Testing/Developing/Debugging Correlation rules
Is there a mechanism available that can allow quicker development of correlation rules than restarting views and re-emitting messages into enVision after every edit? For example, something like the UDS console that could analyze a message dump and tell whether the messages will trigger a specific correlation rule?
I would like to see something like this as well. It would also give us the ability to check a new correlation rule against old data (say that you've just created an alert and want to check whether it happened last week). Also, since the alerts we create are normally the result of a new traffic pattern that we've identified from our logs, it would be nice to have the comfort level that the alerts would have triggered (without having to inject the data again).
Just wondering if enVision can replay historical events to test new correlation rules?
How do you test rules in general? Some events are easy to reproduce, like an invalid logon. But what if you see something that rarely happens on the IDS which you want to track because it seems critical enough? You don't have an easy way to trigger it again, or you don't even have the necessary information to do so.
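As an added illustration of what the posts above are asking for (a tool that reads a saved message dump and reports which correlation rules would have fired, so a new rule can be checked against last week's data without re-injecting it), here is a small offline replay engine. This is example code written for this thread, not an enVision feature or utility; the event format, the two rule types (a count-within-window threshold and a two-step sequence), the rule names and the sample dump are all constructed assumptions, and a real dump would first have to be parsed into the same (timestamp, event kind, correlation key) shape.

```python
"""Offline replay of correlation rules over a saved event dump.

Example code for this thread, not enVision functionality. Events are
replayed in time order and every rule firing is returned, so a newly
written rule can be checked against historical data. The event format,
rule types and sample dump below are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str   # assumed normalized event kind, e.g. "LOGON_FAIL", "IDS_ALERT"
    key: str    # correlation key, e.g. source IP or target host


@dataclass
class ThresholdRule:
    """Fire when at least `count` events of `kind` share a key within `window`."""
    name: str
    kind: str
    count: int
    window: timedelta


@dataclass
class SequenceRule:
    """Fire when `second` follows `first` for the same key within `window`."""
    name: str
    first: str
    second: str
    window: timedelta


def replay(events, rules) -> List[Tuple[str, str, datetime]]:
    """Return (rule_name, key, fire_time) for every firing, in time order."""
    fired = []
    # Per (rule, key): timestamps of recent events still inside the window.
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    # Per (rule, key): time of the most recent 'first' event awaiting its 'second'.
    pending: Dict[Tuple[str, str], datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            slot = (rule.name, ev.key)
            if isinstance(rule, ThresholdRule) and ev.kind == rule.kind:
                q = windows[slot]
                q.append(ev.ts)
                while q and ev.ts - q[0] > rule.window:   # slide the window
                    q.popleft()
                if len(q) >= rule.count:
                    fired.append((rule.name, ev.key, ev.ts))
                    q.clear()   # one burst fires once, as an alert rule would
            elif isinstance(rule, SequenceRule):
                if ev.kind == rule.first:
                    pending[slot] = ev.ts
                elif ev.kind == rule.second and slot in pending:
                    if ev.ts - pending[slot] <= rule.window:
                        fired.append((rule.name, ev.key, ev.ts))
                    del pending[slot]   # too late or consumed either way
    return fired


# Constructed dump: "<ISO timestamp> <kind> <key>" per line, not real data.
SAMPLE_DUMP = """\
2024-01-08T10:00:00 LOGON_FAIL 10.0.0.5
2024-01-08T10:00:10 LOGON_FAIL 10.0.0.5
2024-01-08T10:00:20 LOGON_FAIL 10.0.0.5
2024-01-08T10:00:25 LOGON_FAIL 10.0.0.9
2024-01-08T10:02:00 LOGON_FAIL 10.0.0.5
2024-01-08T10:05:00 IDS_ALERT web01
2024-01-08T10:07:30 LOGON_OK web01
2024-01-08T10:20:00 IDS_ALERT db01
2024-01-08T10:40:00 LOGON_OK db01
"""


def parse_dump(text: str) -> List[Event]:
    out = []
    for line in text.splitlines():
        ts, kind, key = line.split()
        out.append(Event(datetime.fromisoformat(ts), kind, key))
    return out


# Assumed rules under test: a brute-force threshold and an IDS-then-logon sequence.
RULES = [
    ThresholdRule("brute_force", "LOGON_FAIL", 3, timedelta(seconds=60)),
    SequenceRule("ids_then_logon", "IDS_ALERT", "LOGON_OK", timedelta(minutes=5)),
]


def check_dump(text: str = SAMPLE_DUMP, rules=RULES):
    """Replay a dump against the rules and return what would have fired."""
    return replay(parse_dump(text), rules)


if __name__ == "__main__":
    for name, key, ts in check_dump():
        print(f"{ts.isoformat()} {name} would fire for {key}")
```

On the constructed dump, `brute_force` fires once for 10.0.0.5 at 10:00:20 (three failures in 20 seconds; the later failure at 10:02:00 falls outside the window) and `ids_then_logon` fires for web01 but not for db01, whose logon came 20 minutes after the alert. The same harness answers the "did this happen last week" question: replay last week's dump with the new rule in `RULES` and see whether anything is returned.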
Thanks for the information. I was not able to find the description of the two utilities you mentioned in your reply. Where is their information hiding?
I just hope that information for these useful utilities could be found in the admin documentation of the system. It would be very handy.
Appreciate your input.