OSSIM default plugins as of v.4.1


This list should help you select relevant plugins to use with your OSSIM configuration. It can also be considered “a list of natively supported data sources that are available by default,” although the plugin architecture is very extensible, and there are several thousand more available (see `cd /usr/share/ossim/scripts/ && echo $(($(./plugin_wizard.pl -l | sed '/^\s*$/d' | wc -l) / 4))`).

I pulled some of the descriptions out of the cfg files on the trunk.

Plugins are defined as follows (from the AlienVault docs):
Detectors: Extensible portion of ossim-agent. They passively watch for regex matches within log files, sockets or process output. ossim-agent handles sending the matched data to ossim-server. (Sort of like passive services in Nagios/Icinga.)
Monitors: Actively receive a query from ossim-server and communicate with their targets to carry out their assigned task. (Sort of like active services in Nagios/Icinga.)

** “type of system” is a brief categorization of the monitored product itself. “monitoring” should be interesting to you; “hardware,” “software,” and “software system” should not be that interesting.
‡ enabled by default with Sensor server role.

Detection plugins:

plugin | type of system** | description

airlock | hardware | reverse proxy and WAF
aix-audit | software | “audit subsystem allows system administrators to monitor and record security-related events on the system. This utility provides a good footing for identifying security vulnerability concerning user profile attribute changes and security settings on your system files.”
aladdin | hardware | Aladdin eSafe Gateway
allot | hardware | Allot Communications NetEnforcer Allot AC Series
alteonos | software system | application delivery controller system by Radware
amun-honeypot | honeypot | Python honeypot
apache | service server | httpd
arpalert | monitoring | Compares ARP packets to a whitelist, runs a script when a packet is found that’s not in the whitelist.
arpwatch | monitoring | Watches ARP packets and can send an email when IP-MAC pairs change.
artemisa | honeypot | SIP emulation honeypot
aruba | hardware | Aruba wireless network product support
ascenlink | hardware | WAN load balancer by Xtera
avast | software system | antivirus solution
axigen-mail | software system | a groupware solution
bind | service server | dns
bit9 | software system | endpoint security (DLP, encryption, discovery) vendor
bluecoat | hardware | web proxy by Blue Coat
bro-ids | monitoring | ids
cisco-3030 | hardware | VPN concentrator
cisco-ace | hardware | Application Control Engine for the 6500 series
cisco-acs-idm | hardware | Application control engine logs for identity and access management (for failed logons and the like)
cisco-acs | hardware | RADIUS access control server from Windows Server
cisco-asa | hardware | ASA firewall support
cisco-asr | hardware | virtualized router platform support
cisco-fw | hardware | firewall
cisco-ids | hardware | ids support
cisco-ips-syslog | hardware | ips syslog support
cisco-ips | hardware | ips support
cisco-nexus-nx-os | hardware | Nexus router support
cisco-pix | hardware | pix support
cisco-router | hardware | router support
cisco-vpn | hardware | vpn support
cisco-wlc | hardware | wireless lan controller support
citrix-netscaller | hardware | NetScaler support
clamav | software system | antivirus solution
clurgmgr | software system | enterprise linux resource group/cluster manager daemon
courier | service server | mail server
cyberguard | hardware | firewall
dhcp | service server | dhcp
dionaea | honeypot | smb, http, ftp, tftp, mssql, mysql, sip honeypot
dovecot | service server | imap server
dragon | hardware | ips and host scanner by Enterasys
drupal-wiki | software system | content management system
eljefe | monitoring | process monitor (agents report to console) by Immunity
enterasys-rmatrix | hardware | switches with secure network stack (featuring unified threat management capabilities) by Enterasys
exchange | software system | groupware server by Microsoft
extreme-switch | hardware | switches by Extreme Networks
extreme-wireless | hardware | wireless ap by Extreme Networks
f5-firepass | hardware | vpn concentrator
f5 | hardware | F5 GTM and LTM
fidelis | software system | data loss prevention solution by IBM
forensics-db-1 | not sure | “Check for hosts who’ve got events towards more than 50 different hosts on netbios ports”
fortigate | hardware | firewall
fortiguard | hardware | checks fortigate UTM
fw1-alt | hardware | FireWall-1 firewall by Check Point
fw1ngr60 | hardware | for Check Point FireWall-1 NGX R60
gfi | software system | antivirus solution by GFI
glastopng | honeypot | web application honeypot
heartbeat | (type not given) | provides info to other daemons of clustered machines
honeyd | honeypot | telnet, http, smtp, pop, iis honeypot and worm emulator focusing on emulating many hosts
hp-eva | software system | HP StorageWorks Command View EVA
iis | service server | iis
imperva-securesphere | hardware | waf, dlp, and db protection by Imperva
intrushield | hardware | nids by McAfee
ipfw | software | ipfw
iphone | hardware | iphone
iptables | software | iptables
ironport | software system | email protection services (spam, encryption) by Cisco
isa | software system | vpn, content filtering, proxy by Microsoft
juniper-srx | hardware | routing and utm by Juniper
juniper-vpn | hardware | vpn server
kismet | monitoring | wireless ids
linuxdhcp | service server | dhcp server
lucent-brick | hardware | firewall by Lucent
m0n0wall | software | firewall from FreeBSD
mcafee-antispam | software system | antispam from McAfee
mcafee-epo | software system | central policy for McAfee products
mcafee | software system | antivirus solution
modsecurity | software | ids for apache
moodle | software | e-learning webapp
motion | software | video camera anomaly detection
