AlienVault Plugin Documentation

AUTHOR: Blueliv
DATE: April 16, 2015
Restricted access document

Contents

1 Installation 2

1.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Related files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.3 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.4 Activate/Deactivate plugin . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Getting started 5

2.1 CrimeServer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.2 Bot Ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.3 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Annexes 9

A Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Plugin code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Plugin Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

AlienVault Configuration File . . . . . . . . . . . . . . . . . . . . . . 17

AlienVault SQL Script . . . . . . . . . . . . . . . . . . . . . . . . . . 18

1
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

Installation

1.1 Requirements

This plugin has been tested on a 4.6.1 version of AlienVault OSSIM. For
the full functionality of this plugin, a standalone install of python 2.7 must be
present.

An internet connection is required in order to download the data feed from

bluelivs API. Also note that the machine from where you are going to execute
the plugin must see the AlienVault machine through the port 515.

1.2 Related files

blueliv.cfg [3]: Basic configuration for AlienVault to be able to enable the

custom plugin and parse the logs.

blueliv.sql [4]: SQL script to add the required entries to enable the plugin.

BluelivAlienVaultPlugin.py [1]: Python script to feed AlienVault with Blue-

livs data.

config.cfg [2]: Configuration file to set-up the access to Bluelivs data feeds.

1.3 Installation

1. Add your api-key at config.cfg (Listing 2) under section [blueliv] property

token.
[ b lueliv ]
token =
host = https : / / api . blueliv .com

2. Add your OSSIM host at config.cfg (Listing 2) under section [alienvault]

property host.

2
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

[ alienvault ]
host =
port = 514

3. Edit blueliv.cfg (Listing 3) to set your desired plugin id (defaul 9002) under
section [DEFAULT] property plugin_id.
[DEFAULT]
plugin_id=9002

4. Make sure that the plugin_id on blueliv.cfg is the same as the plugin_id in
blueliv.sql (Listing 4).

5. Create a file called blueliv.conf at /etc/rsyslog.d with the following content:

i f $fromhostip==yourpluginiphere then / var / log / b l u e l i v . log
&~

Replace your-plugin-ip-here with the IP from where you are going to ex-
ecute your plugin. In order to not over populate this log file, configure
a rotation rule for this file at /etc/logrotate.d/rsyslog by including the file
/var/log/blueliv.log. This will force all logs coming from the specified IP to
write at /var/log/blueliv.log.

6. Save blueliv.cfg at /etc/ossim/agent/plugins

7. Execute
> cat blueliv.sql | ossim-db

and
> /etc/init.d/ossim-server restart

8. Enable blueliv plugin, either by console or web UI.

9. Execute
> python BluelivAlienVaultPlugin.py -feed FEED_NAME

from where you saved the plugin. Replace FEED_NAME with the feed that
you want to activate (botips, crimeservers or all).

Once everything is set, check if /var/log/blueliv.log at your specified location

is filled with lines like the one below.

3
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

Apr 14 03:55:27 192.168.3.72 crimeservers http : / /mstone . co . jp / i n s t a l l /

FlashFXP5_3822_Setup . exe |MALWARE| 211.125.81.112 |mstone . co . jp | JP |GMO Internet
, Inc |ONLINE|UNCLASSIFIED|20150324T18:50:57+0000 |20150325T01:17:08+0000

1.4 Activate/Deactivate plugin

In order to activate/deactivate this plugin. Go to Configuration Deploy-

ment.

Go to Sensor Configuration.

Search for blueliv in Plugins available list, add it to Plugins enabled and
apply changes.

4
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

Getting started

2.1 CrimeServer

A CrimeServer is an entity that stores relevant data (hosts, IPs, geolocation

data, etc) about a given server that is used to perform some kind of malicious
activity. An example of a Crime Server is shown below:

{
" _id " : "5698945b43fe63f4caa3d2aef42b690
aa6fd3979f905d89f97c5d792fbd4f2b6" ,
" url " : " http : / / 0 rrkut2012 . j e . ro " ,
" type " : "C_AND_C" ,
"subType" : "ZEUS" ,
" country " : "KR" ,
"countryName" : " Republic of Korea" ,
" status " : "ONLINE" ,
"domain" : " je . ro " ,
" host " : "0rrkut2012 . je . ro " ,
" latitude " : 37 . 57 ,
" longitude " : 126 . 98 ,
" ip " : "66.232.140.226" ,
" createdAt " : "20110119T21:34:59+0100" ,
"updatedAt" : "20141125T13:53:25+0100" ,
"asnDesc" : " Enterprise Networks" ,
" firstSeenAt " : "20110119T21:34:59+0100" ,
" lastSeenAt " : "20110119T21:34:59+0100"
}

This data provide Indicators of Compromise (IoC) keys such as domain, ip

address, url, etc. That allow you to correlate with your logs to identify and block
any potential risk.

