Building Collector Plugins 1.1 - AlienVault

More documents

Recommendations

Info

Building Collector Plugins - Admin Guide 2.4 Aliases 2.4.1 Path /etc/ossim/agent/aliases.cfg 2.4.2 Predefined Regular Expressions The predefined regular expressions can be used when creating new plugins. IPV4= \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} MAC= \w{1,2}:\w{1,2}:\w{1,2}:\w{1,2}:\w{1,2}:\w{1,2} PORT= \d{1,5} TIME= \d\d:\d\d:\d\d SYSLOG_DATE= \w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d SYSLOG_WY_DATE= \w+\s+\d{1,2}\s\d{4}\s\d\d:\d\d:\d\d To use an Alias in the regular expression use the \IPV4, \MAC, \SYSLOG_DATE, etc. 2.5 Functions 2.5.1 Path /usr/share/ossim-agent/ossim_agent/ParserUtil.py 2.5.2 Conversions resolv(host): resolv_ip(addr): resolv_port(port): normalize_date(date): normalize_protocol(proto): md5sum(datastring): upper(string): hextoint(string): translates a host name to an IPv4 address translates an IPv4 address to a host name translate a port name into its number convert date strings to isoformat (must tag the regular expressions with the following: , , , , , or for timestamps. To define new date formats add a new regexp to the DATE_REGEXPS array. translates the protocols to the protocol numbers, based on the PROTO_TABLE calculates the md5 checksum all upper case get the integer value of a hexadecimal number Page 16 Copyright © Alienvault 2010
Building Collector Plugins - Admin Guide 2.5.3 Application Specific Translations snort_id(id): intrushield_sid(sid,name): netscreen_idp_sid(msg): iss_siteprotector_sid(msg): resolv_iface(iface): adds 1000 to the Snort ID all McAfee Intrushield IDs are divisible by 256, and this length doesn't fit in the OSSIM table ( mcafee_sid = hextoint(mcafee_sid)/256) translates the Netscreen messages based on the NETSCREEN_IDP_SID_TRANSLATION_TABLE translation table (defined in ParserUtil.py) translates the ISS_SiteProtector messages based on the ISS_SITEPROTECTOR_SID_TRANSLATION_MAP translation table (defined in ParserUtil.py) normalize interface name to either “ext” or “int” 2.5.4 User Defined Translations translate(string): Example (from the iptables plugin): # The translation section in the plugin configuration file [translation] ACCEPT=1 REJECT=2 DROP=3 DENY=3 Inbound=4 Outbound=5 # Rule ID [0 - iptables] translates strings based on the entries defined in the [translation] section of the plugin. # Log sample # Oct 31 08:59:25 M2600001 kernel: RULE 0 -- ACCEPT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 # TOS=0x00 PREC=0x00 TTL=64 ID=8437 DF PROTO=TCP SPT=57275 DPT=836 SEQ=2806649400 # ACK=0 WINDOW=32767 RES=0x00 SYN URGP=0 # Log Parsing regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S*) (\S*):.*?(\S+)\s+IN=(\S*) OUT=(\S*) SRC=(\S+) DST=(\S+) LEN=(\d+) \S+ \S+ TTL=(\d+) .*? PROTO=(\S*) SPT=(\d*) DPT=(\d*) ……… # plugin_sid is set to 1, the translated value for ACCEPT plugin_sid={translate($4)} Page 17 Copyright © Alienvault 2010
Page 1 and 2: Building Collector Plugins Admin Gu
Page 3 and 4: Building Collector Plugins - Admin
Page 15: Building Collector Plugins - Admin
Page 31 and 32: 5.2.10 Check whether the plugin was

Building Collector Plugins 1.1 - AlienVault

Create successful ePaper yourself

Delete template?

Save as template?