motorola-firewall | hardware | motorola-firewall
mwcollect | honeypot | honeypot to capture binaries (the first iteration of dionaea, development stopped in 2006)
nagios | monitoring | monitoring system which handles passive alerting, and can actively poll
nepenthes | honeypot | honeypot to capture binaries (the second iteration of dionaea)
nessus-detector | monitoring | nessus
nessus | monitoring | nessus
netgear | hardware | netgear
netkeeper-fw | hardware | netkeeper firewall
netkeeper-nids | hardware | netkeeper NIDS
netscreen-firewall | hardware | Juniper NetScreen firewall
netscreen-igs | hardware | Juniper NetScreen firewall
netscreen-manager | hardware | Juniper NetScreen firewall manager
netscreen-nsm | hardware | Juniper NetScreen firewall manager
nfs | service server | nfs
nortel-switch | hardware | Nortel switch
ntsyslog | monitoring | importer for windows eventlog-to-syslog
openldap | service server | ldap server
optenet | hardware | anti-spam/messaging appliance
oracle-sql | service server | oracle-sql
oracle-syslog | service server | oracle-syslog
osiris | monitoring | HIDS
ossec-idm | monitoring | ossec HIDS identity and access management (for failed logons and the like)
ossec-unique-line | monitoring | ossec HIDS
ossec‡ | monitoring | ossec HIDS (handles apache, pam-unix, sudo commands, sudo logons, sshd auth, sshd failed logons, sshd sessions, sshd reverse mapping, system packages, windows security failures, windows log ons and log offs)
ossim-agent | monitoring | ossim agent HIDS (failures & successes connecting to server, errors)
p0f | monitoring | passive OS fingerprinting tool
pads | monitoring | rule-based, passive asset detection system
paloalto | hardware | Palo Alto firewall
pam_unix‡ | software | pam_unix
panda-as | software system | Panda AdminSecure
panda-se | software system | Panda Security for Enterprise
pf | software | OpenBSD packet filter
post_correlation | monitoring | a function of OSSIM: “The AlienVault Correlation Engine provides the capability of doing post-correlation. When new rules are loaded into the system, the history of events is analyzed to ensure that you identify not only the next attack, but also the attack that happened last week.”
postfix | service server | mail server
prads‡ | monitoring | passive asset detection (used to build host_attribute_table.xml to extend sguil)
proxim-orinoco | hardware | Proxim ORiNOCO AP-700
pureftpd | service server | ftp server
radiator | service server | radius server
radware-ips | hardware | IPS: DefensePro appliance by Radware
raslogd | hardware | log messages by Brocade
realsecure | software system | IBM’s Internet Security Systems, per-host NIDS
rrd | monitoring | tests for anomaly and threshold within an RRD
rsa-secureid | hardware | RSA’s famous two factor authentication platform (speaking of exfiltration)
sap | software system | SAP
sendmail | software | mail server
serviceguard | software system | HP Serviceguard/HP-UX cluster management
shrubbery-tacacs | service server | TACACS+ server
sidewinder | hardware | McAfee’s firewall
siteprotector | software system | IBM’s Proventia security device management system
sitescope | monitoring | HP SiteScope
smbd | service server | smbd: close, connect, open read, open write, unknown user
snare-idm | monitoring | snare for identity and access management (for failed logons and the like)
snare-mssql | monitoring | snare for Microsoft SQL Server 2008 R2 events
snare-msssis | monitoring | snare for Microsoft SQL Server Integration Services events
snare | monitoring | snare for identity and access management (for failed logons and the like)
snort_syslog | monitoring | snort NIDS
snortunified‡ | monitoring | snort NIDS
sonicwall | hardware | SonicWall firewall
sophos | software system | antivirus solution
spamassassin | software system | spam filter
squid | service server | web proxy and cache
squidGuard | service server | url redirector, content control
ssh-remote | service server | sshd for remote log
ssh‡ | service server | sshd for local log
stonegate | hardware | firewall by Stonesoft
stonegate_ips | hardware | IPS by Stonesoft
sudo‡ | software | sudo: status failed/success, success, command executed, user not in sudoers
suhosin | software | PHP hardening patch suite
suricata | monitoring | IDS
symantec-amc | software system | Symantec antivirus management server
symantec-epm | software system | Symantec endpoint management server
syslog | service server | syslog
tacacs-plus | service server | tacacs+, may be the ruby gem?
tarantella | software system | Oracle Secure Global Desktop
tippingpoint | monitoring | ips by HP/TippingPoint
token-rsa | hardware | RSA’s famous two factor authentication platform (speaking of exfiltration)
trendmicro | software system | DLP, email filter, encryption: Trend Micro InterScan Messaging Security Suite
usbudev | monitoring | reports if a USB device is added or removed, depends on /usr/share/ossim/scripts/usbudev.py
vandyke-vshell | service server | SSH server for Windows and *nix from VanDyke
vmware-esxi | software system | virtualization server
vmware-vcenter-sql | software system | virtualization server centralized manager
vmware-vcenter | software system | virtualization server centralized manager
vmware-workstation | software | virtualization workstation product
vplus | software system | credit card transaction management software (?)
vsftpd | service server | ftp server
vyatta | software system | open source networking “appliance”
webmin | software | web ui for configuration of *nix
websense | software | proxy appliance for UTM
wmi-application-logger | monitoring | watches the Windows application log
wmi-security-logger-srv2008 | monitoring | watches the Windows security log
wmi-security-logger | monitoring | watches the Windows security log
wmi-system-logger | monitoring | watches the Windows system log
wuftp | service server | ftp server