All this parameters are mapped into a syslog event that will be parsed by a
regexp from the OSSIM. This mapping is described below.

src_ip: CrimeServer IP

5
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

hostname: CrimeServer hostname

userdata1: CrimeServer Type

userdata2: CrimeServer url

userdata3: CrimeServer Country

userdata4: CrimeServer ASN

userdata5: CrimeServer Status [ONLINE/OFFLINE]

userdata6: CrimeServer SubType

date: CrimeServer last seen date.

2.2 Bot Ips

A Bot IP is an entity that stores relevant data about a given IP infected by

malicious software that is part of a botnet. An example of a Bot Ip is shown
below:
{
" botnetFamily " : [
" Trojan Banker"
],
" ip " : " 220.89.127.42 " ,
" country " : "AU" ,
"countryName" : " Australia " ,
" latitude " : 37 . 7833 ,
" longitude " : 144 . 9833 ,
"seenAt" : "20150601T04:35:16+0000" ,
" botnetUrl " : " http ://89.110.147.222 " ,
" botnetIp " : "89.110.147.127 " ,
"botnetType" : "DRIDEX" ,
"operatingSystem" : "Windows 7 , x64 , SP 1" ,
" botId " : "
e280f9ff322e54b81af1ae238b47d9858205be7b7ee1566dc5af8fb9746a80ca" ,
" botVersion " : "131151" ,
" c i t y " : " Fitzroy " ,
" createdAt " : "20150601T12:41:40+0000" ,
" botnet : "245"
}

6
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

This data allows you to detect infected hosts inside your networks and ana-
lyze the level of compromise thanks to the context provided such as the Operat-
ing System, BotNet, portal domain, etc.

All this parameters are mapped into a syslog event that will be parsed by a
regexp from the OSSIM. This mapping is described below.

src_ip: Bot IP

hostname: BotNet Type

userdata1: Portal Url

userdata2: Portal Domain

userdata3: Bot Country

userdata4: Bot City

userdata5: Bot ASN

userdata6: Bot Operating System

dst_ip: BotNet IP

userdata8: BotNet Port

userdata9: BotNet url

date: Seen at date.

2.3 Events

This is a sample of a CrimeServer event sent it to OSSIM. Each event is a

group of parameters separated by pipes ordered as follow.
Apr 14 03:55:27 192.168.3.72 crimeservers http : / /mstone . co . jp / i n s t a l l /
FlashFXP5_3822_Setup . exe |MALWARE| 211.125.81.112 |mstone . co . jp | JP |GMO Internet
, Inc |ONLINE|UNCLASSIFIED|20150324T18:50:57+0000 |20150325T01:17:08+0000

7
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

Processed events can be shown at ANALYSIS SECURITY EVENTS

(SIEM) filtering by plugin blueliv.

8
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

Annexes

9
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

A Files

Plugin code

1 #! / usr / bin / python

2 # * coding : utf 8 *
3

4 import argparse
5 import u r l l i b
6 import sys
7 import json
8 import ConfigParser
9 import socket
10 import datetime
11 import logging
12 import logging . handlers
13 import time
14 import threading
15 from BotIps import BotIps
16 from CrimeServers import CrimeServers
17 from l i b . dateutil import parser
18 from SyslogConverter import SyslogConverter
19

20 class AlienVaultPlugin ( ) :
21

22 __RESERVED_CHARACTERS = [ " | " , " \ \ " , "=" ]

