Security Basics
Re: SIEM Use Cases, Jul 10 2012 12:29AM
Thugzclub Thugzclub (thugzclub googlemail com)
But there must be a set of threats that people are working to. I cannot
believe that people are not able to share this.

Please reply in private if you can provide/share a sanitised version
of your threats...

On 9 July 2012 08:53, Uzair Hashmi <uzair.hashmi (at) kse.com (dot) pk> wrote:
> It's usually called "Event Correlation". Read on this specific topic in the manual of your SIEM being implemented.
>
> Regards,
> Uzair
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Thugzclub Thugzclub
> Sent: Monday, July 09, 2012 6:36 AM
> To: listbounce (at) securityfocus (dot) com; security-basics (at) securityfocus (dot) com; pen-test (at) securityfocus (dot) com; discussion (at) siemusers (dot) org
> Subject: SIEM Use Cases
>
> Hi,
>
> This may not be the right forum ( if so please point me to the right
> location) but here goes:
>
> I am working on a project where we are integrating a SIEM into our
> environment and I need to create a monitoring and alerting standard.
>
> If I can explain some more:
> - There are specific "isolated" suspicious behaviours that we would
> want the SIEM to alert on, e.g. admin logon at specific times of
> the day, midnight for instance.
> - There are also specific "combinations" of suspicious behaviour that
> we should alert on, e.g.:
>
> I have a simple 3-tier web app behind a firewall, and four event
> sources for SIEM: a firewall, system events from
> whatever daemon is running on your servers, and a (D)IDS.
>
> Event 1: IDS says I have an SQL injection. Taken alone, this is
> false; it's just an attempt at an SQLi and I have no idea whether or
> not it has succeeded.
> Event 2: system daemon says I have a file creation in a temp folder
> on your DB server.
> Event 3: system daemon says said dropped file is run under the DB server user.
> Event 4: firewall says I have an outbound connection created to blah
> server on port 80.
> Event 5: IDS says blah server is hosted on an IP with a bad
> reputation (I assume that's the D in DIDS).
>
> Based on the above, I would say that I have been hacked.
>
> The query that I have is: are there specific sets of malicious
> behaviour or "use cases" similar to the above that I can use as the
> basis for configuring my SIEM to detect malicious patterns of
> behaviour?
>
>
>
> Thanks in advance.
>
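The five-event chain in the original post is what "event correlation" means in practice: no single event is conclusive, but the ordered sequence on one host, with fields carried between steps (the dropped file path, the destination IP) and inside a time window, is. The following is an added example, not code from the post or from any SIEM product; the event field names, the sample events and the 600-second window are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, as a SIEM might normalise them (hypothetical field names).
# db1 sees the whole chain; db2 sees only an SQLi attempt and must not alert.
EVENTS = [
    {"ts": 100, "src": "ids", "type": "sqli_attempt", "host": "db1"},
    {"ts": 105, "src": "ids", "type": "sqli_attempt", "host": "db2"},
    {"ts": 130, "src": "os",  "type": "file_create",  "host": "db1", "path": "/tmp/x"},
    {"ts": 140, "src": "os",  "type": "proc_start",   "host": "db1", "path": "/tmp/x", "user": "dbserver"},
    {"ts": 150, "src": "fw",  "type": "outbound",     "host": "db1", "dst": "203.0.113.9", "port": 80},
    {"ts": 151, "src": "ids", "type": "bad_rep",      "host": "db1", "dst": "203.0.113.9"},
]

# The chain from the post, in order. Each step names the expected event type and a
# check that may consult fields captured from earlier steps (the "state" dict).
CHAIN = [
    ("sqli_attempt", lambda e, s: True),
    ("file_create",  lambda e, s: e["path"].startswith("/tmp/")),
    ("proc_start",   lambda e, s: e["path"] == s["path"] and e["user"] == "dbserver"),
    ("outbound",     lambda e, s: e["port"] == 80),
    ("bad_rep",      lambda e, s: e["dst"] == s["dst"]),
]
WINDOW = 600  # seconds: every step must fall within this span of the first one


def correlate(events, chain=CHAIN, window=WINDOW):
    """Return {host: [matched events]} for each host on which the whole chain fired."""
    progress = defaultdict(lambda: {"step": 0, "state": {}, "hits": []})
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        p = progress[e["host"]]
        if p["step"] >= len(chain):
            continue  # already alerted on this host
        if p["hits"] and e["ts"] - p["hits"][0]["ts"] > window:
            p.update(step=0, state={}, hits=[])  # partial chain went stale; start over
        etype, check = chain[p["step"]]
        if e["type"] == etype and check(e, p["state"]):
            p["hits"].append(e)
            # Carry forward the fields later steps need to tie events together.
            p["state"].update({k: v for k, v in e.items() if k in ("path", "dst")})
            p["step"] += 1
            if p["step"] == len(chain):
                alerts[e["host"]] = p["hits"]
    return alerts


if __name__ == "__main__":
    for host, hits in correlate(EVENTS).items():
        print(host, "->", [h["type"] for h in hits])
```

Only db1 alerts; the lone SQLi attempt on db2 stays a low-value event, and a bad-reputation match arriving outside the window resets the chain instead of firing.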
