OSSIM default plugins as of v.4.1

This list should help you select relevant plugins to use with your OSSIM configuration. It can also be considered “a list of natively supported data sources that are available by default,” although the plugin architecture is very extensible, and there are several thousand more available (see `cd /usr/share/ossim/scripts/ && echo $(($(./plugin_wizard.pl -l | sed '/^\s*$/d' | wc -l) / 4))`).

I pulled some of the descriptions out of the cfg files on the trunk.

Plugins are defined as follows (from alienvault docs):
Detectors: Extensible portion of ossim-agent. Passively watch for regex matches within log files, socket or process output contents. ossim-agent handles sending the matched data to ossim-server. (sort of like passive services in nagios/icinga)
Monitors: Actively receive a query from ossim-server, and communicate to their targets with their assigned task. (sort of like active services in nagios/icinga)

** “type of system” is a brief categorization of the product being monitored, itself. “monitoring” should be interesting to you. “hardware,” “software,” “software systems” should not be that interesting.
‡ enabled by default with Sensor server role.

Detection plugins:

| plugin | type of system** | description |
| --- | --- | --- |
| airlock | hardware | reverse proxy and WAF |
| aix-audit | software | “audit subsystem allows system administrators to monitor and record security-related events on the system. This utility provides a good footing for identifying security vulnerability concerning user profile attribute changes and security settings on your system files.” |
| aladdin | hardware | Aladdin eSafe Gateway |
| allot | hardware | Allot Communications NetEnforcer Allot AC Series |
| alteonos | software system | application delivery controller system by radware. |
| amun-honeypot | honeypot | python honeypot |
| apache | service server | httpd |
| arpalert | monitoring | Compares ARP packets to a whitelist, runs a script when a packet is found that’s not in the whitelist. |
| arpwatch | monitoring | Watches ARP packets and can send an email when IP-MAC pairs change. |
| artemisa | honeypot | SIP emulation honeypot. |
| aruba | hardware | Aruba wireless network product support. |
| ascenlink | hardware | WAN load balancer by Xtera. |
| avast | software system | Antivirus solution. |
| axigen-mail | software system | A groupware solution. |
| bind | service server | dns |
| bit9 | software system | End point security (DLP, encryption, discovery) vendor. |
| bluecoat | hardware | Web proxy by Bluecoat. |
| bro-ids | monitoring | ids |
| cisco-3030 | hardware | VPN concentrator |
| cisco-ace | hardware | Application control engine for 6500 series. |
| cisco-acs-idm | hardware | Application control engine logs for identity and access management (for failed logons and the like) |
| cisco-acs | hardware | Radius access control server from Windows server. |
| cisco-asa | hardware | ASA firewall support |
| cisco-asr | hardware | virtualized router platform support |
| cisco-fw | hardware | firewall |
| cisco-ids | hardware | ids support |
| cisco-ips-syslog | hardware | ips syslog support |
| cisco-ips | hardware | ips support |
| cisco-nexus-nx-os | hardware | nexus router support |
| cisco-pix | hardware | pix support |
| cisco-router | hardware | router support |
| cisco-vpn | hardware | vpn support |
| cisco-wlc | hardware | wireless lan controller support |
| citrix-netscaller | hardware | NetScaler support |
| clamav | software system | antivirus solution. |
| clurgmgr | software system | enterprise linux resource group/cluster manager daemon |
| courier | service server | mail server |
| cyberguard | hardware | firewall |
| dhcp | service server | dhcp |
| dionaea | honeypot | smb, http, ftp, tftp, mssql, mysql, sip honeypot |
| dovecot | service server | imap server |
| dragon | hardware | ips and host scanner by enterasys |
| drupal-wiki | software system | content management system |
| eljefe | monitoring | process monitor (agents report to console) by Immunity. |
| enterasys-rmatrix | hardware | switches with secure network stack (featuring unified threat management capabilities) by enterasys |
| exchange | software system | groupware server by microsoft |
| extreme-switch | hardware | switches by extreme networks |
| extreme-wireless | hardware | wireless ap by extreme networks |
| f5-firepass | hardware | vpn concentrator |
| f5 | hardware | f5 gtm and ltm |
| fidelis | software system | data loss prevention solution by IBM. |
| forensics-db-1 | not sure | “Check for hosts who’ve got events towards more than 50 different hosts on netbios ports” |
| fortigate | hardware | firewall |
| fortiguard | hardware | checks fortigate UTM |
| fw1-alt | hardware | firewall-1 firewall by checkpoint |
| fw1ngr60 | hardware | for checkpoint firewall-1 NGX R60 |
| gfi | software system | antivirus solution by GFI |
| glastopng | honeypot | web application honeypot |
| heartbeat | | provides info to other daemons of clustered machines. |
| honeyd | honeypot | telnet, http, smtp, pop, iis honeypot and worm emulator focusing on emulating many hosts |
| hp-eva | software system | HP StorageWorks Command View EVA |
| iis | service server | iis |
| imperva-securesphere | hardware | waf, dlp, and db protection by imperva |
| intrushield | hardware | nids by mcafee |
| ipfw | software | ipfw |
| iphone | hardware | iphone |
| iptables | software | iptables |
| ironport | software system | email protection services (spam, encryption) by cisco |
| isa | software system | vpn, content filtering, proxy by microsoft |
| juniper-srx | hardware | routing and utm by juniper |
| juniper-vpn | hardware | vpn server |
| kismet | monitoring | wireless ids |
| linuxdhcp | service server | dhcp server |
| lucent-brick | hardware | firewall by lucent |
| m0n0wall | software | firewall from FreeBSD |
| mcafee-antispam | software system | antispam from mcafee |
| mcafee-epo | software system | central policy for mcafee products |
| mcafee | software system | antivirus solution. |
| modsecurity | software | ids for apache |
| moodle | software | e-learning webapp |
| motion | software | video camera anomaly detection |
