basics logo Security Basics mailing list archives

Re: SIEM Use Cases
From: Thugzclub Thugzclub <thugzclub () googlemail com>
Date: Tue, 10 Jul 2012 01:29:27 +0100

But there must be a set of threats that people are working to. I cannot
believe that people are not able to share this.

Please reply in private if you can provide/share a sanitised version
of your threats...

On 9 July 2012 08:53, Uzair Hashmi <uzair.hashmi () kse com pk> wrote:
It's usually called "Event Correlation". Read on this specific topic in the manual of the SIEM being implemented.

Regards,
Uzair

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Thugzclub Thugzclub
Sent: Monday, July 09, 2012 6:36 AM
To: listbounce () securityfocus com; security-basics () securityfocus com; pen-test () securityfocus com; discussion 
() siemusers org
Subject: SIEM Use Cases

Hi,

This may not be the right forum ( if so please point me to the right
location) but here goes:

I am working on a project where we are integrating a SIEM into our
environment and I need to create a monitoring and alerting standard.

If I can explain some more:
- There are specific "isolated" suspicious behaviours that we would
want the SIEM to alert on, e.g. an admin logon at specific times of
the day, midnight for instance.
- There are also specific "combinations" of suspicious behaviour that
we should alert on, e.g.:

I have a simple 3-tier web app behind a firewall, and four event
sources for the SIEM: a firewall, system events from
whatever daemon is running on your servers and an (D)IDS.

Event 1: IDS says I have an SQL injection. Taken alone, this is
false; it's just an attempt at an SQLi and I have no idea whether or
not it has succeeded.
Event 2: system daemon says I have a file creation in a temp folder
on your DB server.
Event 3: system daemon says said dropped file is run under the DB server user.
Event 4: firewall says I have an outbound connection created to blah
server on port 80.
Event 5: IDS says blah server is hosted on an IP with a bad
reputation (I assume that's the D in DIDS).

Based on the above, I would say that I have been hacked.

The query that I have is: is there a specific set of malicious
behaviours or "use cases" similar to the above that I can use as the
basis for configuring my SIEM to detect malicious patterns of
behaviour?

Thanks in advance.
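As an added example, not part of the thread and not the output of any real SIEM, here is a small correlation engine in Python that implements both kinds of rule the post describes: an "isolated" rule (an admin logon in off hours) and the five-step "combination" chain (IDS SQLi alert, temp file created on the DB server, that file executed as the DB service user, outbound port-80 connection from that host, destination IP with a bad reputation). The event schema, source and kind names, the lists of admin and DB service accounts, the off-hours range and the sample events are all constructed assumptions for the illustration.

```python
"""Event correlation example for the two SIEM use-case types in the post.
Event schema, field names, account lists and sample events are constructed
for this illustration; they are not from any real SIEM, IDS or firewall."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    source: str                       # assumed sources: "ids", "host", "fw", "rep"
    kind: str                         # assumed kinds: "sqli", "file_create", ...
    host: str                         # host the event concerns ("" if none)
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Incident:
    rule: str
    host: str
    chain: List[Event]                # the events that satisfied each step, in order


ADMIN_USERS = {"root", "Administrator"}          # assumption
DB_SERVICE_USERS = {"mysql", "postgres", "oracle"}  # assumption
OFF_HOURS = range(0, 6)                          # assumption: 00:00-05:59


# --- isolated rule: a single event is enough to alert ----------------------
def off_hours_admin_logons(events: List[Event]) -> List[Event]:
    return [e for e in events
            if e.source == "host" and e.kind == "logon"
            and e.attrs.get("user") in ADMIN_USERS and e.ts.hour in OFF_HOURS]


# --- combination rule: an ordered chain of events within a time window -----
# A step receives the event plus the values captured by earlier steps and
# returns new captures on a match, or None.  Captures (host, file path,
# destination IP) tie later steps to earlier ones, which is what keeps the
# chain from firing on five unrelated events.
Step = Callable[[Event, Dict[str, str]], Optional[Dict[str, str]]]


def s1_sqli(e: Event, cap: Dict[str, str]):
    return {} if e.source == "ids" and e.kind == "sqli" else None


def s2_tmp_file(e: Event, cap: Dict[str, str]):
    path = e.attrs.get("path", "")
    if e.source == "host" and e.kind == "file_create" and path.startswith("/tmp/"):
        return {"host": e.host, "path": path}
    return None


def s3_exec_as_db_user(e: Event, cap: Dict[str, str]):
    if (e.source == "host" and e.kind == "proc_exec" and e.host == cap["host"]
            and e.attrs.get("path") == cap["path"]
            and e.attrs.get("user") in DB_SERVICE_USERS):
        return {}
    return None


def s4_outbound_80(e: Event, cap: Dict[str, str]):
    if (e.source == "fw" and e.kind == "conn_out" and e.host == cap["host"]
            and e.attrs.get("dport") == "80"):
        return {"dst": e.attrs["dst"]}
    return None


def s5_bad_reputation(e: Event, cap: Dict[str, str]):
    if e.source == "rep" and e.kind == "bad_rep" and e.attrs.get("ip") == cap["dst"]:
        return {}
    return None


CHAIN_RULE = ("sqli_to_dropper_to_beacon",
              [s1_sqli, s2_tmp_file, s3_exec_as_db_user, s4_outbound_80, s5_bad_reputation])


def correlate(events: List[Event], window: timedelta, rule=CHAIN_RULE) -> List[Incident]:
    """Emit an Incident for every complete, in-order match of the rule's steps
    whose events all fall within `window` of the first step."""
    name, steps = rule
    partials: list = []               # (index of next step, captures, chain so far)
    incidents: List[Incident] = []
    for e in sorted(events, key=lambda x: x.ts):
        partials = [p for p in partials if e.ts - p[2][0].ts <= window]  # expire
        advanced = []
        for idx, cap, chain in partials:
            got = steps[idx](e, cap)
            if got is None:
                continue
            new_cap, new_chain = {**cap, **got}, chain + [e]
            if idx + 1 == len(steps):
                incidents.append(Incident(name, new_cap.get("host", e.host), new_chain))
            else:
                advanced.append((idx + 1, new_cap, new_chain))
        got = steps[0](e, {})
        if got is not None:           # any event may start a fresh chain
            advanced.append((1, got, [e]))
        partials.extend(advanced)
    return incidents


# Constructed sample events mirroring the post's Event 1 to Event 5, plus a
# root logon at 01:05 for the isolated rule.
T0 = datetime(2012, 7, 9, 1, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ids", "sqli", "web1", {"src": "203.0.113.7"}),
    Event(T0 + timedelta(seconds=40), "host", "file_create", "db1", {"path": "/tmp/x.sh"}),
    Event(T0 + timedelta(seconds=45), "host", "proc_exec", "db1", {"path": "/tmp/x.sh", "user": "mysql"}),
    Event(T0 + timedelta(seconds=50), "fw", "conn_out", "db1", {"dst": "198.51.100.9", "dport": "80"}),
    Event(T0 + timedelta(seconds=51), "rep", "bad_rep", "", {"ip": "198.51.100.9"}),
    Event(T0 + timedelta(minutes=5), "host", "logon", "db1", {"user": "root"}),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS, timedelta(minutes=10)):
        print(inc.rule, inc.host, [ev.kind for ev in inc.chain])
    print("off-hours admin logons:", [ev.attrs["user"] for ev in off_hours_admin_logons(SAMPLE_EVENTS)])
```

Two design points worth noting when turning this into real SIEM rules: the window is measured from the first step, so a lone SQLi alert never produces an incident on its own (the point the post makes about Event 1), and the chain carries captured values forward (the DB host, the dropped file's path, the destination IP) so that each step must refer to the same host and artefacts rather than merely occur in sequence. Shrink the window or drop the captures and the same rule will fire on coincidences.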
