Correlating multiple snort IDS with ospatrolΒΆ

I was asked recently what is the best way to correlate multiple snort events with OSPatrol. The idea would be to generate an ospatrol alert (by e-mail and possible an active response) if a specific number of snort rules are fired from the same source IP address (in any order)..

The easiest way to solve this is by creating a local ospatrol rule (inside local_rules.xml) to match if any of the desired snort signatures are fired:

<rule id=”100015” level=”6”>
<if_sid>20101</if_sid> <decoded_as>snort</decoded_as> <id>1:xx|1:yy|1:zz</id> <description>Watched snort ids</description>

</rule>

Note that 1:xx, 1:yy are the snort ids that you are interested to watch. We use the <if_sid> to make sure that this rule is only tested if it is an IDS event (see rule 20101).

Now, we create another ospatrol rule with a higher severity that will only be fired if the above rule (100015) is generated at least 4 times from the same source ip within 3 minutes (180 seconds):

<rule id="100016" frequency="4" level="10" timeframe="180">
  <if_matched_sid>100015</if_matched_sid>
  <same_source_ip />
  <description>Multiple snort alerts with the watched ids</description>
</rule>

This idea can be extended to any other log format that you want to monitor.