
Sheriff CSM™

Sophos Antivirus

When you configure Sophos Antivirus to send log data to Sheriff CSM, you can use the Sophos Antivirus plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
Vendor: Sophos
Device Type: Antivirus
Connection Type: Database plugin
Data Source Name: sophos-mssql
Data Source ID: 1558

Integrating Sophos Antivirus through MSSQL

Before you configure the Sophos Antivirus integration, you must have the IP address of the Sheriff CSM Sensor (Deputy).

To configure Sheriff CSM to retrieve data from Sophos Antivirus

Database plugins extract data from an external database and turn it into Sheriff CSM events. The database plugin configuration file tells Sheriff CSM how to connect to and query the database. For more information, see Configuring Database Plugins.

In the Sophos Antivirus plugin configuration file (/etc/ossum/agent/plugins/sophos-mssql.cfg), the section that starts with [config] details how Sheriff CSM connects to the MSSQL database.

[config]
type=detector
enable=yes
 
custom_functions_file=/etc/vigilante/agent/plugins/custom_functions/sophos-ip.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=SophosXXX
sleep=60

To open and update the Sophos Antivirus plugin configuration file, access the command shell on Sheriff CSM (using the jailbreak option), then go to the plugins directory:

cd /etc/vigilante/agent/plugins/

Using a text editor (such as vim), open the plugin file for editing:

vim sophos-mssql.cfg

To enable communication with the MSSQL database, you will need to enter information for the following fields:

  • source_ip: Fully qualified domain name, hostname or IP address of the MSSQL database server.
  • user: Name of the user with access to the database.
  • password: Password for the user with access to the database.

After you've updated and saved your changes, restart vigilante-agent:

/etc/init.d/vigilante-agent restart
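Before restarting the agent it is worth confirming that the [config] section is actually complete. The following Python script is an added example (it is not part of the Sheriff CSM documentation or product): it parses the plugin file's [config] section and reports empty fields, leftover template values such as db_user and db_pass, and a malformed source_ip or source_port; it does not attempt to connect to the database. The embedded sample configuration is constructed from the section shown above, and the helper names are my own.

```python
import configparser
import ipaddress
import re
# Constructed sample: the [config] section as shown on this page, placeholders included.
SAMPLE_CFG = """\
[config]
type=detector
enable=yes
custom_functions_file=/etc/vigilante/agent/plugins/custom_functions/sophos-ip.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=SophosXXX
sleep=60
"""
# Template values that must be replaced before the plugin can connect.
PLACEHOLDERS = {"user": "db_user", "password": "db_pass", "db": "SophosXXX"}
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")  # hostname or FQDN

def valid_host(value):
    # True for an IPv4/IPv6 literal or a syntactically plausible hostname/FQDN.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOST_RE.match(value))

def check_config(text):
    """Return findings for the [config] section; an empty list means it is ready to use."""
    parser = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    parser.read_string(text)
    if not parser.has_section("config"):
        return ["missing [config] section"]
    cfg = parser["config"]
    findings = []
    for key in ("source_ip", "user", "password"):
        if not cfg.get(key, "").strip():
            findings.append(f"{key} is empty")
    host = cfg.get("source_ip", "").strip()
    if host and not valid_host(host):
        findings.append(f"source_ip {host!r} is not a valid IP address or hostname")
    for key, default in PLACEHOLDERS.items():
        if cfg.get(key, "") == default:
            findings.append(f"{key} still has the placeholder value {default!r}")
    port = cfg.get("source_port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"source_port {port!r} is not a valid TCP port")
    return findings
```

To check the live file, pass the contents of /etc/vigilante/agent/plugins/sophos-mssql.cfg to check_config; keep in mind the file holds the database password in clear text, so do not log its contents.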

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

Configuring Database Plugins: https://cybersecurity.att.com/documentation/Sheriff-CSM/plugin-management/configuring-database-plugins.htm

For troubleshooting, see the vendor documentation.
Topic revision: r7 - 30 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.