Sheriff CSM™
Correlation Directives
Sheriff CSM provides over 4,500 built-in directives and adds more every week through the AT&T Alien Labs™ Threat Intelligence Update. The directives are grouped into different categories.
Sheriff CSM correlation directive categories

| Category Name | Explanation | Example |
|---|---|---|
| User Contributed | A placeholder for user-created and/or modified directives. By default, this category is empty. | |
| Sheriff Attacks | Directives to detect various attacks against vulnerable services and applications. | AV Attacks, Successful OpenSSL HeartBeat attack |
| Sheriff BruteForce | Directives to detect brute force attacks on services that require authentication. | AV Bruteforce attack, SSH authentication attack against DST_IP (destination IP) |
| Sheriff DoS | Directives that detect Denial of Service (DoS) attacks on different applications and services. | AV Service attack, successful denial of service against IIS web server on DST_IP (MS07-041) |
| Sheriff Malware | Directives to detect malware. | AV Malware, botnet Koobface activity detected on SRC_IP (source IP) |
| Sheriff Misc | Directives to detect activities that do not fall into any other category. | AV Misc, suspicious executable download from a dynamic domain on SRC_IP |
| Sheriff Network | Directives that detect network-related anomalies and attacks. | AV Network attack, too many dropped inbound packets from DST_IP |
| Sheriff Policy | Directives to detect policy violations. | AV Policy violation, vulnerable Java version detected on SRC_IP |
| Sheriff Scada | Directives to detect attacks on industrial supervisory control and data acquisition (SCADA) systems. | AV SCADA attack, Modbus scanning or fingerprinting against DST_IP |
| Sheriff Scan | Directives to detect scanning activities. | AV Network scan, Nmap scan against DST_IP |
Sheriff CSM provides a web interface, Configuration > Threat Intelligence > Directives, for you to examine, modify, or create new correlation directives.

To display a directive:
- Click the black triangle to the left of the category name.
- Click the black triangle to the left of the directive.
Each directive consists of the following
Sheriff Vigilante Limitations: Sheriff CSM includes a faster and more robust correlation engine with more complex correlation directives. Sheriff Vigilante ships with a smaller number of correlation directives, but you can customize them and build your own directives based on your needs.

Sheriff Vigilante Limitations: In the Sheriff Vigilante environment, the following directive categories are inactive:
- Sheriff DoS
- Sheriff Network
- Sheriff Scada