| motorola-firewall | hardware | motorola-firewall |
| mwcollect | honeypot | honeypot to capture binaries (the first iteration of dionaea, development stopped in 2006) |
| nagios | monitoring | monitoring system which handles passive alerting, and can actively poll |
| nepenthes | honeypot | honeypot to capture binaries (the second iteration of dionaea) |
| nessus-detector | monitoring | nessus |
| nessus | monitoring | nessus |
| netgear | hardware | netgear |
| netkeeper-fw | hardware | netkeeper firewall |
| netkeeper-nids | hardware | netkeeper NIDS |
| netscreen-firewall | hardware | Juniper netscreen firewall |
| netscreen-igs | hardware | Juniper netscreen firewall |
| netscreen-manager | hardware | Juniper netscreen firewall manager |
| netscreen-nsm | hardware | Juniper netscreen firewall manager |
| nfs | service server | nfs |
| nortel-switch | hardware | nortel switch |
| ntsyslog | monitoring | importer for windows eventlog-to-syslog |
| openldap | service server | ldap server |
| optenet | hardware | anti-spam/messaging appliance |
| oracle-sql | service server | oracle-sql |
| oracle-syslog | service server | oracle-syslog |
| osiris | monitoring | HIDS |
| ossec-idm | monitoring | ossec HIDS identity and access management (for failed logons and the like) |
| ossec-unique-line | monitoring | ossec HIDS |
| ossec‡ | monitoring | ossec HIDS (handles apache, pam-unix, sudo commands, sudo logons, sshd auth, sshd failed logons, sshd sessions, sshd reverse mapping, system packages, windows security failures, windows log ons and log offs) |
| ossim-agent | monitoring | ossim agent HIDS (failures & successes connecting to server, errors) |
| p0f | monitoring | passive OS fingerprinting tool |
| pads | monitoring | rule-based, passive asset detection system |
| paloalto | hardware | Palo Alto Firewall |
| pam_unix‡ | software | pam_unix |
| panda-as | software system | Panda AdminSecure |
| panda-se | software system | Panda Security For Enterprise |
| pf | software | openbsd packet filter |
| post_correlation | monitoring | a function of OSSIM: “The AlienVault Correlation Engine provides the capability of doing post-correlation. When new rules are loaded into the system, the history of events is analyzed to ensure that you identify not only the next attack, but also the attack that happened last week.” |
| postfix | service server | mail server |
| prads‡ | monitoring | passive asset detection (used to build host_attribute_table.xml to extend sguil) |
| proxim-orinoco | hardware | proxim orinoco ap-700 |
| pureftpd | service server | ftp server |
| radiator | service server | radius server |
| radware-ips | hardware | IPS: defensepro appliance by radware |
| raslogd | hardware | log messages by brocade |
| realsecure | software system | IBM’s internet security system, per-host NIBS |
| rrd | monitoring | tests for anomaly and threshold within an RRD |
| rsa-secureid | hardware | RSA’s famous two factor authentication platform (speaking of exfiltration) |
| sap | software system | SAP |
| sendmail | software | mail server |
| serviceguard | software system | HP Service Guard/HP-UX Cluster Management |
| shrubbery-tacacs | service server | TACACS+ server |
| sidewinder | hardware | mcafee’s firewall |
| siteprotector | software system | IBM’s proventia security device management system |
| sitescope | monitoring | HP SiteScope |
| smbd | service server | smbd: close, connect, open read, open write, unknown user |
| snare-idm | monitoring | snare for identity and access management (for failed logons and the like) |
| snare-mssql | monitoring | snare for Microsoft SQL Server 2008 R2 events |
| snare-msssis | monitoring | snare for Microsoft SQL Server Integration Services events |
| snare | monitoring | snare for identity and access management (for failed logons and the like) |
| snort_syslog | monitoring | snort NIDS |
| snortunified‡ | monitoring | snort NIDS |
| sonicwall | hardware | sonicwall firewall |
| sophos | software system | antivirus solution. |
| spamassassin | software system | spam filter |
| squid | service server | web proxy and cache |
| squidGuard | service server | url redirector, content control |
| ssh-remote | service server | sshd for remote log |
| ssh‡ | service server | sshd for local log |
| stonegate | hardware | firewall by stonesoft |
| stonegate_ips | hardware | IPS by stonesoft |
| sudo‡ | software | sudo: status failed/success, success, command executed, user not in sudoers |
| suhosin | software | PHP hardening patch suite |
| suricata | monitoring | IDS |
| symantec-amc | software system | Symantec antivirus management server |
| symantec-epm | software system | Symantec endpoint management server |
| syslog | service server | syslog |
| tacacs-plus | service server | tacacs+, may be the ruby gem? |
| tarantella | software system | Oracle Secure Global Desktop |
| tippingpoint | monitoring | ips by hp/tippingpoint |
| token-rsa | hardware | RSA’s famous two factor authentication platform (speaking of exfiltration) |
| trendmicro | software system | DLP, email filter, encryption: trendmicro interscan messaging security suite |
| usbudev | monitoring | reports if a USB device is added or removed, depends on /usr/share/ossim/scripts/usbudev.py |
| vandyke-vshell | service server | SSH server for windows and *nix from Vandyke |
| vmware-esxi | software system | virtualization server |
| vmware-vcenter-sql | software system | virtualization server centralized manager |
| vmware-vcenter | software system | virtualization server centralized manager |
| vmware-workstation | software | virtualization workstation product |
| vplus | software system | credit card transaction management software (?) |
| vsftpd | service server | ftp server |
| vyatta | software system | open source networking “appliance” |
| webmin | software | web ui for configuration of *nix. |
| websense | software | proxy appliance for UTM |
| wmi-application-logger | monitoring | watches windows application log |
| wmi-security-logger-srv2008 | monitoring | watches windows security log |
| wmi-security-logger | monitoring | watches windows security log |
| wmi-system-logger | monitoring | watches windows system log |
| wuftp | service server | ftp server |