Monitor plugins:
These plugins are referenced by ossim-agent. They contain processes that ossim-agent must manage.

‡ enabled by default with Sensor server role.

plugin | description

malwaredomainlist-monitor | Checks if a host is listed on malwaredomainlist.com.
nessus-monitor | Allows nessusd to be monitored by ossim-agent.
nmap-monitor‡ | Uses nmap to check for open and closed TCP and UDP ports.
ntop-monitor‡ | Allows ntop (the binary) to be managed by ossim-agent. Queries and parses dumpData.html.
ocs-monitor | Provides an interface to OCS’s portion of the database (`hardware` and `software` tables).
opennms-monitor | Can query OpenNMS’s PostgreSQL database.
ossim-monitor‡ | Used to monitor the OSSIM DB. By default, checks for attack and compromise counts.
ping-monitor‡ | Sends ICMP packets (with ping) to a configurable host.
session-monitor | Queries ntop’s session page for session data sent and session duration.
tcptrack-monitor | Local packet sniffer that lists some stats on TCP flows.
whois-monitor‡ | Spawns whois to perform a lookup.
wmi-monitor‡ | Utilizes /usr/share/ossim/scripts/wmiMonitor.py, which uses wmi-client to run the following queries: * FROM Win32_COMClass, Name FROM Win32_Process, Name FROM Win32_Service, * FROM Win32_LoggedOnUser.