Building Collector Plugins 1.1 - AlienVault

Building Collector Plugins - Admin Guide

4) Save & Exit

5.2.9 Register the Plugin with the OSSIM Server

Copy an existing SQL script to build the new one on the existing structure:

opensourcesim:/usr/share/doc/ossim-mysql/contrib/plugins# cp syslog.sql example.sql

Get a list of the rules defined in the Plugin configuration file:

opensourcesim:~# grep '^\[' /etc/ossim/agent/plugins/example.cfg
[Rule 01 - Console Session Open]
[Rule 02 - Console Session Closed]
[Rule 03 - New User Session - IP]
[Rule 04 - New User Session - hostname]
[Rule 05 - User Session Closed - IP]
[Rule 06 - User Session Closed - hostname]
[Rule 07 - Reboot Detected]
[Rule 99 - Catch all]

Rules that share the same plugin_sid need only one SQL statement and one plugin_sid defined on the OSSIM server. Separate rules were used here only because the "last" command returns both IP addresses and hostnames as sources.

-- plugin_id: 9001
DELETE FROM plugin WHERE id = "9001";
DELETE FROM plugin_sid WHERE plugin_id = "9001";
INSERT INTO plugin (id, type, name, description) VALUES (9001, 1, 'Example', 'User logons based on the last output');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 1, NULL, NULL, 'Login: System console', 5, 5);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 2, NULL, NULL, 'Logout: System console', 5, 5);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 3, NULL, NULL, 'Login: Pseudo terminal', 3, 5);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 4, NULL, NULL, 'Logout: Pseudo terminal', 3, 5);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 5, NULL, NULL, 'System reboot: Restarted', 5, 5);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 99, NULL, NULL, 'Last: Generic messages', 1, 1);

After changing the script to reflect the Plugin IDs and SIDs, load the changes with the command:

opensourcesim:/usr/share/doc/ossim-mysql/contrib/plugins# cat example.sql | ossim-db
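The cfg-to-SQL mapping above can be produced and checked mechanically. The following Python helper is an added example, not part of the AlienVault guide: it reads the [Rule ...] sections of an agent plugin .cfg, collects the distinct literal plugin_sid values, and emits one INSERT per sid (rules sharing a sid get a single row), refusing to emit a script when a rule computes its sid at runtime or when a sid has no name/priority/reliability defined. The cfg text and sid table are constructed to match this page's example.cfg and example.sql.

```python
import configparser
import re

# Constructed sample of the [Rule ...] sections of example.cfg: rule names and
# plugin_sid numbering follow the guide's grep output and example.sql.
EXAMPLE_CFG = "\n".join(
    f"[Rule {n} - {rule}]\nplugin_sid={sid}" for n, rule, sid in [
        ("01", "Console Session Open", 1), ("02", "Console Session Closed", 2),
        ("03", "New User Session - IP", 3), ("04", "New User Session - hostname", 3),
        ("05", "User Session Closed - IP", 4), ("06", "User Session Closed - hostname", 4),
        ("07", "Reboot Detected", 5), ("99", "Catch all", 99)])

# sid -> (name, priority, reliability), taken from the guide's example.sql
SID_TABLE = {
    1: ("Login: System console", 5, 5), 2: ("Logout: System console", 5, 5),
    3: ("Login: Pseudo terminal", 3, 5), 4: ("Logout: Pseudo terminal", 3, 5),
    5: ("System reboot: Restarted", 5, 5), 99: ("Last: Generic messages", 1, 1),
}

def literal_sids(cfg_text):
    """Map each literal plugin_sid to the [Rule ...] sections that emit it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    sids = {}
    for section in cp.sections():
        if not section.startswith("Rule "):
            continue
        value = cp.get(section, "plugin_sid", fallback="")
        if not re.fullmatch(r"\d+", value):  # e.g. {$3}: sid computed at runtime
            raise ValueError(f"{section}: non-literal plugin_sid {value!r}")
        sids.setdefault(int(value), []).append(section)
    return sids

def build_sql(plugin_id, name, description, cfg_text, sid_table=SID_TABLE):
    """Emit the DELETE/INSERT script; every sid in the cfg must exist in sid_table."""
    sids = literal_sids(cfg_text)
    missing = sorted(set(sids) - set(sid_table))
    if missing:
        raise KeyError(f"plugin_sid(s) with no server-side definition: {missing}")
    q = lambda s: s.replace("'", "''")  # escape quotes inside SQL string literals
    out = [f"-- plugin_id: {plugin_id}",
           f"DELETE FROM plugin WHERE id = {plugin_id};",
           f"DELETE FROM plugin_sid WHERE plugin_id = {plugin_id};",
           "INSERT INTO plugin (id, type, name, description) "
           f"VALUES ({plugin_id}, 1, '{q(name)}', '{q(description)}');"]
    for sid in sorted(sids):  # one row per distinct sid, not per rule
        n, prio, rel = sid_table[sid]
        out.append(f"INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, "
                   f"priority, reliability) VALUES ({plugin_id}, {sid}, NULL, NULL, '{q(n)}', {prio}, {rel});")
    return "\n".join(out)
```

Write the returned string to example.sql and load it with `cat example.sql | ossim-db` as shown above.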

Page 30 Copyright © Alienvault 2010