23

24 def _ _ i n i t _ _ ( self ) :
25 #LOGGER
26 self . logger = logging . getLogger ( "MainApp" )
27 self . logger . setLevel ( logging .INFO)
28 # Create the logging f i l e handler
29 l o g f i l e = " blueliv . log "
30 fh = logging . handlers . RotatingFileHandler ( l o g f i l e , maxBytes=2097152,
backupCount=5)
31 formatter = logging . Formatter ( %(process )d %(asctime ) s %(name) s %(
levelname ) s %(message) s )
32 fh . setFormatter ( formatter )
33 # Add handler to logger object
34 self . logger . addHandler ( fh )
35 #CONFIG FILE
36 self . config = ConfigParser . SafeConfigParser ( )
37 self . config . read ( config . cfg )
38

10
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

39 try :
40 AlienVaultHost = self . config . get ( alienvault , host )
41 AlienVaultPort = self . config . getint ( alienvault , port )
42 i f AlienVaultHost == :
43 raise
44 except Exception as e :
45 self . logger . error ( " AlienVault Host and Port must be set in b l u e l iv . cfg " )
46 print " AlienVault Host and Port must be set in b l u e l iv . cfg "
47 sys . e x i t ( 1)
48

49 #SYSLOG
50 self . loggerlt = logging . getLogger ( " alienvault " )
51 self . loggerlt . setLevel ( logging .DEBUG)
52 ce = logging . handlers . SysLogHandler ( address=(AlienVaultHost , AlienVaultPort ) )
53 formatter = logging . Formatter ( %(message) s )
54 ce . setFormatter ( formatter )
55 self . loggerlt . addHandler ( ce )
56

57 try :
58 token = self . config . get ( b l u el i v , token )
59 apiHost = self . config . get ( b l u e li v , host )
60 i f token == or apiHost == :
61 raise
62 except Exception as e :
63 self . logger . error ( " Blueliv Host and token must be set in b l u e l iv . cfg " )
64 print " Blueliv Host and token must be set in b l u e l iv . cfg "
65 sys . e x i t ( 1)
66 try :
67 self .__SCHEDULER_TIME_CS_SECONDS = self . config . getint ( crimeservers , t t l )
*60
68 except :
69 self . logger . warning ( "No scheduler configured , using default 15 minutes" )
70 self .__SCHEDULER_TIME_CS_SECONDS = 15*60
71

72 try :
73 self .__SCHEDULER_TIME_BOTIPS_SECONDS = self . config . getint ( botips , t t l )
*60
74 except :
75 self . logger . warning ( "No scheduler configured , using default 10 minutes" )
76 self .__SCHEDULER_TIME_BOTIPS_SECONDS = 10*60
77

78 try :
79 i f self . config . getboolean ( proxy , enable ) is True :
80 i f not self . config . get ( proxy , host ) :

11
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

81 self . logger . error ( "Proxy host must be set in b l u e l iv . cfg or disable

proxy" )
82 sys . e x i t ( "Proxy host must be set in b l u el i v . cfg or disable proxy" )
83 else :
84 host = self . config . get ( proxy , host )
85 i f not self . config . get ( proxy , port ) :
86 self . logger . error ( "Proxy host must be set in b l u e l iv . cfg or disable
proxy" )
87 sys . e x i t ( "Proxy port must be set in b l u el i v . cfg or disable proxy" )
88 else :
89 port = self . config . get ( proxy , port )
90 i f self . config . get ( proxy , user ) and self . config . get ( proxy , password
):
91 self . logger . info ( "Using proxy with credentials " )
92 user = self . config . get ( proxy , user )
93 password = self . config . get ( proxy , password )
94 proxies = {" http " : " http ://{0}:{1}2:3".format(user, password, host,port),
"https" : "http://0:1{2}:{3}" . format( user , password , host , port )}
95 else :
96 self . logger . info ( "Using proxy without credentials " )
97 proxies = {" http " : " http ://{0}:{1} " . format( host , port ) , " https " : " http
://{0}:{1} " . format( host , port )}
98 else :
99 proxies = None
100 except :
101 self . logger . error ( " Error getting proxy settings . Check b l u e l iv . cfg " )
102 sys . e x i t ( " Error getting proxy settings . Check b l u el i v . cfg " )
103

104 cs_mapping = [
105 url ,
106 type ,
107 ip ,
108 host ,
109 country ,
110 asnDesc ,
111 status ,
112 subType ,
113 firstSeenAt ,
114 lastSeenAt
115 ]
116

117 bots_mapping = [
118 ip ,
119 botnetType ,
120 portalUrl ,

12
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

121 portalDomain ,
122 countryName ,
123 city ,
124 asnDesc ,
125 operatingSystem ,
126 botnetIp ,
127 destinationPort ,
128 botnetUrl ,
129 seenAt ,
130 ]
131

