AlienVault Building Collector Plugins


  • 5/23/2018 AlienVault Building Collector Plugins

    Building Collector Plugins

    Admin Guide

    C Aa 2010

    A . N a a b c a a b

    a a, cc caca, c c, c, b a

    a a a ,

    c a b.

    A aa c a c .


    B Cc P A G

    Pa 2 C Aa 2010

    1 Overview ............................................................ 4

    1.1 OSSIM Agent Role ................................................... 4

    1.1.1 Event Collection ................................................. 4

    1.1.2 Event Normalization .............................................. 4

    1.2 OSSIM Server Role .................................................. 6

    1.2.1 Event Enrichment ................................................. 6

    1.2.2 Policies and Actions ............................................. 7

    1.3 The Configuration Workflow ......................................... 8

    2 Configuring Detector Plugins ........................................ 10

    2.1 Rsyslog ........................................................... 10

    2.1.1 Configuration File .............................................. 10

    2.1.2 Listener Configuration .......................................... 10

    2.1.3 Filters ......................................................... 10

    2.2 OSSIM Agent Configuration ......................................... 11

    2.2.1 Configuration File .............................................. 11

    2.2.2 Parameters ...................................................... 11

    2.3 Detector Plugin Configuration ..................................... 13

    2.3.1 Configuration Files ............................................. 13

    2.3.2 Common Event Types .............................................. 13

    2.3.3 Parameters ...................................................... 13

    2.3.4 Using Local (Plugin) Variables .................................. 15

    2.3.5 Using Global (Agent) Variables .................................. 15

    2.4 Aliases ........................................................... 16

    2.4.1 Path ............................................................ 16

    2.4.2 Predefined Regular Expressions .................................. 16

    2.5 Functions ......................................................... 16

    2.5.1 Path ............................................................ 16

    2.5.2 Conversions ..................................................... 16

    2.5.3 Application Specific Translations ............................... 17

    2.5.4 User Defined Translations ....................................... 17

    2.6 Event Fields ...................................................... 18

    2.7 Rules ............................................................. 19

    2.7.1 Evaluation Order ................................................ 19

    2.7.2 Structure ....................................................... 19

    2.8 Loading Plugins ................................................... 21

    2.8.1 Priority and Reliability values ................................. 21

    2.8.2 SQL Statement ................................................... 21

    2.9 Plugin Activation ................................................. 22

    2.9.1 Activate the Plugin on the Server Side .......................... 22

    2.9.2 Activate the Plugin on the Agent Side ........................... 22

    3 Log files ........................................................... 22

    4 Debugging ........................................................... 22

    5 Appendix ............................................................ 23

    5.1 Regular Expressions ............................................... 23

    5.2 Configuration Example ............................................. 25

    5.2.1 Scenario ........................................................ 25

    5.2.2 Write a script to monitor the last status ....................... 25

    5.2.3 Log sample ...................................................... 25

    5.2.4 Collect the logs in a new log file .............................. 25

    5.2.5 Restart rsyslog ................................................. 26

    5.2.6 Check whether the new entries are written in the new log file ... 26

    5.2.7 Create a plugin file ............................................ 26

    5.2.8 Register the Plugin with the OSSIM Agent ........................ 29

    5.2.9 Register the Plugin with the OSSIM Server ....................... 30

    5.2.10 Check whether the plugin was successfully registered ........... 31

    5.2.11 Restart the OSSIM Server ....................................... 31

    5.2.12 Restart the OSSIM Agent ........................................ 31

    5.2.13 Check whether Events and Alarms are received ................... 32


    1 Overview

    1.1 OSSIM Agent Role

    1.1.1 Event Collection

    T cc c ac aa c (Sc, OS,

    RDBMS, c.) a a . A a ca b c a

    b a b OSSIM A a a b ca b a a ac

    ac.

    B a a ac c a c b c:

    - Maa a aca a aa c

    - F b a a

    - U Pca ca (S, Tc...)

    - I a b a aa aa, a aca

    b b

    o

    G acc ca ac. Ha

    c , a a a a c

    cac a .

    U b cc ba a.

    1.1.2 Event Normalization

    I aa a a c a aa ac c

    a a c OSSIM a.

    o

    T a b a c a, a aca , a SNMP a,

    a SNMP SQL Q a a

    c a a a .

    01///.

