Building Collector Plugins Admin Guide

Transcription

1 Building Cllectr Plugins Admin Guide Cpyright Alienvault 2010 All rights reserved. N part f this wrk may be reprduced r transmitted in any frm r by any means, electrnic r mechanical, including phtcpying, recrding, r by any infrmatin strage r retrieval system, withut the prir written permissin f the cpyright wner and publisher. Any trademarks referenced herein are the prperty f their respective hlders.

2 Table f Cntent 1 Overview OSSIM Agent Rle Event Cllectin Event Nrmalizatin OSSIM Server Rle Event Enrichment Plicies and Actins The Cnfiguratin Wrkflw Cnfiguring Detectr Plugins Rsyslg Cnfiguratin File Listener Cnfiguratin Filters OSSIM Agent Cnfiguratin Cnfiguratin File Parameters Detectr Plugin Cnfiguratin Cnfiguratin Files Cmmn Event Types Parameters Using Lcal (Plugin) Variables Using Glbal (Agent) Variables Aliases Path Predefined Regular Expressins Functins Path Cnversins Applicatin Specific Translatins User Defined Translatins Event Fields Rules Evaluatin Order Page 2 Cpyright Alienvault 2010

3 2.7.2 Structure Lading Plugins Pririty and Reliability values SQL Statement Plugin Activatin Activate the Plugin n the Server Side Activate the Plugin n the Agent Side Lg files Debugging Appendix Regular Expressins Cnfiguratin Example Scenari Write a script t mnitr the last status Lg sample Cllect the lgs in a new lg file Restart rsyslg Check whether the new entries are written in the new lg file Create a plugin file Register the Plugin with the OSSIM Agent Register the Plugin with the OSSIM Server Check whether the plugin was successfully registered Restart the OSSIM Server Restart the OSSIM Agent Check whether Events and Alarms are received Page 3 Cpyright Alienvault 2010

4 1 Overview 1.1 OSSIM Agent Rle Event Cllectin The cllectin prcess invlves extracting the data lgs frm the surce systems (Security, OS, RDBMS, etc.) and allws first steps fr event lg filtering. At this stage can be decided what is ging t be read by the OSSIM Agent and what is ging t be discarded befre having an impact n the system perfrmance. Befre starting t write a plugin sme actins t reduce the amunt f events culd be cnsidered: - Manage the lg level settings at the applicatin and managed device level - Fix the prblem that is generating events - Use Pcap filters t ignre certain hsts r netwrks (Snrt, Tcpdump...) - In deplyments with a big amunt f analysed data, filtering at the applicatin level shuld be dne whenever pssible Lg Files Gd practice is t use ne lg file per plugin in rder t increase perfrmance. Having just ne generic lg file, all the plugins wuld have t read the same extensive cntent in rder t catch the few relevant entries. Using rsyslg it is pssible t filter the cllected lgs based n the syslg tags Event Nrmalizatin In the nrmalizatin stage a series f rules r functins applies t the data extracted frm the surce system in rder t transfrm it in a cmmn OSSIM frmat. Raw Event The raw event might be a generic syslg message, an applicatin lg, an SNMP trap, the result f an SNMP r SQL Query r sme ther kind f infrmatin in a mre r less structured frm that is appended t a lg file. Example: dmz01:/var/lg/auth.lg: May 30 13:15:52 dmz01 sshd[12980]: Accepted passwrd fr rt frm prt 4445 ssh2 Page 4 Cpyright Alienvault 2010

5 Nrmalized Event There is a certain set f fields which are required in rder t ensure a cnsistent evaluatin and crrelatin f the events by the OSSIM server. These fields can be ppulated with infrmatin frm the lg message r statically thrugh the plug-in. Example: ssim-sensr:/var/lg/ssim/agent.lg: :15:49,441 Output [INFO]: event type="detectr" date=" " sensr=" " interface="eth0" plugin_id="4003" plugin_sid="7" src_ip=" " src_prt="4445" dst_ip=" " dst_prt="22" username="rt" lg="may 30 13:15:52 dmz01 sshd[12980]: Accepted passwrd fr rt frm prt 4445 ssh2" fdate=" :15:52" tzne="0" Page 5 Cpyright Alienvault 2010