132 self . cs_converter = SyslogConverter (

133 cs_mapping
134 )
135 self . bots_converter = SyslogConverter (
136 bots_mapping
137 )
138 self .__BOTIPS_OUT_OF_DATE_TIME = self . config . getint ( botips , nupdates )
139 self .__CRIMESERVERS_OUT_OF_DATE_TIME = self . config . getint ( crimeservers ,
nupdates )
140 self .__BOTIPS_SCHEDULER_TIME_SECONDS = self .__SCHEDULER_TIME_BOTIPS_SECONDS
*1000
141 self .__CRIMESERVERS_SCHEDULER_TIME_SECONDS = self .__SCHEDULER_TIME_CS_SECONDS
*1000
142 self . botsIpsFeed = BotIps ( https : / / api . b l u e l iv .com , token , self .
__BOTIPS_SCHEDULER_TIME_SECONDS, self .__BOTIPS_OUT_OF_DATE_TIME, 60, proxies )
143 self . crimeServersFeed = CrimeServers ( https : / / api . b l u e l iv .com , token , self .
__CRIMESERVERS_SCHEDULER_TIME_SECONDS, self .__CRIMESERVERS_OUT_OF_DATE_TIME,
60, proxies )
144

145 def __cs_to_event ( self , apiDict ) :

146 severity = 3
147 try :
148 i f apiDict [ " type " ] == "C_AND_C" :
149 severity = 5
150 else :
151 severity = 3
152 event = self . cs_converter . convert ( apiDict , crimeservers , severity )
153 except Exception , err :
154 self . logger . error ( " Impossible to translate info : {0}" . format( err ) )
155 event = None
156

157 return event

158

159 def __botips_to_event ( self , apiDict ) :

13
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

160 severity = 5
161 try :
162 i f "seenAt" not in apiDict :
163 apiDict [ "seenAt" ] = apiDict [ " createdAt " ]
164 event = self . bots_converter . convert ( apiDict , botips , severity )
165 except Exception , err :
166 self . logger . error ( " Impossible to translate info : {0}" . format( err ) )
167 event = None
168

169 return event

170

171 def pushDataBotIps ( self ) :

172 while True :
173 config_updatedAt = self . config . get ( botips , updatedat )
174 config_updatedAt = None i f config_updatedAt == else config_updatedAt
175 self . logger . info ( " Starting getting bot ips from Blueliv " )
176 bots , updatedAt = self . botsIpsFeed . update ( last_updated_date=
config_updatedAt , pos=False )
177 try :
178 i f updatedAt :
179 self . logger . info ( "Sending data to AlienVault " )
180 try :
181 for bot in bots :
182 event = self . __botips_to_event ( bot )
183 i f event :
184 self . loggerlt . info ( event )
185 except Exception as msg:
186 self . logger . error ( " Error : {}" . format(msg) )
187 print " Error pushing data to AlienVault : {}" . format(msg)
188 raise Exception
189 finally :
190 bots = None
191 except Exception , err :
192 print " Error while pushing data : {0}" . format( err )
193 self . logger . error ( " Error while pushing data : {0}" . format( err ) )
194 else :
195 self . logger . info ( "Saving l a s t updated At : {}" . format( updatedAt ) )
196 self . setLastExecutionDate ( " botips " , updatedAt = updatedAt )
197 finally :
198 print " Waiting for more updates botips "
199 time . sleep ( self .__SCHEDULER_TIME_BOTIPS_SECONDS)
200

201 def pushDataCrimeServers ( self ) :

202 while True :
203 config_updatedAt = self . config . get ( crimeservers , updatedat )

14
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

204 config_updatedAt = None i f config_updatedAt == else config_updatedAt

205 self . logger . info ( " Starting getting bot ips from Blueliv " )
206 crimeservers , updatedAt = self . crimeServersFeed . update ( last_updated_date=
config_updatedAt )
207 try :
208 i f updatedAt :
209 self . logger . info ( "Sending data to AlienVault " )
210

