2.e: Configuring the OSSIM correlation engine

Correlation is a large part of security event monitoring.

https://alienvault.bloomfire.com/search?value=correlation&search-type=all

https://encrypted.google.com/search?q=correlation+inurl%3Awww.alienvault.com%2Fwiki%2Fdoku.php%3Fid%3Duser_manual%3Aintelligence

https://encrypted.google.com/search?q=correlation+inurl%3Awww.alienvault.com%2Fwiki%2Fdoku.php&oq=correlation+inurl%3Awww.alienvault.com%2Fwiki%2Fdoku.php

Types of correlation:
“Logical correlation: Using pre-defined and customized correlation rules.
Inventory correlation: Through inventory look ups the system is able to determine the validity of an event by simply checking the platform and applications running on the attacked machine. If the attacked system is not vulnerable to such type of attacks, the event is simply discarded. For e.g. An event announcing attack against IIS, won’t be relevant if the device is running Apache.
Cross correlation: If the event announces an event trying to exploit a previously detected vulnerability on a device, the reliability of the attack is raised up.”

你可能感兴趣的:(2.e: Configuring the OSSIM correlation engine)