Quit from correlation evaluation?
I have run into the below situation during Correlation Rule creation.
Customer needs a correlation rule which detects if an event and its counterpart don’t arrive, and same time it makes some cache checks. It looks like this:
1. if the second event does not follows the first one
2. if the cached values in the second message are differ from the first one
The two messages can arrive
- in any combination of two sources (sx) devices (s1 > s2, s2 > s1)
- in any time sequence (e1, e2 or e2, e1)
So I did this:
Statement1: The first event comes in from any of the two FTP servers and says that someone downloaded a file:
1. I check the source device (must be any of the two FTP servers=ip1 or ip2)
2. I check the messageID (=file_downloaded)
3. and save username, filesize and filename in cache variables
Statement2: the second event should come from the counterpart of the above FTP server(!)
1. Error condition1: NO Events within 120 secs
2. I check the source device (again, must be one of the two FTP servers = ip1 or ip2)
3. I check the messageID (=file_downloaded)
4. check if saved username, filesize and filename in the cache are identical to first event
I can detect if the second message is missing. The problem comes when -as expected- two messages received, because the second message also initiates a new correlation check and it produces an error = fires alarm, false alarm. So my question is, if it is possible to quit somehow from a correlation check or anyone has any other idea to solve this issue?
Thanks in advance,
You should be able to reset the cache once all circuits have fired. So, that the cache get reset when you get the first instance of the second message...than if you get a second instance of that message it shouldn't fire an alert because the cache has been reset.