LevelBlue NIDS

Applies to Product: USM Appliance™ LevelBlue OSSIM®

LevelBlue NIDS plays an important role in the USM Appliance. By detecting malicious network events, it provides vital information for correlation directives and cross-correlation rules. Combining this information with the events collected from other devices, USM Appliance presents a complete picture of the malicious activity.

The LevelBlue NIDS functionality, including monitoring network traffic and detecting malicious events, takes place on the USM Appliance Sensor. You should configure at least two network interfaces on a USM Appliance Sensor or USM Appliance All-in-One:

  • Management interface — Configure the interface with an IP address, which you can reach from the network. Use this interface for administrative purposes and communication with other USM Appliance components. See Set Up the Management Interface.
  • Network monitoring interface — Do not configure an IP address on the interface. Instead, connect the interface to a spanned or mirrored port on a network switch, so that USM Appliance can examine the traffic passing through it. You can use more than one network monitoring interface to observe several networks from a single USM Appliance Sensor. See Configuring AlienVault NIDS.
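As an added example (not part of the LevelBlue documentation or the appliance itself), the following Python script checks the two-interface requirement above against the output of `ip -o link show` and `ip -o addr show`: an interface with a global-scope address is treated as the management interface, and an interface that is up, has no global address and is in promiscuous mode is treated as a monitoring interface. The sample output, the interface names and the assumption that the monitoring interface has been placed in promiscuous mode are constructed for illustration.

```python
"""Check a sensor's interface roles from `ip -o link show` / `ip -o addr show` output."""
import re

LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")
ADDR_RE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+inet6?\s+\S+.*?\bscope\s+(?P<scope>\S+)")

# Constructed sample output (fields after the `\` continuation trimmed); not from a real appliance.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
"""
SAMPLE_ADDR = """\
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1    inet6 fe80::211:22ff:fe33:4456/64 scope link
"""

def classify(link_text, addr_text):
    """Role per non-loopback interface. Only global-scope addresses count, so an
    autoconfigured fe80:: link-local address still means "no IP address". Assumption:
    the capture interface was set with `ip link set <dev> promisc on`, so PROMISC shows."""
    with_ip = {m.group("name") for m in map(ADDR_RE.match, addr_text.splitlines())
               if m and m.group("scope") == "global"}
    roles = {}
    for m in filter(None, map(LINK_RE.match, link_text.splitlines())):
        name, flags = m.group("name"), set(m.group("flags").split(","))
        if "LOOPBACK" in flags:
            continue
        if name in with_ip:
            roles[name] = "management"
        elif "UP" not in flags:
            roles[name] = "down"
        elif "PROMISC" in flags:
            roles[name] = "monitoring"
        else:
            roles[name] = "no address, not promiscuous"
    return roles

def sensor_problems(link_text, addr_text):
    """Findings against the 'at least one management + one monitoring interface' rule."""
    roles = classify(link_text, addr_text)
    problems = [f"{n}: {r}" for n, r in roles.items() if r not in ("management", "monitoring")]
    if "management" not in roles.values():
        problems.append("no management interface (needs an IP address)")
    if "monitoring" not in roles.values():
        problems.append("no monitoring interface (up, promiscuous, no IP address)")
    return problems
```

On a live sensor, feed the script the real output of the two `ip -o` commands instead of the constructed samples; an interface listed as "no address, not promiscuous" is one that was cabled to a mirror port but never brought into capture mode.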

The USM Appliance Server consumes the NIDS signatures through plugins, which generate the LevelBlue NIDS events. The correlation engine processes and correlates the normalized events, then stores them in the SIEM database.

AlienVault NIDS diagram

AlienVault OSSIM Limitations: Both LevelBlue OSSIM and the USM Appliance HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and LevelBlue OSSIM provide. However, LevelBlue OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.