
How do you read a pulse in Ossim?

paul_psmith

So I have this pulse that keeps coming up. It seems to hit for different source and destination IPs, and even ports.
What part of this is what triggers the pulse?
{
    "src_port": 27405,
    "log": {
        "src_port": 27405,
        "event_type": "http",
        "proto": "TCP",
        "timestamp": "2017-11-08T09:12:09.912317-0600",
        "in_iface": "eth1",
        "src_ip": "172.58.19.252",
        "tx_id": 2953,
        "flow_id": 1970439379190192,
        "http": {
            "url": "\/index.html",
            "hostname": "mysite.mydomain.com",
            "http_content_type": "text\/html"
        },
        "dest_port": 80,
        "dest_ip": "10.10.10.10"
    },
    "proto": "TCP",
    "timestamp": "2017-11-08T09:12:09.912317-0600",
    "src_ip": "172.58.19.252",
    "pulses": {
        "56b855ea4637f20e8cbea9a1": {
            "0": "5.196.0.0\/16"
        }
    },
    "dest_ip": "10.10.10.10",
    "dest_port": 80
}
Comments

  • edited December 2017
    Hello @paul_psmith,

    Using OTX, I really utilize the lower portion of the Raw_Log section, particularly the "pulses" field ::

    "pulses": {
        "56b855ea4637f20e8cbea9a1": {
            "0": "5.196.0.0\/16"
        }
    },
    "dest_ip": "10.10.10.10",
    "dest_port": 80
    }

    You can copy-paste the Pulse_ID directly into your browser, using the template ::





    I am seeing that this Pulse is "Pulse not found"; this could indicate one of two things. Either the Pulse is a Private_Pulse and I am not able to view it (publicly), or the Pulse has been deleted and is therefore no longer viewable Privately or Publicly. If you can Publicly view the pulse, then you have access to view this Private_Pulse. If you cannot see the Pulse, there is a good chance the Pulse has been deleted; you will need to clear it from your #redis database. This should clear any resonant data from the #redis database.

    VirtualUSMAllInOneLite:~# redis-cli -p 6380
    127.0.0.1:6380> select 99
    OK
    # FLUSHALL empties every database on this Redis instance, not only the selected db 99 (FLUSHDB would limit it to db 99)
    127.0.0.1:6380[99]> flushall
    OK
    127.0.0.1:6380[99]> exit




    Although it says "AlienVault USM", it still applies to OSSIM; I would recommend viewing our OTX documentation to get an understanding of how the OTX-Pulses display their information.


    AlienVault USM Appliance :: Open Threat Exchange and USM Appliance


    To answer your question directly about "what triggered the Pulse", you can see in the "pulses" section ::

        "0": "5.196.0.0\/16"


         Regards,

    - kratos
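The question and the answer above both come down to reading the "pulses" object in the raw log: each key is an OTX pulse ID, and the numbered entries under it are the indicators from that pulse that the correlation recorded. As an added example (not code from the post, the poster, or AlienVault), the following Python takes the raw-log JSON pasted above, extracts the pulse ID and its indicator, and then checks which fields of the event the indicator actually covers. The sample event is the one from the post, embedded verbatim; the helper goes a little beyond the single CIDR shown there and also handles plain IP and hostname indicators, and the "log.http.hostname" label it reports is a name chosen here, not an OSSIM field. Run on the posted event, it reports that neither 172.58.19.252 nor 10.10.10.10 lies inside 5.196.0.0/16, which is the first thing to confirm when a pulse keeps firing for addresses that look unrelated.

```python
"""Read an OTX pulse match out of an OSSIM/USM raw-log event.

Added example, not from the forum post or from AlienVault's own code. The
sample below is the raw log pasted in the post; field names are the ones
that event uses.
"""
import ipaddress
import json

# Constructed sample: the raw-log JSON from the post above, embedded verbatim.
RAW_LOG = r'''{
"src_port": 27405,
"log": {"src_port": 27405, "event_type": "http", "proto": "TCP",
        "timestamp": "2017-11-08T09:12:09.912317-0600", "in_iface": "eth1",
        "src_ip": "172.58.19.252", "tx_id": 2953, "flow_id": 1970439379190192,
        "http": {"url": "\/index.html", "hostname": "mysite.mydomain.com",
                 "http_content_type": "text\/html"},
        "dest_port": 80, "dest_ip": "10.10.10.10"},
"proto": "TCP",
"timestamp": "2017-11-08T09:12:09.912317-0600",
"src_ip": "172.58.19.252",
"pulses": {"56b855ea4637f20e8cbea9a1": {"0": "5.196.0.0\/16"}},
"dest_ip": "10.10.10.10",
"dest_port": 80
}'''


def load_event(raw):
    """Decode the raw-log JSON (json.loads unescapes the "\/" sequences)."""
    return json.loads(raw)


def parse_pulses(event):
    """Return {pulse_id: [indicator, ...]} from the event's "pulses" field.

    Each pulse ID maps to an object whose keys ("0", "1", ...) index the
    indicators from that pulse that the correlation recorded for the event.
    """
    return {pid: list(inds.values()) for pid, inds in event.get("pulses", {}).items()}


def indicator_hits(indicator, event):
    """Name the event fields an indicator actually matches.

    IPv4/IPv6 addresses and CIDR ranges are checked against src_ip and dest_ip;
    anything that is not an address is treated as a hostname indicator and
    compared with the HTTP Host header at log.http.hostname (label chosen here).
    Returns [] when nothing in the event falls inside the indicator.
    """
    try:
        net = ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        net = None  # not an IP or CIDR, so treat it as a hostname indicator

    hits = []
    if net is not None:
        for field in ("src_ip", "dest_ip"):
            value = event.get(field)
            try:
                addr = ipaddress.ip_address(value) if value is not None else None
            except ValueError:
                addr = None
            if addr is not None and addr.version == net.version and addr in net:
                hits.append(field)
    else:
        hostname = event.get("log", {}).get("http", {}).get("hostname", "")
        if hostname.lower() == indicator.lower():
            hits.append("log.http.hostname")
    return hits


def explain_pulses(raw):
    """Per recorded indicator: pulse ID, indicator, and the event fields it covers."""
    event = load_event(raw)
    report = []
    for pid, indicators in parse_pulses(event).items():
        for ind in indicators:
            report.append({"pulse_id": pid, "indicator": ind,
                           "matched_fields": indicator_hits(ind, event)})
    return report


if __name__ == "__main__":
    for row in explain_pulses(RAW_LOG):
        covered = ", ".join(row["matched_fields"]) or "no src_ip/dest_ip/hostname in this event"
        print(f'pulse {row["pulse_id"]} indicator {row["indicator"]}: {covered}')
```

Point it at any raw log copied from the OSSIM event detail and the report lists, per pulse ID, each recorded indicator and which of the event's own fields it covers; an empty "matched_fields" means the event's addresses and hostname are outside the indicator and the pulse deserves a closer look in OTX before it is acted on.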
