From: DK <dk...@os...> - 2004-06-15 08:52:08
Hi Mel,

I'm a bit in a hurry, so excuse me if I write it up fast.

Alarm == anything with risk > 1.

Risk = (priority * asset * reliability) / 10

There are three common ways an alert (or group of alerts) can become an alarm:

- Directives. They usually have an initial priority of 2-4, raising reliability as the attack advances. Have a look at the worm directive (id=4) for example. Initial priority is 2 and initial reliability 1. At level 2 (15 connections with same source_ip & same dest_port) the reliability raises to 3. So we get 6 * asset at level 2. In case the asset is 3 we would already get an alarm: (6 * 3) / 10 = 1.8, rounded = 2.

- Snort-Nessus correlation. When an IDS event arrives, the priority & reliability of the alert and the Nessus vuln are added. So, by default, the resulting alert would have at least priority 2 & reliability 2, resulting in an alarm (1.6, rounded = 2) for even the least important correlated event if the asset is 4.

- High priority & reliability. Since you can tweak individual events by updating the plugin_sid table, if you raise priority and reliability values for an event you can get alarms with single events.

Greetings,
Dominique

PD: Hope you didn't mind that I posted this reply to os-sim-support too; this could interest other people as well.

On 14.06.2004 at 19:31, mel wrote:

> Hi DK,
>
> Thanks for the explanation - the problem is, I've been
> trying to generate alarms (by performing scans and all sorts
> of things on a test host). You've mentioned that alarms
> are correlated and reprioritized events - how exactly does
> this process work? To be specific, how do groups of
> alerts/an alert become an alarm?
>
> Pardon me if my questions aren't clear - I'm trying to
> clear the air myself :)
>
> --mel
>
>>
>> We consider alarms != alerts. Alerts are low level events while
>> alarms are those correlated or reprioritized events whose total risk > 1.
>>
>> Regarding db insertions, snort inserts its own events into the
>> snort_db and ossim-server updates those events with
>> risk, asset, priority & reliability information. If the event isn't a
>> snort event, it gets inserted into the snort db structure by
>> ossim-server.
>>
>> Ah, one last one. Alerts are shown within acid and alarms appear on
>> the alarm_console.
>>
>> Hope this helps.
>>
>> Dominique
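The risk formula and the three alarm paths described in the message above, modelled as a small added example (not code from the thread or from the OSSIM project): the shape of the worm directive levels, the half-up rounding, and the per-source values fed into the Snort-Nessus correlation are assumptions made for illustration.

```python
# Added example, not OSSIM's own code: a minimal model of the risk
# formula from the post, used to check the three ways an alert can
# become an alarm. Directive structure and rounding rule are assumed.
from dataclasses import dataclass


def risk(priority: int, asset: int, reliability: int) -> float:
    """Risk = (priority * asset * reliability) / 10, as stated in the post."""
    return (priority * asset * reliability) / 10


def rounded_risk(priority: int, asset: int, reliability: int) -> int:
    # The post rounds 1.8 -> 2 and 1.6 -> 2; half-up rounding is assumed here.
    return int(risk(priority, asset, reliability) + 0.5)


def is_alarm(priority: int, asset: int, reliability: int) -> bool:
    """Alarm == anything whose (rounded) risk is > 1."""
    return rounded_risk(priority, asset, reliability) > 1


@dataclass
class DirectiveLevel:
    min_connections: int  # threshold at which this level is reached (assumed)
    reliability: int      # reliability assigned once the level is reached


# Assumed shape of the worm directive (id=4): priority 2, reliability 1 at
# level 1, raised to 3 at level 2 after 15 connections to the same dest_port.
WORM_DIRECTIVE = {
    "priority": 2,
    "levels": [DirectiveLevel(1, 1), DirectiveLevel(15, 3)],
}


def directive_reliability(directive: dict, connections: int) -> int:
    """Reliability of the highest directive level the connection count has reached."""
    reliability = 0
    for level in directive["levels"]:
        if connections >= level.min_connections:
            reliability = level.reliability
    return reliability


def directive_alarm(directive: dict, connections: int, asset: int) -> bool:
    return is_alarm(directive["priority"], asset,
                    directive_reliability(directive, connections))


def correlated_alarm(ids_priority: int, ids_reliability: int,
                     vuln_priority: int, vuln_reliability: int, asset: int) -> bool:
    """Snort-Nessus correlation: priority and reliability of event and vuln are added."""
    return is_alarm(ids_priority + vuln_priority, asset,
                    ids_reliability + vuln_reliability)
```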