USM Appliance™

Plugin Types

Applies to Product: USM Appliance™, AlienVault OSSIM®

The plugins included in USM Appliance are called detector plugins. They receive and extract events from logs, which include

  • Text logs created by the rsyslog collection system.

    USM Appliance uses rsyslog as its default syslog implementation. The configuration files of all external devices reside in /etc/rsyslog.d.

  • Logs retrieved using other mechanisms such as SDEE (Security Device Event Exchange) or WMI (Windows Management Instrumentation).

Note: For a current list of all AlienVault provided plugins, see the data sheet.

The Source field of each plugin file indicates the type of detector plugin.

  [config]
  type=detector
  enable=true
  source=log

There are four types of detector plugins in USM Appliance, which are summarized in the following table.

Detector plugin types (plugin source, description, and an example plugin of each type)

  • Database (example: mcafee-epo)

    Monitors the content of external databases. Database plugins extract data from an external database and turn it into USM Appliance events. Supported databases are MySQL and Microsoft SQL Server. The database plugin configuration file tells USM Appliance how to connect to and query the database. See Configure Database Plugins for an example of a database plugin configuration file and for more information on configuring database plugins.

  • Log (example: cisco-asa)

    Monitors a log file, usually receiving data through syslog. Log plugins extract events from log files by matching each line of the file against a regular expression. The plugin then normalizes the matched text into an event whose fields are populated from that text. See Configure Log Plugins for an example of a log plugin configuration file and for more information on configuring log plugins.

  • SDEE (example: cisco-ips)

    Monitors Cisco devices using the SDEE protocol. Cisco Systems IPS Sensor 5.0 uses the Security Device Event Exchange (SDEE) protocol to specify the format of the messages used to communicate events generated by certain Cisco security devices. See Configure SDEE Plugins for an example of an SDEE plugin configuration file and for more information on configuring SDEE plugins.

  • WMI (example: wmi-application-logger)

    Remotely collects Microsoft Windows events and data without an agent. Windows Management Instrumentation (WMI) plugins collect Microsoft Windows events and data remotely, without an agent, using the Windows Management Instrumentation Command Line (WMIC). See Configure WMI Plugins for an example of a WMI plugin configuration file and for more information on configuring WMI plugins.
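
To make the log-plugin workflow concrete, here is an added Python example (not code from USM Appliance or the AlienVault agent) that reads a constructed plugin file, applies each rule's regular expression to constructed syslog lines, and normalizes the named groups into event fields. The [config] header mirrors the one shown above; the rule section, its regexp= key and the {$name} field references are assumptions for illustration only.

```python
import configparser
import re
# Constructed plugin file. The [config] header follows the page; the rule
# section, its regexp= key and the {$name} field references are assumptions.
PLUGIN_CFG = r"""
[config]
type=detector
enable=true
source=log
[deny-tcp]
regexp=\d\d:\d\d:\d\d (?P<sensor>\S+) .*Deny tcp src \w+:(?P<srcip>[\d.]+)/(?P<srcport>\d+) dst \w+:(?P<dstip>[\d.]+)/(?P<dstport>\d+)
device={$sensor}
src_ip={$srcip}
src_port={$srcport}
dst_ip={$dstip}
dst_port={$dstport}
"""
# Constructed syslog lines in the style of a Cisco ASA deny message.
SAMPLE_LOG = [
    'Mar  3 10:15:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/44512 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN"',
    "Mar  3 10:15:02 fw01 %ASA-6-302013: Built inbound TCP connection 12345",
]
FIELD_REF = re.compile(r"\{\$(\w+)\}")   # {$name} -> named regex group

def load_plugin(cfg_text):
    """Return the [config] header and [(rule name, compiled regexp, field map), ...]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(cfg_text)
    rules = [(s, re.compile(cp[s]["regexp"]),
              {k: v for k, v in cp[s].items() if k != "regexp"})
             for s in cp.sections() if s != "config"]
    return dict(cp["config"]), rules

def normalize(line, rules):
    """Event from the first matching rule, or None so an unmatched line is dropped."""
    for name, rx, fields in rules:
        m = rx.search(line)
        if m:
            g = m.groupdict()
            sub = lambda t: FIELD_REF.sub(lambda r: g.get(r.group(1), ""), t)
            return {"rule": name, **{f: sub(t) for f, t in fields.items()}}
    return None

def parse_log(lines, cfg_text=PLUGIN_CFG):
    """Honour the header before matching: a disabled or non-log plugin yields nothing."""
    header, rules = load_plugin(cfg_text)
    if header.get("enable") != "true" or header.get("source") != "log":
        return []
    return [ev for ev in (normalize(line, rules) for line in lines) if ev]
```

Only the line that matches a rule becomes an event; the connection-built line produces nothing, which is the behaviour to expect when a plugin's regular expressions do not cover a device's full message set.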

Most detector plugins work automatically, without additional configuration, after you enable them. (See Enable Plugins.)

IDM Plugins

IDM Plugins are a special type of detector plugin that collect additional information about devices and applications. This information is used to enhance the metadata of individual events when USM Appliance processes event data collected from other plugins. The IDM plugins in USM Appliance include

  • arpalert-idm
  • cisco-acs-idm
  • linuxdhcp-idm
  • nmap-hosts
  • ossec-idm-single-line
  • prads
  • snare-idm

Note: The prads plugin, which identifies and collects information on network services running on hosts, is automatically enabled at startup, by default. Thus, no additional setup or configuration is required before you can start taking advantage of IDM information. Although not required, you can enable additional IDM plugins to gather information from different sources. For more information, see Enable Plugins.

Scheduled inventory tasks such as asset discovery scans, WMI scans, and availability monitoring can also collect IDM information. Information collected by the IDM plugins and other scheduled processes is stored in an internal database, which also maintains historical data retrieved for the same hosts.

USM Appliance queries this data to enrich the metadata of events processed from other device- and application-specific plugins. In addition, if values have changed in the historical data maintained for IDM data sources, USM Appliance generates an anomaly event that shows the change between the new and previous values. For more information on viewing anomaly events containing IDM information, see Review Security Events.

IDM information is collected per host, keyed by the host's IP address, and includes

  • UUID, IP address, and domain of the host
  • ID of the IDM source that generated the event (such as nmap, ocs, nagios)
  • Hostname associated with the IP address
  • MAC address
  • Operating system
  • CPU description and frequency
  • RAM (in megabytes) on the host
  • Host graphics cards
  • List of users that have logged on or off
  • List of active services
  • List of software and hardware installed
  • State of device or asset (on or off, up or down)