[SIEM/NGFW/Arbor] DDoS Correlation Rule

Hi,

A customer has installed SIEM 9.4 (combo box ESM/ELM/RCV) and has initially integrated 2 devices: NGFW infrastructure (SMC/Stonesoft) and Arbor Pravail APS.

So, as part of the correlated events (Incidents dashboard) there is an event generated from the NGFW called:

Attack - Network DoS Activity Detected, which originates from 2 source events:

  • Unanswered commands remained at end of SMTP session
  • Detects IBM Lotus Notes HTML Speed Reader Long Url Buffer Overflow exploits

If I see the Arbor events, effectively I see many events classified according to the Pravail taxonomy:

1) Invalid Packets

2) TCP connection resets

3) TCP SYN Flood detection

4) Block Malformed DNS Traffic

5) Malformed HTTP Filtering

Q: What would be the best way to "try" to correlate that the events generated from the FW correspond to the same event in the Arbor device?

Thanks so.

Marco.
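As an added illustration (not part of Marco's post and not SIEM correlation-rule syntax), the sketch below shows the kind of logic such a rule would implement: treat an NGFW "Network DoS Activity Detected" event as corroborated when Arbor Pravail events from its DoS-related categories hit the same destination IP within a short time window. The events, IP addresses and the 5-minute window are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    source: str        # "ngfw" or "arbor"
    ts: datetime       # event time as normalised by the SIEM
    dst_ip: str        # attacked host; the join key assumed here
    name: str          # event name / Pravail category

# Arbor Pravail categories that plausibly describe the same DoS activity
# the NGFW reports (assumption: the list from the post, minus the DNS one).
ARBOR_DOS_CATEGORIES = {
    "Invalid Packets",
    "TCP connection resets",
    "TCP SYN Flood detection",
    "Malformed HTTP Filtering",
}

T = datetime(2024, 1, 1, 10, 0, 0)  # constructed base time

# Constructed sample events, not customer data.
NGFW_EVENTS = [
    Event("ngfw", T, "192.0.2.10", "Attack - Network DoS Activity Detected"),
    Event("ngfw", T + timedelta(minutes=90), "192.0.2.20",
          "Attack - Network DoS Activity Detected"),
]
ARBOR_EVENTS = [
    Event("arbor", T - timedelta(minutes=2), "192.0.2.10", "TCP SYN Flood detection"),
    Event("arbor", T + timedelta(minutes=2), "192.0.2.10", "Invalid Packets"),
    Event("arbor", T + timedelta(minutes=1), "198.51.100.5", "Malformed HTTP Filtering"),
    Event("arbor", T + timedelta(minutes=40), "192.0.2.10", "TCP connection resets"),
]

def correlate(ngfw_events, arbor_events, window=timedelta(minutes=5)):
    """For each NGFW DoS event, collect Arbor DoS-category events against
    the same destination within +/- window. 'corroborated' is True when
    at least one Arbor event confirms the NGFW detection."""
    results = []
    for n in ngfw_events:
        hits = sorted(
            a.name for a in arbor_events
            if a.dst_ip == n.dst_ip
            and a.name in ARBOR_DOS_CATEGORIES
            and abs(a.ts - n.ts) <= window
        )
        results.append({"ngfw_ts": n.ts, "dst_ip": n.dst_ip,
                        "arbor_events": hits, "corroborated": bool(hits)})
    return results
```

Events outside the window (the 10:40 reset) or against another host (198.51.100.5) are deliberately left unmatched, which is the main false-positive control in a rule like this.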