Imre Balazs

Quit from correlation evaluation?

Discussion created by Imre Balazs on Jun 7, 2010
Latest reply on Jun 8, 2010 by RSA Admin

Hi All,

I have run into the below situation during Correlation Rule creation.

Customer needs a correlation rule which detects if an event and its counterpart don't arrive, and at the same time it makes some cache checks. It looks like this:

Error conditions:

1. if the second event does not follow the first one

2. if the cached values in the second message differ from the first one

Issues:

The two messages can arrive

- in any combination of the two source (sx) devices (s1 > s2, s2 > s1)

- in any time sequence (e1, e2 or e2, e1)

So I did this:

Statement1: The first event comes in from any of the two FTP servers and says that someone downloaded a file:

1. I check the source device (must be any of the two FTP servers=ip1 or ip2)

2. I check the messageID (=file_downloaded)

3. and save username, filesize and filename in cache variables

AND

Statement2: the second event should come from the counterpart of the above FTP server(!)

1. Error condition1: NO Events within 120 secs

2. I check the source device (again, must be one of the two FTP servers = ip1 or ip2)

3. I check the messageID (=file_downloaded)

4. check if saved username, filesize and filename in the cache are identical to first event

I can detect if the second message is missing. The problem comes when, as expected, two messages are received, because the second message also initiates a new correlation check and it produces an error = fires an alarm, a false alarm. So my question is, whether it is possible to somehow quit from a correlation check, or whether anyone has any other idea to solve this issue?

Thanks in advance,

Balazs
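The pairing logic the post describes, written out as an added example in plain Python rather than in the enVision correlation-rule language (this is not RSA's code and not the poster's rule). The event field names, the `ip1`/`ip2` placeholders and the 120-second window are taken from the post; keying pending events on username plus filename and comparing the cached file size on the counterpart is an assumption made for the example, so a counterpart with a different filename cannot be paired and shows up as a missing counterpart after the window expires. The point it demonstrates is that the counterpart event consumes the pending entry instead of opening a second correlation window of its own, which is what removes the false alarm from the post:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed event shape for this example; the field names are assumptions,
# not the enVision event schema.
@dataclass
class Event:
    ts: float          # arrival time in seconds
    source: str        # reporting device, "ip1" or "ip2" as in the post
    message_id: str    # e.g. "file_downloaded"
    user: str
    filename: str
    size: int

# The two FTP servers and their counterparts (placeholder addresses from the post).
FTP_PEERS = {"ip1": "ip2", "ip2": "ip1"}
WINDOW_SECS = 120
MSG_ID = "file_downloaded"


class PairCorrelator:
    """Pairs each file_downloaded event with its counterpart from the peer FTP server.

    A pending first half is consumed when its counterpart arrives, so the second
    event never opens a correlation window of its own; that is what avoids the
    false alarm described in the post.
    """

    def __init__(self, window: int = WINDOW_SECS) -> None:
        self.window = window
        # pending first halves, keyed by (user, filename, source device)
        self.pending: Dict[Tuple[str, str, str], Event] = {}
        self.alerts: List[str] = []

    def expire(self, now: float) -> None:
        """Error condition 1: first halves whose counterpart never arrived in time."""
        for key, ev in list(self.pending.items()):
            if now - ev.ts > self.window:
                del self.pending[key]
                self.alerts.append(
                    f"MISSING_COUNTERPART user={ev.user} file={ev.filename} "
                    f"seen_from={ev.source} expected_from={FTP_PEERS[ev.source]}"
                )

    def feed(self, ev: Event) -> Optional[str]:
        """Process one event in arrival order; returns the alert it produced, if any."""
        self.expire(ev.ts)
        if ev.source not in FTP_PEERS or ev.message_id != MSG_ID:
            return None  # not one of the two FTP servers, or not the message we pair
        # Is this the counterpart of an event already cached from the peer server?
        first = self.pending.pop((ev.user, ev.filename, FTP_PEERS[ev.source]), None)
        if first is None:
            # First half of a pair (either order, either server): cache and wait.
            self.pending[(ev.user, ev.filename, ev.source)] = ev
            return None
        # Second half: error condition 2, compare the cached values.
        if first.size != ev.size:
            alert = (f"CACHE_MISMATCH user={ev.user} file={ev.filename} "
                     f"size_first={first.size} size_second={ev.size}")
            self.alerts.append(alert)
            return alert
        return None  # matched pair, nothing to report


def run_demo() -> List[str]:
    """Feed constructed events in both orders and return the alerts raised."""
    c = PairCorrelator()
    events = [
        # pair in order s1 -> s2 with identical cache values: no alert
        Event(0, "ip1", MSG_ID, "alice", "report.pdf", 4096),
        Event(30, "ip2", MSG_ID, "alice", "report.pdf", 4096),
        # pair in reverse order s2 -> s1: still no alert
        Event(40, "ip2", MSG_ID, "bob", "data.csv", 512),
        Event(50, "ip1", MSG_ID, "bob", "data.csv", 512),
        # first half only; the counterpart never arrives
        Event(100, "ip2", MSG_ID, "carol", "archive.zip", 999),
        # event from some other device is ignored for pairing
        Event(150, "ip9", "login_ok", "dave", "", 0),
        # pair whose cached size differs: error condition 2
        Event(400, "ip1", MSG_ID, "erin", "big.iso", 10),
        Event(410, "ip2", MSG_ID, "erin", "big.iso", 11),
    ]
    for ev in events:
        c.feed(ev)
    c.expire(now=600)  # close any windows still open at end of input
    return c.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running it reports exactly two alerts: the missing counterpart for `carol` (raised once the window has passed) and the size mismatch for `erin`; the two complete pairs, in either arrival order, produce nothing. Expiry here is driven by the timestamps of incoming events plus a final `expire()` call, so on a real feed a periodic timer would be needed to report a missing counterpart when no further events arrive.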
