Mumbai Security and Compliance User Group

  • 1.  Threshold EPS Alert

    Posted Apr 09, 2012 07:03 AM

    Hi All,

    I want to have an alert from SSIM whenever any device's EPS reaches some pre-defined threshold value.

    How can I achieve this?

    Is it necessary to write a correlation rule for this?

    Or

    is there any other way to do this?



  • 2.  RE: Threshold EPS Alert

    Posted Apr 10, 2012 10:58 AM
    Hi,

    Try something like this:

    - Rule Type = Many to One
    - Criteria may be very different; for testing purposes you can use Product = Generic Syslog Event Collector
    - One-Many Fields = Collector Sensor
    - Many-One Fields = Unique Event ID
    - Tracking Fields = Collector Sensor
    - Event Count = 500
    - Time Span = 1 sec
    - Table Size = 1000
    - Correlate by Resource and Conclusion Type
    - Resource Field = Collector Sensor

    It's only an example of a rule which can provide information about a high EPS rate. In this case an incident (or alert) will be created if SSIM receives at least 500 events within 1 second from a single sensor.

    Regards


  • 3.  RE: Threshold EPS Alert

    Posted Apr 10, 2012 06:35 PM

    There is already a rule in your system rules that can do that. Forgot the exact name.



  • 4.  RE: Threshold EPS Alert

    Posted Apr 11, 2012 07:55 AM
    There is a rule 'Sensor EPS Monitor' that can generate an alert if statistics events contain information about high EPS, but it's based on SIM Statistics Events, which provide some kind of average EPS rate using the stat_eps field. My example has a little bit different approach because the rule counts actual events within a defined time interval. I used 500 events within 1 second, but the rule can be modified in the following way: 5000 events within 10 seconds - both cases can be interpreted as EPS = 500. The main disadvantage of my rule is that a very long time span can have an impact on SSIM correlation performance. Ultimately, both rules can be used in the same environment but against different sensors, with different time spans etc... everything depends on what situation exactly should be monitored :)


  • 5.  RE: Threshold EPS Alert

    Posted Apr 12, 2012 01:51 AM

    Thank you guys for such helpful responses.

    Actually I am trying to monitor my firewall EPS: if some high traffic hits my firewalls then I want a notification through SSIM.

    The problem is that I don't have individual sensors for all of my firewalls, due to some firewall management servers.

    So I guess, in this case 'Sensor EPS Monitor' will not work for me...

    but I will try both ideas and will check the output and performance.

    Thanks again Antilles & Laurent.
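    The counting behaviour of the Many to One rule from post 2, and the 500-in-1-second versus 5000-in-10-seconds variants discussed in post 4, can be checked offline before building the rule in SSIM. The block below is an added example written for this page; it is not SSIM code and not anything the posters supplied. It is a plain Python sliding-window counter keyed on a tracking field, fed with constructed events: a one-second burst of 600 events from one firewall plus a steady 5 events/s from another, both arriving through the same collector sensor, which is the management-server situation described in post 5. The field names `sensor` and `device_ip` are assumptions for the example (SSIM's own field names for the device behind a management server are not given in the thread); the point is that tracking by a per-device field still isolates the noisy firewall when the collector sensor is shared.

```python
from collections import defaultdict, deque


def constructed_events():
    """Constructed sample data, not captured from any SSIM deployment.

    - 10.0.0.1: burst of 600 events spread across one second (t = 100.0 .. 100.998)
    - 10.0.0.2: steady 5 events/s for 30 seconds (t = 90.0 .. 119.8)
    Both devices report through a single collector sensor, as in post 5.
    """
    events = []
    for i in range(600):
        events.append({"ts": 100.0 + i / 600.0,
                       "sensor": "fw-mgmt-collector",   # assumed field/value
                       "device_ip": "10.0.0.1"})        # assumed field/value
    for i in range(150):
        events.append({"ts": 90.0 + i * 0.2,
                       "sensor": "fw-mgmt-collector",
                       "device_ip": "10.0.0.2"})
    events.sort(key=lambda e: e["ts"])                  # the rule expects time order
    return events


class ManyToOneRateRule:
    """Sliding-window event counter per tracking-field value.

    Mirrors the Event Count / Time Span / Tracking Fields settings from post 2:
    an alert is raised when at least `event_count` events sharing the same
    tracking value fall inside the last `time_span` seconds (window bounds are
    inclusive). The window for that value is then cleared so one burst yields
    one alert instead of one alert per further event.
    """

    def __init__(self, tracking_field, event_count, time_span):
        self.tracking_field = tracking_field
        self.event_count = event_count
        self.time_span = float(time_span)
        # One deque of timestamps per tracking value. Because the window is
        # cleared on firing, a deque never holds more than event_count entries,
        # but every distinct tracking value keeps its own; this per-value state
        # is the memory cost that grows with long time spans (post 4's caveat).
        self.windows = defaultdict(deque)

    def feed(self, event):
        key = event[self.tracking_field]
        window = self.windows[key]
        window.append(event["ts"])
        cutoff = event["ts"] - self.time_span
        while window and window[0] < cutoff:      # drop events older than the span
            window.popleft()
        if len(window) >= self.event_count:
            alert = {"tracking": key,
                     "count": len(window),
                     "at": event["ts"],
                     "eps": len(window) / self.time_span}
            window.clear()
            return alert
        return None


def run_rule(rule, events):
    """Feed time-ordered events through a rule and collect the alerts it raises."""
    alerts = []
    for event in events:
        alert = rule.feed(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    events = constructed_events()
    for label, rule in [
        ("500 in 1 s, tracked by collector sensor", ManyToOneRateRule("sensor", 500, 1)),
        ("500 in 1 s, tracked by device IP", ManyToOneRateRule("device_ip", 500, 1)),
        ("5000 in 10 s, tracked by collector sensor", ManyToOneRateRule("sensor", 5000, 10)),
    ]:
        print(label, "->", run_rule(rule, events))
```

Running it shows three things a practitioner would want to confirm before trusting the rule: the 500/1 s rule keyed on the collector sensor fires once, but the alert only names the shared sensor; the same rule keyed on the device IP fires once and names 10.0.0.1, while the steady 10.0.0.2 never trips it; and the 5000/10 s variant does not fire at all on this data, because a one-second burst of 600 events averages out over a ten-second window even though both settings describe "EPS = 500". The longer span therefore trades burst sensitivity for smoothing, on top of the per-value state cost noted in post 4.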