0 Replies Latest reply on Sep 12, 2014 7:16 PM by mtorres_optimiti

[SIEM/NGFW/Arbor] DDoS Correlation Rule

A customer has installed SIEM 9.4 (combo box ESM/ELM/RCV) and has initially integrated 2 devices: NGFW infrastructure (SMC/Stonesoft) and Arbor Pravail APS.

So, as part of the correlated events (Incidents dashboard) there is an event generated from the NGFW called:

Attack - Network DoS Activity Detected, which originates from 2 source events:

• Unanswered commands remained at end of SMTP session
• Detects IBM Lotus Notes HTML Speed Reader Long Url Buffer Overflow exploits


If I look at the Arbor events, I do indeed see many events classified according to the Pravail taxonomy:

1) Invalid Packets
2) TCP connection resets
3) TCP SYN Flood detection
4) Block Malformed DNS Traffic
5) Malformed HTTP Filtering


Q: What would be the best way to "try" to correlate the events generated from the FW with the corresponding event in the Arbor device?

Thanks.
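One way to approach the correlation asked about above, added here as an illustration and not taken from the thread, from McAfee ESM or from Arbor documentation: join the NGFW "Attack - Network DoS Activity Detected" alarm with Arbor Pravail events that share the same source IP and fall inside a short time window. The event records, field names, IP addresses and timestamps are constructed; an ESM correlation rule would express the same match (same source IP, both device types, within N seconds) in the rule editor rather than in Python.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events (not real customer data): one NGFW correlated
# alarm plus several Arbor Pravail events, keyed on the source IP field.
EVENTS = [
    {"ts": "2014-09-12 10:00:05", "device": "NGFW", "src_ip": "203.0.113.7",
     "signature": "Attack - Network DoS Activity Detected"},
    {"ts": "2014-09-12 10:00:09", "device": "Arbor", "src_ip": "203.0.113.7",
     "signature": "TCP SYN Flood detection"},
    {"ts": "2014-09-12 10:00:40", "device": "Arbor", "src_ip": "203.0.113.7",
     "signature": "Invalid Packets"},
    {"ts": "2014-09-12 10:20:00", "device": "Arbor", "src_ip": "198.51.100.9",
     "signature": "Malformed HTTP Filtering"},  # no NGFW alarm: stays uncorrelated
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=timedelta(seconds=60)):
    """Pair each NGFW DoS alarm with Arbor events from the same source IP
    whose timestamp lies within +/- window of the alarm. Returns one
    incident per NGFW alarm that has at least one Arbor match."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    incidents = []
    for ip, evs in by_ip.items():
        fw_alarms = [e for e in evs if e["device"] == "NGFW"]
        arbor = [e for e in evs if e["device"] == "Arbor"]
        for alarm in fw_alarms:
            t0 = parse_ts(alarm["ts"])
            matches = [a for a in arbor if abs(parse_ts(a["ts"]) - t0) <= window]
            if matches:
                incidents.append({"src_ip": ip, "ngfw": alarm["signature"],
                                  "arbor": sorted(a["signature"] for a in matches)})
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

Source IP is a weak join key for spoofed SYN floods; in that case the destination IP or protected service is the more reliable field to match on, with the window kept short so unrelated Arbor filter hits are not pulled into the incident.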