1

I try to analyze logs from snoopy. For example:

Dec  2 07:58:31 local.server snoopy[14165]: [uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh root@remote.server

I wrote a decoder:

<decoder name="snoopy-logger">
  <program_name>^snoopy</program_name>
</decoder>

and:

<group name="snoopy-test">
    <rule id="100040" level="0">
      <decoded_as>snoopy-logger</decoded_as>
      <description>Ignore Snoopy logger events</description>
    </rule>
    <rule id="100041" level="15">
      <if_sid>100040</if_sid>
      <match>ssh root@</match>
      <description>snoopy root</description>
    </rule>
  </group>

And when I tested via logtest, I got:

**Phase 1: Completed pre-decoding.
       full event: 'Dec  2 07:58:31 local.server snoopy[14165]: [uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh root@remote.server'
       hostname: 'local.server'
       program_name: 'snoopy'
       log: '[uid:1660 sid:14056 tty:/dev/pts/1 cwd:/home/myuser filename:/usr/bin/ssh]: ssh root@remote.server'

**Phase 2: Completed decoding.
       decoder: 'snoopy-logger'

**Phase 3: Completed filtering (rules).
       Rule id: '100041'
       Level: '15'
       Description: 'snoopy root'
**Alert to be generated.

So it works, but in SIEM i got event with src_ip and dst_ip = 0.0.0.0. What I missed? I need src_ip = local.server and dst_ip = remote.server.

Thanks in advance for any suggestions :)

fok
  • 11
  • 3

1 Answers1

1

Looks like my answer is a little bit late, but unfortunately the OSSEC rules are only half of the parsing issue in AlienVault.

Once OSSEC parses the event and it has a high enough level to generate an OSSEC alert, it gets written to /var/ossec/logs/alerts/alerts.log where it is then picked up by ossim-agent which is reading the alerts file. ossim-agent is the sensor process that is responsible for reading the raw text logs and then parsing them using regular expressions defined in a plugin (in this case, the ossec-single-line.cfg plugin in /etc/ossim/agent/plugins/).

You will probably need to add an additional rule to your plugin by creating an ossec-single-line.cfg.local file in /etc/ossim/agent/plugins/ to add rules to the original plugin for OSSEC.

More info on creating rules and plugin files can be found in AlienVault's docs here: https://www.alienvault.com/doc-repo/usm/security-intelligence/AlienVault-USM-Plugins-Management-Guide.pdf

Check out the Customizing Plugins section starting on page 35.

Happy Tuning!

Daniel Giebink
  • 21
  • 4