6 1.2 OSSIM Server Rle Event Enrichment The OSSIM server enriches the received nrmalized event with the metadata stred in the OSSIM Database. Enriched Event The OSSIM Server enriches the event with the Pririty and Reliability values, which are specific t the event type (plugin_id) and subtype (plugin_sid), as well as with the Asset Value which is specific t the Surce (asset_src) and the Destinatin (asset_dst) hsts. Example: ssim:/var/lg/ssim/server.lg: :48:41 OSSIM-Message: Event received: event id="0" alarm="0" type="detectr" fdate=" :15:52" date=" " tzne="0" plugin_id="4003" plugin_sid="7" src_ip=" " src_prt="4445" dst_ip=" " dst_prt="22" sensr=" " interface="eth0" prtcl="tcp" asset_src="2" asset_dst="2" lg="may 30 13:15:52 dmz01 sshd[12980]: Accepted passwrd fr rt frm prt 4445 ssh2" username="rt" Pririty The pririty is related t threats and it reflects the imprtance f a specific attack, having nthing t d with a specific hst r envirnment. It nly measures the relative imprtance f the attack itself. Range: 0-5 Default value: 1 Example: A Unix server running Samba gets attacked by the Sasser wrm. Apart frm the fact that the attack wn t have an impact n the given envirnment, it has the ptential t explit a big security hle and fr that reasn the pririty is cnsidered as being high. Reliability Classical risk-assessment wuld refer it as "prbability ". Since it's quite difficult t determine hw prbable it is fr a netwrk t be expsed t certain vulnerabilities, the IDS related reliability apprach was cnsidered mre apprpriate. Range: 0-10 Default value : 1. Example: If a hst cnnects t 5 different hsts in the same subnet using prt 445, culd be a nrmal behavir, unreliable fr IDS purpses. If cnnecting t 15 hsts wuld be Page 6 Cpyright Alienvault 2010

7 suspicius, with 500 cnnectins t different hsts in less than an hur the attack wuld get mre and mre reliable. Asset Value It is assigned t bth the Surce and the Destinatin Hsts and represents the imprtance the hst has t the enterprise. Range: 0-5 Default value: 1 (als used fr hsts nt being defined in the asset database) Example: A database server can have an asset value f 5, a develpment test server an asset value f 2 and an unknwn hst in the Internet causing a prtscan event wuld just have an asset value f 1. Alarm Based n the Event Pririty (0-5), Event Reliability (0-10) and the Asset Value (0-5), a Risk Value (0-10) is calculated and fr values equal r greater than 1 Alerts are generated. The Risk is calculated based n the fllwing frmula: Risk = (Pririty * Reliability * Asset) / Plicies and Actins Plicies are defined in rder t define what has t be dne with the events as they reach the OSSIM Server: Crrelatin (i.e. checked against the crrelatin directives) Frwarding (i.e. ne cpy is sent t the frensic strage) Actins (i.e. send an ) Discard - the last filter pssibility befre saving the event in the database, althugh it is recmmended t filter the events as clse t the surce as pssible. Plicies can make decisins n which events are ging t be filtered based n: Surce and Destinatin Assets (Hsts, Netwrks, ANY...) Prts Plugin Grup Time Range Page 7 Cpyright Alienvault 2010

