Building Collector Plugins 1.1 - AlienVault

More documents

Recommendations

Info

Building Collector Plugins - Admin Guide 2.6 Event Fields Mandatory – no default values, have always to be set when creating a new plugin plugin_id plugin_sid Event Type Event Subtype Mandatory – default values are assigned by the OSSIM Agent Optional date sensor interface protocol src_ip src_port dst_ip dst_port username password filename The time the event has been collected from the device The IP Address of the sensor collecting the event The interface where the event has been collected IP Protocol (see /etc/protocols) The Source IP Address The Source Port The Destination IP Address The Destination Port The User referred in the event The Password referred in the event The Filename referred in the event userdata1 – userdata9 User defined fields that could be used in custom reports, correlation directives, etc. Special types of events and the list of fields that can be used in each event type: Host-os-event Host-mac-event Host-service-event host host host os mac sensor sensor vendor interface interface sensor port date interface protocol date service application date Page 18 Copyright © Alienvault 2010
Building Collector Plugins - Admin Guide 2.7 Rules The Rules define the format of each event and how they are normalized. It is composed by a regular expression and the list of fields that the event will include once it is sent to the OSSIM Server. In some cases only one regular expression will collect every event coming from one application, in some other cases more than one rule will be required. 2.7.1 Evaluation Order Rules are loading in alphabetical order based on the name given to each rule (Rule ID). Once the log matches the regex of one rule the ossim agent stops processing the event, therefore generic rules must be the last to be evaluated. 2.7.2 Structure o Name / Rule ID The name of the rule is mandatory o Regular Expression The regexp field contains the regular expression that defines the format of the events, and extracts the information to normalize the event. The regular expression has to be written following Python regular expression syntax: http://docs.python.org/library/re.html The information extracted by the regular expression from the log can be accessed by: Position: (\d\d):(\d\d):(\d\d) hour={$1} minutes ={$2} seconds={$3} Tags: (?P\d\d):(?P\d\d)(?P\d\d) hour={$hour} minutes ={$minutes} seconds={$seconds} o Normalized Fields As the server must receive normalized events, where IP addresses for instance are using the IPV4 format and the date uses the format YYYY-MM-DD HH:MM:SS (2010-12-31 22:57:00) To simplify the process of normalizing events functions are defined (more details on functions can be found in the “Functions” section of this document): resolv() Translates hostnames into IPV4 addresses (DNS queries) Page 19 Copyright © Alienvault 2010
Page 1 and 2: Building Collector Plugins Admin Gu
Page 3 and 4: Building Collector Plugins - Admin
Page 17: Building Collector Plugins - Admin
Page 31 and 32: 5.2.10 Check whether the plugin was

Building Collector Plugins 1.1 - AlienVault

Create successful ePaper yourself

Delete template?

Save as template?