Monitor plugins:
These plugins are referred to by ossim-agent. They contain processes that should be managed.

‡ enabled by default with Sensor server role.

| plugin | description |
| --- | --- |
| malwaredomainlist-monitor | Checks if a host is listed on malwaredomainlist.com. |
| nessus-monitor | Allows nessusd to be monitored by ossim-agent. |
| nmap-monitor‡ | Uses nmap to check for open and closed TCP and UDP ports. |
| ntop-monitor‡ | Allows ntop (the binary) to be managed by ossim-agent. Queries and parses dumpData.html. |
| ocs-monitor | Provides an interface to OCS’s portion of the database (`hardware` and `software` tables). |
| opennms-monitor | Can query OpenNMS’s postgresql database. |
| ossim-monitor‡ | Used to monitor the OSSIM DB. By default, checks for attack and compromise counts. |
| ping-monitor‡ | Sends icmp packets (with ping) to a configurable host. |
| session-monitor | Queries ntop’s session page for session data sent and session duration. |
| tcptrack-monitor | Local packet sniffer that lists some stats on tcp flows. |
| whois-monitor‡ | Spawns whois to perform a lookup. |
| wmi-monitor‡ | Utilizes /usr/share/ossim/scripts/wmiMonitor.py, which uses wmi-client to run the following WMI queries: * FROM Win32_COMClass, Name FROM Win32_Process, Name FROM Win32_Service, * FROM Win32_LoggedOnUser. |