8 1.3 The Cnfiguratin Wrkflw Cllect a Lg Sample First thing t start with is checking which lg messages the applicatin generates and eventually identify sets f lgs having a similar structure. Thse lgs having a similar structure will be where pssible cvered by a single cllectr rule. Create a Plugin File Best is t cpy ne existing file and mdify its cntent t match the new applicatin. Shuld a plugin exist fr a similar applicatin, it is recmmended t cpy such a file, as there is a gd chance that rules have a similar cntent and are gruped in a similar way - a generic HTTP-Prxy lg will always cntain a URL, a generic Firewall lg will cntain a Surce IP Address and Surce Prt as well as a Destinatin IP Address and Destinatin Prt. Sme user defined fields might be defined fr a specific applicatin and the crrelatin at the server level can be simplified if similar applicatins use the same user defined fields. Define a Generic Rule This is the last Rule t evaluate, which catches all the events that cannt be gruped under specific rules. Define Specific Rules The Specific rules are defined fr specific errr cnditins r categries f events. There might als be that ne single rule is used t generate different types r subtypes f events. Discard Nise Events that are cnsidered nise can be discarded by OSSIM by excluding certain event subtypes (Plugin_SIDs) in the plugin file, by the way the regular expressins are defined r by using plicies. Hwever, the best way t discard events is by filtering them n the mnitred device r at syslg level n the hst running the OSSIM Agent. Review the Evaluatin Order The rules are evaluated alphabetically, which means that all it cunts is the name f a rule and nt the psitin in the plug-in file. The Generic Rule might even be n the first psitin if the name is prperly chsen. Having rules alphabetically placed after the Generic Rule will have as effect that the crrespnding lgs will be evaluated as generic events instead f having the prper event type and subtype assigned. Register the Plugin with the OSSIM Agent In rder t have a Plugin activated and sending events t the OSSIM server, the path t the plugin file has t be specified in the Agent cnfiguratin file. Page 8 Cpyright Alienvault 2010

9 Register the Plugin with the OSSIM Server This is required in rder t let the server knw which events shuld be expected and which pririty and reliability values the events shuld get assigned. Activate the Plugin n the Server Side Restart the OSSIM Server prcess. Activate the Plugin n the Agent Side Restart the OSSIM Agent prcess. Testing Using the lgger cmmand sample lgs can be replayed in rder t test the peratin f the OSSIM Agent r Server. Page 9 Cpyright Alienvault 2010

10 2 Cnfiguring Detectr Plugins 2.1 Rsyslg Rsyslg is the Syslg implementatin shipped with OSSIM and allws cnfiguring filtering and frwarding in a really easy way cmpared t the classical syslg daemn. Syslg is als the cmmn methd t send and receive lgs. Befre starting with the plugin cnfiguratin it is recmmended t check whether the subset f lgs the plugin will nrmalize are saved in an individual file and whether nise can be filtered befre reaching the plugin rules Cnfiguratin File /etc/rsyslg.cnf Listener Cnfiguratin $MdLad imudp $UDPServerRun 514 $MdLad imtcp $InputTCPServerRun Filters Frward certain events t a lcal file if $msg cntains 'errr' then /var/lg/errr if $syslgfacility-text == 'lcal0' and $msg startswith 'DEVNAME' and ($msg cntains 'errr1' r $msg cntains 'errr0') then /var/lg/smelg Stp prcessing sme events if $msg cntains 'errr' then ~ Regex in Rsyslg Page 10 Cpyright Alienvault 2010

11 2.2 OSSIM Agent Cnfiguratin Cnfiguratin File /etc/ssim/agent/cnfig.cfg Parameters [daemn] daemn: pid: [event-cnslidatin] [lg] Daemn mde (True r False) Path t the PID file (Prcess identifier) Enables event cnslidatin at agent level. It is recmmended t use plices instead f this feature as cnslidatin at the agent level affects the crrelatin prcess. by_plugin: enable: time: Example: [event-cnslidatin] List f plugins that will be cnslidated Enable r disable (True r False) Wait n secnds t cnslidate the events befre sending them by_plugin= , , enable=false time=10 Cnfigures the verbse level and the path t the different lg files errr: file: stats: [utput-plain] verbse: File in which the errr events will be stred File in which all the agent lgs will be stred File in which the agent stats will be stred (Every 5 minutes) Cnfigures the verbse level (Debug, Inf, Warning, Errr r Critical) Writes in a lg file what is being sent t the OSSIM Server (Useful fr debugging and develping purpses) enable: file: [utput-server] Enable r disable (True r False) File in which the utput-plain will be stred Cnfigures the server t which events are sent enable: ip: prt: Enable r disable sending events t the server (True r False) IP address f the OSSIM Server Listening prt f the OSSIM Server Page 11 Cpyright Alienvault 2010

