Configuring Data Sources in AlienVault

Get the most from your SIEM! Learn how to configure data sources in a few simple steps.

    Presentation Transcript

    • AlienVault Data Sources. OSSIM Made Simple Webinar Series. Joe Schreiber, Solutions Architect
    • A Note About Data… New Analyst SIEM Logs, Events...
    • Two Types of DS Connectors. DETECTORS provide events (Snort, firewalls, antivirus, web servers, OS events...). MONITORS provide indicators (Ntop, Tcptrack, Nmap...).
    • Collection and Flow. What methods can we use to retrieve data?
    • Normalization ...or why do we do this? Raw log lines from different sources are turned into events with a common set of fields:
      Raw: Authentication Failed for user root from 192.168.2.2
      Normalized: plugin_id=4003 plugin_sid=2 username=root date="1295472603" src_ip=192.168.2.2
      Raw: 12.02.2009 12:02:21 DROP 192.168.1.1 21.2.2.2 (the same kind of firewall line is also seen with the timestamp written as Dec 02 2009 12:02:21)
      Normalized: plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=21.2.2.2
    • Plugin Rules. Rules define the format of each event and how it is normalized. A rule consists of a regular expression and the list of fields the event will carry once it is sent to the AlienVault SIEM or Logger. In some cases a single regular expression will collect every event coming from an application; in other cases more than one rule is required.
    • Practical Exercise: Adding SSH logs to OSSIM
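The following is an added example, not code from the presentation or from AlienVault, that shows the two slides above end to end: a plugin definition in the agent's .cfg style (one regexp per rule plus the field templates), applied to a few constructed /var/log/auth.log lines, producing normalized key=value events like the ones on the normalization slide. plugin_id 4003 is the ssh plugin id shown on the slide; the plugin_sid numbers, the regexps, the hostnames and addresses in the sample lines, and the normalize_date helper are assumptions made for the example.

```python
"""OSSIM-style log normalization (added example, not AlienVault code).

A plugin definition in the agent's .cfg format is parsed, each rule's regexp
is tried against raw syslog lines, and the captured groups fill the field
templates ({$N}, {normalize_date($N)}) to produce normalized events.
"""
import configparser
import re
from datetime import datetime

# Constructed plugin definition. plugin_id 4003 is the ssh plugin id shown on
# the slide; the plugin_sid numbers, regexps and log path are assumptions.
SSH_PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=4003

[config]
type=detector
source=log
location=/var/log/auth.log

[ssh - Failed password]
event_type=event
regexp="(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+sshd\[\d+\]:\s+Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)"
date={normalize_date($1)}
device={$2}
plugin_sid=2
username={$3}
src_ip={$4}

[ssh - Accepted login]
event_type=event
regexp="(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+sshd\[\d+\]:\s+Accepted (?:password|publickey) for (\S+) from (\S+) port (\d+)"
date={normalize_date($1)}
device={$2}
plugin_sid=1
username={$3}
src_ip={$4}
"""

# Constructed sample of auth.log lines (hostname and addresses made up).
SAMPLE_LOG = [
    "Dec  2 12:02:21 bastion sshd[2214]: Failed password for root from 192.168.2.2 port 50122 ssh2",
    "Dec  2 12:02:30 bastion sshd[2214]: Failed password for invalid user admin from 192.168.2.2 port 50123 ssh2",
    "Dec  2 12:03:05 bastion sshd[2220]: Accepted publickey for joe from 10.0.0.5 port 41002 ssh2",
    "Dec  2 12:03:06 bastion sshd[2220]: pam_unix(sshd:session): session opened for user joe by (uid=0)",
]

# Matches {$3} and {normalize_date($1)} placeholders inside a field template.
PLACEHOLDER = re.compile(r"\{(?:(?P<func>\w+)\()?\$(?P<n>\d+)\)?\}")


def normalize_date(text, year=None):
    """Turn a syslog timestamp (which carries no year) into epoch seconds."""
    year = year or datetime.now().year  # syslog omits the year: assume current
    parsed = datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")
    return str(int(parsed.timestamp()))


TEMPLATE_FUNCS = {"normalize_date": normalize_date}


def load_rules(cfg_text):
    """Return [(rule name, compiled regexp, {field: template})] from a .cfg."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(cfg_text)
    rules = []
    for section in cp.sections():
        if cp.get(section, "event_type", fallback=None) != "event":
            continue                      # [config] and other non-rule sections
        fields = dict(cp.items(section))  # includes plugin_id from [DEFAULT]
        fields.pop("event_type")
        regexp = fields.pop("regexp").strip('"')
        rules.append((section, re.compile(regexp), fields))
    return rules


def normalize(line, rules):
    """Apply the first matching rule to a raw line; None if no rule matches."""
    for _name, pattern, fields in rules:
        match = pattern.search(line)
        if not match:
            continue

        def expand(ph):
            value = match.group(int(ph.group("n")))
            func = ph.group("func")
            return TEMPLATE_FUNCS[func](value) if func else value

        return {key: PLACEHOLDER.sub(expand, tpl) for key, tpl in fields.items()}
    return None


def normalize_all(lines, rules):
    """Normalize every line; return (events, number of unparsed lines)."""
    events, unmatched = [], 0
    for line in lines:
        event = normalize(line, rules)
        if event is None:
            unmatched += 1  # the real agent reports these in its own log
        else:
            events.append(event)
    return events, unmatched


def to_kv(event):
    """Render an event in the key=value form used on the slide."""
    head = ["plugin_id", "plugin_sid"]
    order = head + [k for k in event if k not in head]
    return " ".join(f"{k}={event[k]}" for k in order)


if __name__ == "__main__":
    rules = load_rules(SSH_PLUGIN_CFG)
    events, unmatched = normalize_all(SAMPLE_LOG, rules)
    for event in events:
        print(to_kv(event))
    print(f"{unmatched} line(s) matched no rule")
```

The fourth sample line (a pam_unix session message) matches neither rule and is counted rather than silently dropped; when a data source "produces no events", that count is usually the first thing to look at, because it tells you whether the agent is reading the file at all or the regexp simply does not fit the vendor's format.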
    • Practical Exercise: Adding a Windows Machine to OSSIM via OSSEC
    • Tips and Tricks. Tools you can use: Network: tcpdump, ngrep, etc. Application: logger. Log files to consult: agent logs.
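An added example, not from the presentation or from AlienVault, of the check the tips slide points at: emit a test event the way logger(1) formats it, receive it on a UDP collector, and decode the PRI byte so facility and severity can be confirmed before the plugin is blamed. The collector here is a loopback socket on an ephemeral port so the script runs unprivileged; a real sensor listens on UDP/514. The hostname, tag and message text are constructed.

```python
"""Syslog collection-path check (added example, not AlienVault code)."""
import socket
from datetime import datetime

# RFC 3164 facility and severity codes (subset).
FACILITY = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "authpriv": 10,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def build_syslog(facility, severity, hostname, tag, msg, when=None):
    """Format a BSD syslog (RFC 3164) packet: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space padded
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"


def decode_pri(packet):
    """Split a syslog packet into (facility name, severity name, rest)."""
    if not packet.startswith("<") or ">" not in packet[:5]:
        raise ValueError("no PRI field: not a syslog packet")
    end = packet.index(">")
    pri = int(packet[1:end])
    fac = {v: k for k, v in FACILITY.items()}.get(pri // 8, str(pri // 8))
    sev = {v: k for k, v in SEVERITY.items()}[pri % 8]
    return fac, sev, packet[end + 1:]


def send_and_capture(packet, host="127.0.0.1", timeout=2.0):
    """Send one packet to a throwaway UDP collector; None if nothing arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind((host, 0))  # ephemeral port here; a sensor uses 514
        collector.settimeout(timeout)
        port = collector.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(packet.encode(), (host, port))
        try:
            data, _peer = collector.recvfrom(2048)
        except socket.timeout:
            return None  # the failure mode you then chase with tcpdump/ngrep
    return data.decode()


def check_path():
    """End to end: emit a test auth event and decode what the collector got."""
    packet = build_syslog("auth", "info", "bastion", "ossim-test",
                          "Failed password for root from 192.168.2.2 port 50122 ssh2")
    received = send_and_capture(packet)
    if received is None:
        return None
    return decode_pri(received)


if __name__ == "__main__":
    result = check_path()
    print("nothing arrived at the collector" if result is None else result)
```

On a real deployment the same check is `logger -p auth.info -t ossim-test "..."` on the source host and `tcpdump -ni any udp port 514` (or `ngrep -d any -W byline port 514`) on the sensor: if the packet shows up on the wire but no event appears, the problem is in the plugin rule or the agent; if it never arrives, the problem is forwarding, routing or a firewall in between.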
    • We Have Events! So what? This is a SIEM, not a logger: we can do more. What can you do with all this data?
    • Questions?
    • Want more? Attend OSSIM Made Simple