logs from snoopy in AlienVault/Ossim

770 views Asked by At

I try to analyze logs from snoopy. For example:

Dec  2 07:58:31 local.server snoopy[14165]: [uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh [email protected]

I wrote a decoder:

<decoder name="snoopy-logger">
  <program_name>^snoopy</program_name>
</decoder>

and:

<group name="snoopy-test">
    <rule id="100040" level="0">
      <decoded_as>snoopy-logger</decoded_as>
      <description>Ignore Snoopy logger events</description>
    </rule>
    <rule id="100041" level="15">
      <if_sid>100040</if_sid>
      <match>ssh root@</match>
      <description>snoopy root</description>
    </rule>
  </group>

And when I tested via logtest, I got:

**Phase 1: Completed pre-decoding.
       full event: 'Dec  2 07:58:31 local.server snoopy[14165]: [uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh [email protected]'
       hostname: 'local.server'
       program_name: 'snoopy'
       log: '[uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh [email protected]'

**Phase 2: Completed decoding.
       decoder: 'snoopy-logger'

**Phase 3: Completed filtering (rules).
       Rule id: '100041'
       Level: '15'
       Description: 'snoopy root'
**Alert to be generated.

So it works, but in SIEM i got event with src_ip and dst_ip = 0.0.0.0. What I missed? I need src_ip = local.server and dst_ip = remote.server.

Thanks in advance for any suggestions :)

1

There are 1 answers

0
Daniel Giebink On

Looks like my answer is a little bit late, but unfortunately the OSSEC rules are only half of the parsing issue in AlienVault.

Once OSSEC parses the event and it has a high enough level to generate an OSSEC alert, it gets written to /var/ossec/logs/alerts/alerts.log where it is then picked up by ossim-agent which is reading the alerts file. ossim-agent is the sensor process that is responsible for reading the raw text logs and then parsing them using regular expressions defined in a plugin (in this case, the ossec-single-line.cfg plugin in /etc/ossim/agent/plugins/).

You will probably need to add an additional rule to your plugin by creating an ossec-single-line.cfg.local file in /etc/ossim/agent/plugins/ to add rules to the original plugin for OSSEC.

More info on creating rules and plugin files can be found in AlienVault's docs here: https://www.alienvault.com/doc-repo/usm/security-intelligence/AlienVault-USM-Plugins-Management-Guide.pdf

Check out the Customizing Plugins section starting on page 35.

Happy Tuning!