what rules would you like to see?
Could you add rules to detect portscans and network sweeps?
Also, it would be nice to have a correlated rule that can trigger an alert when it sees the vulnerability value of a device increase.
Other examples for correlated rules would be to have a rule that detects common P2P traffic activity.
It looks like a common request from multiple boards now is the ability to identify when a monitored device has not sent messages within a period of time (somewhat like the NIC heartbeat message, but not message specific).
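Added example, not code from the product or from any of the posters above: a small sliding-window correlator that implements the three requests from the last two posts (port scan, network sweep, and a monitored device that has gone quiet) over constructed firewall-style events. The event layout, the field names, the 60-second window, the thresholds of five ports / five hosts, and the 300-second silence limit are all assumptions chosen for illustration.

```python
"""Sliding-window correlation rules: port scan, network sweep, silent device.

Added example for this thread, not product code. Event layout, field names and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque

# Constructed sample events: (timestamp in seconds, src_ip, dst_ip, dst_port, reporting_device)
SAMPLE_EVENTS = [
    # 10.0.0.5 probes five ports on one host within 8 seconds: a port scan
    (0, "10.0.0.5", "10.0.1.1", 21, "fw-1"),
    (2, "10.0.0.5", "10.0.1.1", 22, "fw-1"),
    (4, "10.0.0.5", "10.0.1.1", 23, "fw-1"),
    (6, "10.0.0.5", "10.0.1.1", 25, "fw-1"),
    (8, "10.0.0.5", "10.0.1.1", 80, "fw-1"),
    # 10.0.0.7 hits the same port on five hosts within 20 seconds: a network sweep
    (30, "10.0.0.7", "10.0.2.1", 445, "fw-2"),
    (35, "10.0.0.7", "10.0.2.2", 445, "fw-2"),
    (40, "10.0.0.7", "10.0.2.3", 445, "fw-2"),
    (45, "10.0.0.7", "10.0.2.4", 445, "fw-2"),
    (50, "10.0.0.7", "10.0.2.5", 445, "fw-2"),
    # fw-2 reports nothing after t=100
    (100, "10.0.0.9", "10.0.3.1", 443, "fw-2"),
    # 10.0.0.11 touches five ports 100 s apart: slower than the 60 s window, no alert
    (300, "10.0.0.11", "10.0.1.1", 21, "fw-1"),
    (400, "10.0.0.11", "10.0.1.1", 22, "fw-1"),
    (500, "10.0.0.11", "10.0.1.1", 23, "fw-1"),
    (600, "10.0.0.11", "10.0.1.1", 25, "fw-1"),
    (700, "10.0.0.11", "10.0.1.1", 80, "fw-1"),
    (900, "10.0.0.9", "10.0.3.1", 443, "fw-1"),
]


class DistinctInWindow:
    """Counts distinct values per key inside a trailing time window.

    Events must be fed in timestamp order; entries older than the window are
    evicted on every add, so a slow scan never accumulates.
    """

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._buckets = defaultdict(deque)  # key -> deque of (ts, value)

    def add(self, key, ts, value):
        bucket = self._buckets[key]
        bucket.append((ts, value))
        while bucket and ts - bucket[0][0] > self.window:
            bucket.popleft()
        return len({v for _, v in bucket})


def correlate(events, window=60, port_threshold=5, host_threshold=5,
              silence_threshold=300, now=None):
    """Run the three rules over events and return alerts in the order they fire.

    A scan alert fires once per (src, dst) and a sweep alert once per src, the
    first time the distinct count reaches the threshold. The silence check runs
    once at the end against `now` (defaults to the latest event timestamp).
    """
    ports_per_target = DistinctInWindow(window)   # key (src, dst) -> distinct dst ports
    hosts_per_source = DistinctInWindow(window)   # key src -> distinct dst hosts
    last_seen = {}                                # reporting device -> last timestamp
    fired = set()
    alerts = []

    for ts, src, dst, port, device in sorted(events):
        last_seen[device] = max(ts, last_seen.get(device, ts))

        if (ports_per_target.add((src, dst), ts, port) >= port_threshold
                and ("portscan", src, dst) not in fired):
            fired.add(("portscan", src, dst))
            alerts.append({"rule": "portscan", "src": src, "dst": dst, "ts": ts})

        if (hosts_per_source.add(src, ts, dst) >= host_threshold
                and ("sweep", src) not in fired):
            fired.add(("sweep", src))
            alerts.append({"rule": "sweep", "src": src, "dst": None, "ts": ts})

    if now is None:
        now = max(e[0] for e in events)
    for device, ts in sorted(last_seen.items()):
        if now - ts > silence_threshold:
            alerts.append({"rule": "silent_device", "src": device, "dst": None, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, now=1000):
        print(alert)
```

The silence rule is evaluated against a clock value rather than triggered by an event, because the condition being detected is the absence of events; in a real engine it would run on a timer. The window eviction is what keeps the slow scanner (10.0.0.11) below the threshold, which is the usual trade-off: a longer window catches slower scans at the cost of more state per source.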
I think we need rules that address each stage of a common attack lifecycle. I will refer to the methodology used in "Hacking Exposed, 4th ed."
Footprinting - Scanning - Enumeration - Gaining Access - Escalating privilege - Pilfering - Covering tracks - creating back doors - Denial of Service
Using these steps as a guideline, I think that most attacks follow a pattern of probe (Footprinting - Scanning - Enumeration) - attack (Gaining Access - Escalating privilege - Pilfering) - response (Covering tracks - creating back doors, maybe a command and control response) in general. Using these as flexible rule templates, we can build rules that allow for a wide range of activities.
Other interesting rules would be around wireless attacks, PCI incidents, DLP incidents, and change control incidents.
If there are useful rules from other event correlation systems, we should also replicate the functionality we find to be useful.
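Added example, not code from the product or from the poster above: a staged correlation rule that follows the probe - attack - response template from this post. Lower-level rule names are mapped to a stage, and a per-source chain is only completed when the stages are observed in order within one window. The stage mapping, the event layout and the one-hour chain window are assumptions for illustration.

```python
"""Staged correlation: probe -> attack -> response per source.

Added example for this thread, not product code. The rule-to-stage mapping,
event layout and the one-hour chain window are assumptions.
"""

# Which lifecycle stage a lower-level rule belongs to (assumed mapping).
STAGE_OF = {
    "portscan": "probe",
    "enumeration": "probe",
    "exploit_attempt": "attack",
    "privilege_escalation": "attack",
    "log_cleared": "response",
    "outbound_beacon": "response",
}
STAGES = ("probe", "attack", "response")

# Constructed sample alerts: (timestamp in seconds, source_ip, rule_name)
SAMPLE_ALERTS = [
    (0, "10.0.0.5", "portscan"),
    (120, "10.0.0.5", "enumeration"),
    (600, "10.0.0.5", "exploit_attempt"),
    (700, "10.0.0.5", "privilege_escalation"),
    (900, "10.0.0.5", "log_cleared"),
    (1000, "10.0.0.5", "outbound_beacon"),
    # response and attack without a preceding probe: out of order, no chain
    (50, "10.0.0.8", "log_cleared"),
    (100, "10.0.0.8", "exploit_attempt"),
    # probe, then attack 5000 s later: outside the one-hour window, no chain
    (0, "10.0.0.9", "portscan"),
    (5000, "10.0.0.9", "exploit_attempt"),
    (5100, "10.0.0.9", "log_cleared"),
    # rule with no stage mapping: ignored
    (10, "10.0.0.9", "unknown_rule"),
]


def correlate_chains(alerts, chain_window=3600):
    """Emit one attack_chain record per source when the three stages are seen in
    order, all within chain_window seconds of the probe that opened the chain.
    """
    state = {}     # src -> {"probe": ts, "attack": ts, "response": ts}
    chains = []
    for ts, src, rule in sorted(alerts):
        stage = STAGE_OF.get(rule)
        if stage is None:
            continue
        chain = state.get(src)
        expired = chain is not None and ts - chain["probe"] > chain_window
        if stage == "probe":
            # The first probe opens a chain; a later probe only restarts an expired one.
            if chain is None or expired:
                state[src] = {"probe": ts}
            continue
        if chain is None or expired:
            continue  # attack/response without a live probe: out of order
        previous = STAGES[STAGES.index(stage) - 1]
        if previous not in chain or stage in chain:
            continue  # earlier stage missing, or this stage already recorded
        chain[stage] = ts
        if stage == "response":
            chains.append({"src": src, "stages": dict(chain)})
            del state[src]  # chain complete; a new probe starts a fresh one
    return chains


if __name__ == "__main__":
    for chain in correlate_chains(SAMPLE_ALERTS):
        print(chain)
```

Keying the chain on the source address is the simplest choice and is wrong for the "response" stage of a real intrusion, where the beacon or backdoor usually originates from the compromised host rather than from the attacker's scanning address; a production rule would need to pivot the key from attacker source to victim host once the attack stage fires. The mapping table is where per-site tuning happens: any existing rule can be placed in a stage without touching the chain logic.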
We are mainly focused on insider threats so everything abnormal that the administrators are doing is of interest. I guess baselining would be an interesting way forward here:
-First define what is normal behaviour, for example logons to the system are OK between 08-17, and everything besides that should be alerted on. I know this can be achieved with scheduling the alert to have it enabled during non-office hours, so this is how we will do it now.
-More baselining regarding logons would be of interest, for example persons logging on to sensitive systems they have not logged on to before could be interesting.
-I think the rules for example addition/deletion of an account within an hour are great rules to build further upon, so more rules like that are of interest for us.
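Added example, not code from the product or from the poster above: the three rules asked for in this post (after-hours logon, first logon by a user to a sensitive system not in the baseline, and an account created and deleted within an hour) run over constructed Windows-style logon and account events. The event layout, the 08:00-17:00 office window, the sensitive-host list and the learned baseline are assumptions for illustration.

```python
"""Insider-threat baseline rules: after-hours logon, first logon to a sensitive
system, account created and deleted within an hour.

Added example for this thread, not product code. Event layout, the 08:00-17:00
office window, the sensitive-host list and the baseline are assumptions.
"""
from datetime import datetime, timedelta

OFFICE_START, OFFICE_END = 8, 17           # logons expected from 08:00 up to 17:00
SENSITIVE_HOSTS = {"hr-db", "fileserver"}  # systems where a new user/host pair matters
SHORT_LIVED = timedelta(hours=1)           # create-then-delete faster than this

# Constructed sample events; timestamps are ISO 8601 in local time.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:15:00", "type": "logon", "user": "alice", "host": "fileserver"},
    {"ts": "2024-03-04T22:30:00", "type": "logon", "user": "alice", "host": "fileserver"},
    {"ts": "2024-03-04T10:00:00", "type": "logon", "user": "alice", "host": "hr-db"},
    {"ts": "2024-03-04T10:05:00", "type": "account_created", "user": "bob", "target": "tmpsvc"},
    {"ts": "2024-03-04T10:40:00", "type": "account_deleted", "user": "bob", "target": "tmpsvc"},
    {"ts": "2024-03-04T11:00:00", "type": "account_created", "user": "bob", "target": "svc-backup"},
    {"ts": "2024-03-04T15:00:00", "type": "account_deleted", "user": "bob", "target": "svc-backup"},
    {"ts": "2024-03-04T13:00:00", "type": "logon", "user": "bob", "host": "workstation-7"},
]

# Baseline of (user, host) pairs observed during a learning period (assumed).
BASELINE = {("alice", "fileserver"), ("bob", "hr-db")}


def evaluate(events, baseline=BASELINE):
    """Apply the three rules in timestamp order and return alerts as dicts."""
    known = set(baseline)   # grows as new pairs are seen, so each pair alerts once
    created_at = {}         # account name -> creation time, for the create/delete rule
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "logon":
            # Rule 1: logon outside office hours.
            if not (OFFICE_START <= ts.hour < OFFICE_END):
                alerts.append({"rule": "after_hours_logon", "ts": ev["ts"],
                               "user": ev["user"], "host": ev["host"]})
            # Rule 2: first logon of this user to a sensitive system.
            pair = (ev["user"], ev["host"])
            if ev["host"] in SENSITIVE_HOSTS and pair not in known:
                known.add(pair)
                alerts.append({"rule": "first_sensitive_logon", "ts": ev["ts"],
                               "user": ev["user"], "host": ev["host"]})
        elif ev["type"] == "account_created":
            created_at[ev["target"]] = ts
        elif ev["type"] == "account_deleted":
            # Rule 3: account removed within an hour of being created.
            created = created_at.pop(ev["target"], None)
            if created is not None and ts - created <= SHORT_LIVED:
                alerts.append({"rule": "short_lived_account", "ts": ev["ts"],
                               "user": ev["user"], "host": ev["target"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Two practical caveats: the hour check is only as good as the time zone of the timestamp, so events from devices logging in UTC need normalising before the office-hours comparison; and the baseline should be built from a learning period that is itself reviewed, otherwise an administrator who was already misusing a system during that period is baselined as normal.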
Thanks for the input. FYI, if you see a feature request that you'd like to "second", you can give it Kudos instead of creating a new post. We just turned Kudos on, so I think people aren't aware of how they work. The customer mailing this month indicates how to use them.