211 try :
212 for crimeserver in crimeservers :
213 event = self . __cs_to_event ( crimeserver )
214 i f event :
215 self . loggerlt . info ( event )
216 except Exception as msg:
217 self . logger . error ( " Error : {}" . format(msg) )
218 print " Error pushing data to AlienVault : {}" . format(msg)
219 raise Exception
220 finally :
221 crimeservers = None
222 except Exception , err :
223 self . logger . error ( " Error while pushing data : {0}" . format( err ) )
224 else :
225 self . logger . info ( "Saving l a s t updated At : {}" . format( updatedAt ) )
226 self . setLastExecutionDate ( " crimeservers " , updatedAt = updatedAt )
227 finally :
228 print " Waiting for more updates crimeservers "
229 time . sleep ( self .__SCHEDULER_TIME_CS_SECONDS)
230

231

232

233 def setLastExecutionDate ( self , feed , updatedAt = None) :

234 i f updatedAt is None:
235 return
236 else :
237 self . config . set ( feed , "updatedat" , updatedAt )
238 with open( config . cfg , wb ) as c o n f i g f i l e :
239 self . config . write ( c o n f i g f i l e )
240

241 i f __name__ == __main__ :

242 arg_parser = argparse . ArgumentParser ( )
243 arg_parser . add_argument( "feed " , help="Choose between Bot Ips feed or
CrimeServers Feed [ botips , crimeservers or a l l ] use a l l for both" )
244 args = arg_parser . parse_args ( )
245 i f args . feed == " botips " :
246 print " BotIps Feed has been activated "

15
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

247 AlienVaultPlugin ( ) . pushDataBotIps ( )

248 e l i f args . feed == " crimeservers " :
249 print "CrimeServers Feed has been activated "
250 AlienVaultPlugin ( ) . pushDataCrimeServers ( )
251 e l i f args . feed == " a l l " :
252 plugin = AlienVaultPlugin ( )
253 bots = threading . Thread ( target=plugin . pushDataBotIps , args=() )
254 bots .daemon = True
255

256 crimeservers = threading . Thread ( target=plugin . pushDataCrimeServers , args=() )

257 crimeservers .daemon = True
258

259 print " Starting Bot Ips Feed"

260 bots . s t a r t ( )
261 print " Starting CrimeServers Feed"
262 crimeservers . s t a r t ( )
263

264 bots . j o i n ( )
265 crimeservers . j o i n ( )
266

267 else :
268 sys . e x i t ( "Not a valid feed . Choose between botips or crimeservers by feed
botips or feed crimeservers " )

Listing 1: Plugin Code

Plugin Configuration

1 [ proxy ]
2 enable = False
3 host =
4 user =
5 password =
6 port =
7

8 [ b l u el i v ]
9 token =
10 host = https : / / api . blueliv .com
11

12 [ crimeservers ]
13 updatedat =
14 t t l = 15
15 nupdates = 96
16

17 [ botips ]

16
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

18 updatedat =
19 t t l = 10
20 nupdates = 6
21

22 [ alienvault ]
23 host =
24 port = 514

Listing 2: Plugin Configuration File

AlienVault Configuration File

1 # Blueliv Alienvault plugin

2 # Author : Blueliv Team
3 # Last modification : 20151401
4 #
5 #
6 #
7 #
8

9 [DEFAULT]
10 plugin_id=9002
11

12 [ config ]
13 type=detector
14 enable=yes
15

16 source=log
17 location=/var / log / blueliv . log
18 c r e a t e _ f i l e=yes
19

20 process=
21 s t a r t=no
22 stop=no
23 startup=
24 shutdown=
25

26 [ translation ]
27 C_AND_C=1
28 EXPLOIT_KIT=2
29 BACKDOOR=3
30 MALWARE=4
31 PHISHING=5
32 DEFAULT_=9999
33

17
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

34

35 [ botips Generic rule ]

36 event_type=event
37 regexp=" [^\|]+ botips (?P<src_ip >[\d \ . ] * ) \ | ( ? P<type >[^\|] * ) \ | ( ? P<userdata2
>[^\|] * ) \ | ( ? P<userdata3 >[^\|] * ) \ | ( ? P<userdata4 >[^\|] * ) \ | ( ? P<userdata5 >[^\|] * )
\ | ( ? P<userdata6 >[^\|] * ) \ | ( ? P<userdata7 >[^\|] * ) \ | ( ? P<dst_ip >[\d \ . ] * ) \ | ( ? P<
userdata8 >[^\|] * ) \ | ( ? P<userdata9 >[^\|] * ) \ | ( ? P<date>\d{4}\d{2}\d{2}T\ d{2}:\d
{2}:\d{2}\+\d{4})"
38 date={normalize_date ( $date )}
39 src_ip={resolv ( $src_ip )}
40 dst_ip={resolv ( $dst_ip )}
41 plugin_sid=6
42 userdata1={$type}
43 userdata2={$userdata2}
44 userdata3={$userdata3}
45 userdata4={$userdata4}
46 userdata5={$userdata5}
47 userdata6={$userdata6}
48 userdata7={$userdata7}
49 userdata8={$userdata8}
50 userdata9={$userdata9}
51

