Snare, Windows, GUI console good regexp

Idriel (Contactee)
edited January 2013 in Data Source Plugins
OSSIM version
Alienvault OSSIM Server Version : 4.1.0.free.commit:(1:4.1.2-127)
  (c) 2007-2012 AlienVault

Installed OSSIM with only one plugin, SNARE, for log collection.

On a Windows Server 2008 R2 x64 machine I installed SNARE, imported the .reg file and set ";" as the delimiter.

I created the file /etc/rsyslog.d/snare.conf and put this in it:
if ($fromhost-ip == 'XXX.XX.X.XXX') then -/var/log/snare.log
& ~     #This line means discard after match

Now when I run tail -f /var/log/snare.log I get events from Windows:
Jan 10 15:48:46 HOSTNAME.domain.local MSWinEventLog;1;System;8;čet sij 10 15:48:45 2013;7036;Service Control Manager;N/A;N/A;Information;HOSTNAME.domain.local;None;;The Application Experience service entered the stopped state.;5

But I don't get events in the GUI console, and that is confirmed when I run
/usr/share/ossim/scripts/regexp.py /var/log/snare.log /etc/ossim/agent/plugins/snare.cfg q
Multiple regexp mode used, parsing /etc/ossim/agent/plugins/snare.cfg
-----------------------------------------------------------------------------
Rule:   010Snare
                                                Matched 0 times
Rule:   020Snare
                                                Matched 0 times
Rule:   090Snare
                                                Matched 0 times

Rule:   ZZZZ - ##GENERIC-RULE##
                                                Matched 100 times
Counted 100 lines.
Matched 100 lines.

This is how the plugin looks in this version. Does anyone have a good regex for Windows machines?

[010Snare]
event_type=event
regexp="(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(#011|\s)MSWinEventLog(#011|;)\d+(#011|;)(?P<type>\w+?)(#011|;)\d+(#011|;)\w{2,3}\s(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s\d{4}(#011|;)(?P<sid>\d+)(#011|;)(?P<msg>.*)(#011|;)(?P<user>.*)(#011|;).*(#011|;)(?P<type_2>\w+)(#011|;)(?P<hostname>.*)(#011|;).*(#011|;)(#011|;)(?P<msg_event>.*)(#011|;)"
date={normalize_date($date)}
plugin_id=1518
plugin_sid={$sid}
src_ip={resolv($host)}
username={$user}
# note: userdata1 is assigned twice here; the second assignment is the one that takes effect
userdata1={$hostname}
userdata1={$type_2}
userdata2={$type}
userdata3={$msg}
userdata4={$msg_event}

[020Snare]
precheck="Security"
event_type=event
regexp="^(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(#011|\s)MSWinEventLog(#011|;)\d+(#011|;)Security(#011|;)\d+(#011|;)\w{2,3}\s(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s\d{4}(#011|;)(?P<sid>\d+)(;|#011)(?P<msg>[^(;|#011)]+)(;|#011)(?P<user>.*?)(#011|;).*?(;|#011)(?P<type_2>.*?)(;|#011)[^#;]+(;|#011)(?P<msg_2>[^#;]+)(;|#011)(;|#011)(?P<msg_3>[^:]+):"
date={normalize_date($date)}
plugin_id=1518
plugin_sid={$sid}
src_ip={resolv($host)}
username={$user}
userdata1={$type_2}
userdata2={$msg}
userdata3={$msg_2}
userdata4={$msg_3}

[090Snare]
event_type=event
regexp="^(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(#011|\s)MSWinEventLog(#011|;)\d+(#011|;)(?P<type>\S+?)(#011|;)\d+(#011|;)\w{2,3}\s(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s\d{4}(#011|;)(?P<sid>\d+)(;|#011)(?P<msg>[^(;|#011)]+)(;|#011)(?P<user>.*?)"
date={normalize_date($date)}
plugin_id=1518
plugin_sid={$sid}
src_ip={resolv($host)}
username={$user}
userdata1={$type}
userdata2={$msg}

[ZZZZ - ##GENERIC-RULE##]
event_type=event
regexp="^(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(?P<msgbody>.*)"
date={normalize_date($date)}
plugin_id=1518
plugin_sid=2000000000
src_ip={resolv($host)}
userdata2={$msgbody}
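A quick way to see where a rule stops matching the line quoted above, as an added example that is not code from the post or from the OSSIM plugin: it runs the [010Snare] regexp against that event in plain Python, once with Unicode-aware \w and once with ASCII-only \w (re.ASCII, assumed here to approximate a Python 2 agent compiling patterns without re.UNICODE), and then tries a variant that accepts the Croatian-locale weekday/month tokens ("čet sij"). The expansion of the \SYSLOG_DATE macro is an assumption.

```python
import re

# Assumption: the agent expands the \SYSLOG_DATE macro to something like this
SYSLOG_DATE = r"\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}"

# Constructed from the line quoted in the post; the Snare date field is written
# in the Windows machine's Croatian locale ("čet sij" = "Thu Jan")
SAMPLE = ("Jan 10 15:48:46 HOSTNAME.domain.local MSWinEventLog;1;System;8;"
          "čet sij 10 15:48:45 2013;7036;Service Control Manager;N/A;N/A;"
          "Information;HOSTNAME.domain.local;None;;"
          "The Application Experience service entered the stopped state.;5")

# The shipped [010Snare] regexp, copied from the snare.cfg above
RULE_010 = (r"(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)(#011|\s)MSWinEventLog(#011|;)\d+"
            r"(#011|;)(?P<type>\w+?)(#011|;)\d+(#011|;)\w{2,3}\s"
            r"(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s\d{4}(#011|;)"
            r"(?P<sid>\d+)(#011|;)(?P<msg>.*)(#011|;)(?P<user>.*)(#011|;).*(#011|;)"
            r"(?P<type_2>\w+)(#011|;)(?P<hostname>.*)(#011|;).*(#011|;)(#011|;)"
            r"(?P<msg_event>.*)(#011|;)")

# Same rule, but the locale-dependent weekday and month abbreviations are matched
# as \S+ instead of \w{2,3} / \w{3}, so non-ASCII letters pass whatever \w means
RULE_010_PORTABLE = RULE_010.replace(r"\w{2,3}\s(?P<date_event>\w{3}\s+",
                                     r"\S+\s(?P<date_event>\S+\s+")


def match_rule(regexp, line, ascii_word_chars=False):
    """Expand the macro and search the line as regexp.py would.

    ascii_word_chars=True makes \\w, \\d and \\s ASCII-only (re.ASCII), which
    approximates a Python 2 agent compiling str patterns without re.UNICODE.
    Returns the named groups on a match, or None when the rule does not match.
    """
    pattern = regexp.replace(r"\SYSLOG_DATE", SYSLOG_DATE)
    m = re.search(pattern, line, re.ASCII if ascii_word_chars else 0)
    return m.groupdict() if m else None


if __name__ == "__main__":
    rules = (("010Snare", RULE_010), ("010Snare (\\S+ date tokens)", RULE_010_PORTABLE))
    for name, rule in rules:
        for ascii_only in (False, True):
            groups = match_rule(rule, SAMPLE, ascii_only)
            mode = "ASCII \\w  " if ascii_only else "Unicode \\w"
            print(f"{name:28s} {mode}: {'sid=' + groups['sid'] if groups else 'NO MATCH'}")
```

With Unicode-aware \w the shipped rule already matches the sample and yields sid 7036; with ASCII-only \w it fails at the "čet" weekday token, which the \S+ variant accepts in either mode.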
Answers

  • Idriel (Contactee)
    Thanks. It worked:
    alienvault:~# /usr/share/ossim/scripts/regexp.py /var/log/snare.log /etc/ossim/agent/plugins/snare.cfg q
    Multiple regexp mode used, parsing /etc/ossim/agent/plugins/snare.cfg
    -----------------------------------------------------------------------------
    Rule:   010Snare
                                                    Matched 0 times
    Rule:   020Snare
                                                    Matched 0 times
    Rule:   090Snare
                                                    Matched 47 times
    Rule:   095Snare
                                                    Matched 308 times
    Counted 355 lines.
    Matched 355 lines.
