
ACSE

AlienVault Certified Security Engineer

Thursday, May 3, 12

About this document

ACSE (AlienVault Certified Security Engineer)

Author: AlienVault Training Team (trainers@alienvault.com)

Document Version 1.0

Last revision: 01/2012

Product version used: 3.1

Copyright © Alienvault 2012 All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.

Any trademarks referenced herein are the property of their respective holders


Contents

• Installation
• Logger
• Updates
• IDM
• CLI
• HIDS
• Event Collection
• Secure Connection
• Data Sources
• Snort
• Policies & Actions
• Dimensioning and Deployment
• Logical Correlation Directives


Bubba

Throughout the document Bubba will give you useful hints and links for further documentation


We come in peace and security!


AlienVault Installation

Getting up to speed

Products

AlienVault Installations

• Appliances
  - Sensors (X1000, X2000, X3000, X4000)
  - Loggers (L1000, L2000, L3000)
  - SIEM (S1000, S2000, S3000)
• Software
  - analogous to the Appliance range, installable on custom hardware
  - for custom restrictions, special-purpose environments, etc.
• Preferred: AlienVault Appliances
  - optimum performance and compatibility

Installation Guide

• Find the Installation Guide here: http://www.alienvault.com/docs/Installation_Guide.pdf

Hardware recommendations

For a production system:

 

• At least 4 GB RAM
• 64-bit processor
• Dual-core processor
• Depending on the amount of traffic being monitored and the amount of data captured, RAM has to be increased; always avoid swap usage.
• If we don't have the appropriate hardware: "Divide et vinces" (split the roles across several machines)

Network hardware

• Requires Intel E1000 cards for capturing
  - performance
  - performance
  - performance
• The administration interface can be any card with no known problems

Best practice

• Always use the latest installation image
• If you need performance you cannot use just any hardware
• Disable unused data sources
• For the time of installation and customization, stick to English for faster support
• Don't use sniffers (ntop, snort, p0f) on interfaces without a tap or port mirror

Performance is crucial when sniffing is involved. Get rid of unneeded CPU hoggers!

Best practice: VmWare

• VMware installations are popular, but observe the minimums:
  - memory: 8 GB
  - CPUs: 4
• Make sure all resources are reserved exclusively for the AlienVault guest system

Best practice: Partitioning

• SIEM only
  - use 50-100 GB of disk space for /var/lib/mysql
  - use the maximum available remaining space for /var
  - REASON: /var/lib/mysql keeps all the configuration
• Logger only
  - use at least twice the space required per log interval for /var
  - 50 GB expected logs/day => /var => 100 GB
  - use the remaining space for /var/ossim/logs
  - REASON: if /var runs out of space, /var/ossim/logs remains intact

Best practice: Partitioning

• Use a small amount of space for the operating system
  - 50-100 GB are absolutely sufficient
• Be sure to configure enough swap space
  - golden rule: 2x the amount of RAM
  - additional swap can be added later as a swap file
• The storage killer: /var
  - use at least 80% of the disk for this partition
  - depending on the usage you may sub-partition /var further

Best practice: Partitioning

• Sensor only
  - 50-100 GB for /
  - 2x physical memory (RAM) for swap
  - remaining space: /var

Example: SIEM - S1000

  partition   path             filesystem   size
  #1          /boot            ext2         2 GB
  #2          /                ext3         100 GB
  #3          swap             swap         16 GB
  #4          /var             ext3         834 GB
  #5          /var/lib/mysql   ext3         100 GB
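As an added worked example (not part of the course material), the sizing rules from the partitioning slides turned into a small planner. It encodes the 2 GB /boot, 100 GB root, 2x RAM swap and 100 GB /var/lib/mysql choices from the S1000 table above; those constants, the function names and the 80% check are assumptions of this example, not AlienVault tooling.

```python
"""Partition planner built from the sizing rules on the partitioning slides.

Added example, not AlienVault code. Assumptions: /boot 2 GB and / 100 GB as in
the S1000 table, swap = 2 x RAM, SIEM gets a 100 GB /var/lib/mysql, Logger
sizes /var at twice its daily log volume and hands the rest to /var/ossim/logs,
Sensor hands everything left to /var. Sizes are whole gigabytes.
"""

BOOT_GB = 2
ROOT_GB = 100    # upper end of the recommended 50-100 GB for the OS
MYSQL_GB = 100   # SIEM only: upper end of the recommended 50-100 GB


def plan_partitions(profile, disk_gb, ram_gb, logs_per_day_gb=0):
    """Return an ordered list of (mountpoint, size_gb) for one appliance role."""
    swap_gb = 2 * ram_gb
    layout = [("/boot", BOOT_GB), ("/", ROOT_GB), ("swap", swap_gb)]
    remaining = disk_gb - BOOT_GB - ROOT_GB - swap_gb
    if remaining <= 0:
        raise ValueError("disk too small for /boot, / and swap")
    if profile == "siem":
        # /var/lib/mysql keeps the configuration; /var takes everything else
        layout.append(("/var", remaining - MYSQL_GB))
        layout.append(("/var/lib/mysql", MYSQL_GB))
    elif profile == "logger":
        # /var = 2 x daily logs, so a full /var cannot touch /var/ossim/logs
        var_gb = 2 * logs_per_day_gb
        if var_gb <= 0 or var_gb >= remaining:
            raise ValueError("logger needs 0 < 2 x daily logs < remaining space")
        layout.append(("/var", var_gb))
        layout.append(("/var/ossim/logs", remaining - var_gb))
    elif profile == "sensor":
        layout.append(("/var", remaining))
    else:
        raise ValueError("unknown profile: %s" % profile)
    if any(size <= 0 for _, size in layout):
        raise ValueError("layout leaves a partition with no space")
    return layout


def var_share(layout):
    """Fraction of the disk under the /var tree (incl. its sub-partitions)."""
    total = sum(size for _, size in layout)
    in_var = sum(size for mp, size in layout
                 if mp == "/var" or mp.startswith("/var/"))
    return in_var / total


def meets_storage_rule(layout, minimum=0.80):
    """True when /var gets at least the 80 % the slides call for."""
    return var_share(layout) >= minimum


if __name__ == "__main__":
    # the S1000 from the slide: 1052 GB of disk in total, 8 GB of RAM
    s1000 = plan_partitions("siem", 1052, 8)
    for mountpoint, size in s1000:
        print("%-16s %5d GB" % (mountpoint, size))
    print("80%% rule met: %s" % meets_storage_rule(s1000))
```

Feeding the S1000 numbers back in reproduces the table above (834 GB /var); a small Sensor disk such as 500 GB with 8 GB RAM fails the 80% check, which is the case where the slides' advice to shrink / or split roles applies.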

Installation profiles

• Selecting the server role
  - Sensor
  - Server (includes SIEM & Logger)
  - Database
  - Framework
• The role can be changed during installation or at any time after installation

Profile: Sensor

• Enables Sensor functionality
  - needs access to all the networks being monitored
• Receives all the network traffic via
  - port span (needs to be configured separately on the switch)
  - tap device
  - hub

Profile: Sensor

• Out-of-the-box enabled data sources
  - Snort (Network Intrusion Detection System)
  - Ntop (Network and usage monitor)
  - OpenVAS (Vulnerability scanning)
  - P0f (Passive operating system detection)
  - Pads (Passive Asset Detection System)
  - Arpwatch (Ethernet/IP address pairing monitor)
  - OSSEC (Host Intrusion Detection System)
  - Nagios (Availability monitoring)
  - OCS (Inventory)

Profile: Server

• Combines SIEM functionality
  - correlation
  - risk assessment
  - etc.
• with Logger functionality
  - forensic long-term storage
  - digitally signed
• The Server installation profile also comes with a Sensor with limited functionality to monitor the Server itself

Profile: Database

• Enables a MySQL server for use by the Server components
• Is required in most installations
• SIEM only
  - event and alarm storage
  - metadata
  - framework
• Logger
  - configuration
  - metadata
  - framework

Profile: Framework

• Enables the Web front-end for the server
• Is installed on most appliances
• Low overhead
• Useful in emergency situations
  - power outage on the central console
  - connection to the central console lost
  - usage as a per-department or per-location console

Profile: All-In-One

• Enables all AlienVault components on a single appliance
  - Server (SIEM + Logger)
  - Database (configuration and event storage + correlation)
  - Sensor
  - Framework (Web interface)
• Useful for:
  - testing
  - evaluation
  - small deployments
• Activated on every automated install

Installation methods

Automated installation
  1. Boot the installation system
  2. Configure networking
  3. Create and mount the partitions on which AlienVault will be installed
  4. Watch the automatic download/install/setup/update of the base system
  5. Set up users and passwords
  6. Load the newly installed system for the first time

Custom installation
  1. Boot the installation system
  2. Select the installation language
  3. Configure keyboard
  4. Configure location
  5. Select the AlienVault profiles for this installation
  6. Configure networking
  7. Create and mount the partitions on which AlienVault will be installed
  8. Enter the professional license
  9. Watch the automatic download/install/setup/update of the base system
  10. Set up users and passwords

Installation checklist

• Rack space
• Power
• Network configuration
  - port mirroring
  - IP addresses
• Professional key
• Internet access (required when installing the professional version)
• Role of the device to install

INSTALL


Installation: Next steps

• Point your web browser to https://siem_ip/
  - username/password = admin
• Use ssh to log in to the appliance
  - same password as in the installation dialog

Be sure to note down the root password you enter in the installation process, and change the default admin password of the web interface at first login.

Hands-On: Installation

• Fill in the following tables with the partitioning data for the given profiles

Logger, 4 TB of overall disk capacity

  Mountpoint   Capacity   Comment
  __________   ________   _______________

Logger, 8 TB of disk capacity

  Mountpoint   Capacity   Comment
  __________   ________   _______________

SIEM, 4 TB of disk capacity

  Mountpoint   Capacity   Comment
  __________   ________   _______________

Hands-On: Installation

• Given the following SIEM design, which profiles need to be installed on which machines? (design diagram not reproduced)

SIEM & Console - Profiles:
______________________________________
______________________________________
______________________________________

Sensor - Profiles:
______________________________________
______________________________________

Logger - Profiles:
______________________________________
______________________________________
______________________________________

AlienVault Updates

Keeping your system up to date


AlienVault: Update channels

• AlienVault uses the Advanced Packaging Tool (apt) for software maintenance
  - reliable
  - tested
• Every AlienVault Appliance is configured to retrieve updates from
  - Base system: Debian repositories
  - AlienVault software: AlienVault repositories
    - binary and package updates: /etc/apt/sources.list.d/alienvault-pro.list
    - AlienVault professional feed: /etc/apt/sources.list.d/alienvault-etpro-pro.list

Get more info on how APT works here: http://en.wikipedia.org/wiki/Advanced_Packaging_Tool

Updating Process

• Important files (they should never be modified by hand)
  - /etc/apt/sources.list: contains the different software repositories
  - /etc/apt/preferences: contains the priority configuration (pinning) between the different repositories
• The update system in AlienVault:
  - updates the AlienVault components as well as the Debian base system
  - allows the AlienVault development team to hold back packages that must not be upgraded (unstable versions, software causing trouble for other users)

Update AlienVault

• The Web interface and the management console notify you when new versions of the AlienVault components are available
• If the update procedure requires any manual change, it will be explained in the update notification
• To update the whole system, use the following command:
  # alienvault-update
• Debugging: alienvault-update -v

Update AlienVault

• During the update process:
  - when prompted, always select installing the latest configuration files available
• Once the system has been updated, if something is not working run:
  # alienvault-reconfig
• Snort rules, OpenVAS scripts, directives and plugins are updated automatically through software packages

Update AlienVault

• In case new Snort or OpenVAS rules are added manually, you will need to run the following scripts to update the information in the database
  - Snort:
    # perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules
  - OpenVAS:
    # perl /usr/share/ossim/scripts/update_nessus_ids.pl
• Then restart the AlienVault Server
  # /etc/init.d/ossim-server restart

Package Management

• Following apt's principle, several tools are available to install packages and monitor installed software
  - apt-cache
    - search for packages (apt-cache search <packagename>)
    - show package requirements, versions etc. (apt-cache show <packagename>)
  - apt-get
    - install individual packages (apt-get install <packagename>)
  - dpkg
    - show installed packages (dpkg -l)

The Debian APT howto: http://www.debian.org/doc/manuals/apt-howto/

Hands-On: Updates

• Update the system
• Review the software sources in /etc/apt/sources.list.d
• Which versions of the following software are installed?
  - ossim-server ___________________________
  - ossim-agent ___________________________
  - mysql-server-core ___________________________
  - ossim-framework ___________________________
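A scripted way to answer the version question above, added here as an example (it is not an AlienVault script). It parses the dpkg status file format that dpkg -l reads from and also reports packages on hold, which is the mechanism behind "preventing packages from being upgraded" two slides earlier. The sample stanzas and every version string in them are constructed for the example, and the prefix match for mysql-server-core is an assumption, since the real package name carries a version suffix.

```python
"""Read installed versions and hold flags from a dpkg status file.

Added example, not an AlienVault script. The stanza layout (records separated by
blank lines, one 'Field: value' per line, continuation lines indented) is the
real /var/lib/dpkg/status format; the sample below and its version strings are
constructed for this example.
"""

SAMPLE_STATUS = """\
Package: ossim-server
Status: install ok installed
Version: 3.1.0-1
Description: AlienVault server
 correlation engine

Package: ossim-agent
Status: hold ok installed
Version: 3.1.0-2

Package: mysql-server-core-5.1
Status: install ok installed
Version: 5.1.49-3

Package: ossim-framework
Status: deinstall ok config-files
Version: 3.0.4-1
"""


def parse_dpkg_status(text):
    """Return {package_name: {field: value}} for every stanza in the file."""
    packages, current = {}, {}
    for line in text.splitlines():
        if not line.strip():                # blank line ends a stanza
            if current:
                packages[current["Package"]] = current
                current = {}
        elif line[0] in " \t":              # continuation of the previous field
            continue
        else:
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    if current:                             # file without a trailing blank line
        packages[current["Package"]] = current
    return packages


def installed_version(packages, name):
    """Version string when the package is really installed, else None
    (a stanza with 'config-files' is a removed package whose config remains)."""
    info = packages.get(name)
    if info is None:
        return None
    status = info.get("Status", "").split()
    if len(status) != 3 or status[2] != "installed":
        return None
    return info.get("Version")


def held_packages(packages):
    """Packages whose desired state is 'hold': apt leaves them at this version,
    which is how a troublesome update is kept off a system."""
    return sorted(name for name, info in packages.items()
                  if info.get("Status", "").startswith("hold "))


def versions_for(packages, names):
    """Answer the hands-on question for several packages at once. A requested
    name matches exactly or as a prefix, so 'mysql-server-core' finds
    'mysql-server-core-5.1' (assumption: one match per prefix)."""
    result = {}
    for name in names:
        candidates = sorted(p for p in packages
                            if p == name or p.startswith(name + "-"))
        result[name] = installed_version(packages, candidates[0]) if candidates else None
    return result


if __name__ == "__main__":
    pkgs = parse_dpkg_status(SAMPLE_STATUS)
    wanted = ["ossim-server", "ossim-agent", "mysql-server-core", "ossim-framework"]
    for name, version in versions_for(pkgs, wanted).items():
        print("%-20s %s" % (name, version or "not installed"))
    print("on hold:", ", ".join(held_packages(pkgs)) or "none")
```

On an appliance, replace SAMPLE_STATUS with the contents of /var/lib/dpkg/status; a package that shows up only with config-files is reported as not installed, which is the state a half-finished alienvault-update leaves behind.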

AlienVault CLI

power to the user

AlienVault: Base System

• AlienVault Appliances are built around 64-bit Debian 5 Linux
  - open
  - reliable
  - secure
  - innovative
• AlienVault uses many packages from Debian
  - where possible
• AlienVault repositories
  - for AlienVault software packages
  - customized Debian packages

AlienVault: Filesystem

• The current standard installation is based on the ext3 filesystem
  - recommended filesystem for use with the AlienVault software
  - journaled
  - stable

AlienVault: system access

• Get access to the platform
  - SSH access as superuser "root"
    - use the password supplied by AlienVault or the one set during the installation process
  - HTTPS access as administrative user "admin"
    - default password is 'admin'; change it at first login
    - can be switched to plain HTTP (not recommended: credentials and session cookies would then travel in clear text)

Configuration Files

• AlienVault
  - OSSIM Server: /etc/ossim/server/config.xml
  - OSSIM Agent: /etc/ossim/agent/config.cfg
  - Frameworkd: /etc/ossim/framework/ossim.conf
• Snort
  - /etc/snort/snort.ethN.conf
• OpenVAS
  - /etc/openvas/openvasd.conf
• Nagios
  - /etc/nagios3/
• Database
  - /etc/mysql/my.cnf

Configuration Files

• System startup
  - /etc/rc*
• Logrotate
  - /etc/logrotate.d
• Network configuration
  - /etc/network/interfaces
• DNS configuration
  - /etc/resolv.conf
• Rsyslog
  - /etc/rsyslog.conf
• Monit
  - /etc/monit/monitrc

AlienVault: Services

 

• Stop a service
  # /etc/init.d/<servicename> stop
  # service <servicename> stop
• Start a service
  # /etc/init.d/<servicename> start
  # service <servicename> start
• Restart a service
  # /etc/init.d/<servicename> restart
  # service <servicename> restart
• The parameters that the services use when starting are usually configured in the following path:
  /etc/default/<servicename>

alienvault-setup / alienvault-reconfig

[Diagram: alienvault-setup / alienvault-reconfig -> ossim_setup.conf -> ossim-reconfig -> AlienVault Components, Database, Integrated Tools, OS Components]

ossim_setup.conf

• interface: network management interface (eth0, eth1 ...)
• language: language used within AlienVault (en, es, fr ...)
• profile: profile or profiles enabled in the system
• version: version of AlienVault in use
• hostname: name of the system
• admin_ip: IP address used to manage the system
• first_init: flag recording whether this is the first boot
• email_notify: e-mail address that receives notifications

ossim_setup.conf (Database)

• acl_db, event_db, ossim_db, osvdb_db, ocs_db: names of the different databases
• db_ip: IP address of the database
• db_port: listening port of the database
• pass: password of the database user
• type: type of database
• user: user in the database
• create: if set to yes, the databases are dropped and created again when running alienvault-reconfig (leave it at no on a system that already holds events)

ossim_setup.conf (Sensor)

• detectors: enabled detector plugins (comma-separated, using the same name as the plugin configuration file)
• interfaces: listening interfaces (comma-separated)
• ip: IP address the sensor uses to connect to the AlienVault Server
• monitors: enabled monitor plugins (comma-separated, using the same name as the plugin configuration file)
• name: name of the sensor
• networks: local networks monitored by this sensor (CIDR format, comma-separated)

ossim_setup.conf (Framework, Server)

• FRAMEWORK
  - framework_ip: IP address of the Web interface
  - framework_port: listening port of the frameworkd daemon
• SERVER
  - server_ip: listening IP address of the AlienVault Server
  - server_port: listening port of the AlienVault Server
  - server_license: professional license code
  - server_plugins: enabled plugins in the Server profile

ossim_setup.conf (SNMP, Firewall, VPN)

• SNMP
  - snmpd: enable the SNMP daemon
  - snmptrap: enable SNMP trap collection
  - community: SNMP community string
• FIREWALL
  - active: enable or disable iptables
• VPN
  - vpn_infrastructure: enable or disable the VPN between the OSSIM components
  - vpn_net: VPN network
  - vpn_port: VPN port

Agent Configuration

• /etc/ossim/agent/config.cfg
• [daemon]
  - daemon: daemon mode (True or False)
  - pid: path to the PID file (process identifier)
• [event-consolidation]
  - enables event consolidation at Sensor level
  - by_plugin: list of plugins whose events are consolidated
  - enable: enable or disable (True or False)
  - time: wait n seconds to consolidate events before sending them

Agent Configuration

• /etc/ossim/agent/config.cfg
• [log]
  - configures the verbosity level and the paths of the different log files
  - error: file in which error events are stored
  - file: file in which all the agent logs are stored
  - stats: file in which the agent stats are stored (every 5 minutes)
  - verbose: verbosity level (Debug, Info, Warning, Error or Critical)
• [output-plain]
  - writes to a log file what is being sent to the AlienVault Server (useful for debugging and development)
  - enable: enable or disable (True or False)
  - file: file in which the plain output is stored

Agent Configuration

• /etc/ossim/agent/config.cfg
• [output-server]
  - configures the server to which events are sent
  - enable: enable or disable sending events to the server (True or False)
  - ip: IP address of the AlienVault Server (Logger or SIEM)
  - port: listening port of the AlienVault Server (Logger or SIEM)
• [plugin-defaults]
  - variables defined here can be used in the plugin configuration files

Agent Configuration

• /etc/ossim/agent/config.cfg
• [plugins]
  - defines which Data Source Connectors (detectors and monitors) are enabled
  - name_of_the_plugin=path_to_the_plugin_config_file
  - example: device=/etc/ossim/agent/plugins/device.cfg
• [watchdog]
  - monitors the process associated with each plugin (when it runs on the same machine)
  - enable: enable or disable (True or False)
  - interval: wait X seconds between checks
  - restart_interval: restart the process every X seconds (has to be enabled in each plugin)

Agent Configuration

• /etc/ossim/agent/aliases.cfg
  - contains predefined regular expressions that can be used when creating new plugins
• Data Source Connector configuration files
  - /etc/ossim/agent/plugins/*.cfg

Data Source Connectors

• Detector plugin configuration (/etc/ossim/agent/plugins/*.cfg)
• [DEFAULT]
  - any variable defined in this section is sent to the AlienVault Server
  - plugin_id: numerical identifier of the plugin within the AlienVault system (Data Source ID)
• [config]
  - type: detector
  - enable: enable or disable the plugin (it must also be enabled in config.cfg)
  - source: source of the events (log, database, wmi)
  - location: file in which the logs can be found
  - create_file: create the log file in case it does not exist

Data Source Connectors

• Detector plugin configuration (/etc/ossim/agent/plugins/*.cfg)
• [config]
  - process: name of the process generating the logs (if the process runs on the same system)
  - start: start the process when the agent starts (yes/no)
  - stop: stop the process when the agent stops (yes/no)
  - startup: command that starts the process
  - shutdown: command that stops the process
• The next part of the configuration file contains the regular expressions that collect and normalize the events.

Agent Configuration

• The configuration variables defined in a config file can be referenced with the following syntax when defining new variables:
• %(name)s
  - when the variable has been defined in the same file:
    process=pads
    shutdown=killall -9 %(process)s
• \_CFG(section,name)
  - when the variable has been defined in the main configuration file (config.cfg)
  - in /etc/ossim/agent/config.cfg:
    restart_interval=3600 ; seconds between plugin process restart
  - in the Data Source Connector configuration file:
    restart_interval=\_CFG(watchdog,restart_interval)
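Added example (not AlienVault's own agent code) showing how the agent configuration conventions above behave end to end: Python's configparser expands the %(name)s references the way the slide describes, the \_CFG(section,name) lookup is resolved here by a small regex against the main config, and a rule section with a regexp and {$n} capture references normalizes a log line into an event, which is the "regular expressions that collect and normalize the events" part of a Data Source Connector. The main and plugin config texts, the ssh rule, the plugin_id 4003 and the two syslog lines are all constructed for this example; the {$n} field syntax and the rule-section layout are assumptions modelled on OSSIM plugins and are not described on this page.

```python
"""How the agent configuration conventions above behave, as an added example
(not AlienVault's agent code). Python's configparser gives the %(name)s
references; \\_CFG(section,name) and the {$n} rule fields are resolved here by
hand. All config text and log lines are constructed for the example.
"""
import configparser
import re

# constructed stand-in for /etc/ossim/agent/config.cfg
MAIN_CONFIG = """\
[watchdog]
enable=True
interval=60
; seconds between plugin process restart
restart_interval=3600

[plugin-defaults]
sensor=192.168.1.10
"""

# constructed stand-in for /etc/ossim/agent/plugins/ssh.cfg
# (the rule section layout and the {$n} capture references are assumptions
# modelled on OSSIM plugins; they are not described on this page)
PLUGIN_CONFIG = r"""
[DEFAULT]
plugin_id=4003

[config]
type=detector
enable=yes
source=log
location=/var/log/auth.log
process=sshd
shutdown=killall -9 %(process)s
restart_interval=\_CFG(watchdog,restart_interval)

[ssh failed password]
event_type=event
regexp=^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)
plugin_sid=1
date={$1}
username={$2}
src_ip={$3}
src_port={$4}
"""

# constructed syslog lines: one that the rule should match, one it should not
SAMPLE_LOG = [
    "Jan 12 10:15:42 siem sshd[2231]: Failed password for invalid user admin from 10.0.0.5 port 51122 ssh2",
    "Jan 12 10:15:50 siem sshd[2231]: Accepted publickey for ops from 10.0.0.7 port 51140 ssh2",
]

CFG_REF = re.compile(r"\\_CFG\(([\w-]+),([\w-]+)\)")   # \_CFG(section,name)
FIELD_REF = re.compile(r"\{\$(\d+)\}")                  # {$n} capture group


def load_configs(main_text=MAIN_CONFIG, plugin_text=PLUGIN_CONFIG):
    main_cfg = configparser.ConfigParser()
    main_cfg.read_string(main_text)
    plugin_cfg = configparser.ConfigParser()
    plugin_cfg.read_string(plugin_text)
    return main_cfg, plugin_cfg


def plugin_option(plugin_cfg, main_cfg, section, name):
    """Value of a plugin option with %(x)s expanded by configparser and any
    \\_CFG(section,name) reference replaced from the main config."""
    value = plugin_cfg.get(section, name)          # %(process)s expanded here
    return CFG_REF.sub(lambda m: main_cfg.get(m.group(1), m.group(2)), value)


def load_rules(plugin_cfg):
    """Every section with a regexp is a rule; its other options are the
    fields of the normalized event, DEFAULT values (plugin_id) included."""
    rules = []
    for section in plugin_cfg.sections():
        if section == "config" or not plugin_cfg.has_option(section, "regexp"):
            continue
        fields = {k: v for k, v in plugin_cfg.items(section)
                  if k not in ("regexp", "event_type")}
        rules.append((section, re.compile(plugin_cfg.get(section, "regexp")), fields))
    return rules


def normalize(line, rules):
    """Return the normalized event for the first rule that matches, else None."""
    for name, pattern, fields in rules:
        match = pattern.search(line)
        if match is None:
            continue
        event = {"rule": name}
        for key, template in fields.items():
            event[key] = FIELD_REF.sub(lambda ref: match.group(int(ref.group(1))), template)
        return event
    return None


if __name__ == "__main__":
    main_cfg, plugin_cfg = load_configs()
    print("shutdown         =", plugin_option(plugin_cfg, main_cfg, "config", "shutdown"))
    print("restart_interval =", plugin_option(plugin_cfg, main_cfg, "config", "restart_interval"))
    rules = load_rules(plugin_cfg)
    for line in SAMPLE_LOG:
        print(normalize(line, rules))
```

The second log line produces None, which is the useful negative: when a connector "generates no events" the first thing to test is whether its regexp matches the actual log line format, and this is how to do that offline without touching the running agent.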

Server Configuration

• /etc/ossim/server/config.xml
• Path to the AlienVault Server log file
  <log filename="/var/log/ossim/server.log"/>
• Configuration to access the SQL database
  <datasource name="ossimDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=password;DATABASE=ossim;HOST=127.0.0.1"/>
• Configuration to access the Snort database
  <datasource name="snortDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=password;DATABASE=snort;HOST=127.0.0.1"/>
• Configuration to access the OSVDB database
  <datasource name="osvdbDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=password;DATABASE=osvdb;HOST=127.0.0.1"/>
• The dsn strings carry the database password in clear text: keep config.xml readable by root only and redact it before pasting it into a support ticket

Server Configuration

• /etc/ossim/server/config.xml
• Path to the correlation directives
  <directive filename="/etc/ossim/server/directives.xml"/>
• Waiting time between each execution of the AlienVault Server scheduled jobs
  <scheduler interval="15"/>
• Listening port, name and listening IP address of the AlienVault Server
  <server port="40001" name="opensourcesim" ip="0.0.0.0"/>
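An added configuration check (example code, not part of AlienVault) that reads the two files described in the ossim_setup.conf slides and the two config.xml slides above and flags the settings a reviewer would want cleared before a box goes into production: create=yes in the database section, iptables disabled, a default SNMP community, the component VPN switched off, datasources connecting as MySQL root or with a placeholder password, and a server bound to 0.0.0.0 while the firewall is off. The two sample files are constructed, reusing the ports, dsn layout and ip="0.0.0.0" the slides show; the lowercase section names, the placeholder lists and the function names are assumptions of the example.

```python
"""Pre-production check of ossim_setup.conf and the server's config.xml.

Added example, not AlienVault code. Both sample files are constructed; values
that the slides show (ports, the dsn layout, ip="0.0.0.0") are reused, the
lowercase section names and everything else are assumptions of this example.
"""
import configparser
import xml.etree.ElementTree as ET

SETUP_CONF = """\
[database]
db_ip=127.0.0.1
db_port=3306
user=root
pass=password
create=yes

[server]
server_ip=0.0.0.0
server_port=40001

[snmp]
snmpd=yes
snmptrap=yes
community=public

[firewall]
active=no

[vpn]
vpn_infrastructure=no
"""

SERVER_XML = """\
<config>
  <log filename="/var/log/ossim/server.log"/>
  <datasource name="ossimDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=password;DATABASE=ossim;HOST=127.0.0.1"/>
  <datasource name="snortDS" provider="MySQL"
    dsn="PORT=3306;USER=snort_ro;PASSWORD=x9Tq2m;DATABASE=snort;HOST=10.1.1.20"/>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001" name="opensourcesim" ip="0.0.0.0"/>
</config>
"""

DEFAULT_COMMUNITIES = ("public", "private", "")
PLACEHOLDER_PASSWORDS = ("password", "")


def parse_dsn(dsn):
    """Split 'KEY=value;KEY=value' into a dict with upper-cased keys."""
    pairs = (part.split("=", 1) for part in dsn.split(";") if "=" in part)
    return {k.strip().upper(): v.strip() for k, v in pairs}


def audit_setup(text):
    """Findings for ossim_setup.conf; an empty list means nothing to fix."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    if cfg.get("database", "create", fallback="no").lower() == "yes":
        findings.append("database: create=yes drops and recreates the databases on the next alienvault-reconfig")
    if cfg.get("database", "pass", fallback="") in PLACEHOLDER_PASSWORDS:
        findings.append("database: placeholder password")
    if cfg.get("firewall", "active", fallback="yes").lower() == "no":
        findings.append("firewall: iptables disabled")
    if (cfg.get("snmp", "snmpd", fallback="no").lower() == "yes"
            and cfg.get("snmp", "community", fallback="") in DEFAULT_COMMUNITIES):
        findings.append("snmp: daemon enabled with a default community string")
    if cfg.get("vpn", "vpn_infrastructure", fallback="no").lower() == "no":
        findings.append("vpn: traffic between OSSIM components is not tunnelled")
    return findings


def audit_server_xml(text):
    """Findings for /etc/ossim/server/config.xml."""
    root = ET.fromstring(text)
    findings = []
    for ds in root.iter("datasource"):
        name, dsn = ds.get("name"), parse_dsn(ds.get("dsn", ""))
        if dsn.get("USER") == "root":
            findings.append("%s: connects as MySQL root" % name)
        if dsn.get("PASSWORD", "") in PLACEHOLDER_PASSWORDS:
            findings.append("%s: placeholder database password" % name)
        if dsn.get("HOST") not in ("127.0.0.1", "localhost"):
            findings.append("%s: database on %s, credentials leave the box" % (name, dsn.get("HOST")))
    server = root.find("server")
    if server is not None and server.get("ip") == "0.0.0.0":
        findings.append("server: port %s bound on all interfaces" % server.get("port"))
    return findings


def audit(setup_text, xml_text):
    """Combined findings, plus the one that only shows up across both files."""
    setup, xml = audit_setup(setup_text), audit_server_xml(xml_text)
    combined = setup + xml
    if any(f.startswith("firewall:") for f in setup) and any(f.startswith("server:") for f in xml):
        combined.append("server reachable from every interface with iptables off")
    return combined


if __name__ == "__main__":
    for finding in audit(SETUP_CONF, SERVER_XML):
        print("-", finding)
```

The cross-file finding is the point of auditing both files together: 0.0.0.0 on the server line is the shipped default and is harmless while the firewall section keeps iptables on, but the two settings are edited in different files and drift apart easily.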

Web Interface Configuration

• Executive panel configuration
  - /etc/ossim/framework/panel/
• /etc/ossim/framework/ossim.conf
  - paths to applications and libraries
  - configures access to the different databases
  - some tools read this file to get the parameters needed to access the database (ossim-db, create_sidmap.pl ...)

Monit

• Monit
  - process monitor that watches all the important services on the AlienVault machines and restarts a service in case of a process crash
  - configuration file: /etc/monit/monitrc
  - different configuration depending on the profile in use
  - when stopping any monitored process, monit must be stopped first (otherwise it restarts the process)

  # Framework
  check process ossim-framework with pidfile /var/run/ossim-framework.pid
    group framework
    start program = "/etc/init.d/ossim-framework start"
    stop program = "/etc/init.d/ossim-framework stop"
    if 5 restarts within 5 cycles then timeout

When debugging, be sure to turn monit OFF! More Monit info: http://mmonit.com/monit/

AlienVault: System logging

• All the AlienVault components offer logging
• This can and should be used for
  - Debugging
    - errors may not be visible in the Web interface but can be spotted in the system logs
    - extra information for the AlienVault Support Team
  - Diagnosis
    - are all the services up to date?
    - did the system update generate errors?
  - Verification of success or failure
    - is my data source connector generating events?
    - are IDM events being collected?

AlienVault: Log files

• OSSIM Server
  - /var/log/ossim/server.log
• OSSIM Agent
  - /var/log/ossim/agent.log
• OSSIM Frameworkd
  - /var/log/ossim/frameworkd.log
• Snort
  - /var/log/syslog
  - /var/log/snort (binary format)
• Other applications: check the location variable in the plugin configuration file

Debug Mode

• OSSIM Server
  # ossim-server -D 6 -d
  - logs to /var/log/ossim/server.log
  - this does not show information on the terminal; much more information is written to the server log file
• OSSIM Agent
  # ossim-agent -vv
• OSSIM Frameworkd
  # ossim-framework -vv
• Never leave an application running in debug mode on a production system (it fills the disk and slows event processing)

Networks Card Information

ethtool/mii-tool

 

Network card stats and link status

set link speed and duplex for switch ports that do not auto-negotiate

iptraf

 

measure throughput and TCP sessions on a network interface

tcpdump

 

Check whether the port mirroring is configured correctly (is mirrored traffic actually arriving on the sniffing interface?)

Check whether the configured devices really send syslog to the Sensor

65


Network Configuration

Rename network interfaces

 

# apt-get install ifrename

Edit the file /etc/iftab

Insert a line for each network interface with the following format :

 

eth0 mac 00:17:31:56:BC:2D

eth1 mac 00:16:3E:2F:0E:9C

Network cards with more than one interface usually have consecutive MAC addresses

 

# ifconfig -a | grep HWaddr

66


Network Configuration

Additionally rename it with udev

 

# ifconfig -a |grep HWaddr

 

Create the file /etc/udev/rules.d/010_netinterfaces.rules


Reboot & check udev entries

# udevinfo -a -p /sys/class/net/eth0

67


Network Configuration

The network configuration in Debian is stored in the following file:

/etc/network/interfaces

After modifying that file, networking must be restarted with the following command:

# /etc/init.d/networking restart


68


Network Configuration

Each interface is configured in /etc/network/interfaces with the following template

be sure that the interface is also listed in the 'auto' line to enable automatic startup on system boot

auto lo eth0 eth<n>

allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.133
    netmask 255.255.0.0
    network 192.168.0.0
    broadcast 192.168.255.255
    gateway 192.168.1.1
    dns-nameservers 192.168.1.100

69


Network Configuration

address: IP address given to the interface (In the example eth0).

netmask: Network Mask

network: the network address, i.e. the part of the IP address that is common to all the IP addresses in the subnet.

broadcast: Broadcast IP of the network.

gateway: IP address of gateway in our network

dns-nameservers: IP addresses of the DNS servers used in your organisation. More than one DNS server can be listed, separated by spaces. If there is a local DNS server in your network, it should be placed first.

70


Network Configuration

Interfaces in promiscuous mode used to collect network traffic (port mirroring) should have an entry in the network configuration file with the following format, as an 'up' line inside that interface's iface stanza (declared with 'inet manual', since it gets no IP address):

up ifconfig eth0 0.0.0.0 promisc -arp

71


Network Recommendations

The collector performs many DNS queries to normalize events, so a local DNS server should always be configured on every AlienVault box.

If there is no local DNS server in your network, the hostnames and their associated IP addresses should be defined in the /etc/hosts file on your collectors.

Interfaces in promiscuous mode should only be used to collect network traffic; they should never have an IP address assigned.

72


Disk Space

The disk space left in the AlienVault machines should be monitored

The folder /var/ will use the biggest amount of disk space in AlienVault

 

Databases

Log files

The /var/ folder should live on its own partition, and that partition should get the largest share of the available disk (more than 80%).

73


Swap Memory

Swap usage slows the system down, so we need to make sure the system is not using the swap partition frequently.

If the system is constantly using the swap partition, the amount of RAM installed in the system must be increased.

74


Munin

Munin can monitor the status of various parameters of the operating system, such as interrupts, load, memory, network and processes.

Munin is really useful to check that our hardware is working properly.

Since version 3.1 Munin can be used in distributed deployments.

75


AlienVault: system recovery

Backup & Recovery

a simple backup script is provided

easy recovery after a new installation

Backup script: see next page

76


AlienVault: system recovery

Backup script (caution: /var/ossim/logs is not included in the backup)

#!/bin/bash
# Stop every AlienVault-related service so the database dumps are consistent
cd /etc/init.d/
process="monit ossim-agent ossim-server ossim-framework apache2 arpwatch exim4 fprobe nagios3 nessus dnfdump nfsen ntop munin-node openvas-scanner openvassd openvas-server osirisd osirismd pads rsyslog postfix samba snort* snmpd tomcat nfdump"

for i in $process
do
    /etc/init.d/$i stop > /dev/null;
done

# Keep cron jobs from starting anything while the backup runs
chmod 000 /etc/cron.hourly/*
chmod 000 /etc/cron.daily/*

d1r="/var/ossim/backup/db/`date +%F-%H_%M_%S`"
dbs=`echo "show databases" | ossim-db | grep -v "Database" | grep -v "information_schema"`
# Database credentials are read from the AlienVault setup file
p4ss=`grep -i pass= /etc/ossim/ossim_setup.conf | awk -F'=' '{print$2}'`
h0st=`grep -i db_ip /etc/ossim/ossim_setup.conf | awk -F'=' '{print$2}'`
test -z "$h0st" && h0st="localhost"

# One structure-only dump and one full dump per database
# (note: -p$p4ss exposes the password to 'ps' while mysqldump runs)
for db in $dbs; do
    test -d $d1r/$db/struct || mkdir -p $d1r/$db/struct
    mysqldump -d -u root -h $h0st -p$p4ss $db > $d1r/$db/struct/$db-struct-`date +%F-%H_%M_%S`.sql
    mysqldump -u root -h $h0st -p$p4ss $db > $d1r/$db/$db-`date +%F-%H_%M_%S`.sql
done

# Bundle the dumps, then /etc, then the package list, into /var/ossim/backup
tar --preserve -czvf $d1r/../../complete_backup_`date +%F-%H_%M`.tgz $d1r > /dev/null
echo "Generated /var/ossim/backup/complete_backup_`date +%F-%H_%M`.tgz file"

tar --preserve -czvf $d1r/../../config_files_`date +%F-%H_%M`.tgz /etc/* > /dev/null
echo "Generated /var/ossim/backup/config_files_`date +%F-%H_%M`.tgz file"

dpkg -l >> $d1r/../../packages_list_`date +%F-%H_%M`

# Re-enable cron and restart the services through alienvault-reconfig
chmod 755 /etc/cron.hourly/*
chmod 755 /etc/cron.daily/*
alienvault-reconfig -c -v
exit 0


Hands-On: CLI

alienvault-setup

 

change default admin email address

configure monitored networks

enable detector plugins: foo bar and baz

change the time zone

set ethX to non-promiscuous mode

change the system name

delete and rebuild the complete alienvault-database

 

WARNING: all your data and configuration will be LOST

78


AlienVault Event Collection

Get the data from the network

79


Syslog

Using Syslog is usually the easiest way to forward events to the AlienVault Sensor.

All Linux, BSD and Mac OS X systems include a syslog implementation by default, and forwarding policies are simple to configure with it.

A large number of devices and applications can log through the Syslog protocol. If an application can't, its log file can be fed into Syslog with logger:

# tail -f /path/to/file | logger -t application

80

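What logger -t actually puts on the wire, as an added example (not part of the AlienVault material): the PRI prefix is facility * 8 + severity, which is what the rsyslog facility filters used later in this chapter ($syslogfacility-text == 'local0') match on. logger's own default is user.notice; forward_file() below sends as local0.info instead so such a filter can pick the replayed file up. The client hostname, tag, sensor address and the fixed sample timestamp are assumptions made for the example.

```python
"""Build RFC 3164 syslog lines the way 'logger -t TAG' does (added example)."""
import socket
from datetime import datetime

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Fixed timestamp so the example output is reproducible (assumption, not real data)
SAMPLE_TIME = datetime(2012, 2, 8, 10, 9, 6)


def priority(facility, severity):
    """PRI value carried in the <NNN> prefix: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(tag, text, facility="user", severity="notice",
                  host="client01", when=None):
    """<PRI>Mmm dd hh:mm:ss HOST TAG: text   (logger's defaults are user.notice)."""
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164: day is space-padded
    return f"<{priority(facility, severity)}>{timestamp} {host} {tag}: {text}"


def decode_priority(message):
    """Inverse of build_message: (facility, severity, rest) for a received line."""
    end = message.index(">")
    pri = int(message[1:end])
    facility = {v: k for k, v in FACILITIES.items()}[pri // 8]
    severity = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return facility, severity, message[end + 1:]


def forward_file(path, tag, sensor, port=514, facility="local0", severity="info"):
    """Replay an existing log file to the sensor over UDP, one datagram per line."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.rstrip("\n")
                if line:
                    sock.sendto(build_message(tag, line, facility, severity).encode(),
                                (sensor, port))
    finally:
        sock.close()


if __name__ == "__main__":
    # constructed firewall line; sensor address 192.168.1.50 is an assumption
    sample = build_message("fw1", "deny tcp 10.0.0.5 -> 10.0.0.9:445",
                           "local0", "info", "client01", SAMPLE_TIME)
    print(sample, decode_priority(sample))
```

Run forward_file("/var/log/firewall.log", "fw1", "192.168.1.50") on a client and watch the sensor's /var/log/syslog (or the file your rsyslog filter writes to) to confirm the lines arrive with the expected facility.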

Snare Agent

Snare forwards Windows EventLog events to a remote Syslog server.

When installing Snare, it can also configure an audit (logging) policy on the Windows system. Take care if you have already defined a logging policy, as it may be overwritten.

Once Snare has been installed, download the .reg file from the AlienVault web interface (Configuration -> Collection -> Downloads) to configure it to forward events to the remote Syslog server.

81


WMI

WMI (Windows Management Instrumentation) provides an operating system interface through which instrumented components provide information and notification.

WMI allows scripting languages like VBScript or Windows PowerShell to manage Microsoft Windows personal computers and servers, both locally and remotely.

WMI is preinstalled in Windows 2000 and newer OSs. It is available as a download for Windows 95 and Windows 98.

AlienVault includes two data source connectors that allow collecting information using WMI:

Detector: wmi-system-logger.cfg

Monitor: wmi-monitor.cfg

82


Fw1-Loggrabber

Fw1-Loggrabber allows collecting events from Check Point FW-1 devices using Check Point's LEA (Log Export API) protocol.

Fw1-Loggrabber has to be installed along with the detector. It establishes a connection to the Check Point FW-1 device to fetch the events.

83


Cisco SDEE

The AlienVault Sensor can collect events from Cisco devices using the SDEE protocol.

The detector allows collecting events from the following devices:

Cisco Network Detection Systems (IPS)
Cisco Switch IDS
Cisco IOS routers with Inline Intrusion Prevention System (IPS) functions
Cisco IDS modules for routers
Cisco PIX Firewalls
Cisco Catalyst 6500 Series firewall services modules (FWSMs)
Cisco Management Center for Cisco Security Agents
CiscoWorks Monitoring Center for Security servers

Data Source Connector configuration file: cisco-ips.cfg

84


Rsyslog

Rsyslog is the Syslog implementation shipped with AlienVault

Rsyslog is extremely configurable and allows configuring filtering and forwarding in a really easy way

Rsyslog must accept remote connections to collect logs coming from other Syslog sources. Enable this in the Rsyslog configuration file (/etc/rsyslog.conf) by adding the following lines (UDP and TCP listeners on port 514):

$ModLoad imudp

$UDPServerRun 514

$ModLoad imtcp

$InputTCPServerRun 514

85


rsyslog filters

Filter using Rsyslog ( /etc/rsyslog.d/)

Forward certain events to a local file

 

if $msg contains 'error' then /var/log/error

if $syslogfacility-text == 'local0' and $msg startswith 'DEVNAME' and ($msg contains 'error1' or $msg contains 'error0') then /var/log/somelog

Stop processing some events

 

if $msg contains 'error' then ~

Regex in Rsyslog: http://www.rsyslog.com/user-regex.php

86


rsyslog customization

Separate incoming logs (syslog)

 

find a phrase in the syslog message to classify the logs (hostname, IP address, ...)

Send logs to a different logfile

 

Create a file with file extension “conf” in /etc/rsyslog.d

e.g. /etc/rsyslog.d/customize.conf

possible commands

# send logs from host "HOSTNAME" to cisco.log and stop processing them
:source, isequal, "HOSTNAME" /var/log/cisco.log
& ~

# send messages containing "STRING" to xyz.log, or discard them
if $msg contains 'STRING' then /var/log/xyz.log
if $msg contains 'STRING' then ~

# ip-address examples (the leading "-" disables a sync after each write)
if $fromhost == 'IP_ADDRESS' then -/var/log/ossim/device.log
& ~
if $fromhost-ip isequal 'IP_ADDRESS' then -/var/log/cisco-fw.log
& ~
:fromhost-ip, isequal, "IP_ADDRESS" -/var/log/cisco-fw.log
& ~


The rsyslog webpage provides more useful examples, tricks and howtos: http://www.rsyslog.com/

Log rotation

When creating new log forwarding rules (Rsyslog), it is important to ensure that the logs will not grow indefinitely.

To do this we must create new entries in the logrotate configuration, in /etc/logrotate.d/

The agent's own logs are rotated like this (the agent is stopped before and started after the rotation, so it does not keep writing to the renamed file):

/var/log/ossim/agent.log /var/log/ossim/agent-plain.log /var/log/ossim/agent_error.log /var/log/ossim/agent_stats.log {
    daily
    firstaction
        test -f /var/log/snort/alert || touch /var/log/snort/alert > /dev/null 2>&1
    endscript
    prerotate
        /etc/init.d/ossim-agent stop > /dev/null 2>&1
    endscript
    postrotate
        /etc/init.d/ossim-agent start > /dev/null 2>&1
    endscript
}

Log rotation example

If you have new separated logfiles just take this example and add your new logfiles to it!

/etc/logrotate.d/alienvault

/var/log/xyz.log
/var/log/foo.log
...
{
    # keep the last 7 logs
    rotate 7
    # rotate daily
    daily
    # if the file doesn't exist, continue
    missingok
    # if the log is empty, don't rotate it
    notifempty
    # postpone compression of the previous log file to the next cycle
    delaycompress
    # compress the rotated log
    compress
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}

89


see also > man logrotate


Hands-On: CLI

Define a syslog source and filter to /var/log/foo ...

enable logrotation on the source you just configured

alienvault-setup

 

change default admin email address

configure monitored networks

enable detector plugins: foo bar and baz

change the time zone

change the system name

delete and rebuild the complete alienvault-database

 

WARNING: all your data and configuration will be LOST

90


Hands-On: CLI

Logfiles

send some example logs to /var/log/syslog

  • - use the following script:

while true
do
    cat /var/log/firewall.log | logger -t <STRING>
    sleep 10
done

done


filter the log and send it to a separated log file and be sure that this log is not filling up your disk space (rotate the file daily with compression enabled)

91


AlienVault Data Sources

Adapt collection to your organization

92


Types of DS Connectors

Two types of Data Source Connectors

Detectors: they offer events (Snort, firewalls, antivirus, web servers, OS events, ...)

Monitors: they offer indicators (Ntop, Tcptrack, Nmap, Webs, Compromise & Attack, ...)

93


Files

Each DS Connector (monitors and detectors) is built on two files:

Plugin.cfg
Contains the configuration parameters of the plugin and the rules that an event has to match in order to be collected and normalized.

Plugin.sql
Contains the description of every possible event that can be collected using the plugin (plugin_id, plugin_sid, name given to the event, priority and reliability).

94


Ds Connector: Detector

# Numerical identifier of the plugin
[DEFAULT]
plugin_id=4003

# default values for dst_ip and dst_port
# they can be overwritten in each rule
dst_ip=\_CFG(plugin-defaults,sensor)
dst_port=22

# Type of plugin: detector
[config]
type=detector
enable=yes

# Source of the events (log, mssql, mysql or wmi)
source=log
location=/var/log/auth.log
create_file=false

# Associated process and start/stop options
process=sshd
start=no
stop=no
startup=/etc/init.d/ssh start
shutdown=/etc/init.d/ssh stop

# One rule per type of event
[ssh - Failed password]
# Feb 8 10:09:06 golgotha sshd[24472]: Failed password for dgil from 192.168.6.69 port 33992 ssh2
event_type=event
# Regular expression that extracts the fields
regexp="(\SYSLOG_DATE)\s+(?P<sensor>[^\s]*).*?ssh.*?Failed password for (?P<user>\S+)\s+from\s+.*?(?P<src>\IPV4).*?port\s+(?P<sport>\PORT)"
plugin_sid=1
# Fields that will be sent to the AlienVault Server
sensor={resolv($sensor)}
date={normalize_date($1)}
src_ip={$src}
dst_ip={resolv($sensor)}
src_port={$sport}
username={$user}

95


Ds Connector: Detector

plugin_id

 

Data Source ID. User reserved range: 9000-10000

E.g.: plugin_id=3000

source

 

log: text file (e.g. SSH, Sudo, Apache, ...)

mssql: Mssql Database (E.g: panda-se)

mysql: Mysql Database (E.g: moodle)

wmi: Windows Management Instrumentation (wmi-system-logger)

96


Ds Connector: Detector

location

- file in which the application stores its events
- e.g.: location=/var/log/file.log

create_file

- create the file in case it does not exist
- false/true

process / start / stop / startup / shutdown

- only if the process runs on the same machine as the detector
- if the process is not running on this machine, which process is collecting those logs for us? syslog? fw1-loggrabber?

97


Ds Connector: Detector

Rules

 

Rules define the format of each event and how they are normalized

Each rule is composed of a regular expression and the list of fields the event will carry once it is sent to the AlienVault SIEM or Logger

In some cases a single regular expression collects every event coming from one application; in other cases more than one rule is required


98


DS Connector: Detector

Rules

Rules are loaded in alphabetical order, based on the name given to each rule

Once a log line matches the regexp of one rule, the OSSIM agent stops processing that line; the remaining rules are not tried

Generic rules must therefore be the last loaded in memory, as they will probably match all the events: give them a name that sorts last

The name of the rule is mandatory


99


DS Connector: Detector

The rule must include the event type:

event_type=event

The following fields can be used to normalize the event:

plugin_id, plugin_sid, date, sensor, interface, protocol, src_ip, src_port, dst_ip, dst_port, username, password, filename, userdata1 ... userdata9

plugin_id and plugin_sid are mandatory and always have to be defined in the plugin (plugin_id usually once, in the [DEFAULT] section; plugin_sid in every rule)

date and sensor are filled in by the AlienVault Agent in case they cannot be found in the original log (the agent uses the current time and its own sensor address). Don't include those lines when creating the plugin in that case

The remaining fields are optional

 

100


DS Connector: Detector

Regexp

The regexp field contains the regular expression that defines the format of the events, and extracts the information to normalize the event.

regexp="(\SYSLOG_DATE)\s+(?P<sensor>[^\s]*).*?ssh.*?Failed password for (?P<user>\S+)\s+.*?(?P<src>\IPV4).*?port\s+(?P<sport>\PORT)"

regexp=(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\S+ (\S+) (\S+) (\S+) (\d+) (\w+) (\S+) \S+ (\d+)

The regular expressions are written using the Python regular expression syntax:

101

http://docs.python.org/library/re.html
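To see how a detector's rules, their load order and the field templates fit together, here is an added example (not AlienVault's agent code) that replays a plugin modelled on the ssh detector shown earlier over a few constructed auth.log lines. It reads the plugin with configparser (so [DEFAULT] values such as dst_port propagate into every rule exactly as the page describes), loads rules in alphabetical order, stops at the first regexp that matches, and renders the {$name}, {resolv($name)} and {normalize_date($1)} templates. The macro definitions for \SYSLOG_DATE, \IPV4 and \PORT, the resolv and normalize_date helpers, the year, the hostname-to-IP mapping, the literal stand-in for \_CFG(plugin-defaults,sensor) and the catch-all rule are all assumptions made for this example.

```python
"""Replay an AlienVault detector plugin over log lines (added example, not agent code)."""
import re
from configparser import ConfigParser
from datetime import datetime

# Stand-ins for the agent's regexp macros; the real definitions are assumed, not copied.
MACROS = {
    r"\SYSLOG_DATE": r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}",
    r"\IPV4": r"\d{1,3}(?:\.\d{1,3}){3}",
    r"\PORT": r"\d{1,5}",
}
# Fields the agent accepts in a rule (from the field list on the previous pages)
EVENT_FIELDS = {
    "plugin_id", "plugin_sid", "date", "sensor", "interface", "protocol",
    "src_ip", "src_port", "dst_ip", "dst_port", "username", "password",
    "filename", *[f"userdata{i}" for i in range(1, 10)],
}
ASSUMED_YEAR = 2012                     # syslog timestamps carry no year
RESOLV = {"golgotha": "192.168.6.1"}    # constructed stand-in for DNS resolution

# Constructed plugin, modelled on the ssh detector; a generic catch-all rule is
# added with a name that sorts last, so the specific rule is always tried first.
PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=4003
# literal stand-in for \_CFG(plugin-defaults,sensor)
dst_ip=192.0.2.10
dst_port=22

[config]
type=detector
enable=yes
source=log
location=/var/log/auth.log

[ssh - Failed password]
event_type=event
regexp="(\SYSLOG_DATE)\s+(?P<sensor>[^\s]*).*?ssh.*?Failed password for (?P<user>\S+)\s+from\s+.*?(?P<src>\IPV4).*?port\s+(?P<sport>\PORT)"
plugin_sid=1
sensor={resolv($sensor)}
date={normalize_date($1)}
src_ip={$src}
dst_ip={resolv($sensor)}
src_port={$sport}
username={$user}

[zzz - Generic sshd]
event_type=event
regexp="(\SYSLOG_DATE)\s+(?P<sensor>[^\s]*).*?sshd\[\d+\]: (?P<msg>.*)"
plugin_sid=9999
sensor={resolv($sensor)}
date={normalize_date($1)}
userdata1={$msg}
"""


def expand_macros(regexp):
    for macro, pattern in MACROS.items():
        regexp = regexp.replace(macro, pattern)
    return regexp


def load_rules(cfg_text):
    """Return (name, compiled regexp, field templates) in the agent's load order."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    rules = []
    for name in sorted(cp.sections()):          # rules load alphabetically by name
        if name == "config":
            continue
        sec = cp[name]
        if sec.get("event_type") != "event" or "regexp" not in sec or "plugin_sid" not in sec:
            raise ValueError(f"rule {name!r} needs event_type=event, regexp and plugin_sid")
        pattern = re.compile(expand_macros(sec["regexp"].strip('"')))
        fields = {k: v for k, v in sec.items() if k in EVENT_FIELDS}  # DEFAULT values included
        rules.append((name, pattern, fields))
    return rules


TOKEN = re.compile(r"\{(?:(?P<func>\w+)\()?\$(?P<ref>\w+)\)?\}")


def render(template, match):
    """Expand {$name}, {resolv($name)} and {normalize_date($1)} from a regexp match."""
    def expand(tok):
        ref = tok.group("ref")
        value = match.group(int(ref) if ref.isdigit() else ref)
        if tok.group("func") == "resolv":
            return RESOLV.get(value, value)
        if tok.group("func") == "normalize_date":
            parsed = datetime.strptime(value, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
            return parsed.strftime("%Y-%m-%d %H:%M:%S")
        return value
    return TOKEN.sub(expand, template)


def normalize(line, rules):
    """First rule whose regexp matches wins; unmatched lines produce no event."""
    for name, pattern, fields in rules:
        m = pattern.search(line)
        if m:
            return name, {field: render(tmpl, m) for field, tmpl in fields.items()}
    return None, None


LOG_LINES = [  # constructed auth.log lines
    "Feb  8 10:09:06 golgotha sshd[24472]: Failed password for dgil from 192.168.6.69 port 33992 ssh2",
    "Feb  8 10:09:10 golgotha sshd[24472]: Accepted password for dgil from 192.168.6.69 port 33992 ssh2",
    "Feb  8 10:09:11 golgotha CRON[1234]: pam_unix(cron:session): session opened for user root",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(normalize(line, load_rules(PLUGIN_CFG)))
```

Renaming the catch-all rule to something that sorts before "ssh - Failed password" makes it swallow the failed-login line with plugin_sid 9999, which is exactly the ordering mistake the previous page warns about.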

Regular expressions

Operator   Meaning
c          A non-special character matches itself
\c         Removes the special meaning of the character c; the RE \$ matches $
^          Matches at the beginning of the line
$          Matches at the end of the line
.          Any single character
[...]      One of the characters ...; accepts ranges of the type a-z, 0-9, A-Z
[^...]     A character different from ...; accepts ranges of the type a-z, 0-9, A-Z

102

Useful tools for testing regular expressions:

Web: http://www.regexpal.com
Windows: RegEx Tester
Linux: http://kodos.sf.net/
Regexhibit (OS X): http://homepage.mac.com/roger_jolly/software/

Regular expressions

Regular expression   Matches
a.b                  axb aab abb aSb a#b ...
a..b                 axxb aaab abbb a4$b ...
[abc]                a b c (one-character strings)
[aA]                 a A (one-character strings)
[aA][bB]             ab Ab aB AB (two-character strings)
[0123456789]         0 1 2 3 4 5 6 7 8 9
[0-9]                0 1 2 3 4 5 6 7 8 9
[A-Za-z]             A B C ... Z a b c ... z
[0-9][0-9][0-9]      000 001 ... 009 010 ... 019 100 ... 999
[0-9]*               empty string 0 1 9 00 99 123 456 999 9999 ...
[0-9][0-9]*          0 1 9 00 99 123 456 999 9999 99999 99999999 ...
^.*$                 A full line

103


Regular expressions

Operator   Meaning
r*         0 or more occurrences of the RE r
r+         1 or more occurrences of the RE r
r?         0 or 1 occurrence of the RE r, and no more
r{n}       Exactly n occurrences of the RE r
r{,m}      0 or at most m occurrences of the RE r
r{n,m}     n or more occurrences of the RE r, but at most m
r1|r2      The RE r1 or the RE r2

Regular expression   Matches
[0-9]+               0 1 9 00 99 123 456 999 9999 99999 99999999 ...
[0-9]?               empty string 0 1 2 ... 9
(ab)*                empty string ab ababab abababababab ...
([0-9]+ab)*          empty string 1234ab 9ab9ab9ab 9876543210ab 99ab99ab ...

104


Regular expressions

Regular expression   Matches                                Equals
\d                   Any decimal digit                      [0-9]
\D                   Any non-digit character                [^0-9]
\s                   Any whitespace character               [ \t\n\r\f\v]
\S                   Any non-whitespace character           [^ \t\n\r\f\v]
\w                   Any alphanumeric character and "_"     [a-zA-Z0-9_]
\W                   Any non-alphanumeric character         [^a-zA-Z0-9_]
\Z                   End of the string (not of each line)

105


Regular expressions

Pattern    Description
b,c,X,8    Ordinary characters just match themselves exactly. The meta-characters which do not match themselves because they have special meanings are: . ^ $ * + ? { [ ] \ | ( )
.          Matches any single character except newline (\n).
\w         Lowercase w matches a "word" character: a letter, digit or underscore [a-zA-Z0-9_]. It only matches a single word character, not a whole word.
\W         Uppercase W matches any non-word character.
\s         Lowercase s matches a single whitespace character: space, newline, return, tab, form feed [ \n\r\t\f].
\S         Uppercase S matches any non-whitespace character.
\d         Lowercase d matches a single decimal digit [0-9].
\D         Uppercase D matches any non-digit character.

\t