Create a New Cross-Correlation Rule

Applies to Product: USM Appliance™ AlienVault OSSIM®

In this example, we explain how to create a cross-correlation rule to detect a MySQL authentication bypass attempt with an empty password.

To create a new cross-correlation rule

  1. Go to Configuration > Threat Intelligence > Cross Correlation, and then click New.
  2. In Data Source Name, select "AlienVault NIDS".

    USM Appliance loads the Event Type list for AlienVault NIDS.

  3. In Reference Data Source Name, select "nessus-detector", which represents the AlienVault Vulnerability Scanner.

    USM Appliance loads the Reference SID Name list for the Vulnerability Scanner.

  4. In Event Type, select "MYSQL client authentication bypass attempt”.

    Note: It takes a while for the list to display because it is long.

  5. In Reference SID Name , select "nessus: MySQL Authentication bypass through a zero-length password".
  6. Click Create Rule.

Insert New Cross Correlation Rule from Threat Intelligence.