
I'm new to OSSIM.

My requirement is to detect executable files (.exe) using snort. I have found a snort rule:

    alert tcp any any -> any any (msg:"DLL Windows file download"; flow:established; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; classtype:misc-activity; sid:5000789;)

I added this to /etc/snort/rules/local.rules and ran the Perl script:

    /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/

Then restarted snort:

    /etc/init.d/snort restart

I can see the snort rule detecting the file download when I check the snort binary log in the snort console. BUT I want to see this alert in the Incident -> Alerts section of the OSSIM web UI.

What am I missing?

slm
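To check what the posted rule actually fires on before relying on it, here is an added example (not from the question or answer, and not Snort itself) that emulates how its content / distance / isdataat options chain together, run against a constructed PE-like header:

```python
# Added example: emulate the matching logic of the posted Snort rule so its
# hits and misses can be checked offline. This is a re-implementation of the
# option semantics described in the Snort manual, not Snort's own engine.

DOS_STUB = b"This program cannot be run in DOS mode."

# (content needle, minimum bytes required after the match: isdataat:N,relative)
RULE_STEPS = ((b"MZ", 76), (DOS_STUB, 10), (b"PE", 0))


def _match_from(payload: bytes, cursor: int, steps) -> bool:
    """Try each occurrence of the next content at or after cursor.

    distance:0 means the next content is searched from the end of the previous
    match onward; Snort backtracks to later occurrences if a later option fails.
    """
    if not steps:
        return True
    needle, need_after = steps[0]
    idx = payload.find(needle, cursor)
    while idx >= 0:
        end = idx + len(needle)
        # isdataat:N,relative -> at least N bytes must follow the match
        if len(payload) - end >= need_after and _match_from(payload, end, steps[1:]):
            return True
        idx = payload.find(needle, idx + 1)
    return False


def match_pe_download_rule(payload: bytes) -> bool:
    """Return True if the rule's detection options all match this TCP payload."""
    return _match_from(payload, 0, RULE_STEPS)


def build_sample_pe_header(stub: bytes = DOS_STUB) -> bytes:
    """Construct a minimal PE-like header (sample bytes, not a real executable)."""
    # IMAGE_DOS_HEADER is 64 bytes: "MZ", padding, e_lfanew (offset of "PE") at 0x3C
    dos_header = b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")
    # The DOS stub program at 0x40 normally carries the "cannot be run" text
    stub_area = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + stub + b"\r\r\n$"
    stub_area = stub_area.ljust(0x80 - 0x40, b"\x00")
    # PE signature at e_lfanew, followed by a truncated COFF header (machine = i386)
    return dos_header + stub_area + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18
```

Note that the rule is direction-agnostic (any any -> any any) and matches DLLs and drivers just as well as .exe files, since they share the same header, while a PE whose DOS stub text has been changed does not match at all.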

1 Answer


Try using forums.alienvault.com for these kinds of questions - they tend to get more answers there.

What you need is a correlation rule. Try out the documentation listed at the forums on how to write one.

Tim Brigham