AlienVault Creating a Data Source Plugin

May 26, 2018 | Author: AndreaJaneth | Category: Secure Shell, Computer Keyboard, Databases, Command Line Interface, World Wide Web


Short Description

create plugins...

Description

AlienVault Unified Security Management™ Solution Complete. Simple. Affordable

How to create a data source plugin

Copyright© 2014 AlienVault. All rights reserved.

AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.

AlienVault Unified Security Management™ Solution - How to create a data source plugin

CONTENTS

1. INTRODUCTION ........ 4
2. TYPES OF DATA SOURCE PLUGINS ........ 4
   2.1. Detector Plugins ........ 5
   2.2. Monitor Plugins ........ 23
3. HOW TO CREATE A CUSTOM DATA SOURCE PLUGIN ........ 23
   3.1. Exchange Web SMTP server logs ........ 24
   3.2. Creation of the plugin configuration file exchangews.cfg ........ 24
   3.3. Create the database file exchangews.sql ........ 26
   3.4. Activate data source plugins ........ 26
   3.5. Files .local ........ 32
5. HOW TO USE CUSTOM FUNCTION IN DATA SOURCE PLUGINS ........ 33
APPENDIX A - RECOMMENDATIONS BEFORE CREATING A NEW PLUGIN ........ 35
APPENDIX B - LIST OF DATA SOURCE PLUGINS ........ 37
   B.1. Database Plugins ........ 37
   B.2. Log Plugins ........ 37
   B.3. Monitor Plugins ........ 38
   B.4. Remote Plugins ........ 39
   B.5. SDEE Plugins ........ 39
   B.6. WMI Plugins ........ 39

DC-00138

Edition 03

Copyright© 2014 AlienVault. All rights reserved.

Page 3 of 39


1. INTRODUCTION

The objective of this document is to explain how to create plugins supported by AlienVault USM.

A plugin is a software component that adds a specific feature to AlienVault USM. Plugins are used to improve the collection capabilities of the AlienVault Sensors and to tell the system how to understand and collect the events generated by each application and device. Sensors receive events from remote hosts using Syslog, WMI or other protocols. The sensors use the Collection Plugins (also called Data Source connectors) in order to support the maximum possible number of applications and devices.

Any system that consumes logs needs a parser to read those logs and extract information from them into standard information fields (username, IP addresses, etc.). AlienVault does this via an Agent plugin that defines how to collect events from the application or device, as well as how events should be normalized before they are sent to the AlienVault USM central Server. Log normalization is essentially breaking a log message down into common fields.

A plugin must be enabled in order to tell the system that it must collect the events generated by an application or device. Plugins may be pre-configured by AlienVault or defined by users. AlienVault plugins are text configuration files with the extension *.cfg. These files are located in /etc/ossim/agent/plugins in the Sensor's file system.

2. TYPES OF DATA SOURCE PLUGINS

There are two types: monitor and detector.

Detector. These plugins receive log information and extract events from it. They process text log information from log files created by the RSyslog collection system, and from log data retrieved from remote systems via one of the remote collection protocols, such as SDEE and SFTP. These plugins can be:

- Database. They monitor a file in external databases.
- Logs. They monitor a file, usually receiving data through syslog.
- Remote Logs. They monitor a file in a remote appliance.
- SDEE (Security Device Event Exchange). Cisco device logs.
- WMI (Windows Management Instrumentation). They collect Microsoft Windows events and data remotely, in an agent-less way.

Monitor. These plugins request information from systems, checking the status of the things they monitor at the time of the request. They generate text logs that are fed into syslog like normal logs, and they are often used to correlate log events into alarms by matching events against the current status of systems.
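As an added illustration (not code from the AlienVault document or from the OSSIM agent), the following Python sketch shows what the detector-plugin normalization described in sections 1 and 2 amounts to: a small *.cfg in the agent's INI layout whose rule section carries a regexp with named groups, applied to constructed syslog lines to produce events with standard fields. The .cfg text and the log lines are constructed, and the rule keys used (regexp, plugin_sid, {$group} field templates) are assumptions about the format rather than values taken from this page.

```python
import configparser
import re
# Constructed minimal detector plugin in the OSSIM *.cfg layout (INI file with
# [DEFAULT], [config] and one section per parsing rule). The rule keys used here
# (regexp, plugin_sid, {$group} field templates) are assumptions, not from the page.
PLUGIN_CFG = r"""[DEFAULT]
plugin_id=9001
[config]
type=detector
enable=yes
source=log
[ssh-failed-password]
regexp=(?P<date>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssshd\[\d+\]:\sFailed password for (?P<user>\S+) from (?P<src>[\d.]+)
plugin_sid=1
username={$user}
src_ip={$src}
"""

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Mar 10 12:01:02 bastion sshd[1234]: Failed password for root from 192.0.2.10 port 4444 ssh2",
    "Mar 10 12:01:05 bastion sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 5555 ssh2",
]

def load_rules(cfg_text):
    # Returns (plugin_id, [(rule name, compiled regexp, plugin_sid, {field: template})]).
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    plugin_id = cp.getint("DEFAULT", "plugin_id")
    rules = []
    for name in cp.sections():
        if name == "config":
            continue  # collection settings, not a parsing rule
        sec = cp[name]
        fields = {k: v for k, v in sec.items() if k not in ("regexp", "plugin_sid", "plugin_id")}
        rules.append((name, re.compile(sec["regexp"]), sec.getint("plugin_sid"), fields))
    return plugin_id, rules

def normalize(line, plugin_id, rules):
    # First matching rule wins; {$name} in a field template is replaced by that named group.
    for name, rx, sid, fields in rules:
        m = rx.search(line)
        if m is None:
            continue
        event = {"plugin_id": plugin_id, "plugin_sid": sid, "rule": name}
        for field, template in fields.items():
            event[field] = re.sub(r"\{\$(\w+)\}", lambda g: m.group(g.group(1)), template)
        return event
    return None  # no rule matched: the line is not an event for this plugin
```

Lines that no rule matches are dropped, which is why a plugin needs one rule per message shape it is expected to turn into an event.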

2.1. Detector Plugins

2.1.1. DATABASE PLUGINS

It is easier to understand how this type of plugin works by means of an example:
