Building Collector Plugins 1.1 - AlienVault
Building Collector Plugins - Admin Guide
1.3 The Configuration Workflow

o Collect a Log Sample
Start by checking which log messages the application generates and identify sets of logs that share a similar structure. Where possible, logs with a similar structure are covered by a single collector rule.

o Create a Plugin File
The easiest approach is to copy an existing plugin file and modify its content to match the new application. If a plugin exists for a similar application, copy that one, because its rules will very likely have similar content and be grouped in a similar way: a generic HTTP proxy log always contains a URL, and a generic firewall log contains a source IP address and source port as well as a destination IP address and destination port. Some user-defined fields may be specific to one application; correlation at the server level is simpler when similar applications use the same user-defined fields.

o Define a Generic Rule
This is the last rule to be evaluated; it catches all events that cannot be grouped under a specific rule.

o Define Specific Rules
Specific rules are defined for particular error conditions or categories of events. A single rule may also be used to generate several event types or subtypes.

o Discard Noise
Events considered noise can be discarded by OSSIM by excluding certain event subtypes (Plugin_SIDs) in the plugin file, by the way the regular expressions are written, or by using policies. However, the best way to discard events is to filter them on the monitored device itself or at syslog level on the host running the OSSIM Agent.

o Review the Evaluation Order
Rules are evaluated alphabetically by name, so only the name of a rule counts, not its position in the plugin file. The Generic Rule may even be the first one in the file if its name is chosen so that it sorts last. Rules whose names sort alphabetically after the Generic Rule are shadowed by it: the corresponding logs are evaluated as generic events instead of being assigned their proper event type and subtype.

o Register the Plugin with the OSSIM Agent
To activate a plugin and have it send events to the OSSIM server, the path to the plugin file has to be specified in the Agent configuration file.
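As an added example (not part of the guide or of any shipped plugin), the following Python code simulates the workflow above: a constructed plugin file in the agent's INI-style layout is parsed, its rules are evaluated in name order rather than file order, a catch-all Generic Rule sits last, and noise is dropped by Plugin_SID. The plugin_id, section names, regular expressions and "myapp" log lines are all constructed assumptions.

```python
import configparser
import re

# Constructed plugin file in the agent's INI-style layout (illustrative, not a shipped plugin).
# The catch-all rule is named "9999 - Generic" so that it sorts last by name.
PLUGIN_TEXT = r'''
[DEFAULT]
plugin_id=9001
[config]
type=detector
source=log
[0001 - Login failed]
event_type=event
regexp="(?P<date>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) myapp: login failed for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
plugin_sid=1
[0002 - Config change]
event_type=event
regexp="(?P<date>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) myapp: configuration reloaded by (?P<user>\S+)"
plugin_sid=2
[9999 - Generic]
event_type=event
regexp="(?P<date>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) myapp: (?P<msg>.*)"
plugin_sid=1000
'''

# Constructed log sample for the hypothetical "myapp" application.
SAMPLE_LOGS = [
    "Mar 14 10:21:03 app01 myapp: login failed for alice from 10.0.0.5",
    "Mar 14 10:21:09 app01 myapp: configuration reloaded by bob",
    "Mar 14 10:21:15 app01 myapp: heartbeat ok",
]

def load_rules(text):
    """Parse the rule sections and return them in evaluation order: by name, not file position."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = [(name, re.compile(cp[name]["regexp"].strip('"')), int(cp[name]["plugin_sid"]))
             for name in cp.sections() if name != "config"]
    return sorted(rules, key=lambda r: r[0])

def classify(rules, line, discard_sids=frozenset()):
    """Return the event for the first matching rule, or None if nothing matches or the SID is noise."""
    for name, rx, sid in rules:
        m = rx.search(line)
        if m:
            return None if sid in discard_sids else {"rule": name, "plugin_sid": sid, **m.groupdict()}
    return None

if __name__ == "__main__":
    print([classify(load_rules(PLUGIN_TEXT), line) for line in SAMPLE_LOGS])
```

Renaming the catch-all to "0000 - Generic" makes it sort first, so every line is classified with plugin_sid 1000 and the specific rules are never reached.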
Page 8 Copyright © Alienvault 2010