    Ma 30 13:15:52 01 [12980]: Acc a

    192.168.178.20 4445 2


    o

    T a ca c a a c aa

    a ca b OSSIM . T ca b a

    a a aca .

    ////.

    20100530 13:15:49,441 O [INFO]: ="c" ="1275239752"

    ="192.168.178.201" ="0" ="4003" ="7"

    ="192.168.178.20" ="4445" ="192.168.178.200" ="22"

    ="" ="Ma 30 13:15:52 01 [12980]: Acc a

    192.168.178.20 4445 2" ="20100530 13:15:52" ="0"


    1.2 OSSIM Server Role

    1.2.1 Event Enrichment

    T OSSIM c c a aaa OSSIM

    Daaba.

    o

    T OSSIM S c P a Rab a, c a

    cc (_) a b (_), a a A

    Va c cc Sc (a_c) a Da (a_) .

    Ea:

    :/a///.:

    20100530 06:48:41 OSSIMMa: E c: ="0" aa="0"

    ="c" a="20100530 13:15:52" a="1275239752" ="0"

    _="4003" _="7" c_="192.168.178.20" c_="4445"_="192.168.178.200" _="22" ="192.168.178.201" ac="0"

    c="TCP" ="2" ="2" ="Ma 30 13:15:52 01

    [12980]: Acc a 192.168.178.20 4445 2"

    a=""

    o

    T a a a c ac a cc aac, a

    a cc . I a a ac

    aac .

    Range: 0 to 5

    Default value: 1

    Ea:

    A U Saba aac b Sa .

    Aa ac a aac a a ac ,

    a a a b c a a a

    c a b .

    o

    Caca a a "bab ". Sc ' c bab a b ca ab, IDS

    a ab aac a c aa.

    Range: 0 to 10

    Default value: 1

    Ea:

    I a cc 5 a b 445, c b a

    a ba, ab IDS . I cc 15 b


    c, 500 cc a a aac

    a ab.

    o

    I a b Sc a Da H a ac

    a .

    Range: 0 to 5

    Da a: 1 (a b a aaba)

    Ea:

    A aaba ca a a a a 5, a a a

    a 2 a a I ca a ca

    a a a a 1.

    o

    Based on the Event Priority (0-5), the Event Reliability (0-10) and the Asset Value (0-5), a Risk Value (0-10) is calculated for every event; events whose Risk Value reaches 1 or more become Alarms.

    The Risk is calculated with the following formula:

    Risk = (Priority * Reliability * Asset) / 25

    1.2.2 Policies and Actions

    Pc a a a b a ac OSSIM

    S:

    Ca (.. cc aa ca c)

    Fa (.. c c a)Ac (.. a a)

    Dca a b b a aaba, a

    c a c c a b.

    Pc ca a c c a b ba :

    Sc a Da A (H, N, ANY...)

    P

    P G

    T Ra


    1.3 The Configuration Workflow

    o

    F a cc c a aca a a a

    a a a c. T a a a c b

    b c b a cc .

    o

    B c a c ac aca. S a

    a a aca, c c c a , a a cac a

    a a a c a a a a a a c HTTPP aa

    ca a URL, a c Fa ca a Sc IP A a Sc P a a a

    Da IP A a Da P. S b a cc

    aca a ca a ca b a aca

    a .

    o

    T a R aa, c cac a a ca b cc

    .

    o

    T Scc a cc c ca . T a

    b a a b .

    o

    E a a c ca b ca b OSSIM b c ca b

    (P_SID) , b a a a b c.

    H, b a ca b c a

    OSSIM A.

    o

    T a aa aabca, c a a a c a a a

    . T Gc R b a

    c. Ha aabca ac a Gc R a a c a

    c b aa a c a a

    a b a.

    o

    I a a P aca a OSSIM , a

    a b c A ca .


    o

    T c b c a c

    a ab a a.

    o

    Ra OSSIM S c.

    o

    Ra OSSIM A c.

    o

    U ca a ca b a a OSSIM

    A S.


    2 Configuring Detector Plugins

    2.1 Rsyslog

    R S a OSSIM a a c a

    a a a a a ca caca a. S a c

    a c .

    B a ca c cc b

    a a a a a a ca b b

    ac .

    2.1.1 Configuration File

    /c/.c

    2.1.2 Listener Configuration

    $MLa

    $UDPSR 514

    $MLa c

    $ITCPSR 514

    2.1.3 Filters

    Fa ca a ca

    $ ca '' /a//

    $ac == 'ca0' a $ a 'DEVNAME' a ($ ca '1'

    $ ca '0') /a//

    S c

    $ ca ''

    R R

    ://..c/.


