Tutorial: Create a New Directive to Detect DoS Attack

Applies to Product: USM Appliance™ LevelBlue OSSIM®

Sometimes, you may find that none of the built-in directives work in your environment because they do not have the correct conditions defined. In this case, you can create a new directive from scratch. Let’s see how it works by going through an example.

In this example, we create a custom directive to detect a Denial of Service (DoS) attack that seeks to exhaust a service running on TCP port 139 (the NetBIOS Session Service) on a specific server. A large number of connections from a single host (possibly one with a bad reputation) to the server on port 139 may indicate such an attack. We can check firewall events for connections to the server and trigger an alarm once the correlation engine detects that the number of connections from one source is dangerously high.

The following diagram shows the three correlation levels we plan to use in the directive. Each of the three correlation rules counts connections to the server as reported by a detector plugin (here, the plugin for the firewall). Every time a rule in the correlation directive matches, the reliability of the directive event increases; because risk is derived from the asset value, the directive priority and the reliability, a higher reliability also raises the risk of the event, so only the later levels should reach the risk threshold that generates an alarm.
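The escalation described above, reduced to a small stand-alone correlator over constructed firewall log lines (this is an added example, not code or configuration from the original tutorial or from the USM Appliance correlation engine). The per-level occurrence counts, the 60-second window, the line format, the IP addresses and the asset value and priority are all assumptions chosen for illustration; the risk formula is the one USM uses, risk = (asset value * priority * reliability) / 25, truncated to an integer.

```python
"""Toy three-level correlation of firewall events into a port-139 DoS directive."""
import re
from collections import defaultdict, deque

# Assumed directive parameters (not taken from the original tutorial): a level
# fires once this many connections from one source to the target port have
# been seen inside WINDOW_SECONDS, and each level raises the reliability.
LEVELS = [
    {"occurrence": 10, "reliability": 3},
    {"occurrence": 50, "reliability": 6},
    {"occurrence": 100, "reliability": 9},
]
WINDOW_SECONDS = 60
TARGET_PORT = 139
ASSET_VALUE = 4   # assumed asset value (0-5) of the protected server
PRIORITY = 4      # assumed priority (0-5) of the directive

# Constructed firewall line format, e.g.
#   "1700000000 ACCEPT src=10.0.0.7 dst=192.168.1.20 proto=tcp dport=139"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=tcp dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed firewall line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": int(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"])}


def risk(reliability, asset_value=ASSET_VALUE, priority=PRIORITY):
    """USM risk: (asset value * priority * reliability) / 25, as an integer 0-10."""
    return int(asset_value * priority * reliability / 25)


def correlate(lines):
    """Replay firewall lines in order and return the directive events emitted.

    Connections are tracked per (source, destination) pair; timestamps older
    than WINDOW_SECONDS are discarded, so a slow trickle never reaches a level.
    """
    hits = defaultdict(deque)   # (src, dst) -> timestamps of port-139 connections
    fired = defaultdict(int)    # (src, dst) -> number of levels already fired
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != TARGET_PORT:
            continue
        key = (ev["src"], ev["dst"])
        window = hits[key]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > WINDOW_SECONDS:
            window.popleft()
        level = fired[key]
        if level < len(LEVELS) and len(window) >= LEVELS[level]["occurrence"]:
            rel = LEVELS[level]["reliability"]
            events.append({"level": level + 1, "src": ev["src"], "dst": ev["dst"],
                           "count": len(window), "reliability": rel,
                           "risk": risk(rel)})
            fired[key] = level + 1
    return events


def build_sample_log():
    """Constructed sample: one host hammering port 139 (4 connections/second),
    a host with three legitimate connections, a slow trickle that stays under
    the window, a port-445 host, and one malformed line."""
    t = 1700000000
    lines = []
    for i in range(120):  # 120 connections spread over 30 seconds
        lines.append(f"{t + i // 4} ACCEPT src=203.0.113.9 dst=192.168.1.20 proto=tcp dport=139")
    for i in range(3):
        lines.append(f"{t + i} ACCEPT src=10.0.0.7 dst=192.168.1.20 proto=tcp dport=139")
    for i in range(20):   # one connection every 61 seconds: never 10 in a window
        lines.append(f"{t + i * 61} ACCEPT src=10.0.0.9 dst=192.168.1.20 proto=tcp dport=139")
    for i in range(200):
        lines.append(f"{t + i} ACCEPT src=10.0.0.8 dst=192.168.1.20 proto=tcp dport=445")
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for e in correlate(build_sample_log()):
        print(e)
```

Run as a script, the block reports three directive events for 203.0.113.9 only, at 10, 50 and 100 connections, with reliability 3, 6 and 9 and risk 1, 3 and 5. The slow host 10.0.0.9 never fires because its connections fall out of the window before the first threshold, which is exactly the kind of false-negative the window size trades off against false positives from bursty but legitimate clients.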

Correlation levels used by the sample directive.

Follow the tasks below to create this directive.