I try to analyze logs from snoopy. For example:
Dec 2 07:58:31 local.server snoopy[14165]: [uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh [email protected]
I wrote a decoder:
<decoder name="snoopy-logger">
<program_name>^snoopy</program_name>
</decoder>
and:
<group name="snoopy-test">
<rule id="100040" level="0">
<decoded_as>snoopy-logger</decoded_as>
<description>Ignore Snoopy logger events</description>
</rule>
<rule id="100041" level="15">
<if_sid>100040</if_sid>
<match>ssh root@</match>
<description>snoopy root</description>
</rule>
</group>
And when I tested via logtest, I got:
**Phase 1: Completed pre-decoding.
full event: 'Dec 2 07:58:31 local.server snoopy[14165]: [uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh [email protected]'
hostname: 'local.server'
program_name: 'snoopy'
log: '[uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh [email protected]'
**Phase 2: Completed decoding.
decoder: 'snoopy-logger'
**Phase 3: Completed filtering (rules).
Rule id: '100041'
Level: '15'
Description: 'snoopy root'
**Alert to be generated.
So it works, but in SIEM i got event with src_ip and dst_ip = 0.0.0.0. What I missed? I need src_ip = local.server and dst_ip = remote.server.
Thanks in advance for any suggestions :)
Looks like my answer is a little bit late, but unfortunately the OSSEC rules are only half of the parsing issue in AlienVault.
Once OSSEC parses the event and it has a high enough level to generate an OSSEC alert, it gets written to /var/ossec/logs/alerts/alerts.log where it is then picked up by ossim-agent which is reading the alerts file. ossim-agent is the sensor process that is responsible for reading the raw text logs and then parsing them using regular expressions defined in a plugin (in this case, the ossec-single-line.cfg plugin in /etc/ossim/agent/plugins/).
You will probably need to add an additional rule to your plugin by creating an ossec-single-line.cfg.local file in /etc/ossim/agent/plugins/ to add rules to the original plugin for OSSEC.
More info on creating rules and plugin files can be found in AlienVault's docs here: https://www.alienvault.com/doc-repo/usm/security-intelligence/AlienVault-USM-Plugins-Management-Guide.pdf
Check out the Customizing Plugins section starting on page 35.
Happy Tuning!