[netsa-tools-discuss] Planning to offload Qradar SIEM noisy rules to SILK

asad a.alii85 at gmail.com
Mon Nov 9 03:03:39 EST 2015


Hello,

This is to update the community that the work was done using the following
folder directories, which make the job of getting "event-full" information a lot
easier for Cisco ASA. Below is how SiLK identifies the nature of flows coming
into its pipeline.



in  innull  int2int  inweb  out  outnull  outweb

regards
asad

On 11/2/15, asad <a.alii85 at gmail.com> wrote:
> Hello,
>
> I have an interesting case, where the SIEM QRadar is busy 90% of the time using
> information from the traffic logs of different firewalls, e.g. Cisco ASA. This was
> done before the introduction of SILK into the environment.
>
> Now, these rules, the way they work, are very useful for correlation itself, for
> e.g. in a 1-hour window 100 different destinations were communicated with on the
> same dest port and from the same source IP.
>
> QRadar has built-in rules that use data from the traffic log to detect this
> suspicious traffic, which after analysis comes out as either scanners, malware
> or just noisy servers, i.e. NMS.
>
> My plan is to transfer the logic behind these rules to the SILK analysis
> pipeline; for a start I'm using Cisco ASA since it is the noisiest log
> source into the SIEM.
>
> Most of the conditions in the logic are fairly easy to transfer into the
> alerting parameters provided with pipeline.conf; however, I don't know how
> I can reproduce the following. For example, certain rules work in the SIEM based
> upon the event name coming from the Cisco ASA traffic log, e.g. "firewall accepts,
> firewall deny, session open and session close".
>
> I know that the Cisco ASA NSEL format is event driven; there is no FLAGS
> information that goes into the flow data from the Cisco ASA. Thus, I want to know:
> in the absence of FLAGS information, does SILK provide the ability to
> gather 'event-name' information, e.g. session created, that can be used as part
> of a filter or, better, an alerting condition?
>
> Without the event-name info it's very difficult to replicate the logic
> in SILK.
>
> Hoping for some assistance on the issue.
>
> regards
> asad
>
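The rule quoted above (one source IP reaching 100 distinct destinations on the same destination port within an hour) depends only on who talked to whom, so it can be reproduced from flow records without TCP flags or ASA event names. The following is an added example, not SiLK code and not code from the thread; it assumes a constructed pipe-separated `sIP|dIP|dPort|sTime` text format (not real rwcut output) and uses a sliding one-hour window rather than fixed hourly bins.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y/%m/%dT%H:%M:%S"     # timestamp layout of the constructed input
WINDOW = timedelta(hours=1)   # the rule's time span from the post
THRESHOLD = 100               # distinct destinations, as in the post

def parse_flows(text):
    """Parse constructed 'sIP|dIP|dPort|sTime' lines into tuples."""
    flows = []
    for line in text.strip().splitlines():
        sip, dip, dport, stime = [f.strip() for f in line.split("|")]
        flows.append((sip, dip, int(dport), datetime.strptime(stime, FMT)))
    return flows

def fanout_alerts(flows, threshold=THRESHOLD, window=WINDOW):
    """Return {(sIP, dPort): peak distinct-dIP count} for each source/port
    pair that reaches the threshold inside any sliding one-hour window.
    No TCP flags or ASA event names are needed, only who talked to whom."""
    by_key = defaultdict(list)
    for sip, dip, dport, ts in flows:
        by_key[(sip, dport)].append((ts, dip))
    alerts = {}
    for key, recs in by_key.items():
        recs.sort()
        start, seen = 0, defaultdict(int)   # seen: dIP -> flows in window
        for ts, dip in recs:
            seen[dip] += 1
            while recs[start][0] < ts - window:   # expire records > 1h old
                old = recs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts

# Constructed sample: 10.0.0.5 reaches 120 hosts on 445 within 30 minutes
# (scanner-like); 10.0.0.9 polls 120 hosts on 161 but only one every two
# minutes, so no one-hour window ever holds 100 distinct destinations.
BASE = datetime(2015, 11, 2, 10, 0, 0)
SAMPLE = "\n".join(
    [f"10.0.0.5|10.1.0.{i}|445|{BASE + timedelta(seconds=15 * i):{FMT}}"
     for i in range(1, 121)] +
    [f"10.0.0.9|10.1.0.{i}|161|{BASE + timedelta(minutes=2 * i):{FMT}}"
     for i in range(1, 121)])
if __name__ == "__main__":
    print(fanout_alerts(parse_flows(SAMPLE)))   # {('10.0.0.5', 445): 120}
```

Lowering the threshold shows the noisy-server case the post mentions: the polling host peaks at 31 distinct destinations per hour, which is why NMS traffic surfaces under loose rules.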