12 [plugin-defaults] [plugins] [watchdg] Building Cllectr Plugins - Admin Guide In this categry variables can be defined t be used in the plugins cnfiguratin. Example: [plugin-defaults] date_frmat=%y-%m-%d %H:%M:%S interface=eth0 sensr= Defines which plugins (detectrs and mnitrs) are enabled name_f_the_plugin=path_t_the_plugin_cnfig_file Example: [plugins] pstfix=/etc/ssim/agent/plugins/pstfix.cfg ssh=/etc/ssim/agent/plugins/ssh.cfg Mnitr the prcess assciated t each plugin (In case it is running in the same machine) enable: interval: restart_interval: Enable r disable (True r False) Wait X secnds between checks Restart the prcess every X secnds (This has t be enabled in each plugin) Page 12 Cpyright Alienvault 2010

13 2.3 Detectr Plugin Cnfiguratin Cnfiguratin Files /etc/ssim/agent/plugins/*.cfg Cmmn Event Types Cpy and mdify the existing plugin files t create plugins f the fllwing types. a. Lg - Reading frm files Plugin statement: surce=lg b. Database - Reading frm databases Plugin statement: surce=database mssql - Micrsft SQL Plugin statement: surce_type=mssql mysql - MySQL Plugin statement: surce_type=mysql c. SDEE - Cisc device lgs Plugin statement: surce=sdee d. SnrtLg - Snrt lgs Plugin statement: surce=snrtlg e. WMI - Windws Management Instrumentatin Plugin statement: surce=wmi Parameters [DEFAULT] Any variable defined inside this categry will be sent t the OSSIM Server if nt mdified by a plugin rule. User reserved range is between 9000 and plugin_id: Example: plugin_id=4003 Numerical identifier f the plugin within the OSSIM system Page 13 Cpyright Alienvault 2010

14 [cnfig] type: enable: surce: lcatin: create_file: prcess: start: stp: startup: shutdwn: detectr Enable r Disable the plugin (It must be enabled in cnfig.cfg) Surce f the events (lg, mssql, mysql, wmi) The file(s) where the lgs can be fund - can cntain multiple cmma-separated files Create the lg file in case it des nt exist Name f the prcess generating lgs (If n the same system) Start the prcess when the agent starts (yes/n) Stp the prcess when the agent stps (yes/n) Cmmand that starts the prcess Cmmand that stps the prcess exclude_sids=sid List Use this ptin t exclude SIDs Example (hp-eva): prcess=snmptrapd start=yes stp=yes startup=/etc/init.d/snmpd start shutdwn=/etc/init.d/snmpd stp exclude_sids=404,200,403 [translatin] string=value Used t map strings t their crrespnding values Example (Pstfix): [translatin] sent=10 bunced=11 [Rule IDs Specific Rules] Here are the events cllected and nrmalized. event_type=event regexp=regular Expressin plugin_sid=plugin SID Event_Field=Value Example(ssh): [01 - Failed passwrd] event_type=event regexp="(\syslog_date)\s+(?p<sensr>[^\s]*).*?ssh.*?failed passwrd fr inval user (?P<user>\S+)\s+frm\s+.*?(?P<src>\IPV4).*?prt\s+(?P<sprt>\PORT)" plugin_sid=1 date={nrmalize_date($1)} Page 14 Cpyright Alienvault 2010

15 src_ip={$src} dst_ip={reslv($sensr)} src_prt={$sprt} username={$user} [Rule IDs Specific Rules] [Rule ID Generic Rule] Example (ssh): [99 - Generic rule] # Nv 15 11:55: sshd[ ]: ********** event_type=event regexp="(\syslog_date)\s+(?p<sensr>[^\s]*).*?ssh.*" plugin_sid=99 date={nrmalize_date($1)} dst_ip={reslv($sensr)} Nte: As rules are rdered alphabetically the Generic Rule has t have the highest Rule ID Using Lcal (Plugin) Variables The different cnfiguratin variables defined in the plugin cnfiguratin file can be used with the fllwing syntax: %()s Example: prcess=pads shutdwn=killall -9 %(prcess)s Using Glbal (Agent) Variables \_CFG() Example: In the agent cnfiguratin file (/etc/ssim/agent/cnfig.cfg): [watchdg] restart_interval=3600 ; secnds between plugin prcess restart In the plugin cnfiguratin file(/etc/ssim/agent/plugins/*.cfg): restart_interval=\_cfg(watchdg,restart_interval) Page 15 Cpyright Alienvault 2010

