
AlienVault Plugin Documentation

AUTHOR: Blueliv
DATE: April 16, 2015
Restricted access document

Contents

1 Installation
1.1 Requirements
1.2 Related files
1.3 Installation
1.4 Activate/Deactivate plugin

2 Getting started
2.1 CrimeServer
2.2 Bot IPs
2.3 Events

Annexes
A Files
Plugin code
Plugin Configuration
AlienVault Configuration File
AlienVault SQL Script

Blueliv is a registered trademark of Leap In Value S.L., all rights reserved

1 Installation

1.1 Requirements

This plugin has been tested on version 4.6.1 of AlienVault OSSIM. For the full functionality of this plugin, a standalone install of Python 2.7 must be present.

An internet connection is required in order to download the data feed from Blueliv's API. Also note that the machine from which you are going to execute the plugin must be able to reach the AlienVault machine on port 515.

1.2 Related files

blueliv.cfg [3]: Basic configuration for AlienVault to be able to enable the custom plugin and parse the logs.

blueliv.sql [4]: SQL script to add the required entries to enable the plugin.

BluelivAlienVaultPlugin.py [1]: Python script to feed AlienVault with Blueliv's data.

config.cfg [2]: Configuration file to set up access to Blueliv's data feeds.

1.3 Installation

1. Add your API key to config.cfg (Listing 2) under section [blueliv], property token.

   [blueliv]
   token =
   host = https://api.blueliv.com

2. Add your OSSIM host to config.cfg (Listing 2) under section [alienvault], property host.

   [alienvault]
   host =
   port = 514

3. Edit blueliv.cfg (Listing 3) to set your desired plugin id (default 9002) under section [DEFAULT], property plugin_id.

   [DEFAULT]
   plugin_id=9002

4. Make sure that the plugin_id in blueliv.cfg is the same as the plugin_id in blueliv.sql (Listing 4).

5. Create a file called blueliv.conf in /etc/rsyslog.d with the following content:

   if $fromhost-ip=='your-plugin-ip-here' then /var/log/blueliv.log
   &~

   Replace your-plugin-ip-here with the IP from which you are going to execute your plugin. In order not to over-populate this log file, configure a rotation rule for it in /etc/logrotate.d/rsyslog by including the file /var/log/blueliv.log. This rule forces all logs coming from the specified IP to be written to /var/log/blueliv.log (and the &~ line discards them from the other logs).

6. Save blueliv.cfg to /etc/ossim/agent/plugins

7. Execute

   > cat blueliv.sql | ossim-db

   and

   > /etc/init.d/ossim-server restart

8. Enable the blueliv plugin, either from the console or from the web UI.

9. Execute

   > python BluelivAlienVaultPlugin.py --feed FEED_NAME

   from the directory where you saved the plugin. Replace FEED_NAME with the feed that you want to activate (botips, crimeservers or all).

Once everything is set, check whether /var/log/blueliv.log at your specified location is being filled with lines like the one below.

   Apr 14 03:55:27 192.168.3.72 crimeservers http://mstone.co.jp/install/FlashFXP5_3822_Setup.exe|MALWARE|211.125.81.112|mstone.co.jp|JP|GMO Internet, Inc|ONLINE|UNCLASSIFIED|2015-03-24T18:50:57+0000|2015-03-25T01:17:08+0000

1.4 Activate/Deactivate plugin

In order to activate or deactivate this plugin, go to Configuration > Deployment, then go to Sensor Configuration.

Search for blueliv in the Plugins available list, add it to Plugins enabled and apply the changes.


2 Getting started

2.1 CrimeServer

A CrimeServer is an entity that stores relevant data (hosts, IPs, geolocation data, etc.) about a given server that is used to perform some kind of malicious activity. An example of a CrimeServer is shown below:

   {
     "_id": "5698945b43fe63f4caa3d2aef42b690aa6fd3979f905d89f97c5d792fbd4f2b6",
     "url": "http://0rrkut2012.je.ro",
     "type": "C_AND_C",
     "subType": "ZEUS",
     "country": "KR",
     "countryName": "Republic of Korea",
     "status": "ONLINE",
     "domain": "je.ro",
     "host": "0rrkut2012.je.ro",
     "latitude": 37.57,
     "longitude": 126.98,
     "ip": "66.232.140.226",
     "createdAt": "2011-01-19T21:34:59+0100",
     "updatedAt": "2014-11-25T13:53:25+0100",
     "asnDesc": "Enterprise Networks",
     "firstSeenAt": "2011-01-19T21:34:59+0100",
     "lastSeenAt": "2011-01-19T21:34:59+0100"
   }

This data provides Indicators of Compromise (IoC) keys such as domain, IP address, URL, etc. that allow you to correlate with your logs in order to identify and block any potential risk.

All these parameters are mapped into a syslog event that is parsed by a regexp on the OSSIM side. This mapping is described below.

src_ip: CrimeServer IP
hostname: CrimeServer hostname
userdata1: CrimeServer Type
userdata2: CrimeServer URL
userdata3: CrimeServer Country
userdata4: CrimeServer ASN
userdata5: CrimeServer Status [ONLINE/OFFLINE]
userdata6: CrimeServer SubType
date: CrimeServer last seen date.

2.2 Bot IPs

A Bot IP is an entity that stores relevant data about a given IP infected by malicious software that is part of a botnet. An example of a Bot IP is shown below:

   {
     "botnetFamily": [
       "Trojan Banker"
     ],
     "ip": "220.89.127.42",
     "country": "AU",
     "countryName": "Australia",
     "latitude": -37.7833,
     "longitude": 144.9833,
     "seenAt": "2015-06-01T04:35:16+0000",
     "botnetUrl": "http://89.110.147.222",
     "botnetIp": "89.110.147.127",
     "botnetType": "DRIDEX",
     "operatingSystem": "Windows 7, x64, SP 1",
     "botId": "e280f9ff322e54b81af1ae238b47d9858205be7b7ee1566dc5af8fb9746a80ca",
     "botVersion": "131151",
     "city": "Fitzroy",
     "createdAt": "2015-06-01T12:41:40+0000",
     "botnet": "245"
   }

This data allows you to detect infected hosts inside your networks and analyze the level of compromise thanks to the context provided, such as the operating system, botnet, portal domain, etc.

All these parameters are mapped into a syslog event that is parsed by a regexp on the OSSIM side. This mapping is described below.

src_ip: Bot IP
hostname: BotNet Type
userdata1: Portal URL
userdata2: Portal Domain
userdata3: Bot Country
userdata4: Bot City
userdata5: Bot ASN
userdata6: Bot Operating System
dst_ip: BotNet IP
userdata8: BotNet Port
userdata9: BotNet URL
date: Seen at date.

2.3 Events

This is a sample of a CrimeServer event as sent to OSSIM. Each event is a group of parameters separated by pipes, ordered as follows.

   Apr 14 03:55:27 192.168.3.72 crimeservers http://mstone.co.jp/install/FlashFXP5_3822_Setup.exe|MALWARE|211.125.81.112|mstone.co.jp|JP|GMO Internet, Inc|ONLINE|UNCLASSIFIED|2015-03-24T18:50:57+0000|2015-03-25T01:17:08+0000

Processed events can be shown at ANALYSIS > SECURITY EVENTS (SIEM), filtering by plugin blueliv.
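As an added example (not part of the original plugin or of Listing 1), the crimeservers event carried end to end in Python: a record shaped like the section 2.1 example is serialised in the cs_mapping field order and then parsed with the crimeservers regexp and [translation] table from Listing 3. The sanitize step is an assumption about what the plugin's __RESERVED_CHARACTERS list is for, and the constructed record's url deliberately contains a pipe, so the example also shows why a feed value must never be allowed to add pipe-separated fields of its own.

```python
import re

# Field order of a crimeservers event (cs_mapping in Listing 1).
CS_FIELDS = ["url", "type", "ip", "host", "country", "asnDesc",
             "status", "subType", "firstSeenAt", "lastSeenAt"]
# __RESERVED_CHARACTERS in Listing 1; stripping them is our assumption.
RESERVED = ["|", "\\", "="]
# [translation] section of Listing 3, used for plugin_sid={translate($type)}.
TRANSLATION = {"C_AND_C": 1, "EXPLOIT_KIT": 2, "BACKDOOR": 3,
               "MALWARE": 4, "PHISHING": 5}
DEFAULT_SID = 9999  # the default sid of the [translation] section

# regexp of the crimeservers rule in Listing 3.
CS_REGEXP = re.compile(
    r"[^\|]+ crimeservers (?P<userdata1>[^\|]*)\|(?P<type>[^\|]*)\|(?P<src_ip>[^\|]*)"
    r"\|(?P<hostname>[^\|]*)\|(?P<userdata3>[^\|]*)\|(?P<userdata4>[^\|]*)"
    r"\|(?P<userdata5>[^\|]*)\|(?P<userdata6>[^\|]*)"
    r"\|(?P<date1>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+\d{4})"
    r"\|(?P<date2>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+\d{4})")

# The sample line from section 2.3 (rsyslog prepends the timestamp and host).
PAGE_LINE = ("Apr 14 03:55:27 192.168.3.72 crimeservers "
             "http://mstone.co.jp/install/FlashFXP5_3822_Setup.exe|MALWARE|"
             "211.125.81.112|mstone.co.jp|JP|GMO Internet, Inc|ONLINE|UNCLASSIFIED|"
             "2015-03-24T18:50:57+0000|2015-03-25T01:17:08+0000")

# Constructed record shaped like the section 2.1 example; its url carries a
# pipe, which is exactly the case the sanitizer has to neutralise.
SAMPLE_CS = {
    "url": "http://bad.example/login.php|C_AND_C", "type": "PHISHING",
    "ip": "192.0.2.10", "host": "bad.example", "country": "KR",
    "asnDesc": "Example Networks", "status": "ONLINE", "subType": "UNCLASSIFIED",
    "firstSeenAt": "2015-03-24T18:50:57+0000",
    "lastSeenAt": "2015-03-25T01:17:08+0000",
}


def sanitize(value):
    """Drop reserved characters so one feed value can never become two fields."""
    text = "" if value is None else str(value)
    for ch in RESERVED:
        text = text.replace(ch, "")
    return text


def cs_to_event(api_dict, sanitize_fields=True):
    """Serialise a CrimeServer record in cs_mapping order, pipe-separated."""
    clean = sanitize if sanitize_fields else (lambda v: "" if v is None else str(v))
    return "crimeservers " + "|".join(clean(api_dict.get(key)) for key in CS_FIELDS)


def parse_cs_line(line):
    """Apply the Listing 3 rule to one /var/log/blueliv.log line.

    Returns the OSSIM field assignments, or None when the regexp does not
    match (a botips line, or a line whose field count has been shifted)."""
    match = CS_REGEXP.match(line)
    if not match:
        return None
    g = match.groupdict()
    return {"plugin_sid": TRANSLATION.get(g["type"], DEFAULT_SID),
            "src_ip": g["src_ip"], "hostname": g["hostname"],
            "userdata1": g["userdata1"], "userdata2": g["type"],
            "userdata3": g["userdata3"], "userdata4": g["userdata4"],
            "userdata5": g["userdata5"], "userdata6": g["userdata6"],
            "date": g["date2"]}


if __name__ == "__main__":
    print(parse_cs_line(PAGE_LINE))
    for flag in (True, False):
        event = cs_to_event(SAMPLE_CS, sanitize_fields=flag)
        print(event)
        print(parse_cs_line("Apr 14 03:55:27 192.168.3.72 " + event))
```

Without sanitising, the pipe inside the url shifts every later field, the date groups no longer line up and the regexp fails, so the indicator silently never reaches the SIEM.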


Annexes


A Files

Plugin code

#!/usr/bin/python
# -*- coding: utf-8 -*-

import argparse
import urllib
import sys
import json
import ConfigParser
import socket
import datetime
import logging
import logging.handlers
import time
import threading
from BotIps import BotIps
from CrimeServers import CrimeServers
from lib.dateutil import parser
from SyslogConverter import SyslogConverter


class AlienVaultPlugin():

    # Characters that must not appear inside a pipe-separated event field
    __RESERVED_CHARACTERS = ["|", "\\", "="]

    def __init__(self):
        # LOGGER: local rotating log file for the plugin itself
        self.logger = logging.getLogger("MainApp")
        self.logger.setLevel(logging.INFO)
        # Create the logging file handler
        logfile = "blueliv.log"
        fh = logging.handlers.RotatingFileHandler(logfile, maxBytes=2097152,
                                                  backupCount=5)
        formatter = logging.Formatter(
            "%(process)d %(asctime)s %(name)s %(levelname)s %(message)s")
        fh.setFormatter(formatter)
        # Add handler to logger object
        self.logger.addHandler(fh)
        # CONFIG FILE (Listing 2)
        self.config = ConfigParser.SafeConfigParser()
        self.config.read("config.cfg")

        try:
            AlienVaultHost = self.config.get("alienvault", "host")
            AlienVaultPort = self.config.getint("alienvault", "port")
            if AlienVaultHost == "":
                raise ValueError("empty alienvault host")
        except Exception as e:
            self.logger.error("AlienVault Host and Port must be set in config.cfg")
            print "AlienVault Host and Port must be set in config.cfg"
            sys.exit(1)

        # SYSLOG: events are delivered to the OSSIM sensor as syslog messages
        self.loggerlt = logging.getLogger("alienvault")
        self.loggerlt.setLevel(logging.DEBUG)
        ce = logging.handlers.SysLogHandler(address=(AlienVaultHost, AlienVaultPort))
        formatter = logging.Formatter("%(message)s")
        ce.setFormatter(formatter)
        self.loggerlt.addHandler(ce)

        try:
            token = self.config.get("blueliv", "token")
            apiHost = self.config.get("blueliv", "host")
            if token == "" or apiHost == "":
                raise ValueError("empty blueliv token or host")
        except Exception as e:
            self.logger.error("Blueliv Host and token must be set in config.cfg")
            print "Blueliv Host and token must be set in config.cfg"
            sys.exit(1)
        try:
            self.__SCHEDULER_TIME_CS_SECONDS = self.config.getint("crimeservers", "ttl") * 60
        except Exception:
            self.logger.warning("No scheduler configured, using default 15 minutes")
            self.__SCHEDULER_TIME_CS_SECONDS = 15 * 60

        try:
            self.__SCHEDULER_TIME_BOTIPS_SECONDS = self.config.getint("botips", "ttl") * 60
        except Exception:
            self.logger.warning("No scheduler configured, using default 10 minutes")
            self.__SCHEDULER_TIME_BOTIPS_SECONDS = 10 * 60

        try:
            if self.config.getboolean("proxy", "enable") is True:
                if not self.config.get("proxy", "host"):
                    self.logger.error("Proxy host must be set in config.cfg or disable proxy")
                    sys.exit("Proxy host must be set in config.cfg or disable proxy")
                else:
                    host = self.config.get("proxy", "host")
                if not self.config.get("proxy", "port"):
                    self.logger.error("Proxy port must be set in config.cfg or disable proxy")
                    sys.exit("Proxy port must be set in config.cfg or disable proxy")
                else:
                    port = self.config.get("proxy", "port")
                if self.config.get("proxy", "user") and self.config.get("proxy", "password"):
                    self.logger.info("Using proxy with credentials")
                    user = self.config.get("proxy", "user")
                    password = self.config.get("proxy", "password")
                    proxies = {"http": "http://{0}:{1}@{2}:{3}".format(user, password, host, port),
                               "https": "http://{0}:{1}@{2}:{3}".format(user, password, host, port)}
                else:
                    self.logger.info("Using proxy without credentials")
                    proxies = {"http": "http://{0}:{1}".format(host, port),
                               "https": "http://{0}:{1}".format(host, port)}
            else:
                proxies = None
        except Exception:
            self.logger.error("Error getting proxy settings. Check config.cfg")
            sys.exit("Error getting proxy settings. Check config.cfg")

        # Field order of a crimeservers event (section 2.1, Listing 3)
        cs_mapping = [
            "url",
            "type",
            "ip",
            "host",
            "country",
            "asnDesc",
            "status",
            "subType",
            "firstSeenAt",
            "lastSeenAt"
        ]

        # Field order of a botips event (section 2.2, Listing 3)
        bots_mapping = [
            "ip",
            "botnetType",
            "portalUrl",
            "portalDomain",
            "countryName",
            "city",
            "asnDesc",
            "operatingSystem",
            "botnetIp",
            "destinationPort",
            "botnetUrl",
            "seenAt",
        ]

        self.cs_converter = SyslogConverter(
            cs_mapping
        )
        self.bots_converter = SyslogConverter(
            bots_mapping
        )
        self.__BOTIPS_OUT_OF_DATE_TIME = self.config.getint("botips", "nupdates")
        self.__CRIMESERVERS_OUT_OF_DATE_TIME = self.config.getint("crimeservers", "nupdates")
        self.__BOTIPS_SCHEDULER_TIME_SECONDS = self.__SCHEDULER_TIME_BOTIPS_SECONDS * 1000
        self.__CRIMESERVERS_SCHEDULER_TIME_SECONDS = self.__SCHEDULER_TIME_CS_SECONDS * 1000
        # The API host comes from the [blueliv] section read above
        self.botsIpsFeed = BotIps(apiHost, token, self.__BOTIPS_SCHEDULER_TIME_SECONDS,
                                  self.__BOTIPS_OUT_OF_DATE_TIME, 60, proxies)
        self.crimeServersFeed = CrimeServers(apiHost, token, self.__CRIMESERVERS_SCHEDULER_TIME_SECONDS,
                                             self.__CRIMESERVERS_OUT_OF_DATE_TIME, 60, proxies)

    def __cs_to_event(self, apiDict):
        # C&C servers are reported with the highest severity
        severity = 3
        try:
            if apiDict["type"] == "C_AND_C":
                severity = 5
            else:
                severity = 3
            event = self.cs_converter.convert(apiDict, "crimeservers", severity)
        except Exception as err:
            self.logger.error("Impossible to translate info: {0}".format(err))
            event = None

        return event

    def __botips_to_event(self, apiDict):
        severity = 5
        try:
            # Bots without a seenAt timestamp fall back to their creation time
            if "seenAt" not in apiDict:
                apiDict["seenAt"] = apiDict["createdAt"]
            event = self.bots_converter.convert(apiDict, "botips", severity)
        except Exception as err:
            self.logger.error("Impossible to translate info: {0}".format(err))
            event = None

        return event

    def pushDataBotIps(self):
        while True:
            config_updatedAt = self.config.get("botips", "updatedat")
            config_updatedAt = None if config_updatedAt == "" else config_updatedAt
            self.logger.info("Starting getting bot ips from Blueliv")
            bots, updatedAt = self.botsIpsFeed.update(last_updated_date=config_updatedAt, pos=False)
            try:
                if updatedAt:
                    self.logger.info("Sending data to AlienVault")
                    try:
                        for bot in bots:
                            event = self.__botips_to_event(bot)
                            if event:
                                self.loggerlt.info(event)
                    except Exception as msg:
                        self.logger.error("Error: {}".format(msg))
                        print "Error pushing data to AlienVault: {}".format(msg)
                        raise Exception
                    finally:
                        bots = None
            except Exception as err:
                print "Error while pushing data: {0}".format(err)
                self.logger.error("Error while pushing data: {0}".format(err))
            else:
                # Persist the feed cursor so the next poll only fetches newer entries
                self.logger.info("Saving last updatedAt: {}".format(updatedAt))
                self.setLastExecutionDate("botips", updatedAt=updatedAt)
            finally:
                print "Waiting for more updates botips"
                time.sleep(self.__SCHEDULER_TIME_BOTIPS_SECONDS)

    def pushDataCrimeServers(self):
        while True:
            config_updatedAt = self.config.get("crimeservers", "updatedat")
            config_updatedAt = None if config_updatedAt == "" else config_updatedAt
            self.logger.info("Starting getting crime servers from Blueliv")
            crimeservers, updatedAt = self.crimeServersFeed.update(last_updated_date=config_updatedAt)
            try:
                if updatedAt:
                    self.logger.info("Sending data to AlienVault")

                    try:
                        for crimeserver in crimeservers:
                            event = self.__cs_to_event(crimeserver)
                            if event:
                                self.loggerlt.info(event)
                    except Exception as msg:
                        self.logger.error("Error: {}".format(msg))
                        print "Error pushing data to AlienVault: {}".format(msg)
                        raise Exception
                    finally:
                        crimeservers = None
            except Exception as err:
                self.logger.error("Error while pushing data: {0}".format(err))
            else:
                self.logger.info("Saving last updatedAt: {}".format(updatedAt))
                self.setLastExecutionDate("crimeservers", updatedAt=updatedAt)
            finally:
                print "Waiting for more updates crimeservers"
                time.sleep(self.__SCHEDULER_TIME_CS_SECONDS)

    def setLastExecutionDate(self, feed, updatedAt=None):
        if updatedAt is None:
            return
        else:
            # Write the cursor back into config.cfg (Listing 2, property updatedat)
            self.config.set(feed, "updatedat", updatedAt)
            with open("config.cfg", "wb") as configfile:
                self.config.write(configfile)


if __name__ == "__main__":
    arg_parser = argparse.ArgumentParser()
    arg_parser.add_argument("--feed", help="Choose between Bot Ips feed or CrimeServers Feed [botips, crimeservers or all]; use all for both")
    args = arg_parser.parse_args()
    if args.feed == "botips":
        print "BotIps Feed has been activated"
        AlienVaultPlugin().pushDataBotIps()
    elif args.feed == "crimeservers":
        print "CrimeServers Feed has been activated"
        AlienVaultPlugin().pushDataCrimeServers()
    elif args.feed == "all":
        plugin = AlienVaultPlugin()
        # Both feeds run concurrently; daemon threads end with the main process
        bots = threading.Thread(target=plugin.pushDataBotIps, args=())
        bots.daemon = True

        crimeservers = threading.Thread(target=plugin.pushDataCrimeServers, args=())
        crimeservers.daemon = True

        print "Starting Bot Ips Feed"
        bots.start()
        print "Starting CrimeServers Feed"
        crimeservers.start()

        bots.join()
        crimeservers.join()

    else:
        sys.exit("Not a valid feed. Choose between botips or crimeservers by --feed botips or --feed crimeservers")
Listing 1: Plugin Code

Plugin Configuration

[proxy]
enable = False
host =
user =
password =
port =

[blueliv]
token =
host = https://api.blueliv.com

[crimeservers]
updatedat =
ttl = 15
nupdates = 96

[botips]
updatedat =
ttl = 10
nupdates = 6

[alienvault]
host =
port = 514

Listing 2: Plugin Configuration File

AlienVault Configuration File

# Blueliv Alienvault plugin
# Author: Blueliv Team
# Last modification: 20151401
#
#
#
#

[DEFAULT]
plugin_id=9002

[config]
type=detector
enable=yes

source=log
location=/var/log/blueliv.log
create_file=yes

process=
start=no
stop=no
startup=
shutdown=

[translation]
C_AND_C=1
EXPLOIT_KIT=2
BACKDOOR=3
MALWARE=4
PHISHING=5
_DEFAULT_=9999


[botips - Generic rule]
event_type=event
regexp="[^\|]+ botips (?P<src_ip>[\d\.]*)\|(?P<type>[^\|]*)\|(?P<userdata2>[^\|]*)\|(?P<userdata3>[^\|]*)\|(?P<userdata4>[^\|]*)\|(?P<userdata5>[^\|]*)\|(?P<userdata6>[^\|]*)\|(?P<userdata7>[^\|]*)\|(?P<dst_ip>[\d\.]*)\|(?P<userdata8>[^\|]*)\|(?P<userdata9>[^\|]*)\|(?P<date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+\d{4})"
date={normalize_date($date)}
src_ip={resolv($src_ip)}
dst_ip={resolv($dst_ip)}
plugin_sid=6
userdata1={$type}
userdata2={$userdata2}
userdata3={$userdata3}
userdata4={$userdata4}
userdata5={$userdata5}
userdata6={$userdata6}
userdata7={$userdata7}
userdata8={$userdata8}
userdata9={$userdata9}

[crimeservers - Generic rule]
event_type=event
regexp="[^\|]+ crimeservers (?P<userdata1>[^\|]*)\|(?P<type>[^\|]*)\|(?P<src_ip>[^\|]*)\|(?P<hostname>[^\|]*)\|(?P<userdata3>[^\|]*)\|(?P<userdata4>[^\|]*)\|(?P<userdata5>[^\|]*)\|(?P<userdata6>[^\|]*)\|(?P<date1>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+\d{4})\|(?P<date2>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+\d{4})"
date={normalize_date($date2)}
plugin_sid={translate($type)}
src_ip={resolv($src_ip)}
hostname={$hostname}
userdata1={$userdata1}
userdata2={$type}
userdata3={$userdata3}
userdata4={$userdata4}
userdata5={$userdata5}
userdata6={$userdata6}

Listing 3: AlienVault Configuration File

AlienVault SQL Script


-- INSERT IGNORE (MySQL syntax, as used by ossim-db) skips rows whose key already exists instead of failing
INSERT IGNORE INTO plugin (id, type, name, description) VALUES (9002, 1, 'blueliv', 'Add data from Blueliv BigData');
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9002, 1, NULL, NULL, 'blueliv: C & C Crime Server', 5, 5);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9002, 2, NULL, NULL, 'blueliv: Exploit Kit Crime Server', 3, 4);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9002, 3, NULL, NULL, 'blueliv: Backdoor Crime Server', 3, 4);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9002, 4, NULL, NULL, 'blueliv: Malware Crime Server', 3, 4);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9002, 5, NULL, NULL, 'blueliv: Phishing Crime Server', 3, 4);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9002, 6, NULL, NULL, 'blueliv: BotIp', 3, 5);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9002, 9999, NULL, NULL, 'blueliv: Not classified event', 3, 2);

Listing 4: AlienVault SQL Script


info@blueliv.com www.blueliv.com