    2.2 OSSIM Agent Configuration

    2.2.1 Configuration File

    /c//a/c.c

    2.2.2 Parameters

    [a]

    a: Da (T Fa)

    : Pa PID (Pc )

    [ca]

    Eab ca a a . I c c a

    a a ca a a ac ca c.

    b_: L a b ca

    ab: Eab ab (T Fa)

    : Wa c ca b

    Ea:

    [ca]

    b_=10011150,15011550,40014010

    ab=Fa

    =10

    []

    C b a a

    : F c b

    : F c a a b

    a: F c a a b (E 5 )

    b: C b (Db, I, Wa, E

    Cca)

    [a]

    W a a b OSSIM S (U b a

    )

    ab: Eab ab (T Fa)

    : F c a b

    []

    C c a

    ab: Eab ab (T Fa)

    : IP a OSSIM S

    : L OSSIM S


    [a]

    I ca aab ca b b ca.

    Ea:

    [a]

    a_a=%Y%% %H:%M:%S

    ac=0

    =192.168.178.201

    []

    D c (c a ) a ab

    a___=a____c_

    Ea:

    []

    =/c//a//.c

    =/c//a//.c

    [ac]

    M c aca ac (I ca a ac)

    ab: Eab ab (T Fa)

    a: Wa X c b cc

    a_a: Ra c X c (T a b ab ac

    )


    2.3 Detector Plugin Configuration

    2.3.1 Configuration Files

    /c//a//*.c

    2.3.2 Common Event Types

    C a ca .

    a. Ra

    b. Ra aaba

    Mc SQL

    MSQL

    c. Cc c

    . S

    . W Maa Ia

    2.3.3 Parameters

    [DEFAULT]

    A aab ca b OSSIM S b

    a . U a b 9000 a 10000.

    _: Nca OSSIM

    Ea:

    _=4003


    [c]

    : c

    ab: Eab Dab (I b ab c.c)

    c: Sc (, , , )

    ca: T () ca b ca ca

    caaa

    ca_: Ca ca

    c: Na c a (I a )

    a: Sa c a a (/)

    : S c a (/)

    a: Ca a a c

    : Ca a c

    c_=SID L U c SID

    Ea (a):

    c=a

    a=

    =

    a=/c/./ a

    =/c/./

    c_=404,200,403

    [aa]

    =a U a c a

    Ea (P):[aa]

    =10

    bc=11

    [R ID Scc R]

    H a cc a a.

    _=

    =Ra E

    _=P SID

    E_F=Va

    Ea():

    [01 Fa a]

    _=

    ="(\SYSLOG_DATE)\+(?P[^\]*).*?.*?Fa a a

    (?P\S+)\+\+.*?(?P\IPV4).*?\+(?P\PORT)"

    _=1

    a=a_a($1)


    c_=$c

    _=($)

    c_=$

    a=$ [R ID Scc R]

    [R ID Gc R]

    Ea ():

    [99 Gc ]

    # N 15 11:55:35 11.1.4.9 [1769702]: **********

    _=

    ="(\SYSLOG_DATE)\+(?P[^\]*).*?.*"

    _=99

    a=a_a($1)

    _=($)

    N: A a aabca Gc R a a R ID .

    2.3.4 Using Local (Plugin) Variables

    T ca aab ca ca b

    a:

    %()

    Ea:

    c=a

    =a 9 %(c)

    2.3.5 Using Global (Agent) Variables

    \_CFG()

    Ea:

    I a ca (/c//a/c.c):

    [ac]

    a_a=3600 ; c b c a

    I ca (/c//a//*.c):

    a_a=\_CFG(ac,a_a)


    2.4 Aliases

    2.4.1 Path

    /c//a/aa.c

    2.4.2 Predefined Regular Expressions

    T a ca b ca .

    IPV4= \1,3\.\1,3\.\1,3\.\1,3

    MAC= \1,2:\1,2:\1,2:\1,2:\1,2:\1,2

    PORT= \1,5

    TIME= \\:\\:\\

    SYSLOG_DATE= \3\+\1,2\\\:\\:\\

    SYSLOG_WY_DATE= \+\+\1,2\\4\\\:\\:\\

    T a Aa a \IPV4, \MAC, \SYSLOG_DATE, c.

