0 Replies Latest reply on Sep 12, 2014 7:16 PM by mtorres_optimiti

    [SIEM/NGFW/Arbor] DDoS Correlation Rule

    mtorres_optimiti

      Hi,

      A customer has installed SIEM 9.4 (combo box ESM/ELM/RCV) and has initially integrated 2 devices: NGFW infrastructure (SMC/Stonesoft) and Arbor Pravail APS.

      So, as part of the correlated events (Incidents dashboard) there is an event generated from the NGFW called:

      Attack - Network DoS Activity Detected, which originates from 2 source events:

      • Unanswered commands remained at end of SMTP session
      • Detects IBM Lotus Notes HTML Speed Reader Long Url Buffer Overflow exploits

      If I look at the Arbor events, I effectively see many events classified according to the Pravail taxonomy:

      1) Invalid Packets
      2) TCP connection resets
      3) TCP SYN Flood detection
      4) Block Malformed DNS Traffic
      5) Malformed HTTP Filtering

      Q: What would be the best way to "try" to correlate the events generated from the FW with the corresponding event in the Arbor device?

      Thanks so.

      Marco.
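As an added illustration of the kind of cross-device correlation asked about above (this is not an ESM correlation rule and not code from McAfee, Stonesoft or Arbor), the script below takes the NGFW "Attack - Network DoS Activity Detected" events and the Arbor Pravail category events, and treats a NGFW event as corroborated when the Arbor device reported on the same source/destination pair within a configurable time window. The event field names (`ts`, `src`, `dst`, `name`, `category`), the 120-second window and the sample events are all constructed assumptions; in a real deployment the keys would be whatever normalized fields the SIEM parsers actually populate for both sources.

```python
from datetime import datetime, timedelta

# Assumed tolerance between the two devices' timestamps (clock skew plus the
# difference in when each device decides to fire). Tune for the environment.
WINDOW = timedelta(seconds=120)


def parse_ts(value):
    """Parse the ISO-like timestamp used in the constructed sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


# Constructed NGFW correlated events (field names are assumptions, not ESM's).
NGFW_EVENTS = [
    {"ts": "2014-09-12T18:01:05", "src": "203.0.113.7", "dst": "198.51.100.10",
     "name": "Attack - Network DoS Activity Detected"},
    {"ts": "2014-09-12T18:40:00", "src": "203.0.113.9", "dst": "198.51.100.25",
     "name": "Attack - Network DoS Activity Detected"},
]

# Constructed Arbor Pravail events using the categories named in the post.
ARBOR_EVENTS = [
    {"ts": "2014-09-12T18:00:10", "src": "203.0.113.7", "dst": "198.51.100.10",
     "category": "TCP SYN Flood detection"},
    {"ts": "2014-09-12T18:01:50", "src": "203.0.113.7", "dst": "198.51.100.10",
     "category": "Invalid Packets"},
    # Same target, different source: should not corroborate the first NGFW event.
    {"ts": "2014-09-12T18:02:00", "src": "192.0.2.44", "dst": "198.51.100.10",
     "category": "Malformed HTTP Filtering"},
    # Right pair but 70 minutes earlier: outside the window for the second event.
    {"ts": "2014-09-12T17:30:00", "src": "203.0.113.9", "dst": "198.51.100.25",
     "category": "TCP connection resets"},
]


def correlate(ngfw_events, arbor_events, window=WINDOW, keys=("src", "dst")):
    """For each NGFW DoS event, collect Arbor events that share the join keys
    and fall within +/- window of the NGFW timestamp.

    Returns one record per NGFW event with the matched Arbor events (sorted by
    time), the distinct Arbor categories seen, and a corroborated flag.
    """
    results = []
    for fw in ngfw_events:
        fw_ts = parse_ts(fw["ts"])
        matches = [
            a for a in arbor_events
            if all(a.get(k) == fw.get(k) for k in keys)
            and abs(parse_ts(a["ts"]) - fw_ts) <= window
        ]
        matches.sort(key=lambda e: e["ts"])
        results.append({
            "ngfw": fw,
            "arbor": matches,
            "categories": sorted({m["category"] for m in matches}),
            "corroborated": bool(matches),
        })
    return results


def corroborated_count(results):
    """Number of NGFW events that at least one Arbor event backs up."""
    return sum(1 for r in results if r["corroborated"])


if __name__ == "__main__":
    for r in correlate(NGFW_EVENTS, ARBOR_EVENTS):
        fw = r["ngfw"]
        status = "CORROBORATED" if r["corroborated"] else "NGFW only"
        print(f'{fw["ts"]} {fw["src"]} -> {fw["dst"]}: {status} '
              f'({", ".join(r["categories"]) or "no Arbor match"})')
```

The uncorroborated result is as informative as the corroborated one: a NGFW DoS event with no Arbor activity on the same pair within the window points either at a parser that is not populating the join fields consistently on both sources, or at a detection that only one device can see, and both are worth a rule of their own rather than being silently dropped.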