Building Collector Plugins 1.1 - AlienVault
Building Collector Plugins
Admin Guide
Copyright © Alienvault 2010
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.
Any trademarks referenced herein are the property of their respective holders.
Building Collector Plugins - Admin Guide
Table of Contents
1 Overview ... 4
1.1 OSSIM Agent Role ... 4
1.1.1 Event Collection ... 4
1.1.2 Event Normalization ... 4
1.2 OSSIM Server Role ... 6
1.2.1 Event Enrichment ... 6
1.2.2 Policies and Actions ... 7
1.3 The Configuration Workflow ... 8
2 Configuring Detector Plugins ... 10
2.1 Rsyslog ... 10
2.1.1 Configuration File ... 10
2.1.2 Listener Configuration ... 10
2.1.3 Filters ... 10
2.2 OSSIM Agent Configuration ... 11
2.2.1 Configuration File ... 11
2.2.2 Parameters ... 11
2.3 Detector Plugin Configuration ... 13
2.3.1 Configuration Files ... 13
2.3.2 Common Event Types ... 13
2.3.3 Parameters ... 13
2.3.4 Using Local (Plugin) Variables ... 15
2.3.5 Using Global (Agent) Variables ... 15
2.4 Aliases ... 16
2.4.1 Path ... 16
2.4.2 Predefined Regular Expressions ... 16
2.5 Functions ... 16
2.5.1 Path ... 16
2.5.2 Conversions ... 16
2.5.3 Application Specific Translations ... 17
2.5.4 User Defined Translations ... 17
2.6 Event Fields ... 18
2.7 Rules ... 19
2.7.1 Evaluation Order ... 19
2.7.2 Structure ... 19
2.8 Loading Plugins ... 21
2.8.1 Priority and Reliability values ... 21
2.8.2 SQL Statement ... 21
2.9 Plugin Activation ... 22
2.9.1 Activate the Plugin on the Server Side ... 22
2.9.2 Activate the Plugin on the Agent Side ... 22
3 Log files ... 22
4 Debugging ... 22
5 Appendix ... 23
5.1 Regular Expressions ... 23
5.2 Configuration Example ... 25
5.2.1 Scenario ... 25
5.2.2 Write a script to monitor the “last” status ... 25
5.2.3 Log sample ... 25
5.2.4 Collect the logs in a new log file ... 25
5.2.5 Restart “rsyslog” ... 26
5.2.6 Check whether the new entries are written in the new log file ... 26
5.2.7 Create a plugin file ... 26
5.2.8 Register the Plugin with the OSSIM Agent ... 29
5.2.9 Register the Plugin with the OSSIM Server ... 30
5.2.10 Check whether the plugin was successfully registered ... 31
5.2.11 Restart the OSSIM Server ... 31
5.2.12 Restart the OSSIM Agent ... 31
5.2.13 Check whether Events and Alarms are received ... 32
Page 2 Copyright © Alienvault 2010
1 Overview
1.1 OSSIM Agent Role
1.1.1 Event Collection
The collection process involves extracting the log data from the source systems (Security, OS, RDBMS, etc.) and allows a first stage of event log filtering. At this stage it can be decided what is going to be read by the OSSIM Agent and what is going to be discarded before it has an impact on system performance.
Before starting to write a plugin, some actions to reduce the amount of events could be considered:
- Manage the log level settings at the application and managed device level
- Fix the problem that is generating the events
- Use pcap filters to ignore certain hosts or networks (Snort, Tcpdump...)
- In deployments with a large amount of analysed data, filtering at the application level should be done whenever possible
o Log Files
Good practice is to use one log file per plugin in order to increase performance. With just one generic log file, all the plugins would have to read the same extensive content in order to catch the few relevant entries.
Using rsyslog it is possible to filter the collected logs based on the syslog tags.
1.1.2 Event Normalization
In the normalization stage a series of rules or functions is applied to the data extracted from the source system in order to transform it into the common OSSIM format.
o Raw Event
The raw event might be a generic syslog message, an application log, an SNMP trap, the result of an SNMP or SQL query, or some other kind of information in a more or less structured form that is appended to a log file.
Example:
dmz01:/var/log/auth.log:
May 30 13:15:52 dmz01 sshd[12980]: Accepted password for root from 192.168.178.20 port 4445 ssh2
o Normalized Event
There is a certain set of fields which are required in order to ensure a consistent evaluation and correlation of the events by the OSSIM server. These fields can be populated with information from the log message or statically through the plug-in.
Example:
ossim-sensor:/var/log/ossim/agent.log:
2010-05-30 13:15:49,441 Output [INFO]: event type="detector" date="1275239752" sensor="192.168.178.201" interface="eth0" plugin_id="4003" plugin_sid="7" src_ip="192.168.178.20" src_port="4445" dst_ip="192.168.178.200" dst_port="22" username="root" log="May 30 13:15:52 dmz01 sshd[12980]: Accepted password for root from 192.168.178.20 port 4445 ssh2" fdate="2010-05-30 13:15:52" tzone="0"
1.2 OSSIM Server Role
1.2.1 Event Enrichment
The OSSIM server enriches the received normalized event with the metadata stored in the OSSIM Database.
o Enriched Event
The OSSIM Server enriches the event with the Priority and Reliability values, which are specific to the event type (plugin_id) and subtype (plugin_sid), as well as with the Asset Value, which is specific to the Source (asset_src) and the Destination (asset_dst) hosts.
Example:
ossim:/var/log/ossim/server.log:
2010-05-30 06:48:41 OSSIM-Message: Event received: event id="0" alarm="0" type="detector" fdate="2010-05-30 13:15:52" date="1275239752" tzone="0" plugin_id="4003" plugin_sid="7" src_ip="192.168.178.20" src_port="4445" dst_ip="192.168.178.200" dst_port="22" sensor="192.168.178.201" interface="eth0" protocol="TCP" asset_src="2" asset_dst="2" log="May 30 13:15:52 dmz01 sshd[12980]: Accepted password for root from 192.168.178.20 port 4445 ssh2" username="root"
o Priority
The priority is related to threats and reflects the importance of a specific attack; it has nothing to do with a specific host or environment. It only measures the relative importance of the attack itself.
Range: 0 - 5
Default value: 1
Example:
A Unix server running Samba gets attacked by the Sasser worm. Apart from the fact that the attack won't have an impact on the given environment, it has the potential to exploit a big security hole, and for that reason the priority is considered high.
o Reliability
Classical risk assessment would refer to this as "probability". Since it is quite difficult to determine how probable it is for a network to be exposed to certain vulnerabilities, the IDS-related "reliability" approach was considered more appropriate.
Range: 0 - 10
Default value: 1
Example:
If a host connects to 5 different hosts in the same subnet using port 445, this could be normal behavior and is unreliable for IDS purposes. Connecting to 15 hosts would be suspicious, and with 500 connections to different hosts in less than an hour the attack would become more and more reliable.
o Asset Value
It is assigned to both the Source and the Destination hosts and represents the importance the host has to the enterprise.
Range: 0 - 5
Default value: 1 (also used for hosts not defined in the asset database)
Example:
A database server can have an asset value of 5, a development test server an asset value of 2, and an unknown host on the Internet causing a portscan event would just have an asset value of 1.
o Alarm
Based on the Event Priority (0-5), the Event Reliability (0-10) and the Asset Value (0-5), a Risk Value (0-10) is calculated, and for values equal to or greater than 1 Alerts are generated.
The Risk is calculated with the following formula:
Risk = (Priority * Reliability * Asset) / 25
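As an added example (not code from the guide or from OSSIM), the enrichment step of this section applied in Python to the agent output line shown in 1.1.2: the priority/reliability and asset tables are constructed stand-ins for the OSSIM database, and the single formula is evaluated once per asset value (source and destination) with an alarm when either result reaches 1, which is an assumption about how the guide's formula is applied.

```python
import re

# Value ranges and defaults given in the guide: Priority 0-5, Reliability 0-10, Asset 0-5, default 1.
# With the maxima the formula yields 5 * 10 * 5 / 25 = 10, the top of the Risk range.
PRIORITY_RANGE, RELIABILITY_RANGE, ASSET_RANGE = (0, 5), (0, 10), (0, 5)
DEFAULT_VALUE = 1

# Constructed stand-ins for what the OSSIM database holds (not real OSSIM data)
PLUGIN_SID_TABLE = {(4003, 7): {"priority": 2, "reliability": 3}}
ASSET_TABLE = {"192.168.178.20": 2, "192.168.178.200": 2, "10.0.0.5": 5}

# The agent output line of section 1.1.2, joined onto one line
AGENT_EVENT = (
    'event type="detector" date="1275239752" sensor="192.168.178.201" interface="eth0" '
    'plugin_id="4003" plugin_sid="7" src_ip="192.168.178.20" src_port="4445" '
    'dst_ip="192.168.178.200" dst_port="22" username="root" '
    'log="May 30 13:15:52 dmz01 sshd[12980]: Accepted password for root from 192.168.178.20 port 4445 ssh2" '
    'fdate="2010-05-30 13:15:52" tzone="0"'
)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Split the agent's key="value" output into a dict (values stay strings, as on the wire)."""
    return dict(FIELD_RE.findall(line))


def clamp(value: int, bounds: tuple) -> int:
    """Keep a database value inside the range the guide documents for it."""
    low, high = bounds
    return max(low, min(high, value))


def enrich(event: dict) -> dict:
    """Add priority, reliability, asset values and the resulting risk/alarm decision."""
    key = (int(event["plugin_id"]), int(event["plugin_sid"]))
    meta = PLUGIN_SID_TABLE.get(key, {})
    priority = clamp(meta.get("priority", DEFAULT_VALUE), PRIORITY_RANGE)
    reliability = clamp(meta.get("reliability", DEFAULT_VALUE), RELIABILITY_RANGE)
    # Hosts missing from the asset database get the default asset value of 1
    asset_src = clamp(ASSET_TABLE.get(event.get("src_ip"), DEFAULT_VALUE), ASSET_RANGE)
    asset_dst = clamp(ASSET_TABLE.get(event.get("dst_ip"), DEFAULT_VALUE), ASSET_RANGE)
    # Risk = (Priority * Reliability * Asset) / 25, evaluated once per asset (assumption)
    risk_src = priority * reliability * asset_src / 25
    risk_dst = priority * reliability * asset_dst / 25
    return dict(event, priority=priority, reliability=reliability,
                asset_src=asset_src, asset_dst=asset_dst,
                risk_src=risk_src, risk_dst=risk_dst,
                alarm=max(risk_src, risk_dst) >= 1)
```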
1.2.2 Policies and Actions
Policies define what has to be done with the events as they reach the OSSIM Server:
- Correlation (i.e. checked against the correlation directives)
- Forwarding (i.e. one copy is sent to the forensic storage)
- Actions (i.e. send an email)
- Discard: the last filter possibility before saving the event in the database, although it is recommended to filter the events as close to the source as possible.
Policies can decide which events are going to be filtered based on:
- Source and Destination Assets (Hosts, Networks, ANY...)
- Ports
- Plugin Group
- Time Range
1.3 The Configuration Workflow
o Collect a Log Sample
The first thing to do is check which log messages the application generates and identify sets of logs that have a similar structure. Logs with a similar structure will, where possible, be covered by a single collector rule.
o Create a Plugin File
It is best to copy an existing file and modify its content to match the new application. Should a plugin exist for a similar application, it is recommended to copy that file, as there is a good chance that its rules have similar content and are grouped in a similar way: a generic HTTP proxy log will always contain a URL, and a generic firewall log will contain a Source IP Address and Source Port as well as a Destination IP Address and Destination Port. Some user defined fields might be defined for a specific application, and the correlation at the server level can be simplified if similar applications use the same user defined fields.
o Define a Generic Rule
This is the last rule to be evaluated; it catches all the events that cannot be grouped under specific rules.
o Define Specific Rules
The specific rules are defined for specific error conditions or categories of events. It might also be that one single rule is used to generate different types or subtypes of events.
o Discard Noise
Events that are considered noise can be discarded by OSSIM by excluding certain event subtypes (Plugin_SIDs) in the plugin file, by the way the regular expressions are defined, or by using policies. However, the best way to discard events is by filtering them on the monitored device or at syslog level on the host running the OSSIM Agent.
o Review the Evaluation Order
The rules are evaluated alphabetically, which means that all that counts is the name of a rule and not its position in the plug-in file. The Generic Rule might even be in the first position if its name is properly chosen. Rules placed alphabetically after the Generic Rule will have the effect that the corresponding logs are evaluated as generic events instead of having the proper event type and subtype assigned.
o Register the Plugin with the OSSIM Agent
In order to have a plugin activated and sending events to the OSSIM server, the path to the plugin file has to be specified in the Agent configuration file.
o Register the Plugin with the OSSIM Server
This is required in order to let the server know which events should be expected and which priority and reliability values the events should get assigned.
o Activate the Plugin on the Server Side
Restart the OSSIM Server process.
o Activate the Plugin on the Agent Side
Restart the OSSIM Agent process.
o Testing
Using the logger command, sample logs can be replayed in order to test the operation of the OSSIM Agent or Server.
2 Configuring Detector Plugins
2.1 Rsyslog
Rsyslog is the syslog implementation shipped with OSSIM; compared to the classical syslog daemon, it makes configuring filtering and forwarding much easier. Syslog is also the common method for sending and receiving logs.
Before starting with the plugin configuration it is recommended to check whether the subset of logs the plugin will normalize is saved in an individual file, and whether noise can be filtered before it reaches the plugin rules.
2.1.1 Configuration File
/etc/rsyslog.conf
2.1.2 Listener Configuration
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
2.1.3 Filters
Forward certain events to a local file:
if $msg contains 'error' then /var/log/error
if $syslogfacility-text == 'local0' and $msg startswith 'DEVNAME' and ($msg contains 'error1' or $msg contains 'error0') then /var/log/somelog
Stop processing some events:
if $msg contains 'error' then ~
Regex in Rsyslog:
http://www.rsyslog.com/user-regex.php
2.2 OSSIM Agent Configuration
2.2.1 Configuration File
/etc/ossim/agent/config.cfg
2.2.2 Parameters
[daemon]
daemon: Daemon mode (True or False)
pid: Path to the PID file (process identifier)
[event-consolidation]
Enables event consolidation at agent level. It is recommended to use policies instead of this feature, as consolidation at the agent level affects the correlation process.
by_plugin: List of plugins that will be consolidated
enable: Enable or disable (True or False)
time: Wait n seconds to consolidate the events before sending them
Example:
[event-consolidation]
by_plugin=1001-1150,1501-1550,4001-4010
enable=False
time=10
[log]
Configures the verbose level and the path to the different log files.
error: File in which the error events will be stored
file: File in which all the agent logs will be stored
stats: File in which the agent stats will be stored (every 5 minutes)
verbose: Configures the verbose level (Debug, Info, Warning, Error or Critical)
[output-plain]
Writes to a log file what is being sent to the OSSIM Server (useful for debugging and development purposes).
enable: Enable or disable (True or False)
file: File in which the output-plain will be stored
[output-server]
Configures the server to which events are sent.
enable: Enable or disable sending events to the server (True or False)
ip: IP address of the OSSIM Server
port: Listening port of the OSSIM Server
[plugin-defaults]
In this category variables can be defined to be used in the plugin configurations.
Example:
[plugin-defaults]
date_format=%Y-%m-%d %H:%M:%S
interface=eth0
sensor=192.168.178.201
[plugins]
Defines which plugins (detectors and monitors) are enabled:
name_of_the_plugin=path_to_the_plugin_config_file
Example:
[plugins]
postfix=/etc/ossim/agent/plugins/postfix.cfg
ssh=/etc/ossim/agent/plugins/ssh.cfg
[watchdog]
Monitors the process associated with each plugin (in case it is running on the same machine).
enable: Enable or disable (True or False)
interval: Wait X seconds between checks
restart_interval: Restart the process every X seconds (this has to be enabled in each plugin)
2.3 Detector Plugin Configuration
2.3.1 Configuration Files
/etc/ossim/agent/plugins/*.cfg
2.3.2 Common Event Types
Copy and modify the existing plugin files to create plugins of the following types.
a. Log - Reading from files
Plugin statement: source=log
b. Database - Reading from databases
Plugin statement: source=database
- mssql - Microsoft SQL
Plugin statement: source_type=mssql
- mysql - MySQL
Plugin statement: source_type=mysql
c. SDEE - Cisco device logs
Plugin statement: source=sdee
d. SnortLog - Snort logs
Plugin statement: source=snortlog
e. WMI - Windows Management Instrumentation
Plugin statement: source=wmi
2.3.3 Parameters
[DEFAULT]
Any variable defined inside this category will be sent to the OSSIM Server if not modified by a plugin rule. The user-reserved range for plugin IDs is between 9000 and 10000.
plugin_id: Numerical identifier of the plugin within the OSSIM system
Example:
plugin_id=4003
[config]
type: Plugin type (detector in the example below)
enable: Enable or disable the plugin (it must also be enabled in config.cfg)
source: Source of the events (log, mssql, mysql, wmi)
location: The file(s) where the logs can be found; can contain multiple comma-separated files
create_file: Create the log file in case it does not exist
process: Name of the process generating the logs (if on the same system)
start: Start the process when the agent starts (yes/no)
stop: Stop the process when the agent stops (yes/no)
startup: Command that starts the process
shutdown: Command that stops the process
exclude_sids: Comma-separated list of SIDs to exclude
Example (hp-eva):
type=detector
process=snmptrapd
start=yes
stop=yes
startup=/etc/init.d/snmpd start
shutdown=/etc/init.d/snmpd stop
exclude_sids=404,200,403
[translation]
string=value
Used to map strings to their corresponding values.
Example (Postfix):
[translation]
sent=10
bounced=11
[Rule IDs – Specific Rules]
These sections are where the events are collected and normalized.
event_type=event
regexp=Regular Expression
plugin_sid=Plugin SID
Event_Field=Value
Example (ssh):
[01 - Failed password]
event_type=event
regexp="(\SYSLOG_DATE)\s+(?P<dst>[^\s]*).*?ssh.*?Failed password for invalid user (?P<user>\S+)\s+from\s+.*?(?P<src>\IPV4).*?port\s+(?P<sport>\PORT)"
plugin_sid=1
date={normalize_date($1)}
src_ip={$src}
dst_ip={resolv($sensor)}
src_port={$sport}
username={$user}
[Rule ID – Generic Rule]
Example (ssh):
[99 - Generic rule]
# Nov 15 11:55:35 11.1.4.9 sshd[1769702]: **********
event_type=event
regexp="(\SYSLOG_DATE)\s+(?P<dst>[^\s]*).*?ssh.*"
plugin_sid=99
date={normalize_date($1)}
dst_ip={resolv($sensor)}
Note: As rules are evaluated in alphabetical order, the Generic Rule has to have the highest Rule ID.
2.3.4 Using Local (Plugin) Variables
The different configuration variables defined in the plugin configuration file can be used with the following syntax:
%()s
Example:
process=pads
shutdown=killall -9 %(process)s
2.3.5 Using Global (Agent) Variables
\_CFG()
Example:
In the agent configuration file (/etc/ossim/agent/config.cfg):
[watchdog]
restart_interval=3600 ; seconds between plugin process restart
In the plugin configuration file (/etc/ossim/agent/plugins/*.cfg):
restart_interval=\_CFG(watchdog,restart_interval)
2.4 Aliases
2.4.1 Path
/etc/ossim/agent/aliases.cfg
2.4.2 Predefined Regular Expressions
The predefined regular expressions can be used when creating new plugins.
IPV4= \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
MAC= \w{1,2}:\w{1,2}:\w{1,2}:\w{1,2}:\w{1,2}:\w{1,2}
PORT= \d{1,5}
TIME= \d\d:\d\d:\d\d
SYSLOG_DATE= \w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d
SYSLOG_WY_DATE= \w+\s+\d{1,2}\s\d{4}\s\d\d:\d\d:\d\d
To use an alias in a regular expression, write \IPV4, \MAC, \SYSLOG_DATE, etc.
2.5 Functions
2.5.1 Path
/usr/share/ossim-agent/ossim_agent/ParserUtil.py
2.5.2 Conversions
resolv(host): translates a host name to an IPv4 address
resolv_ip(addr): translates an IPv4 address to a host name
resolv_port(port): translates a port name into its number
normalize_date(date): converts date strings to ISO format (the regular expression must be tagged with the following: , , , , , or for timestamps). To define new date formats add a new regexp to the DATE_REGEXPS array.
normalize_protocol(proto): translates protocol names to protocol numbers, based on the PROTO_TABLE
md5sum(datastring): calculates the MD5 checksum
upper(string): converts the string to all upper case
hextoint(string): gets the integer value of a hexadecimal number
2.5.3 Application Specific Translations
snort_id(id): adds 1000 to the Snort ID
intrushield_sid(sid,name): all McAfee Intrushield IDs are divisible by 256, and their length does not fit in the OSSIM table (mcafee_sid = hextoint(mcafee_sid)/256)
netscreen_idp_sid(msg): translates the Netscreen messages based on the NETSCREEN_IDP_SID_TRANSLATION_TABLE translation table (defined in ParserUtil.py)
iss_siteprotector_sid(msg): translates the ISS SiteProtector messages based on the ISS_SITEPROTECTOR_SID_TRANSLATION_MAP translation table (defined in ParserUtil.py)
resolv_iface(iface): normalizes the interface name to either “ext” or “int”
2.5.4 User Defined Translations<br />
translate(string): translates strings based on the entries defined in the [translation] section of the plugin.<br />
Example (from the iptables plugin):<br />
# The translation section in the plugin configuration file<br />
[translation]<br />
ACCEPT=1<br />
REJECT=2<br />
DROP=3<br />
DENY=3<br />
Inbound=4<br />
Outbound=5<br />
# Rule ID<br />
[0 - iptables]<br />
# Log sample<br />
# Oct 31 08:59:25 M2600001 kernel: RULE 0 -- ACCEPT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60<br />
# TOS=0x00 PREC=0x00 TTL=64 ID=8437 DF PROTO=TCP SPT=57275 DPT=836 SEQ=2806649400<br />
# ACK=0 WINDOW=32767 RES=0x00 SYN URGP=0<br />
# Log Parsing<br />
regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S*) (\S*):.*?(\S+)\s+IN=(\S*) OUT=(\S*) SRC=(\S+) DST=(\S+) LEN=(\d+) \S+ \S+ TTL=(\d+) .*? PROTO=(\S*) SPT=(\d*) DPT=(\d*)<br />
………<br />
# plugin_sid is set to 1, the translated value for ACCEPT (the fourth group)<br />
plugin_sid={translate($4)}<br />
2.6 Event Fields<br />
Mandatory – no default values, they always have to be set when creating a new plugin:<br />
plugin_id: Event Type<br />
plugin_sid: Event Subtype<br />
Mandatory – default values are assigned by the OSSIM Agent when the rule does not set them:<br />
date: The time the event has been collected from the device<br />
sensor: The IP Address of the sensor collecting the event<br />
interface: The interface where the event has been collected<br />
Optional:<br />
protocol: IP Protocol (see /etc/protocols)<br />
src_ip: The Source IP Address<br />
src_port: The Source Port<br />
dst_ip: The Destination IP Address<br />
dst_port: The Destination Port<br />
username: The user referred to in the event<br />
password: The password referred to in the event<br />
filename: The filename referred to in the event<br />
userdata1 – userdata9: User defined fields that can be used in custom reports, correlation directives, etc.<br />
Special types of events and the list of fields that can be used in each event type:<br />
Host-os-event: host, os, sensor, interface, date<br />
Host-mac-event: host, mac, vendor, sensor, interface, date<br />
Host-service-event: host, sensor, interface, port, protocol, service, application, date<br />
2.7 Rules<br />
Rules define the format of each event and how it is normalized. A rule is composed of a regular expression and the list of fields the event will include once it is sent to the OSSIM Server.<br />
In some cases a single regular expression will collect every event coming from an application; in other cases more than one rule will be required.<br />
2.7.1 Evaluation Order<br />
Rules are loaded in alphabetical order based on the name given to each rule (Rule ID).<br />
Once a log line matches the regex of one rule, the OSSIM Agent stops processing that event; therefore generic rules must be the last to be evaluated.<br />
2.7.2 Structure<br />
- Name / Rule ID<br />
The name of the rule is mandatory.<br />
- Regular Expression<br />
The regexp field contains the regular expression that defines the format of the events and extracts the information used to normalize the event.<br />
The regular expression has to be written following Python regular expression syntax: http://docs.python.org/library/re.html<br />
The information extracted by the regular expression from the log can be accessed by:<br />
Position: (\d\d):(\d\d):(\d\d)<br />
hour={$1}<br />
minutes={$2}<br />
seconds={$3}<br />
Tags (named groups): (?P&lt;hour&gt;\d\d):(?P&lt;minutes&gt;\d\d):(?P&lt;seconds&gt;\d\d)<br />
hour={$hour}<br />
minutes={$minutes}<br />
seconds={$seconds}<br />
- Normalized Fields<br />
The server must receive normalized events, where for instance IP addresses use the IPV4 format and the date uses the format YYYY-MM-DD HH:MM:SS (2010-12-31 22:57:00).<br />
To simplify the process of normalizing events, functions are defined (more details on functions can be found in the “Functions” section of this document):<br />
resolv(): translates hostnames into IPV4 addresses (DNS queries)<br />
normalize_date(): translates many date formats into the format accepted by the OSSIM Server<br />
- Translations<br />
Used for instance when the Event ID is not numeric, but plugin_sid has to be numeric. Translations have to be defined inside the [translation] section. The actual translation is triggered by using the translate() function.<br />
- Exclusions<br />
Some events can be filtered during the collection process by editing the configuration file of each plugin:<br />
- Using the option exclude_sids<br />
- Modifying the regular expressions to avoid matching certain events<br />
2.8 Loading <strong>Plugins</strong><br />
2.8.1 Priority and Reliability values<br />
For each Plugin_ID/Plugin_SID pair the Priority and Reliability values will have to be defined while<br />
registering the plugin with the OSSIM Server.<br />
2.8.2 SQL Statement<br />
Just as an existing plugin file is copied and customized to create a new plugin file, an SQL script can be copied and customized in order to insert the new Plugin information into the database.<br />
The sample SQL scripts can be found under:<br />
/usr/share/doc/ossim-mysql/contrib/plugins/*.sql<br />
Unlike the Plugin configuration file, the SQL script must be created and executed on the OSSIM Server, not on the host where the OSSIM Agent runs.<br />
The following is performed by the SQL script:<br />
- Remove the Plugin ID from the “plugin” table, should such an entry already exist<br />
- Remove the Plugin SIDs from the “plugin_sid” table, should such entries already exist<br />
- Insert the new Plugin ID information into the “plugin” table<br />
- Insert the new Plugin SIDs into the “plugin_sid” table<br />
To run the script use the following command (please double-check the content of the SQL scripts<br />
and the command line syntax before applying the changes to the database):<br />
ossim-server:/usr/share/doc/ossim-mysql/contrib/plugins# ossim-db < ssh.sql<br />
Example (/usr/share/doc/ossim-mysql/contrib/plugins/ssh.sql):<br />
-- SSHd<br />
-- plugin_id: 4003<br />
DELETE FROM plugin WHERE id = "4003";<br />
DELETE FROM plugin_sid where plugin_id = "4003";<br />
INSERT INTO plugin (id, type, name, description) VALUES (4003, 1, 'sshd', 'SSHd: Secure Shell daemon');<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (4003, 1, NULL, NULL, 'SSHd: Failed password', 3, 2);<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (4003, 2, NULL, NULL, 'SSHd: Failed publickey', 2, 2);<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (4003, 99, NULL, NULL, 'SSHd: Generic SSH Event', 1, 1);<br />
2.9 Plugin Activation<br />
2.9.1 Activate the Plugin on the Server Side<br />
Restart the OSSIM Server process:<br />
ossim-server:~# /etc/init.d/ossim-server restart<br />
2.9.2 Activate the Plugin on the Agent Side<br />
Restart the OSSIM Agent process:<br />
ossim-sensor:~# /etc/init.d/ossim-agent restart<br />
3 Log files<br />
Generic Syslog<br />
/var/log/syslog (Unix)<br />
/var/adm/messages (Solaris)<br />
To identify where the logs for specific applications or certain logging levels are saved, check the<br />
/etc/syslog.conf or /etc/rsyslog.conf files.<br />
OSSIM Agent<br />
/var/log/ossim/agent.log<br />
OSSIM Server<br />
/var/log/ossim/server.log<br />
4 Debugging<br />
Note: never leave an application running in Debug mode in a production environment.<br />
OSSIM Agent<br />
ossim-agent -vv<br />
OSSIM Server<br />
ossim-server -D6<br />
5 Appendix<br />
5.1 Regular Expressions<br />
Operator : Meaning<br />
c : A non-special character matches itself<br />
\c : Removes the special meaning of the character c; the RE \$ matches $<br />
^ : Indicates the beginning of the line<br />
$ : Indicates the end of the line<br />
. : Any individual character<br />
[…] : One of the characters …; accepts intervals of the type a-z, 0-9, A-Z<br />
[^…] : A character different from …; accepts intervals of the type a-z, 0-9, A-Z<br />
Regular Expression : Matches with<br />
a.b : axb aab abb aSb a#b ...<br />
a..b : axxb aaab abbb a4$b ...<br />
[abc] : a b c (one-character strings)<br />
[aA] : a A (one-character strings)<br />
[aA][bB] : ab Ab aB AB (two-character strings)<br />
[0123456789] : 0 1 2 3 4 5 6 7 8 9<br />
[0-9] : 0 1 2 3 4 5 6 7 8 9<br />
[A-Za-z] : A B C ... Z a b c ... z<br />
[0-9][0-9][0-9] : 000 001 .. 009 010 .. 019 100 .. 999<br />
[0-9]* : empty_string 0 1 9 00 99 123 456 999 9999 ...<br />
[0-9][0-9]* : 0 1 9 00 99 123 456 999 9999 99999 99999999 ...<br />
^.*$ : A full line<br />
Operator : Meaning<br />
r* : 0 or more occurrences of the RE r<br />
r+ : 1 or more occurrences of the RE r<br />
r? : 0 or 1 occurrence of the RE r, and no more<br />
r{n} : n occurrences of the RE r<br />
r{,m} : 0 or at most m occurrences of the RE r<br />
r{n,m} : n or more occurrences of the RE r, but at most m<br />
r1|r2 : The RE r1 or the RE r2<br />
Regular expression : Matches with<br />
[0-9]+ : 0 1 9 00 99 123 456 999 9999 99999 99999999 ..<br />
[0-9]? : empty_string 0 1 2 .. 9<br />
(ab)* : empty_string ab ababab abababababab<br />
([0-9]+ab)* : empty_string 1234ab 9ab9ab9ab 9876543210ab 99ab99ab ...<br />
Regular expression : Matches with : Equals<br />
\d : Any decimal character : [0-9]<br />
\D : Any non-decimal character : [^0-9]<br />
\s : Any space character : [ \t\n\r\f\v]<br />
\S : Any non-space character : [^ \t\n\r\f\v]<br />
\w : Any alphanumeric character and “_” : [a-zA-Z0-9_]<br />
\W : Any non-alphanumeric character : [^a-zA-Z0-9_]<br />
\Z : End of line<br />
5.2 Configuration Example<br />
5.2.1 Scenario<br />
In order to detect user logons on a Unix system, the output of the “last” command will be used. The “last” command displays the content of the /var/log/wtmp file, where opened and closed terminal sessions as well as system restarts are logged.<br />
To create events only on status updates, the “last” output will be collected periodically and compared with the output saved by the previous loop.<br />
The status updates will be sent to syslog with the help of the “logger” command.<br />
5.2.2 Write a script to monitor the “last” status<br />
#!/bin/sh<br />
# create the file if it does not exist<br />
touch /var/log/last.prev<br />
while true<br />
do<br />
# get last entries<br />
last > /var/log/last.new<br />
# send new entries to syslog<br />
diff /var/log/last.prev /var/log/last.new | grep '^>' | logger -t LOGON_EXAMPLE -p local2.info<br />
# move .new to .prev<br />
mv /var/log/last.new /var/log/last.prev<br />
sleep 5<br />
done<br />
5.2.3 Log sample<br />
dmz01:~# tail -f /var/log/messages<br />
Jul 14 19:21:32 dmz01 LOGON_EXAMPLE: > root pts/3 localhost Wed Jul 14 18:49 - 19:21 (00:31)<br />
Jul 14 19:23:28 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 still logged in<br />
Jul 14 19:23:59 dmz01 LOGON_EXAMPLE: > root pts/4 localhost Wed Jul 14 19:23 still logged in<br />
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > root pts/4 localhost Wed Jul 14 19:23 - 19:24 (00:00)<br />
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 - 19:24 (00:00)<br />
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 18:38 - 19:24 (00:45)<br />
Jul 14 19:24:54 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 19:24 still logged in<br />
Jul 14 19:26:15 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 19:24 - 19:26 (00:01)<br />
Jul 14 19:26:20 dmz01 LOGON_EXAMPLE: > ossim pts/2 172.22.22.10 Wed Jul 14 19:26 still logged in<br />
Jul 14 19:26:25 dmz01 LOGON_EXAMPLE: > ossim pts/2 172.22.22.10 Wed Jul 14 19:26 - 19:26 (00:00)<br />
5.2.4 Collect the logs in a new log file<br />
Add the following to the rsyslog.conf on the system running the OSSIM Agent:<br />
#<br />
# LOGON_EXAMPLE<br />
#<br />
local2.info /var/log/last_logon.log<br />
5.2.5 Restart “rsyslog”<br />
opensourcesim:~# /etc/init.d/rsyslogd restart<br />
5.2.6 Check whether the new entries are written in the new log file<br />
opensourcesim:/etc/ossim/agent/plugins# tail -f /var/log/last_logon.log<br />
Jul 14 19:38:49 dmz01 LOGON_EXAMPLE: > root pts/2 localhost Wed Jul 14 19:38 still logged in<br />
Jul 14 19:38:54 dmz01 LOGON_EXAMPLE: > root pts/2 localhost Wed Jul 14 19:38 - 19:38 (00:00)<br />
Jul 14 19:38:59 dmz01 LOGON_EXAMPLE: > ossim pts/2 localhost Wed Jul 14 19:38 still logged in<br />
Jul 14 19:40:51 dmz01 LOGON_EXAMPLE: > ossim pts/2 localhost Wed Jul 14 19:38 - 19:40 (00:01)<br />
Jul 14 20:15:09 dmz01 LOGON_EXAMPLE: > reboot system boot 2.6.31.6 Wed Jul 14 17:39 - 20:15 (02:35)<br />
5.2.7 Create a plugin file<br />
Copy an existing plugin to build the new one on the existing structure<br />
opensourcesim:/etc/ossim/agent/plugins# cp syslog.cfg example.cfg<br />
Set the new plugin specific parameters<br />
;; <strong>Building</strong> <strong>Plugins</strong> Example<br />
;; plugin_id: 9001<br />
;; type: detector<br />
[DEFAULT]<br />
plugin_id=9001<br />
[config]<br />
type=detector<br />
enable=yes<br />
source=log<br />
# Enable syslog to log everything to one file. Add it to log rotation also.<br />
# echo "*.* /var/log/all.log" >> /etc/syslog.conf; killall -HUP syslogd<br />
#location=/var/log/all.log<br />
location=/var/log/last_logon.log<br />
# create log file if it does not exist,<br />
# otherwise stop processing this plugin<br />
create_file=true<br />
process=<br />
start=no<br />
stop=no<br />
startup=<br />
shutdown=<br />
## rules<br />
[Rule 01 - Console Session Open]<br />
# Jul 14 20:36:47 dmz01 LOGON_EXAMPLE: > root tty1 Wed Jul 14 20:36 still logged in<br />
event_type=event<br />
regexp="^(?P&lt;logline&gt;(?P&lt;date&gt;\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P&lt;host&gt;[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P&lt;username&gt;[^\s]+)\s+(?P&lt;tty&gt;tty\d+)\s+(?P&lt;logged_event&gt;.*still logged in.*))$"<br />
sensor=\_CFG(plugin-defaults,sensor)<br />
# the timestamp group is named, as in Rule 99, so that $date is unambiguous ($1 is the outer logline group)<br />
date={normalize_date($date)}<br />
plugin_sid=1<br />
username={$username}<br />
dst_ip={resolv($host)}<br />
userdata1={$tty}<br />
userdata2={md5sum($logline)}<br />
userdata3={$logline}<br />
userdata4={$logged_event}<br />
[Rule 02 - Console Session Closed]<br />
# Jul 14 20:35:46 dmz01 LOGON_EXAMPLE: > root tty1 Wed Jul 14 20:18 - 20:35 (00:17)<br />
event_type=event<br />
regexp="^(?P&lt;logline&gt;(?P&lt;date&gt;\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P&lt;host&gt;[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P&lt;username&gt;[^\s]+)\s+(?P&lt;tty&gt;tty\d+)\s+(?P&lt;logged_event&gt;.*))$"<br />
sensor=\_CFG(plugin-defaults,sensor)<br />
date={normalize_date($date)}<br />
plugin_sid=2<br />
username={$username}<br />
dst_ip={resolv($host)}<br />
userdata1={$tty}<br />
userdata2={md5sum($logline)}<br />
userdata3={$logline}<br />
userdata4={$logged_event}<br />
[Rule 03 - New User Session - IP]<br />
# Jul 14 20:21:49 dmz01 LOGON_EXAMPLE: > root pts/1 172.22.22.10 Wed Jul 14 20:21 still logged in<br />
event_type=event<br />
regexp="^(?P&lt;logline&gt;(?P&lt;date&gt;\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P&lt;host&gt;[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P&lt;username&gt;[^\s]+)\s+(?P&lt;tty&gt;[^\s]+)\s+(?P&lt;source&gt;\IPV4)\s+(?P&lt;logged_event&gt;.*still logged in.*))$"<br />
sensor=\_CFG(plugin-defaults,sensor)<br />
date={normalize_date($date)}<br />
plugin_sid=3<br />
username={$username}<br />
src_ip={$source}<br />
dst_ip={resolv($host)}<br />
userdata1={$tty}<br />
userdata2={md5sum($logline)}<br />
userdata3={$logline}<br />
userdata4={$logged_event}<br />
[Rule 04 - New User Session - hostname]<br />
# Jul 14 19:23:28 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 still logged in<br />
event_type=event<br />
regexp="^(?P&lt;logline&gt;(?P&lt;date&gt;\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P&lt;host&gt;[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P&lt;username&gt;[^\s]+)\s+(?P&lt;tty&gt;[^\s]+)\s+(?P&lt;source&gt;localhost)\s+(?P&lt;logged_event&gt;.*still logged in.*))$"<br />
sensor=\_CFG(plugin-defaults,sensor)<br />
date={normalize_date($date)}<br />
plugin_sid=3<br />
username={$username}<br />
src_ip=127.0.0.1<br />
dst_ip={resolv($host)}<br />
userdata1={$tty}<br />
userdata2={md5sum($logline)}<br />
userdata3={$logline}<br />
userdata4={$logged_event}<br />
[Rule 05 - User Session Closed - IP]<br />
# Jul 14 19:26:25 dmz01 LOGON_EXAMPLE: > ossim pts/2 172.22.22.10 Wed Jul 14 19:26 - 19:26 (00:00)<br />
event_type=event<br />
regexp="^(?P&lt;logline&gt;(?P&lt;date&gt;\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P&lt;host&gt;[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P&lt;username&gt;[^\s]+)\s+(?P&lt;tty&gt;[^\s]+)\s+(?P&lt;source&gt;\IPV4)\s+(?P&lt;logged_event&gt;.*))$"<br />
sensor=\_CFG(plugin-defaults,sensor)<br />
date={normalize_date($date)}<br />
plugin_sid=4<br />
username={$username}<br />
src_ip={$source}<br />
dst_ip={resolv($host)}<br />
userdata1={$tty}<br />
userdata2={md5sum($logline)}<br />
userdata3={$logline}<br />
userdata4={$logged_event}<br />
[Rule 06 - User Session Closed - hostname]<br />
# Jul 14 19:33:56 dmz01 LOGON_EXAMPLE: > root pts/2 localhost Wed Jul 14 19:33 - 19:33 (00:00)<br />
event_type=event<br />
regexp="^(?P&lt;logline&gt;(?P&lt;date&gt;\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P&lt;host&gt;[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P&lt;username&gt;[^\s]+)\s+(?P&lt;tty&gt;[^\s]+)\s+(?P&lt;source&gt;localhost)\s+(?P&lt;logged_event&gt;.*))$"<br />
sensor=\_CFG(plugin-defaults,sensor)<br />
date={normalize_date($date)}<br />
plugin_sid=4<br />
username={$username}<br />
src_ip=127.0.0.1<br />
dst_ip={resolv($host)}<br />
userdata1={$tty}<br />
userdata2={md5sum($logline)}<br />
userdata3={$logline}<br />
userdata4={$logged_event}<br />
[Rule 07 - Reboot Detected]<br />
# Jul 14 20:15:09 dmz01 LOGON_EXAMPLE: > reboot system boot 2.6.31.6 Mon May 24 13:51 - 20:15 (51+06:23)<br />
event_type=event<br />
# the generator and logged_event groups, and the whitespace after ">", are assumed from the sample line above<br />
regexp="^(?P&lt;logline&gt;(?P&lt;date&gt;\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P&lt;host&gt;[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P&lt;generator&gt;reboot)\s+(?P&lt;logged_event&gt;.*))$"<br />
sensor=\_CFG(plugin-defaults,sensor)<br />
date={normalize_date($date)}<br />
plugin_sid=5<br />
userdata1={md5sum($logline)}<br />
userdata2={$logline}<br />
userdata3={$generator}<br />
userdata4={$logged_event}<br />
[Rule 99 - Catch all]<br />
# Whatever doesn't match the above rules<br />
event_type=event<br />
regexp="^(?P&lt;logline&gt;(?P&lt;date&gt;\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P&lt;host&gt;[^\s]+)\s+LOGON_EXAMPLE:(?P&lt;logged_event&gt;.*))$"<br />
sensor=\_CFG(plugin-defaults,sensor)<br />
date={normalize_date($date)}<br />
plugin_sid=99<br />
userdata1={md5sum($logline)}<br />
userdata2={$logline}<br />
userdata3={$logged_event}<br />
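The rule evaluation described in 2.7 (rules tried in alphabetical Rule ID order, first match wins, named groups referenced as $name) run over three of the example.cfg rules above, as an added Python example that is not part of the guide or of the OSSIM agent. It assumes the year 2010 for the syslog timestamps, replaces the agent's \IPV4 macro with a plain IPv4 pattern, and leaves out the resolv() and \_CFG() lookups; the sample lines are taken from the 5.2.3 log sample.<br />

```python
import configparser
import hashlib
import re
from datetime import datetime

# Added example, not OSSIM agent code: a minimal re-implementation of the rule
# evaluation described in 2.7 (rules tried in alphabetical order, first match
# wins, $name references resolved from named groups) over three example.cfg rules.
IPV4_MACRO = r"\d{1,3}(?:\.\d{1,3}){3}"  # stands in for the agent's \IPV4 macro
# Constructed plugin fragment: Rules 03, 05 and 99 from 5.2.7, sensor/dst_ip left out.
PLUGIN_CFG = r"""[Rule 03 - New User Session - IP]
regexp="^(?P<logline>(?P<date>\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P<username>[^\s]+)\s+(?P<tty>[^\s]+)\s+(?P<source>\IPV4)\s+(?P<logged_event>.*still logged in.*))$"
date={normalize_date($date)}
plugin_sid=3
username={$username}
src_ip={$source}
userdata2={md5sum($logline)}
[Rule 05 - User Session Closed - IP]
regexp="^(?P<logline>(?P<date>\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P<username>[^\s]+)\s+(?P<tty>[^\s]+)\s+(?P<source>\IPV4)\s+(?P<logged_event>.*))$"
date={normalize_date($date)}
plugin_sid=4
username={$username}
src_ip={$source}
userdata2={md5sum($logline)}
[Rule 99 - Catch all]
regexp="^(?P<logline>(?P<date>\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>[^\s]+)\s+LOGON_EXAMPLE:(?P<logged_event>.*))$"
date={normalize_date($date)}
plugin_sid=99
userdata1={md5sum($logline)}
"""
# Constructed from the 5.2.3 log sample: a closed session, an open session, a reboot.
SAMPLE_LOG = [
    "Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 18:38 - 19:24 (00:45)",
    "Jul 14 19:24:54 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 19:24 still logged in",
    "Jul 14 20:15:09 dmz01 LOGON_EXAMPLE: > reboot system boot 2.6.31.6 Wed Jul 14 17:39 - 20:15 (02:35)",
]

def normalize_date(text):
    """'Jul 14 19:24:09' -> '2010-07-14 19:24:09'; year 2010 assumed, syslog has none."""
    stamp = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")
    return stamp.replace(year=2010).strftime("%Y-%m-%d %H:%M:%S")

FUNCS = {"normalize_date": normalize_date,
         "md5sum": lambda s: hashlib.md5(s.encode()).hexdigest()}

def expand(template, match):
    """Resolve one field value as the agent does: {func($x)}, {$x} or a literal."""
    m = re.fullmatch(r"\{(?:(\w+)\()?\$(\w+)\)?\}", template)
    if not m:
        return template  # literal, e.g. plugin_sid=3 or src_ip=127.0.0.1
    func, key = m.groups()
    value = match.group(int(key) if key.isdigit() else key)  # $1 style or $name style
    return FUNCS[func](value) if func else value

def load_rules(cfg_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    rules = []
    for name in sorted(s for s in cp.sections() if s.startswith("Rule")):  # evaluation order
        pattern = cp[name]["regexp"].strip('"').replace(r"\IPV4", IPV4_MACRO)
        fields = {k: v for k, v in cp[name].items() if k != "regexp"}
        rules.append((name, re.compile(pattern), fields))
    return rules

def normalize(line, rules):
    """(rule name, normalized fields) for the first matching rule, else None."""
    for name, regex, fields in rules:
        match = regex.match(line)
        if match:
            return name, {k: expand(v, match) for k, v in fields.items()}
    return None  # a line no rule matches is dropped by the agent

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(normalize(line, load_rules(PLUGIN_CFG)))
```

Renaming Rule 05 so that it sorts before Rule 03 makes its `.*` group swallow the “still logged in” lines as well, which is the ordering problem 2.7.1 warns about.<br />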
5.2.8 Register the Plugin with the OSSIM Agent<br />
Add the example.cfg plugin to the agent configuration file<br />
opensourcesim:~# more /etc/ossim/agent/config.cfg<br />
[plugins]<br />
syslog=/etc/ossim/agent/plugins/syslog.cfg<br />
example=/etc/ossim/agent/plugins/example.cfg<br />
wmi-system-logger=/etc/ossim/agent/plugins/wmi-system-logger.cfg<br />
Alternatively the plugin can be activated with the ossim-setup utility:<br />
opensourcesim:~# ossim-setup<br />
1) Change Sensor Settings<br />
2) Select Detector <strong>Plugins</strong><br />
3) Select the “example” Plugin<br />
4) Save & Exit<br />
5.2.9 Register the Plugin with the OSSIM Server<br />
Copy an existing SQL script to build the new one on the existing structure<br />
opensourcesim:/usr/share/doc/ossim-mysql/contrib/plugins# cp syslog.sql example.sql<br />
Get a list of the rules defined in the Plugin configuration file.<br />
opensourcesim:~# grep '^\[' /etc/ossim/agent/plugins/example.cfg<br />
[Rule 01 - Console Session Open]<br />
[Rule 02 - Console Session Closed]<br />
[Rule 03 - New User Session - IP]<br />
[Rule 04 - New User Session - hostname]<br />
[Rule 05 - User Session Closed - IP]<br />
[Rule 06 - User Session Closed - hostname]<br />
[Rule 07 - Reboot Detected]<br />
[Rule 99 - Catch all]<br />
Rules having the same plugin_sid only require one SQL statement and one plugin_sid defined on the OSSIM Server. Different rules were used only because the “last” command returns both IP addresses and hostnames as sources.<br />
-- plugin_id: 9001<br />
DELETE FROM plugin WHERE id = "9001";<br />
DELETE FROM plugin_sid where plugin_id = "9001";<br />
INSERT INTO plugin (id, type, name, description) VALUES (9001, 1, 'Example', 'User logons based on the last output');<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 1, NULL, NULL, 'Login: System console', 5, 5);<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 2, NULL, NULL, 'Logout: System console', 5, 5);<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 3, NULL, NULL, 'Login: Pseudo terminal', 3, 5);<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 4, NULL, NULL, 'Logout: Pseudo terminal', 3, 5);<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 5, NULL, NULL, 'System reboot: Restarted', 5, 5);<br />
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9001, 99, NULL, NULL, 'Last: Generic messages', 1, 1);<br />
After changing the script to reflect the Plugin IDs and SIDs, load the changes with the command:<br />
opensourcesim:/usr/share/doc/ossim-mysql/contrib/plugins# cat example.sql | ossim-db<br />
5.2.10 Check whether the plugin was successfully registered<br />
(Screenshots in the original, not reproduced: Plugin ID, Plugin SIDs)<br />
5.2.11 Restart the OSSIM Server<br />
opensourcesim:~# /etc/init.d/ossim-server restart<br />
5.2.12 Restart the OSSIM Agent<br />
opensourcesim:~# /etc/init.d/ossim-agent restart<br />
5.2.13 Check whether Events and Alarms are received<br />
(Screenshots in the original, not reproduced: Events, Alarms)<br />