Create a New Cross-Correlation Rule

Applies to Product: USM Appliance™ LevelBlue OSSIM®

In this example, we explain how to create a cross-correlation rule to detect a MySQL authentication bypass attempt with an empty password.

To create a new cross-correlation rule

  1. Go to Configuration > Threat Intelligence > Cross Correlation, and then click New.
  2. In Data Source Name, select "LevelBlue NIDS".

    USM Appliance loads the Event Type list for LevelBlue NIDS.

  3. In Reference Data Source Name, select "nessus-detector", which represents the LevelBlue Vulnerability Scanner.

    USM Appliance loads the Reference SID Name list for the Vulnerability Scanner.

  4. In Event Type, select "MYSQL client authentication bypass attempt".

    Note: It takes a while for the list to display because it is long.

  5. In Reference SID Name, select "nessus: MySQL Authentication bypass through a zero-length password".
  6. Click Create Rule.

Insert New Cross Correlation Rule from Threat Intelligence.
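
A simplified model of what this rule does once saved, added here as an illustration and not USM Appliance code: a NIDS event is treated as corroborated only when the vulnerability scanner has reported the linked finding on the event's destination host. The record fields (`dst_ip`, `host`, `sid_name`) and the sample addresses are assumptions; the data source, event type and reference names are the ones selected in the steps above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CrossCorrelationRule:
    data_source: str
    event_type: str
    reference_data_source: str
    reference_sid_name: str


# The rule built in the steps above, using the names shown in the UI.
RULE = CrossCorrelationRule(
    data_source="LevelBlue NIDS",
    event_type="MYSQL client authentication bypass attempt",
    reference_data_source="nessus-detector",
    reference_sid_name="nessus: MySQL Authentication bypass through a zero-length password",
)


def cross_correlate(events, findings, rules):
    """Return (event, corroborated) pairs.

    An event is corroborated when a rule links its data source and event type
    to a scanner finding recorded for the event's destination host.
    """
    by_host = {}  # host -> {(scanner source, finding name)}
    for f in findings:
        by_host.setdefault(f["host"], set()).add((f["source"], f["sid_name"]))
    results = []
    for ev in events:
        host_findings = by_host.get(ev["dst_ip"], set())
        hit = any(
            r.data_source == ev["data_source"]
            and r.event_type == ev["event_type"]
            and (r.reference_data_source, r.reference_sid_name) in host_findings
            for r in rules
        )
        results.append((ev, hit))
    return results


# Constructed sample data (documentation address ranges, hypothetical field names).
FINDINGS = [{"host": "192.0.2.10", "source": "nessus-detector", "sid_name": RULE.reference_sid_name}]
EVENTS = [
    {"data_source": "LevelBlue NIDS", "event_type": RULE.event_type, "dst_ip": "192.0.2.10"},
    {"data_source": "LevelBlue NIDS", "event_type": RULE.event_type, "dst_ip": "192.0.2.11"},
]

if __name__ == "__main__":
    for ev, hit in cross_correlate(EVENTS, FINDINGS, [RULE]):
        print(ev["dst_ip"], "corroborated" if hit else "no matching finding")
```

Only the event aimed at the host with the matching scanner finding is corroborated; the same event against a host without that finding is not.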