Sometimes, you may find that none of the built-in directives work in your environment, because they do not have the correct conditions defined. In this case, you can create a new directive from scratch.
Let’s see how it works by going through an example.
In this example, we create a custom directive to detect a Denial of Service (DoS) attack that seeks to exhaust a service running on TCP port 139 on a specific server. Many connections from a single host (possibly with bad reputation) to the destination server on port 139 may indicate such an attack. We can check firewall events for connections to the server. After the correlation engine detects that the number of connections is dangerously high, we can also use a monitor plugin to discover if the service on the server is up or down.
The following diagram shows the four correlation levels we plan to use in the directive. The first three correlation rules check for the number of connections to the server using a detector plugin. The last correlation rule checks if the service is up on the server by using a monitor plugin. Every time a rule in the correlation directive identifies an event, the reliability of the directive event increases, thus increasing the risk of the event.
Correlation levels used by the sample directive
Creating this directive involves 6 tasks:
Process: creating a directive from scratch
Task 1: Create a New Directive
To create a new directive
1. Navigate to Configuration > Threat Intelligence, and then click Directives.
2. Click New Directive.
A pop-up window appears displaying the global properties of the directive.
3. Fill out the form as below:
• In Name for the directive, type "DoS Attack at NetBIOS".
• In Intent, select "Delivery & Attack".
• In Strategy, select "Denial of Service – Resource exhaustion".
• In Method, type "Attack".
• Leave the Priority at the default value: 3.
4. Click Next.
The New Directive window displays.
5. Proceed to Task 2: Add a Level 1 Rule, on page 180.
Task 2: Add a Level 1 Rule
This task adds a level 1 rule for the directive created in Task 1: Create a New Directive, on page 179.
In this rule, we try to match one Cisco ASA Access Permitted event on a particular server on port 139.
To add a level 1 rule
1. In Name for the Rule, type "Established connections", and then click Next.
2. In Rule name > Plugin, type "cisco-asa" in the search box, and then click Cisco-ASA.
3. In Rule name > Plugin > Event Type,
a. Type "permitted" in the search box.
106102–ASA: A packet was either permitted or denied by an acces… and 710002–ASA: Access Permitted display in the right column.
b. To select the event types identified, click the plus (+) sign to the right of the event types.
c. Click Next.
4. In Rule name > Plugin > Event Type > Network,
a. Select your server from the Assets list under Destination Host / Network.
The server appears in Destination.
Note: Leave Source Host / Network and Source Port(s) empty, which means any asset.
b. In Destination Port(s), type "139".
c. (Optional) To specify IP reputation parameters, click the green triangle next to Reputation options, change No to Yes, and then select the Min Priority and Min Reliability values.
Note: For details on IP reputation, see About OTX IP Reputation, on page 16.
d. Click Next.
5. In Rule name > Plugin > Event Type > Network > Reliability, click 1.
Note: We choose a low reliability value because typically the level 1 rule only detects that a certain event occurs, which by itself does not warrant an alarm.
6. Click Finish.
The New Directive window closes.
7. Proceed to Task 3: Add a Level 2 Rule, on page 181.
Task 3: Add a Level 2 Rule
In this task, we try to match the same events selected in Task 2: Add a Level 1 Rule, on page 180.
We want to use the
• same event types
• same source and destination IP addresses
• same destination port
But we want to detect 100 such events this time.
To add a level 2 rule
1. Click the green plus (+) sign at the right side of the first rule, under the Action heading.
The New Rule window displays.
2. Follow steps #1 and #2 in Task 2: Add a Level 1 Rule, on page 180.
3. In Rule name > Plugin > Event Type, click Plugin SID from rule of Level 1.
This selects the same event types as in the level 1 rule.
4. In Rule name > Plugin > Event Type > Network,
a. In Source Host/Network, select "Source IP from level 1" from the From a parent rule list.
b. Leave the Source Ports empty.
c. In Destination Host/Network, select "Destination IP from level 1" from the From a parent rule list.
d. In Destination Port(s), select "Destination Port from level 1" from the From a parent rule list.
5. In Rule name > Plugin > Event Type > Network > Reliability, click +2.
Note: In this step, you can either choose an absolute value (left column) or a relative value (right column). If you select a relative value, as we did, USM adds the value to the reliability set in the previous rule.
6. Click Finish.
The New Directive window closes.
7. In the Timeout column, click "None" in the second rule, type "30" (seconds), and then click OK.
8. In the Occurrence column, click "1" in the second rule, type "100", and then click OK.
9. Proceed to Task 4: Repeat Task 3 as Needed, on page 182 or Task 5: Add the Last Rule, on page 182.
Task 4: Repeat Task 3 as Needed
You can repeat this task as many times as necessary. In this example, we want to add another rule (level 3) to detect the same events as in the previous rule but with 1000 occurrences.
To add the level 3 rule
1. Click the green plus (+) sign at the right side of the second rule, under the Action heading.
The New Rule window displays.
2. Follow steps #2 to #7 in Task 3: Add a Level 2 Rule, on page 181.
3. In the Occurrence column, click "1" in the second rule, type "1000", and then click OK.
4. Proceed to Task 5: Add the Last Rule, on page 182.
Task 5: Add the Last Rule
In the last rule for this example, we use a monitor type plugin to check whether the service is still up after a suspected attack.
To add the last rule
1. Click the green plus (+) sign at the right side of the third rule, under the Action heading.
The New Rule window displays.
2. In Name for the Rule, type "Service Up", and then click Next.
3. In Rule name > Plugin, type "nmap" in the search box, and then click NMAP-Monitor.
4. In Rule name > Plugin > Event Type, select nmap-monitor: TCP Port closed.
This event type indicates that a TCP port on the destination server is closed or not responding to requests.
5. In Rule name > Plugin > Event Type > Network,
a. In Source Host/Network, select "Source IP from level 1" from the From a parent rule list.
b. Leave the Source Ports empty.
c. In Destination Host/Network, select "Destination IP from level 1" from the From a parent rule list.
d. In Destination Port(s), select "Destination Port from level 1" from the From a parent rule list.
6. In Rule name > Plugin > Event Type > Network > Reliability, click +6.
7. Click Finish.
The New Directive window closes.
8. In the Timeout column, click "None" in the last rule, type "1" (second), and then click OK.
9. In the Occurrence column, click "1" in the last rule, type "3", and then click OK.
The directive looks similar to this one:
10. Proceed to Task 6: Restart Server, on page 184.
Task 6: Restart Server
To apply all the changes made
1. Click Restart Server. The Restart Server text displays in red, indicating that an action is required.
2. Click Yes to confirm when prompted.
This does not restart the appliance; instead, it restarts the ossim-server process running on the USM Server.
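To make the behaviour of the finished directive concrete, the following is an added example (not AlienVault code) that simulates the four rules from Tasks 1 to 5 over a constructed event stream: it walks the levels in order, enforces each rule's occurrence count and timeout, resolves the "from level 1" source and destination references, and accumulates the absolute and relative reliability values. The server address 10.0.0.5, the attacker address 192.0.2.10 and the risk formula (asset value × priority × reliability / 25, the formula AlienVault documents for OSSIM) are assumptions of this example, not values from the page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Level:
    name: str
    plugin: str               # plugin whose events this rule matches
    occurrence: int           # events needed to satisfy the rule
    timeout: Optional[float]  # seconds allowed to collect them (None = no limit)
    reliability: int          # absolute value for level 1, relative (+n) afterwards
    relative: bool = False

# The four rules built in Tasks 1-5 (directive priority 3, server port 139).
LEVELS = [
    Level("Established connections", "cisco-asa", 1, None, 1),
    Level("100 connections", "cisco-asa", 100, 30, 2, relative=True),
    Level("1000 connections", "cisco-asa", 1000, 30, 2, relative=True),
    Level("Service Up", "nmap-monitor", 3, 1, 6, relative=True),  # TCP port closed
]
PRIORITY = 3

def correlate(events, server="10.0.0.5", port=139):
    """events: time-sorted (ts, plugin, src, dst, dport) tuples. Returns (levels matched, reliability)."""
    matched, reliability, attacker, started, count = 0, 0, None, None, 0
    for ts, plugin, src, dst, dport in events:
        if matched == len(LEVELS):
            break
        lvl = LEVELS[matched]
        if lvl.timeout is not None and ts - started > lvl.timeout:
            break                 # rule timed out: correlation stops at the current level
        if plugin != lvl.plugin or dst != server or dport != port:
            continue              # wrong plugin, or not our server on port 139
        if attacker is None:
            attacker = src        # level 1 fixes "Source IP from level 1"
        elif src != attacker:
            continue              # parent-rule reference does not match this event
        count += 1
        if count >= lvl.occurrence:
            reliability = reliability + lvl.reliability if lvl.relative else lvl.reliability
            matched, count, started = matched + 1, 0, ts   # next rule's timeout starts now
    return matched, min(reliability, 10)

def risk(reliability, asset_value):
    # Assumed OSSIM formula: risk = asset value * priority * reliability / 25, capped at 10
    return min(10, asset_value * PRIORITY * reliability // 25)

def sample_attack():
    """Constructed stream: 1101 permitted connections from one host in ~22 s, then three
    nmap-monitor results reporting port 139 closed (assumed addresses)."""
    ev = [(i * 0.02, "cisco-asa", "192.0.2.10", "10.0.0.5", 139) for i in range(1101)]
    return ev + [(22.1 + i * 0.2, "nmap-monitor", "192.0.2.10", "10.0.0.5", 139) for i in range(3)]

def sample_slow():
    """Constructed stream: 60 connections over 41 s, too slow for the 30 s level 2 timeout."""
    return [(i * 0.7, "cisco-asa", "192.0.2.10", "10.0.0.5", 139) for i in range(60)]
```

The fast stream reaches all four levels (reliability 1 → 3 → 5 → 10, capped), while the slow stream stops at level 1 with reliability 1 because the 100 occurrences never arrive inside the 30-second window.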