Configuring Data Sources in AlienVault


Get the most from your SIEM! Learn how to configure data sources in a few simple steps.

Published in: Technology


  1. AlienVault Data Sources. OSSIM Made Simple Webinar Series. Joe Schreiber, Solutions Architect
  2. A Note About Data... New analyst, SIEM, logs, events...
  3. Two Types of Data Source (DS) Connectors. DETECTORS: they offer events (Snort, firewalls, antivirus, web servers, OS events...). MONITORS: they offer indicators (Ntop, Tcptrack, Nmap...).
  4. Collection and Flow. What methods can we use to retrieve data?
  5. Normalization... or why do we do this? Raw event: "Authentication Failed for user root from 192.168.2.2 12.02.2009 12:02:21" becomes plugin_id=4003 plugin_sid=2 username=root date="1295472603" src_ip=192.168.2.2. Raw event: "DROP 192.168.1.1 21.2.2.2 Dec 02 2009 12:02:21" becomes plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=21.2.2.2.
  6. Plugin Rules. Rules define the format of each event and how it is normalized. A rule is composed of a regular expression and the list of fields the event will include once it is sent to the AlienVault SIEM or Logger. In some cases a single regular expression will collect every event coming from one application; in other cases more than one rule will be required.
  7. Practical Exercise: Adding SSH logs to OSSIM
  8. Practical Exercise: Adding a Windows machine to OSSIM via OSSEC
  9. Tips and Tricks. Tools you can use: Network: tcpdump, ngrep, etc.; Application: logger. Log files to consult: agent logs.
  10. We Have Events! So what? This is a SIEM, not a logger; we can do more! What can you do with all this data?
  11. Questions?
  12. Want more? Attend OSSIM Made Simple
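As an added example (not from the webinar slides and not AlienVault's own plugin files), here is a toy version of the plugin-rule mechanism described in slides 5 to 7: a rule is a regular expression plus the list of normalized fields to emit, and running SSH log lines through it shows what "normalization" actually produces. The plugin_id 4003 / plugin_sid 2 pairing for a failed login is taken from slide 5; the INI-style rule-file layout is a simplified imitation of the OSSIM agent's format, plugin_sid 1 for accepted logins, the helper names (`normalize_date`, `render`, `PluginRule`, `load_rules`, `normalize`) and the sample auth.log lines are all this example's own constructions.

```python
"""Added example, not from the webinar: a toy re-implementation of the OSSIM
plugin-rule idea from slides 5-7.  A rule is a regular expression plus the
list of normalized fields to emit; constructed SSH log lines are run through
it to show what the SIEM actually stores.  plugin_id 4003 / plugin_sid 2 for
a failed login come from slide 5; the sid for accepted logins, the rule-file
layout and the helper names are this example's own assumptions."""
import configparser
import re
from datetime import datetime, timezone

# Assumed, simplified rule file in the INI style the OSSIM agent uses.  One
# section per rule: `regexp` is the match; every other key is a field of the
# normalized event, with {$name} substituting a named capture group.
RULES_CFG = r"""
[DEFAULT]
plugin_id=4003

[ssh - Failed password]
regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+
plugin_sid=2
date={normalize_date($date)}
sensor={$host}
username={$user}
src_ip={$ip}

[ssh - Accepted login]
regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+
plugin_sid=1
date={normalize_date($date)}
sensor={$host}
username={$user}
src_ip={$ip}
"""

# Constructed sample auth.log lines (not captured from a real host).
SAMPLE_LOG = [
    "Dec  2 12:02:21 bastion sshd[2344]: Failed password for root from 192.168.2.2 port 51122 ssh2",
    "Dec  2 12:02:25 bastion sshd[2344]: Failed password for invalid user admin from 192.168.2.2 port 51130 ssh2",
    "Dec  2 12:03:01 bastion sshd[2350]: Accepted publickey for deploy from 10.0.0.7 port 40002 ssh2",
    "Dec  2 12:03:05 bastion CRON[2360]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# {$group} or {func($group)} inside a field template
TOKEN = re.compile(r"\{(?:(?P<func>\w+)\()?\$(?P<group>\w+)\)?\}")


def normalize_date(text: str, year: int = 2009) -> str:
    """Syslog stamps carry no year, so one is assumed; emit epoch seconds (UTC)
    the way the normalized events on slide 5 do."""
    dt = datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")
    return str(int(dt.replace(tzinfo=timezone.utc).timestamp()))


def render(template: str, match: re.Match) -> str:
    """Expand {$name} / {normalize_date($name)} tokens against a regex match."""
    def expand(tok: re.Match) -> str:
        value = match.group(tok.group("group"))
        func = tok.group("func")
        if func is None:
            return value
        if func == "normalize_date":
            return normalize_date(value)
        raise ValueError(f"unknown template function: {func}")
    return TOKEN.sub(expand, template)


class PluginRule:
    """One rule = regexp + the fields (templates) the normalized event carries."""
    def __init__(self, name: str, section: configparser.SectionProxy):
        self.name = name
        self.plugin_id = int(section["plugin_id"])   # inherited from [DEFAULT]
        self.plugin_sid = int(section["plugin_sid"])
        self.regexp = re.compile(section["regexp"])
        self.fields = {k: v for k, v in section.items()
                       if k not in ("plugin_id", "plugin_sid", "regexp")}

    def match(self, line: str):
        m = self.regexp.search(line)
        if m is None:
            return None
        event = {"plugin_id": self.plugin_id, "plugin_sid": self.plugin_sid}
        event.update((field, render(tmpl, m)) for field, tmpl in self.fields.items())
        return event


def load_rules(cfg_text: str) -> list:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(cfg_text)
    return [PluginRule(name, cp[name]) for name in cp.sections()]


def normalize(lines, rules) -> list:
    """First matching rule wins; lines no rule matches are silently dropped,
    which is exactly what you go looking for when an agent 'eats' events."""
    events = []
    for line in lines:
        for rule in rules:
            event = rule.match(line)
            if event is not None:
                events.append(event)
                break
    return events


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LOG, load_rules(RULES_CFG)):
        print(" ".join(f"{k}={v}" for k, v in ev.items()))
```

Running it prints three normalized events; the CRON line produces nothing because no rule matches it, which is the usual reason an event "never arrives" in the SIEM. When debugging a real plugin, the same technique applies: inject a known line with `logger` (slide 9), then check whether the agent log shows a rule match for it.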
