
Custom rule to detect specific payload and trigger alarm

fahmadfahmad

Hello All,

I would like to have a custom rule and detection should be based on payload. Example: if there is ABC in payload, it should trigger an alarm. Any idea where I can configure this? I couldn't see a payload option in directives. Please guide.

Thanks
Fahad
Answers

  • I don't think the open source version can do this. You will probably have to write a custom plugin.
  • We are currently using USM, paid version. 
  • edited November 2016
    fahmad,

    This behavior is the same between OSSIM and USM here. Directives correlate on indexed event data. If the data is in userdataX fields, or any of the other indexed fields, then we can use that data in a directive.

    If we are not referring to data in an indexed field, then this would need to be accomplished via plugin customization.
  • In the SIEM, there is an option of Payload in the drop down. This means that Payload is indexed? So shouldn't it pick up anything that is there in the payload?

    Further, from where can we look at the list of all the indexed fields?


  • edited July 12
    This website is very interesting, I like it and it is useful to me.
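The "plugin customization" mentioned in the answer above usually comes down to one thing: teaching the ossim-agent to parse the raw log line and copy the interesting part of the payload into an indexed field such as userdata1, so that a directive can correlate on it. The following plugin file is an added example written for this thread; it is not code from the thread or from AlienVault. The plugin_id (9001, assumed to be in the custom range), the log path, the log line format and the regexp are all constructed for the example and must be adapted to the real log source.

```ini
; Constructed example: /etc/ossim/agent/plugins/myapp.cfg
; Parses lines like:
;   Nov 14 10:22:01 host1 myapp[1234]: client=192.0.2.10 payload=ABC-login-attempt
; and copies the payload text into userdata1 so a directive can match on it.

[DEFAULT]
; custom plugin ids are assumed to live at 9001 and above
plugin_id=9001

[config]
type=detector
enable=yes

source=log
; constructed path of the application log being monitored
location=/var/log/myapp.log

create_file=false

process=
start=no
stop=no
startup=
shutdown=

[translation]

; One rule per event type. Keep the regexp specific to the log format:
; matching "ABC" anywhere in any line would fire on every unrelated event.
[0001 - myapp payload event]
event_type=event
regexp="(\SYSLOG_DATE)\s+(?P<sensor>\S+)\s+myapp\[\d+\]:\s+client=(?P<src>\S+)\s+payload=(?P<payload>\S+)"
date={normalize_date($1)}
plugin_sid=1
sensor={resolv($sensor)}
src_ip={resolv($src)}
; the indexed field a directive rule can correlate on
userdata1={$payload}
; optional second copy, handy when the string is what you want to see in the alarm
userdata2={$payload}
```

Once the plugin is enabled in the agent's config.cfg under [plugins] and the agent restarted, each matching log line arrives as plugin_id 9001 / plugin_sid 1 with the payload string in userdata1. A directive rule for that plugin_id and plugin_sid can then match on the userdata1 value (for example the literal ABC from the question), which is exactly the indexed-field correlation the answer describes; the raw, unparsed payload stays searchable in the SIEM but is not available to directives. Check the directive editor of your USM/OSSIM version for the exact matching semantics (exact value versus list versus pattern) before relying on the rule in production.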
