
Snare, Windows, GUI console good regexp

Idriel Posts: 15 Contactee
edited January 2013 in Data Source Plugins
OSSIM version
Alienvault OSSIM Server Version : 4.1.0.free.commit:(1:4.1.2-127)
  (c) 2007-2012 AlienVault

Installed OSSIM with only one plugin, SNARE, for log collection.

On a Windows Server 2008 R2 x64 machine I installed SNARE, imported the .reg file and set ";" as the delimiter.

I created the file /etc/rsyslog.d/snare.conf and put this in it:
if ($fromhost-ip == 'XXX.XX.X.XXX') then -/var/log/snare.log
& ~     #This line means discard after match

Now when I run tail -f /var/log/snare.log I get events from Windows:
Jan 10 15:48:46 HOSTNAME.domain.local MSWinEventLog;1;System;8;čet sij 10 15:48:45 2013;7036;Service Control Manager;N/A;N/A;Information;HOSTNAME.domain.local;None;;The Application Experience service entered the stopped state.;5

But I don't get events in the GUI console, and the same is true when I run
/usr/share/ossim/scripts/regexp.py /var/log/snare.log /etc/ossim/agent/plugins/snare.cfg q
Multiple regexp mode used, parsing /etc/ossim/agent/plugins/snare.cfg
-----------------------------------------------------------------------------
Rule:   010Snare
                                                Matched 0 times
Rule:   020Snare
                                                Matched 0 times
Rule:   090Snare
                                                Matched 0 times

Rule:   ZZZZ - ##GENERIC-RULE##
                                                Matched 100 times
Counted 100 lines.
Matched 100 lines.

This is how the plugin looks in this version. Does anyone have a good regex for Windows machines?

[010Snare]
event_type=event
regexp="(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(#011|\s)MSWinEventLog(#011|;)\d+(#011|;)(?P<type>\w+?)(#011|;)\d+(#011|;)\w{2,3}\s(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s\d{4}(#011|;)(?P<sid>\d+)(#011|;)(?P<msg>.*)(#011|;)(?P<user>.*)(#011|;).*(#011|;)(?P<type_2>\w+)(#011|;)(?P<hostname>.*)(#011|;).*(#011|;)(#011|;)(?P<msg_event>.*)(#011|;)"
date={normalize_date($date)}
plugin_id=1518
plugin_sid={$sid}
src_ip={resolv($host)}
username={$user}
userdata1={$hostname}
userdata1={$type_2}
userdata2={$type}
userdata3={$msg}
userdata4={$msg_event}

[020Snare]
precheck="Security"
event_type=event
regexp="^(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(#011|\s)MSWinEventLog(#011|;)\d+(#011|;)Security(#011|;)\d+(#011|;)\w{2,3}\s(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s\d{4}(#011|;)(?P<sid>\d+)(;|#011)(?P<msg>[^(;|#011)]+)(;|#011)(?P<user>.*?)(#011|;).*?(;|#011)(?P<type_2>.*?)(;|#011)[^#;]+(;|#011)(?P<msg_2>[^#;]+)(;|#011)(;|#011)(?P<msg_3>[^:]+):"
date={normalize_date($date)}
plugin_id=1518
plugin_sid={$sid}
src_ip={resolv($host)}
src_ip={resolv($host)}
username={$user}
userdata1={$type_2}
userdata2={$msg}
userdata3={$msg_2}
userdata4={$msg_3}

[090Snare]
event_type=event
regexp="^(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(#011|\s)MSWinEventLog(#011|;)\d+(#011|;)(?P<type>\S+?)(#011|;)\d+(#011|;)\w{2,3}\s(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s\d{4}(#011|;)(?P<sid>\d+)(;|#011)(?P<msg>[^(;|#011)]+)(;|#011)(?P<user>.*?)"
date={normalize_date($date)}
plugin_id=1518
plugin_sid={$sid}
src_ip={resolv($host)}
username={$user}
userdata1={$type}
userdata2={$msg}

[ZZZZ - ##GENERIC-RULE##]
event_type=event
regexp="^(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(?P<msgbody>.*)"
date={normalize_date($date)}
plugin_id=1518
plugin_sid=2000000000
src_ip={resolv($host)}
userdata2={$msgbody}
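Added example (not from the post or from AlienVault): a small stand-in for regexp.py that runs the 010Snare and generic rules from the post over the sample line, so you can see where 010Snare stops matching. It assumes the OSSIM 4.1 agent matches Python 2 byte strings, where \w is ASCII-only (re.ASCII reproduces that), and assumes an expansion for the \SYSLOG_DATE alias. The visible cause in the sample is the Windows locale: the fifth field reads "čet sij 10 ..." (Croatian day and month abbreviations) where the rule expects an ASCII `\w{2,3}\s\w{3}` and normalize_date expects an English month.

```python
import re
from datetime import datetime

# Constructed copy of the line from the post.
SAMPLE = ("Jan 10 15:48:46 HOSTNAME.domain.local MSWinEventLog;1;System;8;"
          "čet sij 10 15:48:45 2013;7036;Service Control Manager;N/A;N/A;Information;"
          "HOSTNAME.domain.local;None;;The Application Experience service entered the stopped state.;5")

# Assumed expansion of the agent's \SYSLOG_DATE alias (hypothetical, not taken from OSSIM source).
SYSLOG_DATE = r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}"

# Two rules copied from the snare.cfg in the post, in the agent's order.
RULES = {
    "010Snare": r"(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(#011|\s)MSWinEventLog(#011|;)\d+(#011|;)(?P<type>\w+?)(#011|;)\d+(#011|;)\w{2,3}\s(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s\d{4}(#011|;)(?P<sid>\d+)(#011|;)(?P<msg>.*)(#011|;)(?P<user>.*)(#011|;).*(#011|;)(?P<type_2>\w+)(#011|;)(?P<hostname>.*)(#011|;).*(#011|;)(#011|;)(?P<msg_event>.*)(#011|;)",
    "ZZZZ - ##GENERIC-RULE##": r"^(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(?P<msgbody>.*)",
}


def compile_rule(pattern, flags):
    """Expand the \\SYSLOG_DATE alias and compile; re.ASCII mimics Python 2 byte-string \\w."""
    return re.compile(pattern.replace(r"\SYSLOG_DATE", SYSLOG_DATE), flags)


def first_match(line, flags=re.ASCII):
    """Walk the rules in order like regexp.py and return (rule name, captured fields)."""
    for name, pattern in RULES.items():
        m = compile_rule(pattern, flags).match(line)
        if m:
            return name, m.groupdict()
    return None, {}


def event_date_parses(date_event):
    """Stand-in for normalize_date: True only if the Snare timestamp uses English month names."""
    try:
        datetime.strptime(date_event, "%b %d %H:%M:%S")
        return True
    except ValueError:
        return False


def anglicise(line):
    """The same event as Snare would emit it from an English-locale Windows host."""
    return line.replace("čet sij", "Thu Jan")


if __name__ == "__main__":
    for label, line in (("as logged", SAMPLE), ("English date", anglicise(SAMPLE))):
        name, fields = first_match(line)
        print(label, "->", name, fields.get("sid"), fields.get("type_2"))
    # Even with Unicode \w the rule matches but the captured month cannot be normalised.
    _, fields = first_match(SAMPLE, flags=0)
    print("unicode \\w date_event:", fields["date_event"], event_date_parses(fields["date_event"]))
```

With the Windows host set to an English short-date format the same line falls into 010Snare with sid 7036, which is the condition the plugin's date handling relies on.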

Answers

  • Idriel Posts: 15 Contactee
    Thanks. It worked:
    alienvault:~# /usr/share/ossim/scripts/regexp.py /var/log/snare.log /etc/ossim/agent/plugins/snare.cfg q
    Multiple regexp mode used, parsing /etc/ossim/agent/plugins/snare.cfg
    -----------------------------------------------------------------------------
    Rule:   010Snare
                                                    Matched 0 times
    Rule:   020Snare
                                                    Matched 0 times
    Rule:   090Snare
                                                    Matched 47 times
    Rule:   095Snare
                                                    Matched 308 times
    Counted 355 lines.
    Matched 355 lines.