16 2.4 Aliases Path /etc/ssim/agent/aliases.cfg Predefined Regular Expressins The predefined regular expressins can be used when creating new plugins. IPV4= \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} MAC= \w{1,2}:\w{1,2}:\w{1,2}:\w{1,2}:\w{1,2}:\w{1,2} PORT= \d{1,5} TIME= \d\d:\d\d:\d\d SYSLOG_DATE= \w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d SYSLOG_WY_DATE= \w+\s+\d{1,2}\s\d{4}\s\d\d:\d\d:\d\d T use an Alias in the regular expressin use the \IPV4, \MAC, \SYSLOG_DATE, etc. 2.5 Functins Path /usr/share/ssim-agent/ssim_agent/parserutil.py Cnversins reslv(hst): reslv_ip(addr): reslv_prt(prt): nrmalize_date(date): translates a hst name t an IPv4 address translates an IPv4 address t a hst name translate a prt name int its number cnvert date strings t isfrmat (must tag the regular expressins with the fllwing: <year>, <mnth>, <minute>, <hur>, <minute>, <secnd> r <timestamp> fr timestamps. T define new date frmats add a new regexp t the DATE_REGEXPS array. nrmalize_prtcl(prt): translates the prtcls t the prtcl numbers, based n the PROTO_TABLE md5sum(datastring): upper(string): hextint(string): calculates the md5 checksum all upper case get the integer value f a hexadecimal number Page 16 Cpyright Alienvault 2010

17 2.5.3 Applicatin Specific Translatins snrt_id(id): adds 1000 t the Snrt ID intrushield_sid(sid,name): all McAfee Intrushield IDs are divisible by 256, and this length desn't fit in the OSSIM table ( mcafee_sid = hextint(mcafee_sid)/256) netscreen_idp_sid(msg): translates the Netscreen messages based n the NETSCREEN_IDP_SID_TRANSLATION_TABLE translatin table (defined in ParserUtil.py) iss_siteprtectr_sid(msg): translates the ISS_SitePrtectr messages based n the ISS_SITEPROTECTOR_SID_TRANSLATION_MAP translatin table (defined in ParserUtil.py) reslv_iface(iface): nrmalize interface name t either ext r int User Defined Translatins translate(string): Example (frm the iptables plugin): # The translatin sectin in the plugin cnfiguratin file [translatin] ACCEPT=1 REJECT=2 DROP=3 DENY=3 Inbund=4 Outbund=5 # Rule ID [0 - iptables] translates strings based n the entries defined in the [translatin] sectin f the plugin. # Lg sample # Oct 31 08:59:25 M kernel: RULE 0 -- ACCEPT IN= OUT=l SRC= DST= LEN=60 # TOS=0x00 PREC=0x00 TTL=64 ID=8437 DF PROTO=TCP SPT=57275 DPT=836 SEQ= # ACK=0 WINDOW=32767 RES=0x00 SYN URGP=0 # Lg Parsing regexp=(\s+\s+\d+\s+\d\d:\d\d:\d\d)\s+(\s*) (\S*):.*?(\S+)\s+IN=(\S*) OUT=(\S*) SRC=(\S+) DST=(\S+) LEN=(\d+) \S+ \S+ TTL=(\d+).*? PROTO=(\S*) SPT=(\d*) DPT=(\d*) # plugin_sid is set t 1, the translated value fr ACCEPT plugin_sid={translate($4)} Page 17 Cpyright Alienvault 2010

18 2.6 Event Fields Mandatry n default values, have always t be set when creating a new plugin plugin_id plugin_sid Event Type Event Subtype Mandatry default values are assigned by the OSSIM Agent Optinal date sensr interface prtcl src_ip src_prt dst_ip dst_prt username passwrd filename The time the event has been cllected frm the device The IP Address f the sensr cllecting the event The interface where the event has been cllected IP Prtcl (see /etc/prtcls) The Surce IP Address The Surce Prt The Destinatin IP Address The Destinatin Prt The User referred in the event The Passwrd referred in the event The Filename referred in the event userdata1 userdata9 User defined fields that culd be used in custm reprts, crrelatin directives, etc. Special types f events and the list f fields that can be used in each event type: Hst-s-event Hst-mac-event Hst-service-event hst hst hst s mac sensr sensr vendr interface interface sensr prt date interface prtcl date service applicatin date Page 18 Cpyright Alienvault 2010

