Building Collector Plugins 1.1 - AlienVault

More documents

Recommendations

Info

Building Collector Plugins - Admin Guide 1.2 OSSIM Server Role 1.2.1 Event Enrichment The OSSIM server enriches the received normalized event with the metadata stored in the OSSIM Database. o Enriched Event The OSSIM Server enriches the event with the Priority and Reliability values, which are specific to the event type (plugin_id) and subtype (plugin_sid), as well as with the Asset Value which is specific to the Source (asset_src) and the Destination (asset_dst) hosts. Example: ossim:/var/log/ossim/server.log: 2010-05-30 06:48:41 OSSIM-Message: Event received: event id="0" alarm="0" type="detector" fdate="2010-05-30 13:15:52" date="1275239752" tzone="0" plugin_id="4003" plugin_sid="7" src_ip="192.168.178.20" src_port="4445" dst_ip="192.168.178.200" dst_port="22" sensor="192.168.178.201" interface="eth0" protocol="TCP" asset_src="2" asset_dst="2" log="May 30 13:15:52 dmz01 sshd[12980]: Accepted password for root from 192.168.178.20 port 4445 ssh2" username="root" o Priority The priority is related to threats and it reflects the importance of a specific attack, having nothing to do with a specific host or environment. It only measures the relative importance of the attack itself. Range: 0 - 5 Default value: 1 Example: A Unix server running Samba gets attacked by the Sasser worm . Apart from the fact that the attack won’t have an impact on the given environment, it has the potential to exploit a big security hole and for that reason the priority is considered as being high. o Reliability Classical risk-assessment would refer it as "probability ". Since it's quite difficult to determine how probable it is for a network to be exposed to certain vulnerabilities, the IDS related “reliability” approach was considered more appropriate. Range: 0 - 10 Default value : 1. Example: If a host connects to 5 different hosts in the same subnet using port 445, could be a normal behavior, unreliable for IDS purposes. If connecting to 15 hosts would be Page 6 Copyright © Alienvault 2010
Building Collector Plugins - Admin Guide suspicious, with 500 connections to different hosts in less than an hour the attack would get more and more reliable. o Asset Value It is assigned to both the Source and the Destination Hosts and represents the importance the host has to the enterprise. Range: 0 - 5 Default value: 1 (also used for hosts not being defined in the asset database) Example: A database server can have an asset value of 5, a development test server an asset value of 2 and an unknown host in the Internet causing a portscan event would just have an asset value of 1. o Alarm Based on the Event Priority (0-5), Event Reliability (0-10) and the Asset Value (0-5), a Risk Value (0-10) is calculated and for values equal or greater than 1 Alerts are generated. The Risk is calculated based on the following formula: Risk = (Priority * Reliability * Asset) / 25 1.2.2 Policies and Actions Policies are defined in order to define what has to be done with the events as they reach the OSSIM Server: Correlation (i.e. checked against the correlation directives) Forwarding (i.e. one copy is sent to the forensic storage) Actions (i.e. send an email) Discard - the last filter possibility before saving the event in the database, although it is recommended to filter the events as close to the source as possible. Policies can make decisions on which events are going to be filtered based on: Source and Destination Assets (Hosts, Networks, ANY...) Ports Plugin Group Time Range Page 7 Copyright © Alienvault 2010
Page 1 and 2: Building Collector Plugins Admin Gu
Page 3 and 4: Building Collector Plugins - Admin
Page 5: Building Collector Plugins - Admin
Page 31 and 32: 5.2.10 Check whether the plugin was

Building Collector Plugins 1.1 - AlienVault

Create successful ePaper yourself

Delete template?

Save as template?