    2.5 Functions

    2.5.1 Path

    //a/a/_a/PaU.

    2.5.2 Conversions

    (): aa a a a IP4 a_(a): aa a IP4 a a a

    _(): aa a a b

    a_a(a): c a a ( a a

    : , , , , ,

    a. T a

    a a a DATE_REGEXPS aa.

    a_c(): aa c c b, ba

    PROTO_TABLE

    5(aa): caca 5 cc

    (): a ca

    (): a a aca b


    2.5.3 Application Specific Translations

    _(): a 1000 S ID

    _(,a): a McA I ID a b b 256, a

    ' OSSIM ab ( ca_ =

    (ca_)/256)

    c__(): aa Nc a ba

    NETSCREEN_IDP_SID_TRANSLATION_TABLE aa ab

    ( PaU.)

    _c_(): aa ISS_SPc a ba

    ISS_SITEPROTECTOR_SID_TRANSLATION_MAP aa ab

    ( PaU.)

    _ac(ac): a ac a

    2.5.4 User Defined Translations

    aa(): aa ba [aa]

    c .

    ( ab ):

    # T aa c ca

    [aa]

    ACCEPT=1

    REJECT=2

    DROP=3

    DENY=3

    Ib=4

    Ob=5

    # R ID

    [0 ab]

    # L a

    # Oc 31 08:59:25 M2600001 : RULE 0 ACCEPT IN= OUT= SRC=127.0.0.1

    DST=127.0.0.1 LEN=60

    # TOS=000 PREC=000 TTL=64 ID=8437 DF PROTO=TCP SPT=57275 DPT=836

    SEQ=2806649400

    # ACK=0 WINDOW=32767 RES=000 SYN URGP=0

    # L Pa

    =(\S+\+\+\+\\:\\:\\)\+(\S*) (\S*):.*?(\S+)\+IN=(\S*) OUT=(\S*) SRC=(\S+)

    DST=(\S+) LEN=(\+) \S+ \S+ TTL=(\+) .*? PROTO=(\S*) SPT=(\*) DPT=(\*)

    # _ 1, aa a ACCEPT

    _=aa($4)


    2.6 Event Fields

    a a, a aa b ca a

    _ E T

    _ E Sb

    a a a a b OSSIM A

    a T a b cc c

    T IP A cc

    ac T ac a b cc

    c IP Pc ( /c/c)

    c_ T Sc IP A

    c_ T Sc P

    _ T Da IP A

    _ T Da P

    a T U

    a T Pa

    a T Fa

    aa1 aa9 U a c b c ,

    ca c, c.

    Sca a a ca b ac :

    ac

    ac

    ac

    a ac c

    a c

    aca

    a


    2.7 Rules

    T R a ac a a a. I c b a a

    a a c c OSSIM S.

    I ca a cc c aca,

    ca a b .

    2.7.1 Evaluation Order

    R a a aabca ba a ac (R ID).

    Oc ac a c ,

    c b a b aa.

    2.7.2 Structure

    o /

    T a aa

    o

    T ca a a a , a

    ac a a .

    T a a b P a a:

    ://c../ba/.

    T a ac b a ca b acc b:

    (\\):(\\):(\\)

    =$1

    =$2

    c=$3

    (?P\\):(?P\\)(?P\\)

    =$

    =$

    c=$c

    o

    A c a , IP a ac a

    IPV4 a a a a YYYYMMDD HH:MM:SS (20101231 22:57:00)

    T c a c a ( a

    c ca b Fc c c):

    ()

    Taa a IPV4 a (DNS )


    ()

    T a_a c aa a a a a

    acc b OSSIM S.

    o

    U ac E ID c, b _ a b c.

    Taa a b c. T aca aa

    b () c.

    o

    S ca b cc c ca

    ac :

    - U

    -

    M a a ac ca


    2.8 Loading Plugins

    2.8.1 Priority and Reliability values

    F ac P_ID/P_SID a P a Rab a a b

    OSSIM S.

    2.8.2 SQL Statement

    Sa c a a c ca a , a SQL

    c ca b c a c P a aaba.

    T a SQL c ca b :

    //a/c//cb//*.

    O a P ca , SQL c b ca a c

    OSSIM S a OSSIM A .

    T b SQL c:

    - R P ID ab, c a aa

    - R P SID _ ab, aa

    - I P ID a ab

    - I P SID _ ab

    T c ca (a bcc c SQL c

    a ca a b a ca aaba):

    ://a/c//cb/# b < .

