Open alisle opened 11 years ago
Start by using the AV Taxonomy:
- Exploit: Exploit-Shellcode, Exploit-SQL_Injection, Exploit-Browser, Exploit-ActiveX, Exploit-Command_Execution, Exploit-Cross_Site_Scripting, Exploit-FTP, Exploit-File_Inclusion, Exploit-Windows, Exploit-Directory_Traversal, Exploit-Attack_Response, Exploit-Denial_Of_Service, Exploit-PDF, Exploit-Buffer_Overflow, Exploit-Spoofing, Exploit-Format_String, Exploit-Misc, Exploit-DNS, Exploit-Mail, Exploit-Samba, Exploit-Linux
- Authentication: Authentication-Bruteforce, Authentication-Bypass, Authentication-Login, Authentication-Failed, Authentication-Cleartext, Authentication-Logout, Authentication-Disclosure, Authentication-Default_Credentials, Authentication-Policy_Added, Authentication-Policy_Changed, Authentication-Policy_Deleted, Authentication-FTP_Login_Succeeded, Authentication-FTP_Login_Failed, Authentication-Password_Change_Failed, Authentication-Password_Change_Succeeded, Authentication-User_Created, Authentication-User_Deleted, Authentication-User_Changed, Authentication-Admin_Access, Authentication-Group_Added, Authentication-Group_Deleted, Authentication-Group_Changed, Authentication-Auth_Required, Authentication-Account_Lockout, Authentication-Account_Unlocked, Authentication-Error, Authentication-Misc
- Access: Access-Web_Application_Access, Access-File_Access, Access-Misc, Access-Firewall_Permit, Access-Firewall_Deny, Access-ACL_Permit, Access-ACL_Deny, Access-Traffic_Inbound, Access-Traffic_Outbound, Access-Firewall_Misc_Event, Access-File_Blocked, Access-Tunnel_Connection, Access-Tunnel_Closed, Access-Connection_Opened, Access-Connection_Closed, Access-Timeout
- Malware: Malware-Spyware, Malware-Adware, Malware-Fake_Antivirus, Malware-KeyLogger, Malware-Trojan, Malware-Virus, Malware-Worm, Malware-Generic, Malware-Backdoor, Malware-Virus_Detected
- Policy: Policy-Porn, Policy-P2P, Policy-Instant_Messaging_Chat, Policy-Anonymity, Policy-Games, Policy-Other, Policy-Phishing, Policy-Check_Failed, Policy-Check_Passed
- Denial_Of_Service: Denial_Of_Service-Web_Application, Denial_Of_Service-Application, Denial_Of_Service-Flood, Denial_Of_Service-DDoS, Denial_Of_Service-Other
- Suspicious: Suspicious-Blacklist_Address, Suspicious-Web_Attack_or_Scan, Suspicious-Bad_Traffic, Suspicious-Network_Activity, Suspicious-Scada_Activity, Suspicious-DNS_Activity, Suspicious-SSH_Activity, Suspicious-NFS_Activity, Suspicious-Database_Activity, Suspicious-Netbios_Activity, Suspicious-RPC_Activity, Suspicious-Mail_Activity, Suspicious-Network_Anomaly, Suspicious-DNS_Protocol_Anomaly, Suspicious-SSH_Protocol_Anomaly, Suspicious-Telnet_Protocol_Anomaly, Suspicious-HTTP_Protocol_Anomaly, Suspicious-Mail_Protocol_Anomaly, Suspicious-FTP_Protocol_Anomaly, Suspicious-Threshold_Exceeded
- Network: Network-TFTP_Activity, Network-FTP_Activity, Network-SNMP_Activity, Network-SMTP_Activity, Network-Telnet_Activity, Network-NTP_Activity, Network-SIP_Activity, Network-DHCP_Activity, Network-IKE_Activity, Network-H.323_Activity, Network-PPP_Activity, Network-OCSP_Activity, Network-L2TP_Activity, Network-RIP_Activity, Network-PPTP_Activity, Network-SSL_Activity, Network-IGMP_Activity, Network-IPSEC_Activity, Network-PKI_Activity, Network-BOOTP_Activity, Network-Misc, Network-High_Load
- Recon: Recon-Misc, Recon-Scanner
- Info: Info-Misc
- Antivirus: Antivirus-Virus_Detected, Antivirus-Virus_Quarantine, Antivirus-Virus_Quarantine_Failed, Antivirus-Definitions_Updated, Antivirus-Definitions_Updated_Failed, Antivirus-Unknown_Event, Antivirus-Started, Antivirus-Disabled, Antivirus-Scan_Started, Antivirus-Scan_Finished, Antivirus-Error
- System: System-Configuration_Error, System-Warning, System-Emergency, System-Critical, System-Error, System-Notification, System-Information, System-Debug, System-Alert, System-Service_Started, System-Service_Stopped, System-Process_Started, System-Process_Stopped, System-Restart, System-Started, System-Stopped, System-Locked, System-Unlocked, System-Configuration_Changed, System-Software_Installed
- Application: Application-Web_Opened, Application-Web_Closed, Application-Web_Reset, Application-Web_Terminated, Application-Web_Denied, Application-Web_Redirected, Application-Web_Proxy, Application-Web_Error, Application-Web_Misc, Application-Web_Not_Found, Application-Spam_Detected, Application-Mail_Dropped, Application-Mail_Sent, Application-Mail_Server_Misc, Application-Mail_Received, Application-VPN_Opened, Application-VPN_Closed, Application-VPN_Denied, Application-VPN_Misc, Application-Web_Modified, Application-DHCP_Release, Application-DHCP_Misc, Application-DHCP_Request, Application-DHCP_Lease, Application-DHCP_Pool_Exhausted, Application-DHCP_Error, Application-DNS_Succesful_Zone_Tranfer, Application-DNS_Zone_Transfer_Failed, Application-DNS_Misc, Application-FTP_Command_Executed, Application-FTP_Error, Application-FTP_Connection_Opened, Application-FTP_Connection_Closed, Application-FTP_Misc
- Voip: Voip-Call_Started, Voip-Call_Ended, Voip-Misc
- Alert: Alert-IDS_Alert, Alert-IPS_Alert, Alert-HostIDS_Alert
- Availability: Availability-State_Up, Availability-State_Down, Availability-State_Critical, Availability-State_Warning, Availability-State_Unknown, Availability-State_Unreachable
- Wireless: Wireless-New_Network, Wireless-Client_Associated, Wireless-Flood, Wireless-Disassociation, Wireless-Deauthentication, Wireless-Anomaly, Wireless-Spoofing, Wireless-Scanner_Detected, Wireless-Misc, Wireless-Probe
- Inventory: Inventory-Service_Detected, Inventory-Service_Change, Inventory-Service_Misc, Inventory-Operating_System_Detected, Inventory-Operating_System_Change, Inventory-Operating_System_Misc, Inventory-Mac_Detected, Inventory-Mac_Change, Inventory-Mac_Misc
- Honeypot: Honeypot-Connection_Opened, Honeypot-Attack_Detected, Honeypot-Connection_Closed, Honeypot-Misc
- Database: Database-Login, Database-Login_Failed, Database-Query, Database-Logout, Database-Stop, Database-Start, Database-Error, Database-Misc
However, this doesn't seem complete.
The taxonomy needs to be defined and be fairly complete before the correlation engine can be worked on.
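As an added example (not code from this issue or from the project), here is one way a correlation engine can consume a taxonomy in the `Category-Subcategory` form listed above: labels are parsed into a two-level map, every incoming event is validated against it, and a rule keys on taxonomy labels rather than on raw vendor strings. The label subset, the event record shape (`ts`, `src`, `label`) and the sample events are all constructed for this illustration. Rejecting unknown labels instead of mapping them to a `Misc` bucket is deliberate: it surfaces exactly the taxonomy gaps the issue is asking to close before rules are written.

```python
"""Normalize events onto a Category-Subcategory taxonomy and run one rule.

Added example, not part of the issue or the project's code. The labels are a
subset of the taxonomy listed in the issue; the event records are constructed.
"""
from collections import defaultdict

# Subset of the taxonomy from the issue, in "Category-Subcategory" form.
TAXONOMY_LABELS = """
Authentication-Bruteforce Authentication-Login Authentication-Failed
Authentication-Account_Lockout Access-Firewall_Permit Access-Firewall_Deny
Malware-Virus_Detected Antivirus-Virus_Quarantine Suspicious-SSH_Activity
Network-H.323_Activity Database-Login Database-Login_Failed
""".split()


def parse_label(label):
    """Split 'Category-Subcategory' at the first '-'. The category part never
    contains '-', while subcategories may contain '_' or '.' (Network-H.323_Activity)."""
    category, sep, subcategory = label.partition("-")
    if not sep or not category or not subcategory:
        raise ValueError(f"malformed taxonomy label: {label!r}")
    return category, subcategory


def build_taxonomy(labels):
    """Return {category: set(subcategories)} so rules can match on either level."""
    taxonomy = defaultdict(set)
    for label in labels:
        category, subcategory = parse_label(label)
        taxonomy[category].add(subcategory)
    return dict(taxonomy)


TAXONOMY = build_taxonomy(TAXONOMY_LABELS)


def validate_event(event, taxonomy=TAXONOMY):
    """Reject events whose label is not in the taxonomy. Rules key on these
    labels, so an unknown label is a taxonomy gap to fix, not something to be
    silently folded into a Misc bucket."""
    category, subcategory = parse_label(event["label"])
    if subcategory not in taxonomy.get(category, ()):
        raise KeyError(f"label not in taxonomy: {event['label']}")
    return category, subcategory


def correlate_bruteforce(events, threshold=3, window=60):
    """Emit an Authentication-Bruteforce alert when one source produces at least
    `threshold` Authentication-Failed events within `window` seconds and then an
    Authentication-Login. `events` is a list of dicts sorted by 'ts'."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for event in events:
        category, subcategory = validate_event(event)
        if category != "Authentication":
            continue
        src, ts = event["src"], event["ts"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if subcategory == "Failed":
            failures[src].append(ts)
        elif subcategory == "Login" and len(failures[src]) >= threshold:
            alerts.append({"ts": ts, "src": src,
                           "label": "Authentication-Bruteforce",
                           "failed_attempts": len(failures[src])})
            failures[src].clear()
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "label": "Authentication-Failed"},
    {"ts": 105, "src": "10.0.0.5", "label": "Authentication-Failed"},
    {"ts": 110, "src": "10.0.0.5", "label": "Authentication-Failed"},
    {"ts": 112, "src": "10.0.0.9", "label": "Access-Firewall_Permit"},
    {"ts": 115, "src": "10.0.0.5", "label": "Authentication-Login"},
    {"ts": 300, "src": "10.0.0.7", "label": "Authentication-Failed"},
    {"ts": 400, "src": "10.0.0.7", "label": "Authentication-Login"},  # outside window
]

if __name__ == "__main__":
    for alert in correlate_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

With the constructed events, only `10.0.0.5` triggers the rule; the single failure from `10.0.0.7` has aged out of the window by the time its login arrives. Any event carrying a label absent from the taxonomy raises before the rule runs, which is the behaviour you want while the taxonomy is still being completed.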