Hola Aecio,

I wrote an updated howto for writing a plugin. Check it out and if you have questions, post and I will update it. It's a very simple plugin that does pattern matching on a log file.

http://www.ossim.net/dokuwiki/doku.php?id=architecture:plugin_writing

If you follow my howto, you should be able to generate events that feed into the correlation engine.

At the moment, I am investigating the correlation engine and attempting to create a simple directive that I can trigger with my events. Once I do, this will verify a powerful feature within OSSIM. I think what you are referring to is very possible.

Once you install OSSIM, you will find the page detailing how directives are constructed along with existing directives. One of the easier directives to trip is the arpwatch one.

http://192.168.1.120/ossim/
Correlation -> Directives

These directives are stored in an XML file. The file that comes with OSSIM right now seems to have some errors in it when I open it in Firefox or XML Copy Editor on Ubuntu.

/etc/ossim/server
generic.xml

Outside of the directives there is also Policy -> Hosts. I am not completely sure what all the attributes mean, but I found with arpwatch that if I have a host with a certain asset number it will trigger an alarm when the MAC address changes for that host. See this message from Dominique regarding the correlation engine.

http://sourceforge.net/mailarchive/message.php?msg_name=18EBBE25-C8F8-46CC-BA17-B6A3897BEF9A%40ossim.net

There are a couple of older documents that might be of use too.

http://www.ossim.net/docs/A_Practice_for_Ossim.pdf
http://www.ossim.net/docs/correlation_engine_explained_rpc_dcom_example.pdf
http://www.ossim.net/docs/correlation_engine_explained_worm_example.pdf

brian
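As an added illustration of the two pieces Brian describes above, a log pattern-matching plugin feeding events into a directive that alarms on a MAC change for a host with a high enough asset value, here is a small Python sketch written for this page; it is not OSSIM's own plugin or directive format or code. The arpwatch-style log lines, the plugin_sid numbers, the asset table and the asset threshold are all constructed assumptions.

```python
import re

# Constructed arpwatch-style syslog lines (sample input, not taken from OSSIM or the page).
SAMPLE_LOG = """\
Sep 18 10:31:02 sensor arpwatch: new station 192.168.1.50 0:16:3e:aa:bb:cc
Sep 18 10:32:17 sensor arpwatch: changed ethernet address 192.168.1.120 0:16:3e:11:22:33 (0:16:3e:44:55:66)
Sep 18 10:33:40 sensor arpwatch: changed ethernet address 192.168.1.77 0:16:3e:77:88:99 (0:16:3e:ab:cd:ef)
Sep 18 10:34:01 sensor arpwatch: flip flop 192.168.1.120 0:16:3e:44:55:66 (0:16:3e:11:22:33)
"""

# Hypothetical plugin rules: one regexp per event type, in the spirit of
# "pattern matching on a log file". The plugin_sid numbers are made up.
RULES = [
    (re.compile(r"arpwatch: new station (?P<ip>\S+) (?P<mac>\S+)"), 1, "new station"),
    (re.compile(r"arpwatch: changed ethernet address (?P<ip>\S+) (?P<mac>\S+) \((?P<old>\S+)\)"),
     2, "changed ethernet address"),
    (re.compile(r"arpwatch: flip flop (?P<ip>\S+) (?P<mac>\S+) \((?P<old>\S+)\)"), 3, "flip flop"),
]

# Hypothetical Policy -> Hosts table: asset value per host (0..5 scale assumed here).
HOST_ASSET = {"192.168.1.120": 5, "192.168.1.77": 1}


def parse_events(log_text):
    """Turn each matching log line into an event dict; lines matching no rule are dropped."""
    events = []
    for line in log_text.splitlines():
        for regexp, sid, name in RULES:
            m = regexp.search(line)
            if m:
                ev = {"plugin_sid": sid, "name": name}
                ev.update(m.groupdict())
                events.append(ev)
                break
    return events


def mac_change_alarms(events, min_asset=3):
    """Directive: alarm on a MAC change (sid 2 or 3) for a host whose asset value
    is at least min_asset. Hosts missing from the table count as asset 0."""
    alarms = []
    for ev in events:
        if ev["plugin_sid"] in (2, 3) and HOST_ASSET.get(ev["ip"], 0) >= min_asset:
            alarms.append((ev["ip"], ev["old"], ev["mac"]))
    return alarms


if __name__ == "__main__":
    for ip, old, new in mac_change_alarms(parse_events(SAMPLE_LOG)):
        print("ALARM: %s changed MAC %s -> %s" % (ip, old, new))
```

Only the high-asset host (192.168.1.120) raises alarms; the low-asset host's MAC change produces an event but no alarm.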
On Tue, Sep 18, 2007 at 10:30:06AM -0400, Aecio Neto wrote:
> Hello all.
>
> I was wondering about using OSSIM to deploy some correlation rules (to be created) not related to networking events only.
> A customer would like to use the correlation engine to trigger events related to application behavior and according to some business rules.
>
> Due to this I am aware that some new plugins would have to be created to generate some required events.
> Also, many correlation rules would have to be built.
>
> I know this topic is too generic, but I don't have many details about what would be built for correlation.
>
> As far as I know now, it would be necessary to code some business rules (correlation) about:
> - application servers
> - web servers
> - sql servers (oracle, mysql)
>
> Let me know your ideas about this topic.
>
> Regards.
>
--
Brian Lavender
http://www.brie.com/brian/