Building Collector Plugins 1.1 - AlienVault

More documents

Recommendations

Info

Building Collector Plugins - Admin Guide [config] type: enable: source: location: create_file: process: start: stop: startup: shutdown: exclude_sids=SID List Example (hp-eva): detector process=snmptrapd start=yes stop=yes startup=/etc/init.d/snmpd start shutdown=/etc/init.d/snmpd stop exclude_sids=404,200,403 Enable or Disable the plugin (It must be enabled in config.cfg) Source of the events (log, mssql, mysql, wmi) The file(s) where the logs can be found - can contain multiple comma-separated files Create the log file in case it does not exist Name of the process generating logs (If on the same system) Start the process when the agent starts (yes/no) Stop the process when the agent stops (yes/no) Command that starts the process Command that stops the process Use this option to exclude SIDs [translation] string=value Used to map strings to their corresponding values Example (Postfix): [translation] sent=10 bounced=11 [Rule IDs – Specific Rules] Here are the events collected and normalized. event_type=event regexp=Regular Expression plugin_sid=Plugin SID Event_Field=Value Example(ssh): [01 - Failed password] event_type=event regexp="(\SYSLOG_DATE)\s+(?P[^\s]*).*?ssh.*?Failed password for inval user (?P\S+)\s+from\s+.*?(?P\IPV4).*?port\s+(?P\PORT)" plugin_sid=1 date={normalize_date($1)} Page 14 Copyright © Alienvault 2010
Building Collector Plugins - Admin Guide src_ip={$src} dst_ip={resolv($sensor)} src_port={$sport} username={$user} [Rule IDs – Specific Rules] [Rule ID – Generic Rule] Example (ssh): [99 - Generic rule] # Nov 15 11:55:35 11.1.4.9 sshd[1769702]: ********** event_type=event regexp="(\SYSLOG_DATE)\s+(?P[^\s]*).*?ssh.*" plugin_sid=99 date={normalize_date($1)} dst_ip={resolv($sensor)} Note: As rules are ordered alphabetically the Generic Rule has to have the highest Rule ID . 2.3.4 Using Local (Plugin) Variables The different configuration variables defined in the plugin configuration file can be used with the following syntax: %()s Example: process=pads shutdown=killall -9 %(process)s 2.3.5 Using Global (Agent) Variables \_CFG() Example: In the agent configuration file (/etc/ossim/agent/config.cfg): [watchdog] restart_interval=3600 ; seconds between plugin process restart In the plugin configuration file(/etc/ossim/agent/plugins/*.cfg): restart_interval=\_CFG(watchdog,restart_interval) Page 15 Copyright © Alienvault 2010
Page 1 and 2: Building Collector Plugins Admin Gu
Page 3 and 4: Building Collector Plugins - Admin
Page 13: Building Collector Plugins - Admin
Page 31 and 32: 5.2.10 Check whether the plugin was

Building Collector Plugins 1.1 - AlienVault

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?