OSSIM Plugin Development in Practice
Because the logs generated by existing security devices do not share a uniform format, they cannot be correlated directly. OSSIM therefore collects logs from heterogeneous security devices through plugin-based filters (parsers), and writing OSSIM plugins is an essential skill for a developer. The process is explained in detail below.
First, the plugin configuration steps
Having read the description above, everyone understands how logs are collected; the next step is to create the plugin itself. The steps are as follows:
(1) Create a new plugin file. Usually you copy an existing plugin configuration file and modify its contents to fit the log format of the new application.
(2) Define a generic rule. This is the last rule to be evaluated; it captures every event that none of the specific rules matched, so those events are still collected even though they cannot be classified further.
(3) Remove noise. OSSIM can exclude unrelated event subtypes that are considered noise; put simply, the massive volume of duplicate alarms produced by IDS/IPS and similar security devices is noise.
(4) Register the plugin with the OSSIM agent. For the agent to send the plugin's events to the OSSIM server, the plugin's path must be specified in the agent configuration file; this is what activates the plugin.
(5) Register the plugin with the OSSIM server. For the server to know the priority and reliability values of the plugin's events, the plugin must also be registered on the server side.
(6) Activate the plugin on the server side by restarting the OSSIM server process:
#/etc/init.d/ossim-server restart
(7) Activate the plugin on the agent side by restarting the OSSIM agent process:
#/etc/init.d/ossim-agent restart
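To make steps (1) to (3) concrete, here is an added example (my own, not code from the original post or from the OSSIM project). It embeds a constructed plugin file written in the [config]/rule-section layout of an OSSIM agent plugin (/etc/ossim/agent/plugins/*.cfg), applies its rules to a few constructed log lines in file order so that the generic rule only fires when no specific rule matched, drops verbatim duplicate alarms as noise, and reports which rules can never fire, which is what happens when the catch-all is not the last section. The plugin_id 9001, the "myexample" log format, the field names and the sample lines are all assumptions; OSSIM's real agent performs additional normalisation (dates, hostname resolution) that is not modelled here.

```python
import configparser
import re

# Constructed plugin file (not from OSSIM); plugin_id, log format and
# field names are assumptions made for this example.
PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=9001

[config]
type=detector
enable=yes
source=log
location=/var/log/myexample.log

[myexample-login-failed]
event_type=event
regexp="(\S+ +\d+ \d+:\d+:\d+) (\S+) myexample\[\d+\]: login failed for (\S+) from (\S+)"
date={$1}
sensor={$2}
plugin_sid=1
username={$3}
src_ip={$4}

[myexample-login-ok]
event_type=event
regexp="(\S+ +\d+ \d+:\d+:\d+) (\S+) myexample\[\d+\]: login ok for (\S+) from (\S+)"
date={$1}
sensor={$2}
plugin_sid=2
username={$3}
src_ip={$4}

[myexample-generic]
event_type=event
regexp="(\S+ +\d+ \d+:\d+:\d+) (\S+) myexample\[\d+\]: (.*)"
date={$1}
sensor={$2}
plugin_sid=9999
userdata1={$3}
"""

# Constructed log lines; the third is a verbatim repeat of the second.
SAMPLE_LOG = [
    "Apr 10 10:00:01 sensor1 myexample[123]: login failed for root from 10.0.0.5",
    "Apr 10 10:00:02 sensor1 myexample[123]: login failed for root from 10.0.0.5",
    "Apr 10 10:00:02 sensor1 myexample[123]: login failed for root from 10.0.0.5",
    "Apr 10 10:00:09 sensor1 myexample[123]: login ok for admin from 10.0.0.7",
    "Apr 10 10:00:15 sensor1 myexample[123]: config reloaded",
]

_GROUP_REF = re.compile(r"\{\$(\d+)\}")  # {$n} refers to regexp group n


def load_rules(cfg_text):
    """Return (plugin_id, rules); rules keep the section order of the file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    rules = []
    for section in cp.sections():
        if section == "config" or cp.get(section, "event_type", fallback="") != "event":
            continue
        fields = dict(cp.items(section))  # also carries plugin_id from [DEFAULT]
        pattern = re.compile(fields.pop("regexp").strip('"'))
        fields.pop("event_type")
        rules.append((section, pattern, fields))
    return int(cp.defaults()["plugin_id"]), rules


def build_event(rule_name, match, fields):
    """Expand every {$n} reference against the regexp capture groups."""
    event = {"rule": rule_name}
    for key, template in fields.items():
        event[key] = _GROUP_REF.sub(lambda m: match.group(int(m.group(1))), template)
    return event


def parse_log(rules, lines):
    """First matching rule wins, so the generic rule must be the last section."""
    events = []
    for line in lines:
        for rule_name, pattern, fields in rules:
            m = pattern.search(line)
            if m:
                events.append(build_event(rule_name, m, fields))
                break
    return events


def drop_noise(events):
    """Step (3): a verbatim repeat of an alarm adds nothing; keep the first copy."""
    seen, kept = set(), []
    for ev in events:
        key = tuple(sorted(ev.items()))
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept


def unreachable_rules(rules, lines):
    """Check for step (2): rules that never fire on the sample, typically because
    a catch-all placed earlier in the file already swallowed every line."""
    fired = {ev["rule"] for ev in parse_log(rules, lines)}
    return [name for name, _, _ in rules if name not in fired]


if __name__ == "__main__":
    plugin_id, rules = load_rules(PLUGIN_CFG)
    for ev in drop_noise(parse_log(rules, SAMPLE_LOG)):
        print(plugin_id, ev["plugin_sid"], ev["rule"], ev.get("src_ip", ""))
    print("unreachable:", unreachable_rules(rules, SAMPLE_LOG))
```

Running it yields four events from five lines (one duplicate dropped) with plugin_sid 1, 1, 2 and 9999; reversing the rule list, which puts the generic rule first, makes both specific rules unreachable, which is exactly the mistake step (2) warns about.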
Second, Plugin Import
Suppose there is an exported SQL file containing executable SQL statements. For example, if the MySQL database was backed up to a test.sql file, it can be restored as follows:
#mysql < test.sql
You can also load the SQL file from the MySQL prompt with the SOURCE command. But how do you restore a SQL file that is compressed? Do you have to unzip it before loading it? Not necessarily; for example:
#gunzip -c test.sql.gz | mysql
After installation, OSSIM imports its plugins with statements of this kind: the plugin SQL files are placed in the /usr/share/doc/ossim-mysql/contrib/plugins/ directory with the extension .sql.gz. Decompress a .sql.gz file with gunzip, then import the SQL into the database with "ossim-db < file.sql" (ossim-db is OSSIM's wrapper around the mysql client, preconfigured with the OSSIM database credentials). Perhaps you only want to restore a single table (such as the asset table):
#grep 'INSERT INTO `asset`' test.sql | mysql test
Or, if the file is compressed:
#gunzip -c test.sql.gz | grep 'INSERT INTO `asset`' | mysql test
Note: test is the name of the target database. Once MySQL has finished loading the data, gunzip exits automatically.
Following the plugin-registration material in chapter 7 of "Open Source Security Operations Platform: OSSIM Best Practices", we edit /etc/ossim/agent/config.cfg and add the plugin under the [plugins] section, as shown below.
myexample=/etc/ossim/agent/plugins/myexample.cfg
Finally, open the ossim-setup configuration program and select: Configure Sensor → Select data sources; find the myexample plugin in the list, select it, then save and exit.
When you see the information above, the plugin has been added successfully; restart the services for the change to take effect.
#/etc/init.d/ossim-server restart    // restart the OSSIM server
#/etc/init.d/ossim-agent restart     // restart the OSSIM agent
Finally, you can view the logs collected by the plugin under the SIEM console. To give everyone a more intuitive picture, a fifteen-minute video walkthrough on the latest version of OSSIM is provided.
Video Address: http://edu.51cto.com/index.php?do=lesson&id=99668
This article is from the "Lee Chenguang Original Technology Blog"; please keep this source when reposting: http://chenguang.blog.51cto.com/350944/1769287