19 2.7 Rules The Rules define the frmat f each event and hw they are nrmalized. It is cmpsed by a regular expressin and the list f fields that the event will include nce it is sent t the OSSIM Server. In sme cases nly ne regular expressin will cllect every event cming frm ne applicatin, in sme ther cases mre than ne rule will be required Evaluatin Order Rules are lading in alphabetical rder based n the name given t each rule (Rule ID). Once the lg matches the regex f ne rule the ssim agent stps prcessing the event, therefre generic rules must be the last t be evaluated Structure Name / Rule ID The name f the rule is mandatry Regular Expressin The regexp field cntains the regular expressin that defines the frmat f the events, and extracts the infrmatin t nrmalize the event. The regular expressin has t be written fllwing Pythn regular expressin syntax: The infrmatin extracted by the regular expressin frm the lg can be accessed by: Psitin: (\d\d):(\d\d):(\d\d) hur={$1} minutes ={$2} secnds={$3} Tags: (?P<hur>\d\d):(?P<minutes>\d\d)(?P<secnds>\d\d) hur={$hur} minutes ={$minutes} secnds={$secnds} Nrmalized Fields As the server must receive nrmalized events, where IP addresses fr instance are using the IPV4 frmat and the date uses the frmat YYYY-MM-DD HH:MM:SS ( :57:00) T simplify the prcess f nrmalizing events functins are defined (mre details n functins can be fund in the Functins sectin f this dcument): reslv() Translates hstnames int IPV4 addresses (DNS queries) Page 19 Cpyright Alienvault 2010

20 nrmalize_date() Building Cllectr Plugins - Admin Guide The nrmalize_date functin translates many date frmats int the frmat accepted by the OSSIM Server. Translatins Used fr instance when the Event ID is nt numeric, but plugin_sid has t be numeric. Translatins have t be defined inside the [translatin] sectin. The actual translatin is triggered by using the translate() functin. Exclusins Sme events can be filtered during the cllectin prcess editing the cnfiguratin file fr each plugin: - Using the ptin exclude_sids - Mdifying the regular expressins t avid matching certain events Page 20 Cpyright Alienvault 2010

21 2.8 Lading Plugins Pririty and Reliability values Fr each Plugin_ID/Plugin_SID pair the Pririty and Reliability values will have t be defined while registering the plugin with the OSSIM Server SQL Statement Similar t cpying an existing plugin file and custmize it in rder t create a new plugin file, an SQL script can be cpied and custmized in rder t insert the new Plugin infrmatin in the database. The sample SQL script can be fund under: /usr/share/dc/ssim-mysql/cntrib/plugins/*.sql Other than with the Plugin cnfiguratin file, the SQL script shuld be created and executed n the OSSIM Server and nt where the OSSIM Agent runs. The fllwing is perfrmed by the SQL script: - Remve the Plugin ID frm the plugin table, shuld such an entry already exist - Remve the Plugin SIDs frm the plugin_sid table, shuld already exist - Insert the new Plugin ID infrmatin int the plugin table - Insert the new Plugin SIDs int the plugin_sid table T run the script use the fllwing cmmand (please duble-check the cntent f the SQL scripts and the cmmand line syntax befre applying the changes t the database): ssim-server:/usr/share/dc/ssim-mysql/cntrib/plugins# ssim-db < ssh.sql Example (/usr/share/dc/ssim-mysql/cntrib/plugins/ssh.sql): -- SSHd -- plugin_id: 4003 DELETE FROM plugin WHERE id = "4003"; DELETE FROM plugin_sid where plugin_id = "4003"; INSERT INTO plugin (id, type, name, descriptin) VALUES (4003, 1, 'sshd', 'SSHd: Secure Shell daemn'); INSERT INTO plugin_sid (plugin_id, sid, categry_id, class_id, name, pririty, reliability) VALUES (4003, 1, NULL, NULL, 'SSHd: Failed passwrd', 3, 2); INSERT INTO plugin_sid (plugin_id, sid, categry_id, class_id, name, pririty, reliability) VALUES (4003, 2, NULL, NULL, 'SSHd: Failed publickey', 2, 2); INSERT INTO plugin_sid (plugin_id, sid, categry_id, class_id, name, pririty,reliability) VALUES (4003, 99, NULL, NULL, 'SSHd: Generic SSH Event', 1, 1); Page 21 Cpyright Alienvault 2010

