1.3.2 Collection Approach

Chapter 1 of Open Source Security Operations Platform: OSSIM Best Practices (《开源安全运维平台--OSSIM最佳实践》), "OSSIM Architecture and Principles", starts from the origins of OSSIM, describes the situation operations staff find themselves in today, and moves step by step to the case for deploying a SIEM before introducing the OSSIM architecture and how its components work. It also presents the plugin-based approach to log collection, proposes the concept of standardized security events, and analyzes OSSIM's high-availability architecture and how to implement it. This section covers the collection approach.

Author: Li Chenguang. Source: Tsinghua University Press | 2016-01-14 16:44

Because security-log formats, and the content they describe, differ from one source to the next, OSSIM collects events through plugin-based collection agents. The basic idea is to let plugins do the normalization: the event-collection agent loads a set of plugins, each responsible for collecting and formatting the logs of one service or device type, and the port on which a service delivers its logs is associated with (bound to) the identifier of that plugin. When the agent receives a log that a device has sent to one of its listening ports, it hands the line straight to the bound plugin for normalization, and each plugin only sees the logs arriving on the port bound to it, which makes collection more efficient. Two identifiers are involved: plugin_id identifies the data source (the values listed in Table 1-8), and plugin_sid identifies an event type within that source, assigned by the rule in the plugin's .cfg file that matched the log line; the correlation engine and its directives refer to events by this (plugin_id, plugin_sid) pair. One caveat follows from binding by port alone: the agent trusts whatever reaches the port, so restrict each listening port to the devices that are supposed to feed it (firewall rules on the sensor or source-address filtering); otherwise any host that can reach the port can inject fabricated events under that plugin_id. Table 1-8 lists the relationship between data sources and plugin IDs in OSSIM.

Table 1-8  OSSIM data source IDs (plugin_id) and plugins

Note: the plugin .cfg files live in /etc/ossim/agent/plugins/ on the sensor. Rows with an empty plugin column are sub-sources of the file listed at the head of their group. For the Snort entries 1002-1144 the plugin_id is the Snort generator ID (GID) plus 1000 (GID 1 = rules = 1001, GID 122 = sfportscan = 1122, and so on) and the plugin_sid is the Snort signature ID; the OSSEC categories 7002-7999 are all produced by ossec.cfg. IDs in the 2000 range are monitor plugins that the agent queries on demand from a directive rather than log parsers.

plugin_id | name | data source | plugin
1001 | snort | Snort Rules | snort_syslog.cfg
1002 | snort_tag | Snort Tagging |
1003 | snort-preprocessors | Snort Dynamic Alert |
1100 | snort_spp_portscan | Snort: Portscan preprocessor |
1101 | snort_spp_minfrag | Snort: Minfrag preprocessor |
1102 | snort_http_decode | Snort: HTTP decoder preprocessor |
1103 | snort_spp_defrag | Snort: defragmenter preprocessor |
1104 | snort_spp_anomsensor | Snort: SPADE preprocessor |
1105 | snort_spp_bo | Snort: Back Orifice preprocessor |
1106 | snort_spp_rpc_decode | Snort: RPC preprocessor |
1108 | snort_spp_stream3 | Snort: stream preprocessor |
1109 | snort_spp_telnet | Snort: telnet option decoder preprocessor |
1110 | snort_spp_unidecode | Snort: Unicode decoder preprocessor |
1111 | snort_spp_stream4 | Snort: Stream4 preprocessor |
1112 | snort_spp_arpspoof | Snort: ARP spoof detector preprocessor |
1114 | snort_spp_fnord | Snort: NOP detector preprocessor |
1115 | snort_spp_asn1 | Snort: ASN.1 validator preprocessor |
1116 | snort_snort_decoder | Snort: internal decoder preprocessor |
1117 | snort_spp_portscan2 | Snort: portscan preprocessor |
1118 | snort_spp_conversation | Snort: conversation preprocessor |
1119 | snort_http_inspect | Snort: http data check preprocessor |
1120 | snort_http_inspect_anomalous | Snort: anomalous http server preprocessor |
1121 | snort_flow-portscan | Snort: flow decoder preprocessor |
1122 | snort_portscan | Snort: portscan decoder preprocessor |
1123 | snort_frag3 | Snort: fragmentation decoder preprocessor |
1124 | snort_smtp | Snort: SMTP preprocessor |
1125 | snort_ftp_pp | Snort: FTP preprocessor |
1126 | snort_telnet_pp | Snort: telnet preprocessor |
1128 | snort_ssh | Snort: SSH preprocessor |
1129 | snort_stream5 | Snort: TCP preprocessor |
1130 | snort_dcerpc | Snort: DCE/RPC server preprocessor |
1131 | snort_dns | Snort: DNS preprocessor |
1133 | snort_dcerpc2 | Snort: DCE/RPC server preprocessor v2 |
1134 | snort_ppm | Snort: ppm preprocessor |
1135 | snort_internal | Snort: internal preprocessor |
1138 | snort_sensitive_data | Snort: sensitive data preprocessor |
1139 | snort_sensitive_data2 | Snort: sensitive data preprocessor |
1140 | snort_sip | Snort: SIP preprocessor |
1141 | snort_imap | Snort: IMAP preprocessor |
1142 | snort_pop | Snort: POP preprocessor |
1144 | snort_modbus | Snort: Modbus preprocessor |
1501 | apache | Apache | apache.cfg
1502 | iis | IIS | iis.cfg
1503 | iptables | Iptables | iptables.cfg
1505 | directive_alert | OSSIM Directives Alerts | AlienVault
1507 | rrd_threshold | RRD Threshold | rrd.cfg
1510 | cisco-router | Cisco router | cisco-router.cfg
1511 | p0f | Passive OS fingerprinting tool | p0f.cfg
1512 | arpwatch | Arpwatch | arpwatch.cfg
1514 | cisco-pix | Cisco PIX | cisco-pix.cfg
1515 | cisco-ids | Cisco Secure IDS | cisco-ids.cfg
1516 | pads | Passive Asset Detection System | pads.cfg
1517 | ntsyslog | Windows NT/2000/XP syslog service | ntsyslog.cfg
1518 | snarewindows | Snare Agent for Windows | snare.cfg
1519 | netgear | Netgear | netgear.cfg
1520 | netscreen-manager | Juniper Netscreen Security Manager | netscreen-firewall.cfg
1521 | postfix | Postfix mailer | postfix.cfg
1523 | heartbeat | Heartbeat without CRM | heartbeat.cfg
1524 | spamassassin | Spamassassin: Perl-based spam filter using text analysis | spamassassin.cfg
1525 | nagios | Nagios: host/service/network monitoring and management system | nagios.cfg
1526 | stonegate | Stonegate Firewall | stonegate.cfg
1527 | cisco-vpn | Cisco VPN box | cisco-vpn.cfg
1528 | clurgmgr | Cluster Service Manager Daemon | clurgmgr.cfg
1529 | ipfw | FreeBSD ipfw | ipfw.cfg
1530 | gfi_mailsecurity | GFI MailSecurity | gfi.cfg
1551 | intrushield | McAfee IntruShield syslog | intrushield.cfg
1553 | squid | Squid | squid.cfg
1554 | fortigate | Fortinet / Fortigate | fortigate.cfg
1555 | clamav | Clam AntiVirus | clamav.cfg
1556 | symantec-ams | Symantec AntiVirus Corporate Edition | symantec-ams.cfg
1557 | nortel-switch | Nortel switch and router messages | nortel-switch.cfg
1558 | sophos | Sophos Antivirus | sophos.cfg
1559 | m0n0wall | m0n0wall Firewall log | m0n0wall.cfg
1560 | pf | pf Firewall log | pf.cfg
1561 | modsecurity | ModSecurity | modsecurity.cfg
1562 | vmware_workstation | VMware Workstation | vmware-workstation.cfg
1563 | optenet antispam | Optenet antispam | optenet.cfg
1565 | isa-server | Microsoft ISA Server | isa.cfg
1566 | aladdin | Aladdin eSafe Gateway | aladdin.cfg
1567 | avast | Avast Antivirus Home 4.0 | avast.cfg
1568 | bro-ids | Bro-IDS | bro-ids.cfg
1569 | dragon | Enterasys Dragon | dragon.cfg
1570 | honeyd | Honeyd Virtual Honeypot | honeyd.cfg
1571 | mcafee | McAfee Antivirus | mcafee.cfg
1572 | sidewinder | Sidewinder firewall (BSD based) | sidewinder.cfg
1573 | sonicwall | SonicWALL | sonicwall.cfg
1574 | trendmicro | Trend Micro Messaging Security | trendmicro.cfg
1575 | cyberguard | Cyberguard | cyberguard.cfg
1576 | vsftp | VSFTP | vsftpd.cfg
1577 | bind | BIND | bind.cfg
1578 | Panda-AS | Panda AdminSecure | panda-as.cfg
1579 | hp-eva | HP Command View EVA | hp-eva.cfg
1580 | webmin | Webmin | webmin.cfg
1581 | raslogd | RASlog - Brocade Fabric OS | raslogd.cfg
1582 | serviceguard | HP Service Guard Cluster | serviceguard.cfg
1583 | sitescope | HP SiteScope | sitescope.cfg
1584 | DHCP | Microsoft DHCP Service Activity | dhcp.cfg
1586 | openldap | OpenLDAP | openldap.cfg
1587 | squidguard | Accesses identified in the squidGuard blacklist | squid.cfg
1588 | lucent-brick | Lucent Brick | lucent-brick.cfg
1589 | radiator | Radiator | radiator.cfg
1590 | fw1 | Checkpoint FW1 | fw1ngr60.cfg
1591 | ironport | IronPort log | ironport.cfg
1592 | fidelis | Fidelis | fidelis.cfg
1594 | cisco-acs-sidb | Cisco-ACS-4-SIDB | cisco-acs.cfg
1595 | juniper-netscreen-idp | Juniper NetScreen IDP | juniper-idp.cfg
1596 | Kismet | Kismet Wireless IDS | kismet.cfg
1597 | cisco-ips | Cisco Intrusion Prevention System | cisco-ips.cfg
1598 | Symantec | Symantec | symantec-ams.cfg
1603 | Exchange | Exchange Message Tracking | exchange.cfg
1604 | Moodle | Moodle | moodle.cfg
1605 | PandaSE | Panda Security For Enterprise | panda-se.cfg
1607 | linuxdhcp | Linux DHCP Service Activity | linuxdhcp.cfg
1608 | allot | Allot NetEnforcer | allot.cfg
1609 | Juniper-VPN | Juniper VPN SSL | juniper-vpn.cfg
1610 | vyatta | Vyatta events | vyatta.cfg
1611 | Siteprotector | SiteProtector IDS plugin | siteprotector.cfg
1612 | tippingpoint | TippingPoint | tippingpoint.cfg
1613 | motion | Motion: Motion detector | motion.cfg
1614 | f5 | F5 Load Balancer | f5.cfg
1615 | paloalto | Palo Alto Firewall | paloalto.cfg
1616 | pureftpd | Pure-FTPd: FTP Server | pureftpd.cfg
1617 | courier | Courier Mail Server | courier.cfg
1618 | Mcafee-AntiSpam | McAfee AntiSpam | mcafee-antispam.cfg
1619 | SymantecEPM | SymantecEPM: Symantec AV Server | symantec-epm.cfg
1621 | Fortiguard | FortiGuard IPS | fortiguard.cfg
1623 | Aruba | Aruba Wireless | aruba.cfg
1626 | Juniper-SRX | Juniper-SRX Router/Firewall/IDS/IPS | juniper-srx.cfg
1630 | bit9 | Bit9, Advanced Threat Protection | bit9.cfg
1631 | nfs | NFS | nfs.cfg
1632 | wuftp | WU-FTP | wuftp.cfg
1633 | motorola firewall | Motorola RFS Series Firewall | motorola-firewall.cfg
1635 | netscreen-igs | Netscreen Device | netscreen-igs.cfg
1636 | cisco-asa | Cisco ASA | cisco-asa.cfg
1640 | usbudev | USB udev hardware detection | usbudev.cfg
1641 | airlock | Airlock Reverse Proxy | airlock.cfg
1642 | bluecoat | Blue Coat Proxy | bluecoat.cfg
1643 | stonegate_ips | Stonegate IPS | stonegate_ips.cfg
1646 | netkeeper-fw | NetKeeper Firewall | netkeeper-fw.cfg
1647 | netkeeper-nids | NetKeeper NIDS Detection | netkeeper-nids.cfg
1648 | dovecot | Dovecot Server | dovecot.cfg
1649 | aix-audit | IBM AIX Audit Logs | aix-audit.cfg
1650 | vplus | Vision Plus | vplus.cfg
1651 | oracle-syslog | Oracle Syslog | oracle-syslog.cfg
1652 | cisco-nexus-nx-os | Cisco Nexus | cisco-nexus-nx-os.cfg
1653 | cisco-ace | Cisco ACE | cisco-ace.cfg
1654 | snare-mssql | MS SQL Server | snare-mssql.cfg
1656 | cisco-ips-syslog | Cisco Intrusion Prevention System | cisco-ips.cfg
1657 | cisco-3030 | Cisco VPN concentrator | cisco-3030.cfg
1658 | vmware-vcenter | VMware vCenter | vmware-vcenter.cfg
1660 | ascenlink-network | Xtera AscenLink WAN Load Balancer - Network | ascenlink.cfg
1662 | amun | Amun | amun-honeypot.cfg
1663 | cisco-wlc | Cisco Wireless LAN Controller | cisco-wlc.cfg
1664 | axigen | Axigen Email Server | axigen-mail.cfg
1665 | tacacs-plus | TACACS+ | tacacs-plus.cfg
1666 | smbd | Smbd: Samba Service | smbd.cfg
1667 | GlastopfNG | GlastopfNG: Web Honeypot | glastopfng.cfg
1668 | Artemisa | Artemisa: VoIP Honeypot | artemisa.cfg
1669 | dionaea | Dionaea Honeypot | dionaea.cfg
1670 | cisco-asr | Cisco-ASR | cisco-asr.cfg
1672 | extreme-switch | Extreme Switch | extreme-switch.cfg
1673 | extreme-wireless | Extreme Wireless | extreme-wireless.cfg
1674 | f5-firepass | F5 FirePass Network | f5-firepass.cfg
1675 | drupal-wiki | Drupal Wiki | drupal-wiki.cfg
1676 | shrubbery-tacacs | Shrubbery TACACS+ | shrubbery-tacacs.cfg
1677 | vandyke-vshell | VanDyke VShell | vandyke-vshell.cfg
1678 | citrix-netscaler | Citrix NetScaler | citrix-netscaler.cfg
1679 | imperva-securesphere | Imperva SecureSphere | imperva-securesphere.cfg
1680 | sendmail | Sendmail | sendmail.cfg
1682 | proxim-orinoco | Proxim ORiNOCO | proxim-orinoco.cfg
1683 | prads | Passive Real-time Asset Detection System | prads.cfg
1684 | AlteonOS | Alteon OS (Nortel Switches) | alteonos.cfg
1685 | Suhosin | PHP advanced protection system | suhosin.cfg
1686 | vmware-esxi | VMware ESXi server | vmware-esxi.cfg
1687 | monit | Monit Plugin | monit.cfg
1688 | Storage - StorewizeV7000 | Storage | storewize-V7000.cfg
1689 | W2003DNS | W2003DNS | W2003DNS.cfg
1690 | Aruba-6.x | Aruba Wireless (acquired by HP) | aruba-6.cfg
1691 | Watchguard | WatchGuard Firebox | watchguard.cfg
1801 | forensics-db-1 | Post-correlation plugin that queries the database periodically to catch worms the correlation engine might have missed | forensics-db-1.cfg
1802 | wmi-system-logger | Wmi-Windows: Agent for Windows | wmi-system-logger.cfg
2004 | opennms | OpenNMS | opennms-monitor.cfg
2005 | ntop | NTop | ntop-monitor.cfg
2006 | tcptrack | tcptrack | tcptrack-monitor.cfg
2007 | nagios-monitor | Nagios | nagios.cfg
2008 | nmap-monitor | Nmap: network mapper | nmap-monitor.cfg
2009 | ping-monitor | ping-monitor: Check if a host is alive or unreachable | ping-monitor.cfg
2010 | whois | Whois: Internet domain name and network number directory service | whois-monitor.cfg
2011 | malwaredomain | malwaredomainlist: Check whether a host is listed as a malicious host | malwaredomainlist-monitor.cfg
2012 | wmi-monitor | wmi-monitor: Windows checks via WMI | wmi-monitor.cfg
2013 | OCS-Monitor | OCS inventory monitor | ocs-monitor.cfg
3001 | nessus | Nessus | nessus.cfg
3002 | nmap | Nmap | nmap-monitor.cfg
4001 | osiris | Osiris HIDS | osiris.cfg
4003 | sshd | SSHd: Secure Shell daemon | ssh.cfg
4004 | pam_unix | PAM Unix authentication mechanism | pam_unix.cfg
4005 | sudo | Sudo: lets users run programs with the privileges of another user in a controlled way | sudo.cfg
4007 | syslog | Syslog plugin with md5 checksum logging | syslog.cfg
6001 | ossim-agent | ossim-agent | ossim-agent.cfg
7001 | ossec-syslog | syslog | ossec.cfg
7002 | ossec-firewall | firewall |
7003 | ossec-ids | ids |
7004 | ossec-web-log | web-log |
7005 | ossec-squid | squid |
7006 | ossec-windows | windows |
7007 | ossec-ossec | ossec |
7022 | ossec-access_denied | access_denied |
7023 | ossec-mail | mail |
7024 | ossec-smartd | smartd |
7025 | ossec-linuxkernel | linuxkernel |
7026 | ossec-promisc | promisc |
7027 | ossec-service_availability | service_availability |
7028 | ossec-system_shutdown | system_shutdown |
7029 | ossec-cron | cron |
7030 | ossec-su | su |
7031 | ossec-tripwire | tripwire |
7032 | ossec-adduser | adduser |
7033 | ossec-sudo | sudo |
7034 | ossec-pptp | pptp |
7035 | ossec-fts | fts |
7036 | ossec-arpwatch | arpwatch |
7037 | ossec-new_host | new_host |
7038 | ossec-ip_spoof | ip_spoof |
7039 | ossec-symantec | symantec |
7040 | ossec-virus | virus |
7041 | ossec-pix | pix |
7042 | ossec-config_changed | config_changed |
7043 | ossec-account_changed | account_changed |
7044 | ossec-system_error | system_error |
7045 | ossec-named | named |
7046 | ossec-invalid_access | invalid_access |
7047 | ossec-client_misconfig | client_misconfig |
7048 | ossec-smbd | smbd |
7049 | ossec-vsftpd | vsftpd |
7050 | ossec-connection_attempt | connection_attempt |
7051 | ossec-pure-ftpd | pure-ftpd |
7052 | ossec-proftpd | proftpd |
7053 | ossec-msftp | msftp |
7054 | ossec-hordeimp | hordeimp |
7055 | ossec-vpopmail | vpopmail |
7056 | ossec-courier | courier |
7057 | ossec-web | web |
7058 | ossec-accesslog | accesslog |
7059 | ossec-attack | attack |
7060 | ossec-sql_injection | sql_injection |
7061 | ossec-web_scan | web_scan |
7062 | ossec-apache | apache |
7063 | ossec-automatic_attack | automatic_attack |
7065 | ossec-invalid_request | invalid_request |
7066 | ossec-mysql_log | mysql_log |
7067 | ossec-postgresql_log | postgresql_log |
7068 | ossec-firewall_drop | firewall_drop |
7069 | ossec-multiple_drops | multiple_drops |
7070 | ossec-cisco_ios | cisco_ios |
7095 | ossec-hostinfo | hostinfo |
7096 | ossec-local | local |
7098 | ossec-ftpd | ftpd |
7099 | ossec-win_group_created | win_group_created |
7115 | ossec-login_time | login_time |
7999 | ossec-preprocessor | preprocessor |
8001 | suricata | Suricata HTTP Event | suricata-http.cfg
9555 | Fortimail | Fortinet / FortiMail | fortimail.cfg

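As an added example (not code from the book or from the OSSIM project), the following Python sketch shows the collection model described before Table 1-8: two constructed plugin definitions written in the style of the agent's .cfg files, each bound to one listening port, whose regexp rules turn raw syslog lines into events carrying plugin_id and plugin_sid plus normalized fields. The plugin_id values 4003 (sshd) and 1503 (iptables) follow Table 1-8; the plugin_sid numbers, the regexps, the field names, the port numbers 5140 and 5141, and the sample log lines are assumptions made for this example and are not the contents of the real ssh.cfg or iptables.cfg.

```python
import configparser
import re

# Constructed, simplified plugin definitions in the style of OSSIM agent .cfg files.
# plugin_id follows Table 1-8 (4003 = sshd, 1503 = iptables); the plugin_sid numbers
# and regexps are assumptions for this example. {$name} refers to a named regexp group.
SSH_CFG = r"""
[DEFAULT]
plugin_id=4003

[ssh - Failed password]
event_type=event
regexp=sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)
plugin_sid=1
src_ip={$src}
src_port={$sport}
username={$user}

[ssh - Accepted login]
event_type=event
regexp=sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)
plugin_sid=2
src_ip={$src}
src_port={$sport}
username={$user}
userdata1={$method}
"""

IPTABLES_CFG = r"""
[DEFAULT]
plugin_id=1503

[iptables - DROP]
event_type=event
regexp=kernel: IPT-DROP: IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)
plugin_sid=2
src_ip={$src}
dst_ip={$dst}
src_port={$sport}
dst_port={$dport}
protocol={$proto}
userdata1={$iface}
"""

FIELD_REF = re.compile(r"\{\$(\w+)\}")  # {$name} -> value of named regexp group "name"


def load_plugin(cfg_text):
    """Parse one plugin file into (plugin_id, [(rule_name, regex, plugin_sid, field_templates)])."""
    cp = configparser.ConfigParser(interpolation=None)  # no %-interpolation: regexps stay verbatim
    cp.read_string(cfg_text)
    plugin_id = int(cp["DEFAULT"]["plugin_id"])
    rules = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("event_type") != "event":  # only rule sections describe events
            continue
        fields = {k: v for k, v in sec.items()
                  if k not in ("event_type", "regexp", "plugin_sid", "plugin_id")}
        rules.append((name, re.compile(sec["regexp"]), int(sec["plugin_sid"]), fields))
    return plugin_id, rules


class Agent:
    """Minimal collector: each listening port is bound to exactly one plugin."""

    def __init__(self):
        self.bindings = {}

    def bind(self, port, cfg_text):
        self.bindings[port] = load_plugin(cfg_text)

    def receive(self, port, line):
        """Normalize a raw log line received on `port`; None means the line is dropped."""
        if port not in self.bindings:  # nothing bound: the agent ignores the port
            return None
        plugin_id, rules = self.bindings[port]
        for name, regex, sid, fields in rules:  # first matching rule wins, so order matters
            m = regex.search(line)
            if not m:
                continue
            event = {"plugin_id": plugin_id, "plugin_sid": sid, "rule": name, "log": line}
            for field, template in fields.items():
                event[field] = FIELD_REF.sub(lambda ref: m.group(ref.group(1)) or "", template)
            return event
        return None  # no rule matched: not a security event for this plugin


# Constructed sample log lines (RFC 5737 documentation addresses), each tagged with the
# agent port it arrives on; the port numbers are an assumption for this example.
SAMPLE_INPUT = [
    (5140, "Jan 14 16:44:01 gw01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"),
    (5141, "Jan 14 16:44:02 gw01 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44556 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"),
    (5140, "Jan 14 16:44:03 gw01 sshd[2231]: Connection closed by 203.0.113.7 [preauth]"),
]


def run_demo():
    agent = Agent()
    agent.bind(5140, SSH_CFG)
    agent.bind(5141, IPTABLES_CFG)
    return [agent.receive(port, line) for port, line in SAMPLE_INPUT]


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

Running the block yields one normalized event for the failed SSH login (plugin_id 4003, plugin_sid 1) and one for the dropped packet (plugin_id 1503, plugin_sid 2), and None for the "Connection closed" line, which matches no rule and is dropped just as a plugin with no matching section would drop it. Within one plugin the first section whose regexp matches wins, so the more specific rule has to come first; and because a line is routed purely by the port it arrived on, a line sent to the wrong port is normalized by the wrong plugin or silently discarded, which is why the port-to-device restriction mentioned above matters.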