We just uploaded a snippet written earlier this year; it requires regexp.py and can automatically identify the log type a given IP is sending via syslog.
New section: feature focus. Today: IP reputation and voice control
October 6th, 2011 | Posted by in Blog | Tutorials
Hey all,
today I’m proud to introduce the first voice-controlled SIEM. One step closer to the war against the machines.
I hope to be doing a lot of these and also to be expanding the tutorials with some videos and such.
Any criticism and feedback, be it positive or negative, is welcome. The video quality is a bit bad, I think, and my acting really sucks, but it’s the first one, so hey, what do you expect :-)
We’re proud to announce the immediate availability of our newest release. This release has huge improvements, but the best way to check it out is:
- Check out the slideshare slides.
- Read the release notes.
- Download it!
A quick Saturday update. We just released OSSIM 2.2 with a ton of new features; have a look here. New screenshots and videos are up on AlienVault too.
This release is quite complex, featuring a whole lot of new features as well as a rewrite of old ones. Please don’t hesitate to post on the forums if you have any doubts or catch any bugs.
I know I haven’t been very active on the forums myself (what the heck, I wasn’t able to answer during the last months), but the whole devel team @Alienvault will make an extra effort there too in order to make this the best release we’ve had so far. At a technical level it is, without a doubt.
I myself am very excited: RSA and BSidesSF next week :-))).
Ossim: Using Cisco SDEE Protocol to collect security events
October 29th, 2009 | Posted by in Alienvault OSSIM
We added support for collecting events via the Security Device Event Exchange (SDEE) protocol, which lets us capture events from:
- Cisco Network Prevention Systems (IPS)
- Cisco Network Detection Systems (IDS)
- Cisco Switch IDS
- Cisco IOS routers with Inline Intrusion Prevention System (IPS) functions
- Cisco IDS modules for routers
- Cisco PIX Firewalls
- Cisco Catalyst 6500 Series firewall services modules (FWSMs)
- Cisco Management Center for Cisco security agents
- CiscoWorks Monitoring Center for Security servers
This protocol replaces Remote Data Exchange Protocol (RDEP).
Ossim can collect via SDEE and supports inventory correlation (OS correlation) on the events it receives this way.
Configuration:
- Updating plugin sids with the latest IPS signature update package:
If you have your own update package from your vendor, you can populate the Ossim database with the new signatures.
To update plugin sid information, go to /usr/share/ossim/scripts/:
mac-jaime:scripts$ python createCiscoIPSSidmap.py IOS-S416-CLI.pkg.xml
DELETE FROM plugin WHERE id = "1597";
DELETE FROM plugin_sid where plugin_id = "1597";
INSERT INTO plugin (id, type, name, description) VALUES (1597, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5986, NULL, NULL, 'Cisco-IPS: Microsoft GDI+ GIF Parsing Vulnerability', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5984, NULL, NULL, 'Cisco-IPS: IE COM Object Code Execution', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5985, NULL, NULL, 'Cisco-IPS: Quicktime RTSP Content-Type Excessive Length', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19159, NULL, NULL, 'Cisco-IPS: Green Dam Youth Escort Software Update Check', 1, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19401, NULL, NULL, 'Cisco-IPS: Microsoft Publisher File Parsing Vulnerability', 3, 4);
... ...
This script generates the SQL needed to update the Ossim database. To load it:
mac-jaime:scripts$ python createCiscoIPSSidmap.py IOS-S416-CLI.pkg.xml > sdee.sql
mac-jaime:scripts$ ossim-db < sdee.sql
If you want to update cross-correlation information:
mac-jaime:scripts$ python ciscoIPSOsMap.py IOS-S416-CLI.pkg.xml
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 2156, 3001, 1);
replace into plugin_reference values (1597, 2157, 3001, 3);
replace into plugin_reference values (1597, 2157, 3001, 3);
replace into plugin_reference values (1597, 2157, 3001, 3);
... ...
mac-jaime:scripts$ python ciscoIPSOsMap.py IOS-S416-CLI.pkg.xml > sdee-os.sql
mac-jaime:scripts$ ossim-db < sdee-os.sql
Remember to restart ossim-server so that it reloads its plugin cache; until then the new sids are not known to the server.
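As an added illustration of what the sid-map step produces (this is not OSSIM's createCiscoIPSSidmap.py, and the package XML layout it reads, with <sig sigId="" subSigId=""> elements carrying <sigName> and <severity>, is an assumption made for the example; the real package format must be checked against your vendor file), here is a generator that emits the same plugin/plugin_sid statements shown above. The severity-to-priority mapping is the example's own choice. The one thing it does that a quick script tends to skip is quoting the signature name: the package is vendor data, but a name containing a single quote would otherwise break, or alter, the INSERT you pipe into ossim-db.

```python
# Added example, not OSSIM's createCiscoIPSSidmap.py: generate the plugin /
# plugin_sid SQL shown above from a Cisco IPS signature package.
# ASSUMPTION: the package XML layout used here (<sig sigId="" subSigId="">
# with <sigName> and <severity> children) is invented for the example.
# ASSUMPTION: the severity -> priority mapping is this example's choice.
import xml.etree.ElementTree as ET
from typing import List

PLUGIN_ID = 1597            # the Cisco-IPS plugin id used on this page
DEFAULT_RELIABILITY = 4     # the reliability the page's generated SQL carries

SEVERITY_TO_PRIORITY = {"high": 4, "medium": 3, "low": 2, "informational": 1}


def sql_str(value: str) -> str:
    """Quote a MySQL string literal. Signature names come from a vendor file,
    but they are still untrusted input to the SQL we emit: a name containing
    a single quote or backslash would otherwise break (or alter) the INSERT."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def sidmap_sql(package_xml: str, plugin_id: int = PLUGIN_ID) -> List[str]:
    """Return the SQL statements that replace the plugin's sid table."""
    root = ET.fromstring(package_xml)
    stmts = [
        f'DELETE FROM plugin WHERE id = "{plugin_id}";',
        f'DELETE FROM plugin_sid WHERE plugin_id = "{plugin_id}";',
        "INSERT INTO plugin (id, type, name, description) VALUES "
        f"({plugin_id}, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');",
    ]
    seen = set()
    for sig in root.iter("sig"):
        sid = int(sig.attrib["sigId"])
        if sid in seen:           # subsignatures share a sigId: one row per sid
            continue
        seen.add(sid)
        name = "Cisco-IPS: " + (sig.findtext("sigName") or "").strip()
        severity = (sig.findtext("severity") or "").strip().lower()
        priority = SEVERITY_TO_PRIORITY.get(severity, 3)
        stmts.append(
            "INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, "
            "name, priority, reliability) VALUES "
            f"({plugin_id}, {sid}, NULL, NULL, {sql_str(name)}, "
            f"{priority}, {DEFAULT_RELIABILITY});"
        )
    return stmts


# Constructed sample package: two of the names are those the page's output
# shows; the last one is made up to exercise the quoting.
SAMPLE_PACKAGE = """<signatures>
  <sig sigId="5986" subSigId="0">
    <sigName>Microsoft GDI+ GIF Parsing Vulnerability</sigName>
    <severity>medium</severity>
  </sig>
  <sig sigId="5986" subSigId="1">
    <sigName>Microsoft GDI+ GIF Parsing Vulnerability</sigName>
    <severity>medium</severity>
  </sig>
  <sig sigId="19159" subSigId="0">
    <sigName>Green Dam Youth Escort Software Update Check</sigName>
    <severity>informational</severity>
  </sig>
  <sig sigId="90001" subSigId="0">
    <sigName>Attacker's 'Quoted' Shell</sigName>
    <severity>high</severity>
  </sig>
</signatures>
"""

if __name__ == "__main__":
    # Pipe this into ossim-db exactly as the page does with sdee.sql.
    print("\n".join(sidmap_sql(SAMPLE_PACKAGE)))
```

Run it as python sidmap.py > sdee.sql and load the file with ossim-db as above; the DELETE statements at the top mean the script is safe to re-run after every signature update.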
- Configuring Ossim Agent to collect from SDEE capable device:
Add sdee reference to /etc/ossim/agent/config.cfg
Edit /etc/ossim/agent/plugins/cisco-ips.cfg:
[DEFAULT]
plugin_id=1597

[config]
type=detector
enable=yes
source=sdee
source_ip=
user=
password=
sleep=5
process=
start=no
stop=no
Fill in source_ip, user and password. The password is stored in clear text in this file, so keep it readable only by the user the agent runs as.
Restart the ossim agent and it should begin receiving data from the SDEE device.
- Common problems:
When you begin a session with an SDEE device, it gives you a Subscription ID. If the device closes the connection or you lose connectivity, you sometimes have to close that session before you can continue collecting from the device.
The Ossim Agent does this automatically, but if for some reason it can’t, you have to close the session manually.
The last Subscription ID received is stored in /etc/ossim/agent/sdee_sid.data.
Set your device credentials in /usr/share/ossim/scripts/closeSDEEsession.py and run:
mac-jaime:scripts$ python /usr/share/ossim/scripts/closeSDEEsession.py SubscriptionID
This should close the last session. If you still have problems, run:
mac-jaime:scripts$ grep subs /var/log/ossim/agent.log
to obtain a list of the last Subscription IDs used.
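To make the session lifecycle above concrete, here is an added example of an SDEE open/close round trip with the stale-subscription cleanup the "Common problems" section describes. It is not the OSSIM agent's SDEE collector nor closeSDEEsession.py. The /cgi-bin/sdee-server path and the action, events, force and subscriptionId parameters follow the SDEE specification as I recall it and should be checked against your sensor; DEVICE, USER and PASSWORD are placeholders, and the sensor reply and agent.log excerpt are constructed for the demo.

```python
# Added example, not the OSSIM agent's SDEE collector or closeSDEEsession.py:
# the SDEE subscription lifecycle behind the "Common problems" above.
# ASSUMPTION: the /cgi-bin/sdee-server path and the action/events/force/
# subscriptionId parameters are taken from the SDEE specification as
# remembered; verify them against your sensor. DEVICE, USER and PASSWORD
# are placeholders, and the response and log lines below are constructed.
import base64
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

SDEE_PATH = "/cgi-bin/sdee-server"
DEVICE, USER, PASSWORD = "192.0.2.10", "sdee-reader", "change-me"  # placeholders
SID_FILE = "/etc/ossim/agent/sdee_sid.data"          # path named on this page


def sdee_url(host: str, action: str, **params: str) -> str:
    """Build the request URL for an SDEE open/get/close call."""
    query = urllib.parse.urlencode({"action": action, **params})
    return f"https://{host}{SDEE_PATH}?{query}"


def subscription_id(response_xml: str) -> Optional[str]:
    """Pull the subscription ID out of an SDEE reply, whatever prefix the
    device uses for the sd: namespace (element or attribute form)."""
    root = ET.fromstring(response_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "subscriptionId" and el.text:
            return el.text.strip()
        for key, val in el.attrib.items():
            if key.rsplit("}", 1)[-1] == "subscriptionId":
                return val.strip()
    return None


# Matches "subscription sub-..." and "subscriptionId=sub-..." style log lines
# (the log wording is an assumption; adjust to what your agent.log shows).
SUB_RE = re.compile(r"subscription(?:\s*id)?\W+([A-Za-z0-9][\w.-]*)", re.I)


def stale_subscription_ids(agent_log_lines: Iterable[str],
                           sid_file_text: Optional[str] = None) -> List[str]:
    """IDs worth closing, newest first and without duplicates: what
    `grep subs agent.log` surfaces plus the one persisted in sdee_sid.data."""
    found = [m.group(1) for m in map(SUB_RE.search, agent_log_lines) if m]
    if sid_file_text and sid_file_text.strip():
        found.append(sid_file_text.strip())
    ordered: List[str] = []
    for sid in reversed(found):
        if sid not in ordered:
            ordered.append(sid)
    return ordered


def close_session(host: str, user: str, password: str, sub_id: str,
                  verify_tls: bool = True) -> int:
    """Send action=close for sub_id with HTTP basic auth; returns the status.
    Sensors often ship self-signed certificates: disabling verification must
    be an explicit choice, never the default, or the device credentials can
    be captured by anyone who can spoof the sensor's address."""
    req = urllib.request.Request(sdee_url(host, "close", subscriptionId=sub_id))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status


# Constructed SDEE open reply and agent.log excerpt for the demo below.
SAMPLE_OPEN_RESPONSE = """<sd:events xmlns:sd="http://example.org/2003/08/sdee">
  <sd:subscriptionId>sub-4-1234567890</sd:subscriptionId>
  <sd:missedEvents>false</sd:missedEvents>
</sd:events>"""
SAMPLE_LOG_LINES = [
    "2009-10-29 10:03:11 sdee: opened subscription sub-4-1234567890",
    "2009-10-29 10:08:40 sdee: get failed, subscription sub-4-1234567890 still open",
    "2009-10-29 10:09:02 sdee: opened subscription sub-4-1234567901",
]

if __name__ == "__main__":
    print("open:", sdee_url(DEVICE, "open", events="evIdsAlert", force="yes"))
    print("sensor answered with subscription", subscription_id(SAMPLE_OPEN_RESPONSE))
    for sid in stale_subscription_ids(SAMPLE_LOG_LINES, "sub-4-1234567901"):
        print("to close:", sdee_url(DEVICE, "close", subscriptionId=sid))
    # close_session(DEVICE, USER, PASSWORD, "sub-4-1234567901")  # needs a real sensor
```

Feed stale_subscription_ids() the lines from grep subs /var/log/ossim/agent.log together with the contents of sdee_sid.data and close each ID it returns, newest first; once the sensor accepts a fresh open, the agent can resume collecting.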