SSIM v4.7 Rule-Scan Followed by Exploit appears broken
I've pursued a solution to this problem in several places, including with Symantec, without resolution. I will try to explain the scenario that causes this problem.
1. This issue did not appear to be present in version 4.6 and was first observed after upgrading several independent consoles to 4.7.
2. Observed this issue with many products, including:
- McAfee Intrushield (NIPS)
- ISS SiteProtector (as NIPS and/or HIDS)
- McAfee HIPS (as the exploit conditions, such as blocked intrusion)
Explanation of Issue:
Events come into the SSIM and are affixed with an "Event Date" timestamp. The rule template "X Followed by Y" is the foundation for the system rule "Scan Followed by Exploit", which requires both in order to correlate events. Across every SSIM we operate, we are seeing these conditions being evaluated backwards in terms of their timestamps: the "scan" event will have a date that takes place AFTER the "exploit" event.
To complicate the issue further, many of the "scan" events will have timestamps that are weeks or months old. The default configuration of this rule specifies that both conditions must be met within a 10-minute window. This raises the question: what field is utilized to determine which event arrived first when evaluated by the correlation engine, and why does it "appear" to be evaluating events that bear no resemblance to the required constraints?
Lastly, if this issue is solely a problem with the collectors (sending events that are old), what causes it, and are there any ways we can mitigate this problem? As it stands, we cannot utilize this rule in its current state due to the prevalence of false positives.
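To make the two failure modes in the post concrete (a "scan" whose Event Date is later than the "exploit", and a "scan" stamped weeks old arriving just before a current "exploit"), here is an added toy "X Followed by Y" correlator. It is example code written for this thread, not SSIM code, and nothing in it is known about how SSIM's engine actually orders events; the `Event` record, the constructed sample feed, the `ENGINE_NOW` clock and the `MAX_AGE` staleness cutoff are all assumptions. It contrasts a correlator that pairs events in arrival order with one that sorts on Event Date, enforces the 10-minute window, and rejects stale events before correlating.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    seq: int              # arrival order at the correlation engine (assumed field)
    event_date: datetime  # the "Event Date" stamped on the event
    src_ip: str
    kind: str             # "scan" or "exploit"


WINDOW = timedelta(minutes=10)   # "X Followed by Y" window from the rule default
MAX_AGE = timedelta(hours=1)     # hypothetical cutoff for events a collector delivers late

# Hypothetical engine clock used as "now" for the staleness check.
ENGINE_NOW = datetime(2010, 3, 15, 12, 0, 0)

# Constructed sample feed; list order is arrival order (seq).
SAMPLE_EVENTS: List[Event] = [
    # Case 1: scan arrives first but is stamped three weeks old; exploit is current.
    Event(1, ENGINE_NOW - timedelta(days=21), "10.1.1.5", "scan"),
    Event(2, ENGINE_NOW - timedelta(minutes=1), "10.1.1.5", "exploit"),
    # Case 2: scan arrives before the exploit, but its Event Date is AFTER the exploit's.
    Event(3, ENGINE_NOW - timedelta(minutes=2), "10.1.1.6", "scan"),
    Event(4, ENGINE_NOW - timedelta(minutes=5), "10.1.1.6", "exploit"),
    # Case 3: genuine sequence, scan at T and exploit at T+3min, but the exploit
    # record reached the engine first (collector delay).
    Event(5, ENGINE_NOW - timedelta(minutes=3), "10.1.1.7", "exploit"),
    Event(6, ENGINE_NOW - timedelta(minutes=6), "10.1.1.7", "scan"),
]


def alerts_by_arrival(events: List[Event]) -> List[Tuple[int, int]]:
    """Fire whenever an exploit ARRIVES after a scan from the same source.

    Event Date is ignored entirely, so cases 1 and 2 produce false positives
    and case 3 (exploit arrived before its scan) is missed.
    """
    alerts: List[Tuple[int, int]] = []
    last_scan: Dict[str, Event] = {}
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "scan":
            last_scan[ev.src_ip] = ev
        elif ev.kind == "exploit" and ev.src_ip in last_scan:
            alerts.append((last_scan[ev.src_ip].seq, ev.seq))
    return alerts


def stale_events(events: List[Event], now: datetime = ENGINE_NOW,
                 max_age: timedelta = MAX_AGE) -> List[int]:
    """Return seq numbers of events whose Event Date is older than max_age.

    Counting these per collector is one way to find which collector is
    replaying old events.
    """
    return [e.seq for e in events if now - e.event_date > max_age]


def alerts_by_event_date(events: List[Event], now: datetime = ENGINE_NOW,
                         window: timedelta = WINDOW,
                         max_age: timedelta = MAX_AGE) -> List[Tuple[int, int]]:
    """Drop stale events, order by Event Date, and require
    scan.event_date < exploit.event_date <= scan.event_date + window."""
    stale = set(stale_events(events, now, max_age))
    alerts: List[Tuple[int, int]] = []
    scans: Dict[str, Event] = {}
    for ev in sorted((e for e in events if e.seq not in stale),
                     key=lambda e: e.event_date):
        if ev.kind == "scan":
            scans[ev.src_ip] = ev
        elif ev.kind == "exploit":
            scan = scans.get(ev.src_ip)
            if scan and scan.event_date < ev.event_date <= scan.event_date + window:
                alerts.append((scan.seq, ev.seq))
    return alerts


if __name__ == "__main__":
    print("arrival order :", alerts_by_arrival(SAMPLE_EVENTS))
    print("stale events  :", stale_events(SAMPLE_EVENTS))
    print("event date    :", alerts_by_event_date(SAMPLE_EVENTS))
```

On the constructed feed the arrival-order correlator fires on both bogus pairs (cases 1 and 2) and misses the genuine one, while the Event-Date correlator fires only on case 3 and reports the three-week-old scan as stale. Whether the real engine keys on Event Date, a collector receipt time, or something else is exactly the open question in the post; the staleness cutoff is one mitigation that would suppress the old-timestamp false positives regardless of the answer, at the cost of losing correlations for events a collector genuinely delivers late.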