    Ea (//a/c//cb//.):

    SSH

    _: 4003

    DELETE FROM WHERE = "4003";

    DELETE FROM _ _ = "4003";

    INSERT INTO (, , a, c) VALUES (4003, 1, '', 'SSH: Sc S

    a');

    INSERT INTO _ (_, , ca_, ca_, a, , ab) VALUES

    (4003, 1, NULL, NULL, 'SSH: Fa a', 3, 2);

    INSERT INTO _ (_, , ca_, ca_, a, , ab) VALUES

    (4003, 2, NULL, NULL, 'SSH: Fa bc', 2, 2);

    INSERT INTO _ (_, , ca_, ca_, a, ,ab) VALUES

    (4003, 99, NULL, NULL, 'SSH: Gc SSH E', 1, 1);


    2.9 Plugin Activation

    2.9.1 Activate the Plugin on the Server Side

    Ra OSSIM S c:

    :#/c/./ a

    2.9.2 Activate the Plugin on the Agent Side

    Ra OSSIM A c:

    :#/c/./a a

    3 Log files

    /a// (U)

    /a/a/a (Sa)T cc aca ca a a, cc

    /c/.c /c/.c .

    /a///a.

    /a///.

    4 Debugging

    N: D a a aca Db a c

    a

    D6


    5 Appendix

    5.1 Regular Expressions

    c A ca caac ac

    \c R ca a caac c; T RE \$ ac $

    ^ Ica b

    $ Ica

    . A a caac

    [] O a caac ; acc a a, 09, AZ

    [^] A ca ; Acc a a, 09, AZ

    a.b ab aab abb aSb a#b ...

    a..b ab aaab abbb a4$b ...

    [abc] a b c ( caac )

    [aA] a A ( caac )

    [aA][bB] ab Ab aB AB ( caac )

    [0123456789] 0 1 2 3 4 5 6 7 8 9

    [09] 0 1 2 3 4 5 6 7 8 9

    [AZa] A B C ... Z a b c ... Z

    [09][09][09] 000 001 .. 009 010 .. 019 100 .. 999

    [09]* _ca 0 1 9 00 99 123 456 999 9999 ...

    [09][09]* 0 1 9 00 99 123 456 999 9999 99999 99999999 ...

    ^.*$ A


    * 0 ccc RE

    + 1 ccc RE

    ? 0 a ccc RE , a

    ccc RE

    , 0 a ccc RE

    , N ccc RE , b a

    12 T RE 1 RE 2

    [09]+ 0 1 9 00 99 123 456 999 9999 99999 99999999 ..

    [09]? _ 0 1 2 .. 9

    (ab)* _ ab ababab abababababab

    ([09]+ab)* _ 1234ab 9ab9ab9ab 9876543210ab 99ab99ab ...

    \ A ca caac [09]\D A ca caac [^09]

    \ A ac caac [ \\\\\]

    \S A ac caac [^ \\\\\]

    \ A aac caaca _

    [aAZ09_]

    \W A aac caac [^aAZ09_]

    \Z E


    5.2 Configuration Example

    5.2.1 Scenario

    I c a U , a ca b . T a

    ca a c /a// , c a a

    a a a a .

    T ca a a, a b cc ca a ca

    a a a .

    T a a b b , ca.

    5.2.2 Write a script to monitor the last status

    #!/b/

    # ca

    c /a//a.

    # a

    a > /a//a.

    #

    /a//a. /a//a. '^>' LOGON_EXAMPLE ca2.

    # . .

    /a//a. /a//a.

    5

    5.2.3 Log sample

    01:# a /a//a

    J 14 19:21:32 01 LOGON_EXAMPLE: > /3 ca W J 14 18:49 19:21 (00:31)

    J 14 19:23:28 01 LOGON_EXAMPLE: > ba /3 ca W J 14 19:23

    J 14 19:23:59 01 LOGON_EXAMPLE: > /4 ca W J 14 19:23

    J 14 19:24:09 01 LOGON_EXAMPLE: > /4 ca W J 14 19:23 19:24 (00:00)

    J 14 19:24:09 01 LOGON_EXAMPLE: > ba /3 ca W J 14 19:23 19:24 (00:00)

    J 14 19:24:09 01 LOGON_EXAMPLE: > /2 172.22.22.10 W J 14 18:38 19:24 (00:45)

