Tracking an Infected Host Using OSSIM / USM with Customization
Good day everyone! Today I want to share the experience of tracking the activity of malicious software on a host with the help of OSSIM or USM, and some customization. Let’s look at a typical network of a small or mid-sized enterprise. For example, we have a few client PCs running Windows 7, 8, 10, and a domain controller which also acts…


How to Use OSSIM / USM Active Lists with Python Scripts
Hello, dear Alien Nation and all the community! What I want to explore today is the so-called “active lists” functionality and how it can be implemented in USM/OSSIM. Let me explain what I call an “active list” with the following example. Let’s say we have some application (A) to which users log in, do their work, and then…


Using Custom Functions in USM and OSSIM for Additional Parsing of Log Data
Good day everybody. Today I’m going to examine and explain the functionality of “custom functions” used in OSSIM/USM parsers. These are functions meant to modify the data after the agent finishes parsing. There are several built-in functions, such as “resolv()”, which resolves the IP by hostname, and “normalize_date()”, which normalizes the timestamp. In the following example I…