Developing ossim custom plugins

So, let's look at developing custom plugins. Why do we write custom plugins? Essentially to parse logs that don't conform to a standard the built-in plugins understand, in order to generate events. Before you start writing any plugin, make sure you have considered the following to reduce noise on your SIEM:

Manage the log level settings at the application and managed device level
Fix the problem that is generating events
Use Pcap filters to ignore certain hosts or networks (Snort, Tcpdump…)
In deployments with a large volume of analyzed data, filter at the application level whenever possible

Ok, let’s start. First, let’s create a new configuration file called custom.cfg:

#touch /etc/ossim/agent/plugins/custom.cfg
Next, insert the following code inside it.

[DEFAULT]
plugin_id=600001
[config]
type=detector
enable=yes
process=
start=no
stop=no
startup=
shutdown=
source=log
location=/var/log/t24.log
create_file=false

To explain this briefly: plugin_id is the numerical identifier of the plugin within the OSSIM server. Type is straightforward. Enable means just that, enable the plugin. Location identifies the source log file. Start and stop control whether the agent starts and stops the monitored process when it starts and stops itself. Lastly, create_file is false because the log file already exists. Speaking of which, let's create our log file (the one named in location=) like so.

#touch /var/log/t24.log

Now, for the fun part. I will use a "WebSphere" log for this demo, specifically a write-error log, and write the regex for it.

Log:
"R09.1.91658 - 561268 - (VALIDATE.SIGN.ON,839) - Fri Oct 25 12:20:20 - F.LOCKING - F_LOCKING - ** Error ** writeRecordAsXML: Unable to write key JEBA1*LAST.DATA record JEBAJEBAKUINT1ALL120140131M06312013081620991231123599999ALLALL.PGA 2 B C D E F H I L P R S V YYYYDDMM20131023134337M-CM-^DM-CM-^JM-CM-^RM-CM-.M-CM-^HM-CM-0M-CM-/M-CM-(M-CM-""20130816YNDOPRINTERNDOPRINTERCOMMAND.LINE18328_INPUTTER13081611318328_INPUTTERKE00100011"

Regex:
\w\d+\.\d+\.\d+\s-\s\d+\s-\s\((VALIDATE\.SIGN\.ON,\d+)\)\s-\s(.*)\s-\s(F.LOCKING)\s-\sF_LOCKING\s-\s\S+\s\w+\s\S+\s(writeRecordAsXML: Unable to write key\s.*\srecord)

Good. I have verified that my regex matches my log; however, you can also verify that it will trigger an event from this log using regexp.py. Next, open your configuration file and add the following to it.
. . .
[Write ERROR - Validate]
event_type=event
#"R09.1.91658 - 561268 - (VALIDATE.SIGN.ON,839) - Fri Oct 25 12:20:20 - F.LOCKING - F_LOCKING - ** Error ** writeRecordAsXML: Unable to write key JEBA1*LAST.DATA record JEBAJEBAKUINT1ALL120140131M06312013081620991231123599999ALLALL.PGA 2 B C D E F H I L P R S V YYYYDDMM20131023134337M-CM-^DM-CM-^JM-CM-^RM-CM-.M-CM-^HM-CM-0M-CM-/M-CM-(M-CM-""20130816YNDOPRINTERNDOPRINTERCOMMAND.LINE18328_INPUTTER13081611318328_INPUTTERKE00100011"
plugin_sid=18
regexp=\w\d+\.\d+\.\d+\s-\s\d+\s-\s\((VALIDATE\.SIGN\.ON,\d+)\)\s-\s(.*)\s-\s(F.LOCKING)\s-\sF_LOCKING\s-\s\S+\s\w+\s\S+\s(writeRecordAsXML: Unable to write key\s.*\srecord)
userdata1={$1}
date={normalized_date($2)}
userdata2={$3}
userdata3={$4}
. . .
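To see what the agent will actually extract from this rule before loading it, here is an added example (my code, not the post's or OSSIM's own) that parses the rule section with configparser, runs re.search the way the agent does, and expands the {$N} and {normalized_date($N)} fields into an event. normalized_date is emulated only for the "Fri Oct 25 12:20:20" form and takes a year argument because the record carries none; 2013 is assumed from the dates embedded in the record.

```python
import configparser
import re
from datetime import datetime

# Constructed copy of the [Write ERROR - Validate] rule from custom.cfg above
# (plain hyphens and straight quotes, which is what the agent must see).
RULE_CFG = r"""
[Write ERROR - Validate]
event_type=event
plugin_sid=18
regexp=\w\d+\.\d+\.\d+\s-\s\d+\s-\s\((VALIDATE\.SIGN\.ON,\d+)\)\s-\s(.*)\s-\s(F.LOCKING)\s-\sF_LOCKING\s-\s\S+\s\w+\s\S+\s(writeRecordAsXML: Unable to write key\s.*\srecord)
userdata1={$1}
date={normalized_date($2)}
userdata2={$3}
userdata3={$4}
"""
# Constructed sample input: the T24 write-error record quoted in the post.
SAMPLE_LOG = ('R09.1.91658 - 561268 - (VALIDATE.SIGN.ON,839) - Fri Oct 25 12:20:20 - F.LOCKING'
              ' - F_LOCKING - ** Error ** writeRecordAsXML: Unable to write key JEBA1*LAST.DATA'
              ' record JEBAJEBAKUINT1ALL120140131M06312013081620991231123599999ALLALL.PGA 2 B C'
              ' D E F H I L P R S V YYYYDDMM20131023134337M-CM-^DM-CM-^JM-CM-^RM-CM-.M-CM-^HM-CM-0'
              'M-CM-/M-CM-(M-CM-""20130816YNDOPRINTERNDOPRINTERCOMMAND.LINE18328_INPUTTER'
              '13081611318328_INPUTTERKE00100011')
# Field templates the agent expands: {$N} and {normalized_date($N)}.
FIELD_REF = re.compile(r"\{(?:normalized_date\(\$(\d+)\)|\$(\d+))\}")

def normalized_date(value, year=None):
    # Emulates normalized_date() for the 'Fri Oct 25 12:20:20' form; the record
    # carries no year, so the caller supplies one (default: current year).
    year = year or datetime.now().year
    dt = datetime.strptime("%s %d" % (value, year), "%a %b %d %H:%M:%S %Y")
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def apply_rule(cfg_text, line, year=None):
    # Match the rule's regexp against one line (re.search, as the agent does)
    # and fill each {$N}/{normalized_date($N)} field; None if no match.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    rule = cp[cp.sections()[0]]
    m = re.search(rule["regexp"], line)
    if m is None:
        return None
    event = {"plugin_sid": int(rule["plugin_sid"])}
    for key, template in rule.items():
        ref = FIELD_REF.fullmatch(template)
        if ref is None:
            continue  # plain setting (event_type, regexp, ...), not a field
        n = int(ref.group(1) or ref.group(2))
        event[key] = normalized_date(m.group(n), year) if ref.group(1) else m.group(n)
    return event
```

Running apply_rule(RULE_CFG, SAMPLE_LOG, year=2013) shows userdata1 holding the VALIDATE.SIGN.ON reference and userdata3 the write-error text, which is the quickest way to spot a capture group that grabbed more than intended before the rule goes live.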
Next, let's load our plugin. For each plugin_id/plugin_sid pair, priority and reliability values have to be defined when the plugin is registered in the OSSIM server. For this you can copy an existing SQL script and customize it to insert the new plugin information into the database. So first, let's create an SQL file.

#touch custom.sql

Our SQL script will do two things: insert the new plugin ID into the plugin table, and insert the new plugin SIDs into the plugin_sid table. So let's put the following into the SQL file:

-- plugin table: type 1 = detector; verify the column names against your OSSIM version's schema
INSERT INTO plugin (id, type, name, description)
VALUES (600001, 1, 'custom', 'Custom T24 write-error plugin');
-- plugin_sid table: one row per event type, with its priority and reliability
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability)
VALUES (600001, 18, NULL, NULL, 'Write ERROR - Validate', 3, 2);

Then to insert our plugin, run the following command:

#ossim-db < custom.sql

Once this is done, register the plugin with the OSSIM agent by going to the setup utility and changing the sensor settings. You can verify that it exists under Data Sources in the main GUI. Another way to register it is to add your plugin to the agent configuration file, /etc/ossim/agent/config.cfg.

Restart the OSSIM Server:

#/etc/init.d/ossim-server restart

Restart the OSSIM agent:

#/etc/init.d/ossim-agent restart

You can now replay your logs and check for events.

That’s it!

–R

26 Aug 2016