In this post we are going to generate an alarm in OSSIM when a custom event (an attack, or any other event we are interested in) occurs on our system. I will be using the custom plugin that we built earlier.
1. Go to the “Data source” page: configuration -> threat_intelligence -> data_source
2. Then pick the custom data source (hello) that we created earlier (see the post on how to create an OSSIM custom data source).
3. Create a new event type by clicking the ‘Insert new event type’ button.
4. Fill in the form for the new event type and pick ‘Alarm’ as the Category.
5. Then click ‘Apply changes’.
6. Let's test this by adding a new log record with ‘exe’ (you can use this Python script to feed a log line into the custom log file).
Call the Python script as below (python log-feed.py <dst_ip> <msg_type>):
python log-feed.py 192.168.100.34 EXE
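The post's log-feed.py is not shown, so here is an added stand-in (not the post's script) that does the same job: it takes a destination IP and a message type, validates both, and appends one line to the log file the ‘hello’ plugin watches. The file path /var/log/hello.log, the message types EXE and INFO, and the line format "<timestamp> hello: dst=<ip> type=<TYPE>" are all assumptions; the line a real feeder writes must match the regular expression of your custom plugin exactly, otherwise the agent never produces an event and no alarm can follow.

```python
#!/usr/bin/env python3
"""Hypothetical stand-in for the post's log-feed.py (the post does not show its
source). It appends one test event to the custom log file that the 'hello'
plugin is assumed to watch. The file path and the line format

    <syslog timestamp> hello: dst=<ip> type=<MSG_TYPE>

are assumptions; a real feeder must emit exactly the format the plugin's
regular expression expects, otherwise no event (and no alarm) is produced."""
import argparse
import ipaddress
import time
from typing import Optional

LOG_PATH = "/var/log/hello.log"      # assumed path watched by the 'hello' plugin
KNOWN_TYPES = ("EXE", "INFO")        # constructed list of message types the plugin parses


def is_known_type(msg_type: str) -> bool:
    """True if the (case-insensitive) message type is one the plugin has a SID for."""
    return msg_type.upper() in KNOWN_TYPES


def build_log_line(dst_ip: str, msg_type: str, epoch: Optional[float] = None) -> str:
    """Validate both arguments and return one log line in the assumed plugin format.

    The destination must parse as an IP address and the type must be known, so a
    typo produces an error here rather than a silently unparsed line in the log.
    `epoch` (seconds since 1970, rendered as UTC) exists so the output is
    reproducible; without it the current local time is used."""
    ip = ipaddress.ip_address(dst_ip)           # raises ValueError on a malformed address
    if not is_known_type(msg_type):
        raise ValueError(f"unknown message type {msg_type!r}; expected one of {KNOWN_TYPES}")
    stamp_src = time.gmtime(epoch) if epoch is not None else time.localtime()
    stamp = time.strftime("%b %d %H:%M:%S", stamp_src)
    return f"{stamp} hello: dst={ip} type={msg_type.upper()}"


def append_log(line: str, path: str = LOG_PATH) -> int:
    """Append the line to the log file; returns the number of characters written."""
    with open(path, "a", encoding="utf-8") as fh:
        return fh.write(line + "\n")


def main() -> None:
    parser = argparse.ArgumentParser(description="feed one test event to the hello plugin log")
    parser.add_argument("dst_ip")
    parser.add_argument("msg_type")
    parser.add_argument("--log", default=LOG_PATH, help="log file the plugin watches")
    args = parser.parse_args()
    line = build_log_line(args.dst_ip, args.msg_type)
    append_log(line, args.log)
    print(line)


if __name__ == "__main__":
    main()
```

Run it exactly as the post does (python log-feed.py 192.168.100.34 EXE); if the event does not show up under Analysis, compare the printed line against the plugin's regex before touching the alarm configuration, since an unparsed line is the most common reason for a missing alarm.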
OSSIM calculates the risk of an event with the formula below:
Risk = (priority * reliability * asset) / 25
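To see why an event type with ‘Alarm’ as its category does not always produce an alarm, here is an added worked example of that formula (my own code, not OSSIM's). Priority (0-5) and reliability (0-10) come from the event type defined in step 4, and the asset value (0-5) from the destination host in the asset inventory, which bounds the risk to 0-10. The alarm threshold of risk >= 1 is OSSIM's default and is an assumption here, since the post does not state it; the priority 2 / reliability 5 values used for the EXE event are constructed.

```python
"""Added worked example of the OSSIM risk formula quoted in the post:

    risk = (priority * reliability * asset) / 25

The value ranges are the ones OSSIM uses: event priority 0-5, event
reliability 0-10, asset value 0-5, which bounds the result to 0-10. The alarm
threshold (risk >= 1) is OSSIM's default and is an assumption here, since the
post does not state it. Nothing below is OSSIM's own code."""

RANGES = {"priority": (0, 5), "reliability": (0, 10), "asset": (0, 5)}
ALARM_THRESHOLD = 1  # assumed OSSIM default: a risk of 1 or more raises an alarm


def ossim_risk(priority: int, reliability: int, asset: int) -> float:
    """Risk of a single event; rejects values outside the OSSIM ranges."""
    for name, value in (("priority", priority), ("reliability", reliability), ("asset", asset)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} outside {lo}..{hi}")
    return (priority * reliability * asset) / 25


def raises_alarm(priority: int, reliability: int, asset: int) -> bool:
    """Whether the event clears the (assumed) alarm threshold."""
    return ossim_risk(priority, reliability, asset) >= ALARM_THRESHOLD


def min_reliability_for_alarm(priority: int, asset: int):
    """Lowest reliability at which an event type with this priority alarms on an
    asset of this value, or None if it never can (priority 0 or asset 0)."""
    lo, hi = RANGES["reliability"]
    for reliability in range(lo, hi + 1):
        if raises_alarm(priority, reliability, asset):
            return reliability
    return None


if __name__ == "__main__":
    # Constructed cases: the same 'EXE' event type (priority 2, reliability 5)
    # hitting a low-value asset and a high-value asset.
    for asset in (2, 5):
        print(f"asset={asset}: risk={ossim_risk(2, 5, asset):.2f} "
              f"alarm={raises_alarm(2, 5, asset)}")
    print("reliability needed for priority 2 on an asset valued 2:",
          min_reliability_for_alarm(2, 2))
```

The practical point: with priority 2 and reliability 5, a host whose asset value is 2 yields a risk of 0.8 and no alarm, while the same event on a host valued 5 yields 2.0 and alarms. If the alarm from step 6 never appears, check the asset value of the destination host and the priority/reliability of the event type before assuming the plugin is broken.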
7. Go to Analysis -> Alarms.
There you will find the alarm hits. You can also create tags (labels) for alarms, as shown below.