    J 14 19:24:54 01 LOGON_EXAMPLE: > /2 172.22.22.10 W J 14 19:24

    J 14 19:26:15 01 LOGON_EXAMPLE: > /2 172.22.22.10 W J 14 19:24 19:26 (00:01)

    J 14 19:26:20 01 LOGON_EXAMPLE: > /2 172.22.22.10 W J 14 19:26

    J 14 19:26:25 01 LOGON_EXAMPLE: > /2 172.22.22.10 W J 14 19:26 19:26 (00:00)

    5.2.4 Collect the logs in a new log file

    A .c OSSIM A:

    #

    # LOGON_EXAMPLE

    #

    ca2. /a//a_.


    5.2.5 Restart rsyslog

    c:# /c/./ a

    5.2.6 Check whether the new entries are written in the new log file

    c:/c//a/# a /a//a_.

    J 14 19:38:49 01 LOGON_EXAMPLE: > /2 ca W J 14 19:38 J 14 19:38:54 01 LOGON_EXAMPLE: > /2 ca W J 14 19:38 19:38 (00:00)

    J 14 19:38:59 01 LOGON_EXAMPLE: > /2 ca W J 14 19:38

    J 14 19:40:51 01 LOGON_EXAMPLE: > /2 ca W J 14 19:38 19:40 (00:01)

    J 14 20:15:09 01 LOGON_EXAMPLE: > b b 2.6.31.6 W J 14 17:39 20:15 (02:35)

    5.2.7 Create a plugin file

    C a b c

    c:/c//a/# c .c a.c

    S cc aa

    ;; B P Ea

    ;; _: 9001

    ;; : c

    [DEFAULT]

    _=9001

    [c]

    =c

    ab=

    c=

    # Eab . A a a.# c "*.* /a//a." >> /c/.c; a HUP

    #ca=/a//a.

    ca=/a//a_.

    # ca ,

    # c

    ca_=

    c=

    a=

    =

    a=

    =

    ##

    [R 01 C S O]

    # J 14 20:36:47 01 LOGON_EXAMPLE: > 1 W J 14 20:36

    _=

    ="^(?P(\S+\+\+\+\\:\\:\\)\+(?P[^\]+)\+LOGON_EXAMPLE:

    >\+(?P[^\]+)\+(?P\+)\+(?P.* .*))$"

    =\_CFG(a,)


    a=a_a($1)

    _=1

    a=$a

    _=($)

    aa1=$

    aa2=5($)

    aa3=$

    aa4=$_

    [R 02 C S C]

    # J 14 20:35:46 01 LOGON_EXAMPLE: > 1 W J 14 20:18 20:35 (00:17)

    _=

    ="^(?P(\S+\+\+\+\\:\\:\\)\+(?P[^\]+)\+LOGON_EXAMPLE:

    >\+(?P[^\]+)\+(?P\+)\+(?P.*))$"

    =\_CFG(a,)

    a=a_a($1)

    _=2

    a=$a

    _=($)

    aa1=$

    aa2=5($)

    aa3=$

    aa4=$_

    [R 03 N U S IP]

    # J 14 20:21:49 01 LOGON_EXAMPLE: > /1 172.22.22.10 W J 14 20:21

    _=

    ="^(?P(\S+\+\+\+\\:\\:\\)\+(?P[^\]+)\+LOGON_EXAMPLE:

    >\+(?P[^\]+)\+(?P[^\]+)\+(?P\IPV4)\+(?P.* .*))$"

    =\_CFG(a,)

    a=a_a($1)

    _=3

    a=$a

    c_=$c

    _=($)

    aa1=$

    aa2=5($)

    aa3=$

    aa4=$_

    [R 04 N U S a]

    # J 14 19:23:28 01 LOGON_EXAMPLE: > ba /3 ca W J 14 19:23

    _=

    ="^(?P(\S+\+\+\+\\:\\:\\)\+(?P[^\]+)\+LOGON_EXAMPLE:

    >\+(?P[^\]+)\+(?P[^\]+)\+(?Pca)\+(?P.* .*))$"

    =\_CFG(a,)a=a_a($1)

    _=3

    a=$a

    c_=127.0.0.1

    _=($)

    aa1=$

    aa2=5($)

    aa3=$

    aa4=$_


    [R 05 U S C IP]