52 [ crimeservers Generic rule ]

53 event_type=event
54 regexp=" [^\|]+ crimeservers (?P<userdata1 >[^\|] * ) \ | ( ? P<type >[^\|] * ) \ | ( ? P<
src_ip >[^\|] * ) \ | ( ? P<hostname>[^\|] * ) \ | ( ? P<userdata3 >[^\|] * ) \ | ( ? P<userdata4
>[^\|] * ) \ | ( ? P<userdata5 >[^\|] * ) \ | ( ? P<userdata6 >[^\|] * ) \ | ( ? P<date1>\d{4}\d
{2}\d{2}T\ d{2}:\d{2}:\d{2}\+\d{4}) \ | ( ? P<date2>\d{4}\d{2}\d{2}T\ d{2}:\d
{2}:\d{2}\+\d{4})"
55 date={normalize_date ( $date2 )}
56 plugin_sid={translate ( $type )}
57 src_ip={resolv ( $src_ip )}
58 hostname={$hostname}
59 userdata1={$userdata1}
60 userdata2={$type}
61 userdata3={$userdata3}
62 userdata4={$userdata4}
63 userdata5={$userdata5}
64 userdata6={$userdata6}

Listing 3: AlienVault Configuration File

AlienVault SQL Script

18
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
Restricted access document

1 INSERT OR IGNORE INTO plugin ( id , type , name, description ) VALUES (9002, 1 ,

b l u eliv , Add data from Blueliv BigData ) ;
2 INSERT OR IGNORE INTO plugin_sid ( plugin_id , sid , category_id , class_id , name,
pr io rity , r e l i a b i l i t y ) VALUES (9002, 1 , NULL, NULL, b lu e l i v : C & C Crime
Server , 5 , 5) ;
3 INSERT OR IGNORE INTO plugin_sid ( plugin_id , sid , category_id , class_id , name,
pr io rity , r e l i a b i l i t y ) VALUES (9002, 2 , NULL, NULL, b lu e l i v : Exploit Kit
Crime Server , 3 , 4) ;
4 INSERT OR IGNORE INTO plugin_sid ( plugin_id , sid , category_id , class_id , name,
pr io rity , r e l i a b i l i t y ) VALUES (9002, 3 , NULL, NULL, b lu e l i v : Backdoor Crime
Server , 3 , 4) ;
5 INSERT OR IGNORE INTO plugin_sid ( plugin_id , sid , category_id , class_id , name,
pr io rity , r e l i a b i l i t y ) VALUES (9002, 4 , NULL, NULL, b lu e l i v : Malware Crime
Server , 3 , 4) ;
6 INSERT OR IGNORE INTO plugin_sid ( plugin_id , sid , category_id , class_id , name,
pr io rity , r e l i a b i l i t y ) VALUES (9002, 5 , NULL, NULL, b lu e l i v : Phishing Crime
Server , 3 , 4) ;
7 INSERT OR IGNORE INTO plugin_sid ( plugin_id , sid , category_id , class_id , name,
pr io rity , r e l i a b i l i t y ) VALUES (9002, 6 , NULL, NULL, b lu e l i v : BotIp , 3 , 5) ;
8 INSERT OR IGNORE INTO plugin_sid ( plugin_id , sid , category_id , class_id , name,
pr io rity , r e l i a b i l i t y ) VALUES (9002, 9999, NULL, NULL, b lu e l i v : Not
c l a s s i f i e d event , 3 , 2) ;

Listing 4: AlienVault SQL Script

19
Blueliv is a registered trademark of Leap In Value S.L., all rights reserved
IMPROVE YOUR CYBER THREAT VISIBILITY

[email protected] www.blueliv.com