In OSSIM v3, it’s not immediately obvious how to create custom rules/policies if you want to trigger an alert or action based on certain IDS (e.g. OSSIM plugin) criteria. So let’s learn how to create a custom rule! We’ll run through an example of creating a policy to trigger an alert associated with 3 plugins (snort, nessus, and nmap).
So first off we’ll go to the Intelligence -> Policy and Actions menu. Once here, click on New for New Policy. I’ll assume you can set source IP, destination IP, and port group. What we are interested in here is DS Group (DS stands for Data Source). Click on Insert DS Group.
Fig. 1 above shows us the New DS Group screen. Here we can enter a group name and description. The Group ID will be generated for us. Here are the steps to create our custom policy.
- Click the green +
- Select a plugin (in this case I searched for a SYN Scan)
- Add your event (this will populate both the plugin AND event IDs into the window; see Fig. 2). You will see I added Nessus, Snort and Nmap events.
- Accept your new DS Group
- Close the DS Group window. You will now have a list of DS Groups which will include your new group (in my case “Blog Example”); see Fig. 3.
- Select your new group and finish configuring your Policy.
A few notes:
- A policy group is a way to group policies like the one we just created. This isn’t obvious when you are creating a policy.
- You need to remember to Reload Policies whenever you create a new one.
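To make the two notes above concrete, here is a small Python model of what the policy we just built does at evaluation time. This is an added example written for this post, not OSSIM’s own code: the plugin names and event IDs in the “Blog Example” DS Group are placeholders (constructed, not real OSSIM plugin_id/plugin_sid values), and the ordered first-match evaluation and the staged-until-reload behaviour are modelling assumptions that mirror the notes rather than OSSIM internals.

```python
"""Toy model of OSSIM-style policy matching (constructed example; not OSSIM's own code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Event:
    plugin: str      # data source name, e.g. "snort"
    sid: int         # event id within that plugin (plugin_sid)
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Policy:
    name: str
    ds_group: frozenset                      # the DS Group: set of (plugin, sid) pairs
    src_nets: tuple = ("0.0.0.0/0",)         # source IP group, default ANY
    dst_nets: tuple = ("0.0.0.0/0",)         # destination IP group, default ANY
    dst_ports: Optional[frozenset] = None    # port group, None = ANY
    action: str = "alert"

    def matches(self, ev: Event) -> bool:
        """An event matches only if its (plugin, sid) is in the DS Group AND the
        source, destination and port criteria all hold."""
        if (ev.plugin, ev.sid) not in self.ds_group:
            return False
        if not any(ip_address(ev.src_ip) in ip_network(n) for n in self.src_nets):
            return False
        if not any(ip_address(ev.dst_ip) in ip_network(n) for n in self.dst_nets):
            return False
        if self.dst_ports is not None and ev.dst_port not in self.dst_ports:
            return False
        return True


class PolicyEngine:
    """Policies are edited into a staging list and only take effect on reload(),
    modelling the 'Reload Policies' step from the notes above (assumption)."""

    def __init__(self) -> None:
        self.staged: list = []
        self.active: list = []

    def add(self, policy: Policy) -> None:
        self.staged.append(policy)

    def reload(self) -> None:
        self.active = list(self.staged)

    def evaluate(self, ev: Event) -> Optional[str]:
        """Return the action of the first active policy that matches, or None."""
        for p in self.active:
            if p.matches(ev):
                return p.action
        return None


# Constructed DS Group "Blog Example": placeholder plugin names and sids, not real OSSIM ids.
BLOG_EXAMPLE = frozenset({
    ("snort", 1000001),   # placeholder: a SYN-scan signature
    ("nessus", 10001),    # placeholder: a scanner finding
    ("nmap", 1),          # placeholder: a port-scan event
})


def build_engine() -> PolicyEngine:
    eng = PolicyEngine()
    eng.add(Policy("Blog Example", BLOG_EXAMPLE, dst_nets=("10.0.0.0/8",), action="alert"))
    return eng


def demo() -> dict:
    """Run three constructed events through the engine before and after a reload."""
    eng = build_engine()
    scan = Event("snort", 1000001, "192.168.1.5", "10.1.2.3", 22)
    other = Event("snort", 999999, "192.168.1.5", "10.1.2.3", 22)   # sid not in the DS Group
    outside = Event("nmap", 1, "192.168.1.5", "172.16.0.9", 80)     # destination outside the policy
    before = eng.evaluate(scan)   # None: the policy is staged but not yet reloaded
    eng.reload()
    return {
        "before_reload": before,
        "scan": eng.evaluate(scan),
        "other_sid": eng.evaluate(other),
        "outside_net": eng.evaluate(outside),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the DS Group is just a set of (plugin, event id) pairs; an event from one of the three plugins still has to carry an event id you actually added to the group, and has to pass the IP and port criteria, before the policy’s action fires. And nothing fires at all until the policies are reloaded.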