22 2.9 Plugin Activatin Activate the Plugin n the Server Side Restart the OSSIM Server prcess: ssim-server:~#/etc/init.d/ssim-server restart Activate the Plugin n the Agent Side Restart the OSSIM Agent prcess: ssim-sensr:~#/etc/init.d/ssim-agent restart 3 Lg files Generic Syslg /var/lg/syslg (Unix) /var/adm/messages (Slaris) T identify where the lgs fr specific applicatins r certain lgging levels are saved, check the /etc/syslg.cnf r /etc/rsyslg.cnf files. OSSIM Agent /var/lg/ssim/agent.lg OSSIM Server /var/lg/ssim/server.lg 4 Debugging Nte: D never leave an applicatin running in Debug mde in a prductin envirnment OSSIM Agent ssim-agent vv OSSIM Server ssim-server D6 Page 22 Cpyright Alienvault 2010

23 5 Appendix 5.1 Regular Expressins Operatr c Meaning A nn-special character matches with itself \c Remves the special meaning f the character c; The RE \$ matches with $ ^ Indicates the beginning f the line $ Indicates the end f the line. Any individual character [ ] [^ ] One r any f the characters ; accepts intervals f the type a-z, 0-9, A-Z A char different frm ; Accepts intervals f the type a-z, 0-9, A-Z Regular Expressin Matches with a.b axb aab abb asb a#b... a..b axxb aaab abbb a4$b... [abc] [aa] [aa][bb] a b c (ne character srtings) a A (ne character srtings) ab Ab ab AB (tw character srtings) [ ] [0-9] [A-Za-z] A B C... Z a b c... Z [0-9][0-9][0-9] [0-9]* empty_chain [0-9][0-9]* ^.*$ A full line Page 23 Cpyright Alienvault 2010

24 Operatr Meaning r* 0 r mre ccurrences f the RE r r+ 1 r mre ccurrences f the RE r r? 0 r an ccurrence f the RE r, and n mre r{n} r{,m} r{n,m} r1 r2 n ccurrences f the RE r 0 r at mst m ccurrences f the RE r N r mre ccurrences f the RE r, but at mst m The RE r1 r the RE r2 Regular expressin Matches with [0-9] [0-9]? empty_string (ab)* empty_string ab ababab abababababab ([0-9]+ab)* empty_string 1234ab 9ab9ab9ab ab 99ab99ab... Regular expressin Matches with Equals \d Any decimal character [0-9] \D Any nn decimal character [^0-9] \s Any space character [\t\n\r\f\v] \S Any nn space character [^\t\n\r\f\v] \w Any alphanumeric character and _ [a-za-z0-9_] \W Any nn alphanumeric character [^a-za-z0-9_] \Z End f line Page 24 Cpyright Alienvault 2010

