AlienVault® USM Appliance™

Customize Existing Plugins Yourself

Applies to Product: USM Appliance™ AlienVault OSSIM®

You may want to customize an existing plugin if, for example, you need to update configuration file settings, add or update rules, exclude events, or change regular expressions.

Create the .local File

For any existing plugin file you want to change, you must first create a new empty file with the same name and append the .local extension to it:

<filename>.cfg.local

You can then add your changes to the plugin in the .local file. Only include the delta, or items you want to change from the original plugin file, along with the section name that it belongs to. For example, if you want the plugin to read from a different log file, you can specify the location for the log file like this:

[config]
location=/path/to/file

Changes in your .local file take precedence over any settings defined in the original plugin file. The .local file will not be overwritten by system updates. You can change anything within a plugin file except the header or the plugin ID, enable, type, and source parameters.

If you want to modify an existing rule, either the regexp parameter or any of the event field mappings, you must use the same rule ID. For example, if you want to modify the [ssh - Failed password] rule in the SSH plugin, you must include the [ssh - Failed password] section in your .local file and specify your changes underneath.
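A pre-deployment check for a .local delta, as an added example that is not part of the original documentation or the product's own tooling: it flags overrides of the parameters that must not change and section names that match no rule ID in the original plugin. The sample plugin text, plugin ID 9001, log paths and regexps are constructed; the key names plugin_id, enable, type and source are assumed to follow the usual OSSIM plugin layout, and the key-by-key merge only models the precedence described above.

```python
import configparser

# Parameters a .local file must not change (key names are an assumption
# based on the usual OSSIM plugin layout).
PROTECTED = {"plugin_id", "enable", "type", "source"}

# Constructed sample standing in for an original plugin file (not the shipped ssh.cfg).
BASE = r"""[DEFAULT]
plugin_id=9001
[config]
type=detector
enable=yes
source=log
location=/var/log/auth.log
[ssh - Failed password]
regexp=Failed password for (?P<user>\S+) from (?P<src>\S+)
plugin_sid=1
"""

# Constructed .local delta: one valid rule override, one protected key, one rule ID typo.
LOCAL = r"""[config]
location=/var/log/secure
enable=no
[ssh - Failed password]
regexp=Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)
[ssh - Failed pasword]
plugin_sid=2
"""

def _parse(text):
    # No interpolation, '=' as the only delimiter (regexps contain ':' and '%'),
    # and [DEFAULT] treated as an ordinary section so it can be inspected.
    cp = configparser.RawConfigParser(
        delimiters=("=",), strict=False, default_section="__none__")
    cp.read_string(text)
    return cp

def check_local(base_text, local_text):
    """Return (problems, merged settings) for a .local delta over a plugin file."""
    base, local = _parse(base_text), _parse(local_text)
    merged = {s: dict(base.items(s)) for s in base.sections()}
    problems = []
    for section in local.sections():
        if section not in merged:
            problems.append(f"[{section}] not in original: new rule, or rule ID typo?")
        for key, value in local.items(section):
            if key in PROTECTED:
                problems.append(f"[{section}] {key} must not be changed in .local")
            else:
                merged.setdefault(section, {})[key] = value  # .local wins
    return problems, merged
```

Calling check_local(BASE, LOCAL) reports the enable override and the misspelled section, while the merged result carries the new location and the updated [ssh - Failed password] regexp.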

Important: AT&T Cybersecurity recommends that you keep any plugin file that you customized or developed until you can verify that AT&T Cybersecurity has included your requested plugin or revision in one of its biweekly updates.

Typical customizations include, but are not limited to