Plugin.cfg
Contains the configuration parameters of the plugins and the rules
that an event has to match in order to be collected and normalized.
Plugin.sql
Contains the description of every possible event that can be
collected using the plugin (Plugin_id, Plugin_sid, Name given to the
event, priority and reliability)
source=log
location=/var/log/auth.log
Source of the events (log, mssql, mysql or wmi)
create_file=false
process=sshd
start=no
stop=no
Associated process and start/stop options
startup=/etc/init.d/ssh start
shutdown=/etc/init.d/ssh stop
E.g.: plugin_id=3000
source
- E.g.: location=/var/log/file.log
create_file
- false/true
- Only if the process is running on the same machine as the detector
Rules define the format of each event and how it is normalized.
In some cases a single regular expression will collect every event
coming from one application; in other cases more than one
rule will be required.
Once the log line matches the regexp of one rule, the OSSIM agent
stops processing that event; later rules are not tried.
event_type=event
Fields in red include values that always have to be defined in the plugin.
Fields in green will be filled in by the AlienVault Agent in case they cannot be found
in the original log (don't include that line when creating the plugin).
The regexp field contains the regular expression that defines the format of the events,
and extracts the information to normalize the event.
regexp=(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\S+ (\S+) (\S+) (\S+) (\d+) (\w+) (\S+) \S+ (\d+)
The regular expressions are written using the Python regular expression syntax:
http://docs.python.org/library/re.html
Operator  Meaning
c         A non-special character matches itself
\c        Removes the special meaning of the character c; the RE \$ matches $
^         Matches at the beginning of the line
$         Matches at the end of the line
.         Any single character
[]        Any one of the enclosed characters; accepts intervals of the type a-z, 0-9, A-Z
[^]       Any character not among the enclosed ones; accepts intervals of the type a-z, 0-9, A-Z
Usage Example:
\SYSLOG_DATE\s+\IPV4\s+\IPV4
Position: (\d\d):(\d\d):(\d\d)
- hour={$1}
- minutes ={$2}
- seconds={$3}
Tags: (?P<hour>\d\d):(?P<minutes>\d\d):(?P<seconds>\d\d)
- hour={$hour}
- minutes ={$minutes}
- seconds={$seconds}
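The following is an added example, not code from the slides or from the AlienVault agent. It shows how a rule's regexp and its field templates work together: one rule uses positional groups referenced as {$1}, {$2}, ... and another uses tagged (named) groups referenced as {$hour}, {$minutes}, ..., and the rules are tried in order with processing stopping at the first match, as described above. The rule names, field names, sample log lines and the use of re.search are assumptions made for this example.

```python
import re

# Constructed sample rules in the style of a plugin.cfg [rule] section.
# Rule names, field names and the "{$n}" / "{$name}" templates are
# assumptions for this example; the agent's real config keys may differ.
RULES = [
    {
        "name": "sshd-accepted",
        # positional groups, referenced as {$1}, {$2}, ...
        "regexp": r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)",
        "fields": {
            "userdata1": "{$1}",
            "username": "{$2}",
            "src_ip": "{$3}",
            "src_port": "{$4}",
        },
    },
    {
        "name": "time-tags",
        # named groups (tags), referenced as {$hour}, {$minutes}, ...
        "regexp": r"(?P<hour>\d\d):(?P<minutes>\d\d):(?P<seconds>\d\d)",
        "fields": {"hour": "{$hour}", "minutes": "{$minutes}", "seconds": "{$seconds}"},
    },
]

# Constructed sshd-style log lines (not real captured data).
SAMPLE_LINES = [
    "Jan 15 10:22:33 host sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 15 10:22:34 host sshd[1235]: Failed password for bob from 10.0.0.6 port 40000 ssh2",
    "Jan 15 10:22:35 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

PLACEHOLDER = re.compile(r"\{\$(\w+)\}")


def expand(template, match):
    """Replace {$1}-style and {$name}-style placeholders with captured text."""
    def sub(m):
        key = m.group(1)
        return match.group(int(key)) if key.isdigit() else match.group(key)
    return PLACEHOLDER.sub(sub, template)


def normalize(line, rules=RULES):
    """Return (rule name, fields) for the first rule whose regexp matches.

    Rules are tried in order and the search stops at the first match, so the
    more specific rule must come before the generic one.  Using re.search
    (unanchored) is an assumption of this example.
    """
    for rule in rules:
        m = re.search(rule["regexp"], line)
        if m:
            return rule["name"], {k: expand(v, m) for k, v in rule["fields"].items()}
    return None, {}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
```

The "Failed password" line does not match the first rule, so it falls through to the generic time rule; a line matching neither yields no event. Ordering therefore matters: placing the generic rule first would swallow every line with a timestamp.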
resolv()
normalize_date()
The normalize_date function translates many date formats into the format
accepted by the SIEM or Logger:
- YYYY-MM-DD hh:mm:ss
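As an added illustration of what a normalize_date function has to do (this is example code, not the agent's own implementation), the function below accepts a handful of common log timestamp styles and emits the YYYY-MM-DD hh:mm:ss form. The list of input formats and the handling of year-less syslog timestamps are assumptions for this example; the real function's supported formats may differ.

```python
import re
from datetime import datetime

# Input formats this example understands (constructed list, not the agent's).
FORMATS = [
    "%Y-%m-%d %H:%M:%S",    # already in the target form
    "%Y-%m-%dT%H:%M:%SZ",   # ISO 8601 with a literal Z
    "%Y-%m-%dT%H:%M:%S",    # ISO 8601 without zone
    "%d/%b/%Y:%H:%M:%S",    # Apache/nginx access log, after the zone is removed
    "%Y/%m/%d %H:%M:%S",
    "%m/%d/%Y %H:%M:%S",
]

# Syslog timestamps ("Jan 15 10:22:33") carry no year; we prepend one.
SYSLOG_FORMAT = "%Y %b %d %H:%M:%S"

TARGET = "%Y-%m-%d %H:%M:%S"


def normalize_date(value, assume_year=None):
    """Return the timestamp as 'YYYY-MM-DD hh:mm:ss', or None if unparseable.

    A trailing numeric offset such as ' +0000' is discarded rather than
    converted; assume_year supplies the year for year-less syslog stamps
    (defaults to the current year, an assumption of this example).
    """
    value = re.sub(r"\s*[+-]\d{4}$", "", value.strip())
    for fmt in FORMATS:
        try:
            return datetime.strptime(value, fmt).strftime(TARGET)
        except ValueError:
            continue
    year = assume_year or datetime.now().year
    try:
        # Parsing with an explicit year keeps Feb 29 valid in leap years.
        return datetime.strptime(f"{year} {value}", SYSLOG_FORMAT).strftime(TARGET)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ["15/Jan/2024:10:22:33 +0000", "Jan 15 10:22:33", "2024-01-15T10:22:33Z"]:
        print(sample, "->", normalize_date(sample, assume_year=2024))
```

Month names are parsed with %b, which depends on the process locale, so a collector running under a non-English locale would need the C locale or an explicit month table. Dropping the zone offset is the simplest behaviour; if the SIEM expects UTC, the offset should instead be applied before formatting.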