[Os-sim-support] Documentation about Correlation...

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi,

how are you ?

I'm reading the 2 docs about the correlation engine... I found a strange
explication in
http://www.ossim.net/docs/correlation_engine_explained_rpc_dcom_example.pdf=
 and http://www.ossim.net/docs/correlation_engine_explained_worm_example.pd=
f
In the information about the "from" attribute of "rule", i can read as
exemple: 2:DST_IP means use the destination ip referenced two rules
below as source address. Isn't it two rules on top (befor the current
rule) ??

I still have a question about the relative referencing. In the
"port_from" and "port_to" attributes explication in
http://www.ossim.net/docs/correlation_engine_explained_worm_example.pdf,
you say that "1:DST_PORT" mean level 1 source address and "2:DST_PORT"
mean level 2 source addresss. Isn't it one previous level and 2 previous
level address (relative from the current rule) ?

Thanks for your help and read you soon ...

Jo=EBl.W

[Os-sim-support] Documentation about Correlation...

Open Source SIEM

[Os-sim-support] Documentation about Correlation...