The previous post discusses OSSIM correlation. Now we create a new directive targeting our 'hello log' custom plugin.
1. Go to the 'Directives' page: Configuration -> Threat Intelligence -> Directives
2. Click on 'New Directive'
3. Follow the wizard (you can refer to the previous post for more understanding of those fields)
4. Next you can build the rule
You can find the generated XML directive in
/etc/ossim/server/{unique_id}/user.xml
<?xml version="1.0" encoding="UTF-8"?>
<directive id="500001" name="custom_directive" priority="3">
<rule type="detector" name="custom_rule" from="192.168.100.188" to="ANY" port_from="ANY" port_to="ANY" reliability="2" occurrence="1" plugin_id="9002" plugin_sid="2"/>
</directive>
Here plugin_id="9002" is our 'hello plugin' and plugin_sid="2" maps to MAIL. This directive will hit when there is a MAIL event from SRC_IP 192.168.100.188.
5. Then restart the server from the directive page UI
6. Next, feed some log lines to hit the directive
python log-feed2.py 192.168.100.184 MAIL
# Only the event is listed; the directive is not hit (source IP does not match)
python log-feed2.py 192.168.100.188 MAIL
# Here the directive is hit
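To show why the first feed only lists the event while the second hits the directive, here is an added example (not from the original post or from OSSIM itself): a small matcher that reads a directive in the user.xml format above and evaluates constructed hello-plugin events against its rule. The event field names and the MAIL = sid 2 mapping follow the post; sid 1 is an assumed non-MAIL event, and ports, occurrence and reliability are not evaluated.

```python
# Added example, not OSSIM code: evaluate which events would fire a directive.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the directive shown in /etc/ossim/server/{unique_id}/user.xml
USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<directive id="500001" name="custom_directive" priority="3">
<rule type="detector" name="custom_rule" from="192.168.100.188" to="ANY"
      port_from="ANY" port_to="ANY" reliability="2" occurrence="1"
      plugin_id="9002" plugin_sid="2"/>
</directive>"""

# Constructed events as the hello plugin (plugin_id 9002) would emit them.
# sid 2 = MAIL per the post; sid 1 is an assumed other event type.
EVENTS = [
    {"plugin_id": 9002, "plugin_sid": 2, "src_ip": "192.168.100.184", "dst_ip": "10.0.0.5"},
    {"plugin_id": 9002, "plugin_sid": 2, "src_ip": "192.168.100.188", "dst_ip": "10.0.0.5"},
    {"plugin_id": 9002, "plugin_sid": 1, "src_ip": "192.168.100.188", "dst_ip": "10.0.0.5"},
]


def _addr_matches(rule_value, event_value):
    """ANY matches everything; otherwise treat the rule value as a host or CIDR."""
    if rule_value == "ANY":
        return True
    return ipaddress.ip_address(event_value) in ipaddress.ip_network(rule_value, strict=False)


def rule_matches(rule, event):
    """True when the event satisfies the detector rule's plugin, sid and address filters."""
    if int(rule.get("plugin_id")) != event["plugin_id"]:
        return False
    sids = rule.get("plugin_sid")  # OSSIM allows ANY or a comma-separated sid list
    if sids != "ANY" and event["plugin_sid"] not in {int(s) for s in sids.split(",")}:
        return False
    return _addr_matches(rule.get("from"), event["src_ip"]) and \
        _addr_matches(rule.get("to"), event["dst_ip"])


def load_first_rule(xml_text):
    """Parse the directive and return (directive element, its first rule element)."""
    directive = ET.fromstring(xml_text.encode("utf-8"))
    return directive, directive.find("rule")


def hits(xml_text, events):
    """Indexes of events that would fire the directive's first rule."""
    _, rule = load_first_rule(xml_text)
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


if __name__ == "__main__":
    directive, _ = load_first_rule(USER_XML)
    for i in hits(USER_XML, EVENTS):
        print(f"directive {directive.get('id')} ({directive.get('name')}) hit by event {i}: {EVENTS[i]}")
```

Only the MAIL event from 192.168.100.188 fires the rule; the .184 event and the non-MAIL event from .188 do not, which is the behaviour the two log-feed2.py runs above demonstrate.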