Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Configuring Data Sources in AlienVault

AlienVault
AlienVault

This document discusses data sources in AlienVault OSSIM. There are two types of data source connectors: detectors, which provide event data from systems like firewalls and antivirus software, and monitors, which provide indicators from tools like Ntop and Nmap. It describes how OSSIM normalizes data through plugins and rules to extract fields from raw logs and events. The document provides a practical exercise on adding SSH logs to OSSIM and connecting a Windows machine via OSSEC. It encourages using the collected data in a SIEM for security information and event management rather than just logging.

1 of 12
AlienVault Data Sources OSSIM Made Simple Webinar Series Joe Schreiber Solutions Architect
A Note About Data… New Analyst SIEM Logs, Events...
Two Types of DS Connectors DETECTORS: They offer events (Snort, Firewalls, Antivirus, Web servers, OS events..) MONITORS: They offer indicators (Ntop, Tcptrack, Nmap...)
Collection and Flow What methods can we use to retrieve data ?
Normalization ...or why do we do this? plugin_id=4003 plugin_sid=2 username=root date="1295472603" Authentication Failed for user root from src_ip=192.168.2.2 192.168.2.2 12.02.2009 12:02:21 DROP 192.168.1.1 21.2.2.2 Dec 02 2009 12:02:21 plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=21.2.2.2
Plugins Rules Rules define the format of each event and how they are normalized It is composed by a regular expression and the list of fields that the event will include when once it is sent to the AlienVault SIEM or Logger In some cases only one regular expression will collect every event coming from one application, in some other cases more than one rule will be required
Practical Exercise Adding SSH logs to OSSIM
Practical Exercise Adding a Windows Machine to OSSIM via OSSEC +
Tips and Tricks Tools you can use Network • tcpdump, ngrep, etc.. Application • logger Log files to consult Agent logs
We Have Events! So what? This is a SIEM not a logger - we can do more! What can you do with all this data?
Questions?
Want more? Attend OSSIM Made Simple

More Related Content

Configuring Data Sources in AlienVault

  • 1. AlienVault Data Sources OSSIM Made Simple Webinar Series Joe Schreiber Solutions Architect
  • 2. A Note About Data… New Analyst SIEM Logs, Events...
  • 3. Two Types of DS Connectors DETECTORS: They offer events (Snort, Firewalls, Antivirus, Web servers, OS events..) MONITORS: They offer indicators (Ntop, Tcptrack, Nmap...)
  • 4. Collection and Flow What methods can we use to retrieve data ?
  • 5. Normalization ...or why do we do this? plugin_id=4003 plugin_sid=2 username=root date="1295472603" Authentication Failed for user root from src_ip=192.168.2.2 192.168.2.2 12.02.2009 12:02:21 DROP 192.168.1.1 21.2.2.2 Dec 02 2009 12:02:21 plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=21.2.2.2
  • 6. Plugins Rules Rules define the format of each event and how they are normalized It is composed by a regular expression and the list of fields that the event will include when once it is sent to the AlienVault SIEM or Logger In some cases only one regular expression will collect every event coming from one application, in some other cases more than one rule will be required
  • 7. Practical Exercise Adding SSH logs to OSSIM
  • 8. Practical Exercise Adding a Windows Machine to OSSIM via OSSEC +
  • 9. Tips and Tricks Tools you can use Network • tcpdump, ngrep, etc.. Application • logger Log files to consult Agent logs
  • 10. We Have Events! So what? This is a SIEM not a logger - we can do more! What can you do with all this data?
  • 12. Want more? Attend OSSIM Made Simple