How to integrate MyDLP with AlienVault / OSSIM

Posted by:

Requirements

  1. This article already assumes that you have installed MyDLP and DLP functions are working properly.
  2. This article already assumes that your AlienVault / OSSIM is functioning properly.

Tutorial

After version MyDLP v0.9.144 (05.09.2012), as defaults, MyDLP is logging to Syslog using CEF (Common Event Format). It makes very easy to integrate with any kind of SIEM solution including AlienVault / OSSIM. MyDLP logs to Syslog using UDP, it is fast, but it is not a very secure way to transfer logs. If your network is not secure and vulnerable to sniffing or spoofing attacks, you should not use UDP to transfer logs. In this situation, we recommend that you should use MyDLP’s bundled rsyslog server to proxy log transfer. In the links below, how to redirect logs to a remote rsyslog server securely is explained. As mentioned before, MyDLP logs to its bundled rsyslog server as defaults. All you need to do is redirect them. List to related pages:

Otherwise, if you want to directly integrate MyDLP with your AlienVault / OSSIM using UDP (also this is the faster method), you can easily make required configurations using MyDLP Management Console. In MyDLP Enterprise Edition, it is possible to modify MyDLP’s default logging destination to any custom server (in this case AlienVault / OSSIM). To do this;

  1. Open MyDLP Web Management Console and Login
  2. Go to SettingsĀ tab
  3. Go to Enterprise subtab
  4. Enter IP Address of AlienVault / OSSIM to Syslog Host (ACL Logs) input
  5. Enter UDP Listener port of AlienVault / OSSIM (default port is 514) to Syslog Port (ACL Logs) input
  6. Click Save
  7. Click Install Policy

The changes you’ve made should take effect immediately. But, we still need to add and register MyDLP plugin to AlienVault / OSSIM in order to see incidents in AlienVault / OSSIM UI. To do this;

  1. Connect AlienVault / OSSIM Server using SSHand acquire a root shell
  2. Create a new directory for temporary installation files and navigate into it.
  3. Download auto configuration script from ( src/sysconf/ossim/configure-ossim.sh in mydlp@github.com )
  4. Add execute rights and execute.

In other words:
cd
mkdir mydlp
cd mydlp
wget https://raw.github.com/mydlp/mydlp/master/src/sysconf/ossim/configure-ossim.sh
chmod +x configure-ossim.sh
./configure-ossim.sh

Now, you should be trace data leakage incidents using AlienVault / OSSIM.

AlienVault / OSSIM Integration Screenshot

0


About the Author:

Add a Comment