AlienVault Data Sources
OSSIM Made Simple Webinar Series
Joe Schreiber, Solutions Architect
A Note About Data… New Analyst SIEM Logs, Events...
Two Types of DS Connectors
DETECTORS: They offer events (Snort, Firewalls, Antivirus, Web servers, OS events...)
MONITORS: They offer indicators (Ntop, Tcptrack, Nmap...)
Collection and Flow
What methods can we use to retrieve data?
Normalization ...or why do we do this?

Raw event:  Dec 02 2009 12:02:21 Authentication Failed for user root from 188.8.131.52
Normalized: plugin_id=4003 plugin_sid=2 username=root date="1295472603" src_ip=192.168.2.219

Raw event:  12.02.2009 12:02:21 DROP 192.168.1.1 184.108.40.206
Normalized: plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=220.127.116.11
Plugins: Rules
Rules define the format of each event and how it is normalized. A rule is composed of a regular expression and the list of fields that the event will include once it is sent to the AlienVault SIEM or Logger. In some cases a single regular expression will collect every event coming from one application; in other cases more than one rule will be required.
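The following is an added example, not code from the webinar or from AlienVault: a small normalizer that reads plugin rules written in the style of an OSSIM agent plugin .cfg (a [DEFAULT] plugin_id, a [config] section, and one section per rule holding a regexp plus field templates that reference capture groups as {$n} or {func($n)}) and applies them to the two raw log lines from the Normalization slide. The plugin_id/plugin_sid pairs (4003/2 and 4503/21) are the ones on the slides; the rule names, regular expressions, log file paths, the assumed US-style mm.dd.yyyy reading of the firewall timestamp, and the sample IP addresses are constructed for this example.

```python
"""Normalize raw log lines into AlienVault/OSSIM-style events using
plugin rules written in the agent's .cfg syntax (constructed example)."""
import calendar
import configparser
import re
from datetime import datetime

# Two constructed plugin definitions. plugin_id/plugin_sid come from the
# slides; rule names, regexps and file locations are assumptions.
PLUGIN_CFGS = [
    r"""
[DEFAULT]
plugin_id=4003

[config]
type=detector
source=log
location=/var/log/auth.log

[ssh-auth-failed]
regexp="(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) Authentication Failed for user (\S+) from (\d+\.\d+\.\d+\.\d+)"
plugin_sid=2
date={normalize_date($1)}
username={$2}
src_ip={$3}
""",
    r"""
[DEFAULT]
plugin_id=4503

[config]
type=detector
source=log
location=/var/log/firewall.log

[fw-drop]
regexp="(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) DROP (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
plugin_sid=21
date={normalize_date($1)}
src_ip={$2}
dst_ip={$3}
""",
]

# Timestamp layouts normalize_date() understands (assumed; the firewall line
# is read as US-style mm.dd.yyyy so both samples describe the same instant).
DATE_FORMATS = ("%b %d %Y %H:%M:%S", "%m.%d.%Y %H:%M:%S")
# {$2} or {normalize_date($1)} -> optional function name plus group number
TEMPLATE_RE = re.compile(r"\{(?:(?P<func>\w+)\()?\$(?P<group>\d+)\)?\}")
FIELD_KEYS = ("plugin_sid", "date", "username", "src_ip", "dst_ip")


def normalize_date(text):
    """Convert a human-readable timestamp into a UTC epoch string."""
    for fmt in DATE_FORMATS:
        try:
            return str(calendar.timegm(datetime.strptime(text, fmt).timetuple()))
        except ValueError:
            continue
    raise ValueError("unrecognised date format: %r" % text)


FUNCS = {"normalize_date": normalize_date}


def load_rules(cfg_text):
    """Return (plugin_id, [(rule_name, compiled_regexp, {field: template})])."""
    cp = configparser.RawConfigParser()      # no % interpolation of values
    cp.read_string(cfg_text)
    plugin_id = cp.defaults()["plugin_id"]   # inherited from [DEFAULT]
    rules = []
    for section in cp.sections():
        if not cp.has_option(section, "regexp"):
            continue                         # [config] is agent metadata, not a rule
        regexp = re.compile(cp.get(section, "regexp").strip('"'))
        fields = {k: cp.get(section, k) for k in FIELD_KEYS if cp.has_option(section, k)}
        rules.append((section, regexp, fields))
    return plugin_id, rules


def render(template, match):
    """Expand {$n} / {func($n)} references against a regexp match object."""
    def sub(m):
        value = match.group(int(m.group("group")))
        return FUNCS[m.group("func")](value) if m.group("func") else value
    return TEMPLATE_RE.sub(sub, template)


def normalize(line, plugins):
    """Try every rule of every plugin; return the first normalized event or None."""
    for plugin_id, rules in plugins:
        for _name, regexp, fields in rules:
            m = regexp.search(line)
            if m:
                event = {"plugin_id": plugin_id}
                event.update({k: render(v, m) for k, v in fields.items()})
                return event
    return None


PLUGINS = [load_rules(c) for c in PLUGIN_CFGS]

# Constructed raw lines shaped like the two samples on the slide.
SAMPLE_LOGS = [
    "Dec 02 2009 12:02:21 Authentication Failed for user root from 192.168.2.219",
    "12.02.2009 12:02:21 DROP 192.168.1.1 192.168.1.254",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        ev = normalize(raw, PLUGINS)
        print(raw, "->", " ".join("%s=%s" % kv for kv in ev.items()))
```

Two different timestamp layouts and two different message shapes come out as the same key=value vocabulary, which is the point of the normalization slide: once every detector's events carry plugin_id, plugin_sid, date and src_ip, the SIEM can correlate a firewall drop with an authentication failure without knowing either product's native format. A line that no rule matches returns None, which in practice is what you would count and review to find plugins that need an additional rule.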