2. A Note About Data...
[Slide diagram; labels: Logs, Events... / SIEM / New Analyst]
3. Two Types of DS Connectors
DETECTORS: they offer events. A detector plugin reads a log or feed and emits one event per occurrence (Snort, firewalls, antivirus, web servers, OS events...).
MONITORS: they offer indicators. A monitor plugin is queried for the current state of something, such as traffic or open sessions, rather than pushing events (Ntop, Tcptrack, Nmap...).
5. Normalization
...or why do we do this?
Every data source writes its own format. Normalization maps each raw line onto the same set of fields (plugin_id, plugin_sid, date, src_ip, dst_ip, username...) so that events from different sources can be stored, searched and correlated with one vocabulary.

Raw (authentication log):
12.02.2009 12:02:21 Authentication Failed for user root from 192.168.2.2
Normalized:
plugin_id=4003 plugin_sid=2 username=root date="1295472603" src_ip=192.168.2.2

Raw (firewall log):
Dec 02 2009 12:02:21 DROP 192.168.1.1 21.2.2.2
Normalized:
plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=21.2.2.2

plugin_id identifies the data source, plugin_sid the event type within that source, and the date is converted to a single timestamp representation.
6. Plugins
Rules
Rules define the format of each event and how it is normalized.
A rule is composed of a regular expression and the list of fields the event will carry once it is sent to the AlienVault SIEM or Logger.
In some cases a single regular expression will collect every event coming from one application; in other cases more than one rule will be required (for example, one rule per event type when each type has a different plugin_sid).
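The following is an added example (not OSSIM code and not part of the slides) that emulates the rule mechanism described on slides 5 and 6: each rule is a regular expression plus the list of normalized fields, a plugin may hold several rules, and the first matching rule wins. The plugin_id/plugin_sid pairs 4003/2 and 4503/21 are the slide's sample values; the ACCEPT rule with sid 22 is hypothetical, added only to show a plugin that needs more than one rule. The input lines are constructed, modelled on the slide's two examples, and the date format "12.02.2009" is assumed to be month.day.year (the slide pairs it with "Dec 02 2009"); timestamps are treated as UTC.

```python
"""Toy emulation of AlienVault/OSSIM-style plugin rules.

A plugin (one data source) holds an ordered list of rules. Each rule is a
regular expression plus the list of normalized fields the event carries
when it reaches the SIEM. Constructed example, not OSSIM code.
"""
import re
from datetime import datetime, timezone

IP = r"(?:\d{1,3}\.){3}\d{1,3}"

# plugin_id = data source, plugin_sid = event type within that source.
# 4003/2 and 4503/21 come from the slide; 4503/22 (ACCEPT) is hypothetical.
PLUGINS = {
    4003: [  # authentication log: one regexp covers every failure line
        dict(name="auth-failed", plugin_sid=2,
             regexp=re.compile(
                 rf"^(?P<date>\d\d\.\d\d\.\d{{4}} \d\d:\d\d:\d\d) "
                 rf"Authentication Failed for user (?P<username>\S+) "
                 rf"from (?P<src_ip>{IP})$"),
             date_fmt="%m.%d.%Y %H:%M:%S",  # assumed month.day.year
             fields=("username", "src_ip")),
    ],
    4503: [  # firewall log: DROP and ACCEPT are different events, so two rules
        dict(name="fw-drop", plugin_sid=21,
             regexp=re.compile(
                 rf"^(?P<date>\w{{3}} \d\d \d{{4}} \d\d:\d\d:\d\d) "
                 rf"DROP (?P<src_ip>{IP}) (?P<dst_ip>{IP})$"),
             date_fmt="%b %d %Y %H:%M:%S",
             fields=("src_ip", "dst_ip")),
        dict(name="fw-accept", plugin_sid=22,  # hypothetical sid
             regexp=re.compile(
                 rf"^(?P<date>\w{{3}} \d\d \d{{4}} \d\d:\d\d:\d\d) "
                 rf"ACCEPT (?P<src_ip>{IP}) (?P<dst_ip>{IP})$"),
             date_fmt="%b %d %Y %H:%M:%S",
             fields=("src_ip", "dst_ip")),
    ],
}


def normalize(plugin_id, line):
    """Return the normalized event for one raw line, or None if no rule of
    the plugin matches. Unmatched lines should be counted, not dropped
    silently: they usually mean the source changed its format."""
    for rule in PLUGINS[plugin_id]:
        m = rule["regexp"].match(line)
        if m is None:
            continue
        ts = datetime.strptime(m.group("date"), rule["date_fmt"])
        event = {
            "plugin_id": plugin_id,
            "plugin_sid": rule["plugin_sid"],
            # one timestamp representation (epoch seconds, UTC assumed),
            # so events from different sources can be ordered and compared
            "date": int(ts.replace(tzinfo=timezone.utc).timestamp()),
        }
        for field in rule["fields"]:
            event[field] = m.group(field)
        return event
    return None


def to_siem_line(event):
    """Render an event as key=value pairs, the shape shown on the slide."""
    return " ".join(f"{k}={v}" for k, v in event.items())


# Constructed sample input: (plugin_id of the source, raw log line).
SAMPLE_LINES = [
    (4003, "12.02.2009 12:02:21 Authentication Failed for user root from 192.168.2.2"),
    (4503, "Dec 02 2009 12:02:21 DROP 192.168.1.1 21.2.2.2"),
    (4503, "Dec 02 2009 12:02:22 ACCEPT 10.0.0.5 21.2.2.2"),
    (4503, "Dec 02 2009 12:02:23 something the rules do not know"),
]


def run(lines=SAMPLE_LINES):
    """Normalize every line; return (events, unparsed raw lines)."""
    events, unparsed = [], []
    for plugin_id, line in lines:
        event = normalize(plugin_id, line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    events, unparsed = run()
    for event in events:
        print(to_siem_line(event))
    print(f"{len(unparsed)} unparsed line(s)")
```

Note that the two slide-derived lines, written in different formats by different sources, normalize to the same epoch value, which is exactly what lets a correlation rule compare "failed login from X" with "firewall dropped traffic from X" without knowing either source's syntax.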