
Sheriff CSM™

Create a New Cross-Correlation Rule

In this example, we explain how to create a cross-correlation rule to detect a MySQL authentication bypass attempt with an empty password.

To create a new cross-correlation rule:
  1. Go to Configuration > Threat Intelligence > Cross Correlation, and then click New.
  2. In Data Source Name, select "Sheriff NIDS".

    Sheriff CSM loads the Event Type list for Sheriff NIDS.

  3. In Reference Data Source Name, select "nessus-detector", which represents the Sheriff Vulnerability Scanner.

    Sheriff CSM loads the Reference SID Name list for the Vulnerability Scanner.

  4. In Event Type, select "MYSQL client authentication bypass attempt".

    Note: It takes a while for the list to display because it is long.

  5. In Reference SID Name, select "nessus: MySQL Authentication bypass through a zero-length password".

  6. Click Create Rule.

Insert New Cross Correlation Rule from Threat Intelligence.
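
A simplified model of the pairing this rule sets up, as an added example that is not Sheriff CSM code. It assumes a cross-correlation rule matches when the destination host of the NIDS event has the referenced scanner finding; the data structures, function name and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Names taken from the rule created in the steps above.
EVENT_TYPE = "MYSQL client authentication bypass attempt"
REFERENCE_SID = "nessus: MySQL Authentication bypass through a zero-length password"

# One rule: (data source, event type) -> (reference data source, reference SID name).
RULES = {("Sheriff NIDS", EVENT_TYPE): ("nessus-detector", REFERENCE_SID)}


@dataclass(frozen=True)
class NidsEvent:
    source: str
    event_type: str
    src_ip: str
    dst_ip: str


def cross_correlate(events, findings, rules=RULES):
    """Return events whose destination host has the finding named by a matching rule.

    findings maps host IP -> set of (reference source, SID name) from the scanner.
    Assumption: matching is done on the event's destination host.
    """
    confirmed = []
    for ev in events:
        ref = rules.get((ev.source, ev.event_type))
        if ref is None:
            continue  # no cross-correlation rule for this event type
        if ref in findings.get(ev.dst_ip, set()):
            confirmed.append(ev)  # attempt targets a host reported as vulnerable
    return confirmed


# Constructed sample data (documentation address ranges, not real hosts).
FINDINGS = {
    "192.0.2.10": {("nessus-detector", REFERENCE_SID)},
    "192.0.2.20": set(),  # scanned, finding absent
}
EVENTS = [
    NidsEvent("Sheriff NIDS", EVENT_TYPE, "198.51.100.7", "192.0.2.10"),
    NidsEvent("Sheriff NIDS", EVENT_TYPE, "198.51.100.7", "192.0.2.20"),
    NidsEvent("Sheriff NIDS", "Some other event type", "198.51.100.7", "192.0.2.10"),
    NidsEvent("Sheriff NIDS", EVENT_TYPE, "198.51.100.7", "192.0.2.30"),  # never scanned
]

if __name__ == "__main__":
    for ev in cross_correlate(EVENTS, FINDINGS):
        print(f"confirmed: {ev.event_type} {ev.src_ip} -> {ev.dst_ip}")
```

Only the first sample event is returned: the second targets a host without the finding, the third has no rule for its event type, and the fourth targets a host with no scan data.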

Topic revision: 18 Dec 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.