25 5.2 Cnfiguratin Example Scenari In rder t detect user lgns n a Unix system, the last cmmand utput will be used. The last cmmand displays the cntent f the /var/lg/wtmp file, where clsed and pened terminal sessins as well as system restarts are lgged. T just create events n status updates, the last utput will be cllected peridically and cmpared t the similar infrmatin saved with the previus lp. The status updates will be sent by syslg, with the help f the lgger cmmand Write a script t mnitr the last status #!/bin/sh # create the file if des nt exist tuch /var/lg/last.prev while true d # get last entries last > /var/lg/last.new # send new entries t syslg diff /var/lg/last.prev /var/lg/last.new grep '^>' lgger -t LOGON_EXAMPLE -p lcal2.inf # mve.new t.prev mv /var/lg/last.new /var/lg/last.prev sleep 5 dne Lg sample dmz01:~# tail -f/var/lg/messages Jul 1419:21:32 dmz01 LOGON_EXAMPLE: > rt pts/3 lcalhst Wed Jul 1418:49-19:21 (00:31) Jul 1419:23:28 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 lcalhst Wed Jul 1419:23 still lgged in Jul 1419:23:59 dmz01 LOGON_EXAMPLE: > rt pts/4 lcalhst Wed Jul 1419:23 still lgged in Jul 1419:24:09 dmz01 LOGON_EXAMPLE: > rt pts/4 lcalhst Wed Jul 1419:23-19:24 (00:00) Jul 1419:24:09 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 lcalhst Wed Jul 1419:23-19:24 (00:00) Jul 1419:24:09 dmz01 LOGON_EXAMPLE: > rt pts/ Wed Jul 1418:38-19:24 (00:45) Jul 1419:24:54 dmz01 LOGON_EXAMPLE: > rt pts/ Wed Jul 1419:24 still lgged in Jul 1419:26:15 dmz01 LOGON_EXAMPLE: > rt pts/ Wed Jul 1419:24-19:26 (00:01) Jul 1419:26:20 dmz01 LOGON_EXAMPLE: > ssim pts/ Wed Jul 1419:26 still lgged in Jul 1419:26:25 dmz01 LOGON_EXAMPLE: > ssim pts/ Wed Jul 1419:26-19:26 (00:00) Cllect the lgs in a new lg file Add the fllwing t the rsyslg.cnf n the system running the OSSIM Agent: # # LOGON_EXAMPLE # lcal2.inf /var/lg/last_lgn.lg Page 25 Cpyright Alienvault 2010

26 5.2.5 Restart rsyslg pensurcesim:~# /etc/init.d/rsyslgd restart Check whether the new entries are written in the new lg file pensurcesim:/etc/ssim/agent/plugins# tail -f/var/lg/last_lgn.lg Jul 1419:38:49 dmz01 LOGON_EXAMPLE: > rt pts/2 lcalhst Wed Jul 1419:38 still lgged in Jul 1419:38:54 dmz01 LOGON_EXAMPLE: > rt pts/2 lcalhst Wed Jul 1419:38-19:38 (00:00) Jul 1419:38:59 dmz01 LOGON_EXAMPLE: > ssim pts/2 lcalhst Wed Jul 1419:38 still lgged in Jul 1419:40:51 dmz01 LOGON_EXAMPLE: > ssim pts/2 lcalhst Wed Jul 1419:38-19:40 (00:01) Jul 1420:15:09 dmz01 LOGON_EXAMPLE: > rebt system bt Wed Jul 1417:39-20:15 (02:35) Create a plugin file Cpy an existing plugin t build the new ne n the existing structure pensurcesim:/etc/ssim/agent/plugins# cp syslg.cfg example.cfg Set the new plugin specific parameters ;; Building Plugins Example ;; plugin_id: 9001 ;; type: detectr [DEFAULT] plugin_id=9001 [cnfig] type=detectr enable=yes surce=lg # Enable syslg t lg everything t ne file. Add it t lg rtatin als. # ech "*.* /var/lg/all.lg" >> /etc/syslg.cnf; killall -HUP syslgd #lcatin=/var/lg/all.lg lcatin=/var/lg/last_lgn.lg # create lg file if it des nt exists, # therwise stp prcessing this plugin create_file=true prcess= start=n stp=n startup= shutdwn= ## rules [Rule 01 - Cnsle Sessin Open] # Jul 14 20:36:47 dmz01 LOGON_EXAMPLE: > rt tty1 Wed Jul 14 20:36 still lgged in event_type=event regexp="^(?p<lgline>(\s+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?p<hst>[^\s]+)\s+logon_example: >\s+(?p<username>[^\s]+)\s+(?p<tty>tty\d+)\s+(?p<lgged_event>.*still lgged in.*))$" sensr=\_cfg(plugin-defaults,sensr) Page 26 Cpyright Alienvault 2010