SIEMSecurity信息事件Management20
龚记(Web SQL)
锣霁
<强>
SIEM锣JIOne-Class SVMOSSIMGong霁OSSIM:(负面)龚记(积极)OSSIM alt="深度学习OSSIM关联分析(附源码注解)">
1
<强> <强> <强>
OSSIMConfiguration→威胁情报→Directives2
2 OSSIM
<强>新指令:
<李><强>测试指令:/
<李><强>重启服务器:ossim-serverServerUSM
3
<强>●传感器
<强> :●协议ANYTCPUDPICMP
<强>●粘性不同 <强>
4.3 LinuxstickyOSSIM粘性differentSticky differentNone
粘性不同的/etc/OSSIM/服务器/directives.xsd
& lt; xs: simpleType name=" stickydifferenttype "在
…
& lt;/xs: simpleType>
IPNoneDST_PORTSRC_IPPLUGIN_IDGong JISticky不同
<强>
<强> <强> <强> <强> <强>
<强>
4
/etc/OSSIM/服务器/alienvault-dos。xmlAvAttacks,可能DDOS 
<强>●用户名
<强>●通过
<强>●Userdata1 ~ Userdata8 :
5 FromToData源事件类型行动
<强> <强> <强> <强>
<强>
OSSIM/etc/OSSIM/服务器/*。xmlWebCorrelation Directivessshtest/etc/ossim serveruser.xml/etc/ossim/服务器/指令。xml6
Directivecategories 6。xmlXML:
OSSIM(规则)
7
directive_iddirective名称
规则锣JIEvent锣JIGong JIGong霁
规则可靠性锣JIScene iddirective_idReliability 0 ~ 10锣JINew_ReliabilityEvent行动
& lt;指令id=" 500000 " name="公共Web服务器不可用"优先级=" 1 "在
& lt;/directive>
<强>
:<强>●探测器SnortApacheArpwatch
<强>●监视 Ntop
<强>●名称
<强>●可靠性:
<强>●Plugin_id :id, id
<强>●Plugin_sid :IDIDSnortID1001, 1501 idapache
<强> ●条件:6:
eq -=
ne -不等于
lt -小比
gt ->
le -小于或等于
通用电气——大于或等于
<强> time_out●间隔,
<强>
<强> <强>
<强>
OSSIM/etc/OSSIM/服务器/alienvault-scan。xmlGong霁
:一级
:二级
: level3
:四级8
8锣霁
<强>●发生 1龚记“fromtoport_fromport_toplugin_idplugin_sid”
IPGong JIOSSIMIP的
ANYIP IPv4
IPv4 IP
1: IP SRC_IP
2: DST_IP
:“! 192.168.150.200HOME_NET”
HOME_NET=192.168.150.0/24 C192.168.150.200
<强> Time_out
<强> Port_from/Port_to <强> /Port_fromANYPort_to1: DST_PORTport=!22日,25日
dst_ipipdst_portipaddrip
<强>协议TCPUDPANY
<强> Plugin_id IDpluginplugin_id
<强> Plugin_sid SIDID
OSSIMGong霁eventeventGong JIEventalarmAlarm
Plugin_id=" 1001 " Plugin_sid=?008609, 2008641”
4.6385 OSSIM id=1001 snortidssnortid1&
4.8 OSSIMSnortID10011145OSSIM ConfigurationThreat IntelligenceData Source10
10 OSSIMGong JI84OSSIM 4.151800 OSSIM子结构5。x2100 + OSSIMdirective_event
OSSIM锣霁AI
SIEMSIEMGong JIOSSIM
附件:
下面分享的是OSSIM关联分析的一部分源代码。
