on how to approach the creation of a correlation rule. The rule I'm trying to define is to alert our team in the event one IP address has attempted 3+ different attacks as if they're attempting to scan our environment for attack vectors (with the exception of vulnerability scanners). I was attempting to do something with Standard Deviation, but I'm just not able to logically formulate a way to detect this without causing an extreme amount of false positives. Does anyone have any suggestions on how to implement this logic into a correlation rule or alarm?

Accepted Solutions
McAfee Employee mherr
McAfee Employee

Re: IPS Signature-based Correlation Rule

Since you identified the threshold of 3+, I wouldn't venture down the standard deviation path.

I don't know the IPS you are working with and what the events actually look like, but you could do something like this:

Group by: Source IP
AND(
    Normalization Rule IN Exploit, Recon, DOS, Suspicious Activity
    Device Type ID IN <Device Type ID for your IPS>
)
Advanced Options of Filter:
Check the Distinct Values box
Distinct Values: 3
Monitored Fields: Signature ID

Number of Events: 1
Time Window: 10 mins (Whatever makes sense for your environment and your testing)

You are basically looking for someone probing, which I think there is a rule for that, but this could be a little more focused based on your criteria. You can adjust the normalization values and/or the filter based on the activity you see in the SIEM.
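The correlation logic described above (group by source IP, count distinct Signature IDs per sliding time window, filter on normalization category and device type) expressed as standalone Python, as an added example that is not part of the original thread or of any McAfee product. The event tuples, the device type ID 42 and the scanner allowlist are constructed assumptions; the allowlist covers the vulnerability-scanner exception the question asks for, which the posted rule leaves to the filter.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events shaped like normalized IPS records:
# (timestamp, source IP, device type ID, normalization rule, signature ID)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", 42, "Recon", "SIG-100"),
    ("2024-01-01T10:00:30", "10.0.0.5", 42, "Recon", "SIG-100"),    # repeat, not a new distinct value
    ("2024-01-01T10:02:00", "10.0.0.5", 42, "Exploit", "SIG-200"),
    ("2024-01-01T10:03:00", "10.0.0.5", 7, "Exploit", "SIG-300"),    # not the IPS device type, ignored
    ("2024-01-01T10:05:00", "10.0.0.5", 42, "Exploit", "SIG-300"),  # third distinct signature, alert
    ("2024-01-01T10:00:00", "10.0.0.9", 42, "Recon", "SIG-100"),
    ("2024-01-01T10:20:00", "10.0.0.9", 42, "Exploit", "SIG-200"),  # first event has left the 10 min window
    ("2024-01-01T10:25:00", "10.0.0.9", 42, "DOS", "SIG-400"),      # only 2 distinct in window, no alert
    ("2024-01-01T10:00:00", "10.0.0.50", 42, "Recon", "SIG-100"),   # assumed vulnerability scanner
    ("2024-01-01T10:01:00", "10.0.0.50", 42, "Exploit", "SIG-200"),
    ("2024-01-01T10:02:00", "10.0.0.50", 42, "DOS", "SIG-400"),
]

# Normalization categories from the posted rule
CATEGORIES = {"Exploit", "Recon", "DOS", "Suspicious Activity"}


def correlate(events, ips_device_type_id, scanners=frozenset(), distinct=3, window_s=600):
    """Return one alert per source IP the first time it produces `distinct`
    different signature IDs within a sliding window of `window_s` seconds.
    Each alert is (src_ip, timestamp of the triggering event, sorted signature IDs)."""
    windows = defaultdict(deque)  # src_ip -> events still inside the window
    alerts, alerted = [], set()
    for ts_str, src_ip, dev_type, norm_rule, sig_id in sorted(events):
        # Filter: right device type, an attack category, not an allowlisted scanner
        if dev_type != ips_device_type_id or norm_rule not in CATEGORIES or src_ip in scanners:
            continue
        ts = datetime.fromisoformat(ts_str)
        win = windows[src_ip]
        win.append((ts, sig_id))
        # Slide the window: drop events older than window_s relative to this one
        while ts - win[0][0] > timedelta(seconds=window_s):
            win.popleft()
        distinct_sigs = {s for _, s in win}
        if len(distinct_sigs) >= distinct and src_ip not in alerted:
            alerted.add(src_ip)
            alerts.append((src_ip, ts_str, sorted(distinct_sigs)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, ips_device_type_id=42, scanners=frozenset({"10.0.0.50"})):
        print(alert)
```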