    # J 14 19:26:25 01 LOGON_EXAMPLE: > /2 172.22.22.10 W J 14 19:26 19:26 (00:00)

    _=

    ="^(?P(\S+\+\+\+\\:\\:\\)\+(?P[^\]+)\+LOGON_EXAMPLE:

    >\+(?P[^\]+)\+(?P[^\]+)\+(?P\IPV4)\+(?P.*))$"

    =\_CFG(a,)

    a=a_a($1)

    _=4

    a=$a

    c_=$c

    _=($)

    aa1=$

    aa2=5($)

    aa3=$

    aa4=$_

    [R 06 U S C a]

    # J 14 19:33:56 01 LOGON_EXAMPLE: > /2 ca W J 14 19:33 19:33 (00:00)

    _=

    ="^(?P(\S+\+\+\+\\:\\:\\)\+(?P[^\]+)\+LOGON_EXAMPLE:

    >\+(?P[^\]+)\+(?P[^\]+)\+(?Pca)\+(?P.*))$"

    =\_CFG(a,)

    a=a_a($1)

    _=4

    a=$a

    c_=127.0.0.1

    _=($)

    aa1=$

    aa2=5($)

    aa3=$

    aa4=$_

    [R 07 Rb Dc]

    # J 14 20:15:09 01 LOGON_EXAMPLE: > b b 2.6.31.6 M Ma 24 13:51 20:15 (51+06:23)

    _=

    ="^(?P(\S+\+\+\+\\:\\:\\)\+(?P[ \]+)\+LOGON_EXAMPLE: >b.*))$"

    =\_CFG(a,)

    a=a_a($1)

    _=5

    aa1=5($)

    aa2=$

    aa3=$a

    aa4=$_

    [R 99 Cac a]

    # Wa ' ac ab _=

    ="^(?P(?P\S+\+\+\+\\:\\:\\)\+(?P[^\]+)\+LOGON_EXAMPLE:.*))$"

    =\_CFG(a,)

    a=a_a($a)

    _=99

    aa1=5($)

    aa2=$

    aa3=$_


    5.2.8 Register the Plugin with the OSSIM Agent

    A a.c a ca

    c:# /c//a/c.c

    []

    =/c//a//.c

    a=/c//a//a.c

    =/c//a//.c

    Aa ca b aca :

    c:#

    1) Ca S S

    2) Sc Dc P

    3) Sc a P


    4) Sa & E

    5.2.9 Register the Plugin with the OSSIM Server

    C a SQL c b c

    c://a/c//cb/# c . a.

    G a P ca .

    c:# '^\[' /c//a//a.c

    [R 01 C S O]

    [R 02 C S C]

    [R 03 N U S IP]

    [R 04 N U S a]

    [R 05 U S C IP]

    [R 06 U S C a]

    [R 07 Rb Dc]

    [R 99 Cac a]

    R a a _ SQL a a _ OSSIM . D bca b IP a a a a

    a c b a ca.

    _: 9001

    DELETE FROM WHERE = "9001";

    DELETE FROM _ _ = "9001";

    INSERT INTO (, , a, c) VALUES (9001, 1, 'Ea', 'U ba a ');

    INSERT INTO _ (_, , ca_, ca_, a, , ab) VALUES (9001, 1, NULL, NULL, 'L: S

    c' , 5, 5);

    INSERT INTO _ (_, , ca_, ca_, a, , ab) VALUES (9001, 2, NULL, NULL, 'L: S

    c' , 5, 5);

    INSERT INTO _ (_, , ca_, ca_, a, , ab) VALUES (9001, 3, NULL, NULL, 'L: P

    a' , 3, 5);

    INSERT INTO _ (_, , ca_, ca_, a, , ab) VALUES (9001, 4, NULL, NULL, 'L: P

    a' , 3, 5);

    INSERT INTO _ (_, , ca_, ca_, a, , ab) VALUES (9001, 5, NULL, NULL, 'S b:

    Ra' , 5, 5);

    INSERT INTO _ (_, , ca_, ca_, a, , ab) VALUES (9001, 99, NULL, NULL, 'La: Gc

    a' , 1, 1);

    A ca c c P ID a SID, a ca ca:

    c://a/c//cb/# ca a. b


    5.2.10 Check whether the plugin was successfully registered

    P ID

    P SID

    5.2.11 Restart the OSSIM Server

    c:# /c/./ a

    5.2.12 Restart the OSSIM Agent

    c:# /c/./a a


    5.2.13 Check whether Events and Alarms are received

    E

    Aa