[Resolvido] Alienvault OSSIM não lê assinaturas Snort geradas pelo PFSense



  • Boa tarde

    Configurei o pfSense para enviar logs do Snort (Snort 2.9.7.5 pkg v3.2.8 ) para o OSSIM (v 5.2.1) via Barnyard2. Os logs estão chegando OK.
    O problema que estou tendo é que esses logs não estão aparecendo no dashboard do OSSIM.
    Verifiquei com o script regex.py e nenhum log está dando match nos logs gerados pelo pfSense. Estou em busca de uma regex para colocar no plugin snort_syslog.cfg. Atualmente meu snort_syslog.cfg está assim (padrão de instalação):

    
    # Alienvault plugin
    # Author: Alienvault Team at devel@alienvault.com
    # Plugin snort_syslog id:1001 version: 0.0.2
    # Last modification: 2015-05-13 16:11
    #
    # Plugin Selection Info:
    # Snort:Snort:-
    #
    # END-HEADER
    # Accepted products:
    # snort - snort -
    # Description:
    # $Id: snort_syslog.cfg,v 1.2 2010/03/12 16:50:26 dkarg Exp $
    #
    #
    
    [DEFAULT]
    plugin_id=1001
    
    [config]
    type=detector
    enable=yes
    
    process=snort
    start=no   ; launch plugin process when agent starts
    stop=no     ; shutdown plugin process when agent stops
    startup=/etc/init.d/%(process)s start
    shutdown=/etc/init.d/%(process)s stop
    
    source=log
    #location=/var/log/%(process)s/alert
    location=/var/log/snort/alert-87
    create_file=false
    
    [translation]
    PROTO255=139 # 139 is "OTHER" protocol in OSSIM language
    
    [01_snort-alert-format]
    event_type=event
    regexp=^(?P<date>\d\d/\d\d-\d\d:\d\d:\d\d.\d+)  [\*\*] [(?P<pid>\d+):(?P<sid>\d+):\d] (?P<msg>.+) [\*\*] [Classification: .+] [Priority: .+] \{(?P<proto>.+)\} (?P<src$<br>date={normalize_date($date)}
    plugin_id={snort_id($pid)}
    plugin_sid={$sid}
    protocol={$proto}
    src_ip={$src_ip}
    src_port={$src_port}
    dst_ip={$dst_ip}
    dst_port={$dst_port}
    
    [02_snort-ossim-format]
    event_type=event
    regexp=^(\d+/\d+(?:/?\d\d)?-\d\d:\d\d:\d\d).*?[(\d+):(\d+):\d+] <(\w+)>.*?{(\w+)}\s+([\d\.]+):?(\d+)?\s+..\s+([\d\.]+):?(\d+)?\s+[(\d+):(\d+)]$
    date={normalize_date($1)}
    plugin_id={snort_id($2)}
    plugin_sid={$3}
    interface={$4}
    protocol={translate($5)}
    src_ip={$6}
    src_port={$7}
    dst_ip={$8}
    dst_port={$9}
    snort_sid={$10}
    snort_cid={$11}
    
    [022_snort-ossim-format-from-file]
    event_type=event
    regexp=^(\d+/\d+(?:/?\d\d)?-\d\d:\d\d:\d\d).*?[(\d+):(\d+):\d+] <([reading from a file])>.*?{(\w+)}\s+([\d\.]+):?(\d+)?\s+..\s+([\d\.]+):?(\d+)?\s+[(\d+):(\d+)]$
    date={normalize_date($1)}
    plugin_id={snort_id($2)}
    plugin_sid={$3}
    protocol={translate($5)}
    src_ip={$6}
    src_port={$7}
    dst_ip={$8}
    dst_port={$9}
    snort_sid={$10}
    snort_cid={$11}
    
    [03_snort-fast-format]
    event_type=event
    regexp="[(\d+):(\d+):\d+].*?\n^(\d+)/(\d+)-(\d\d:\d\d:\d\d).*?(\IPV4):?(\PORT)?\s+..\s+(\IPV4):?(\PORT)?"
    plugin_id={snort_id($1)}
    plugin_sid={$2}
    src_ip={$6}
    src_port={$7}
    dst_ip={$8}
    dst_port={$9}
    
    [04_snort-syslog-format]
    event_type=event
    regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-\_]+|\d+.\d+.\d+.\d+)\s+snort.*:\s+[(\d+):(\d+):\d+].*?{(\w+)}\s+([\d\.]+):?(\d+)?\s+.*\s+([\d\.]+):?(\d+)?
    date={normalize_date($1)}
    device={resolv($2)}
    plugin_id={snort_id($3)}
    plugin_sid={$4}
    protocol={$5}
    src_ip={$6}
    src_port={$7}
    dst_ip={$8}
    dst_port={$9}</src$<br></proto></msg></sid></pid></date> 
    

    Obrigado,
    Wagner



  • Eu encontrei a regex que funciona:

    
    regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-\_]+|\d+.\d+.\d+.\d+)\s+.(\d+):\s+(\d+):\d+.*{(\w+).*}\s+([\d\.]+):(\d+).*\s+([\d+\.]+):?(\d+)?
    
    

    https://www.alienvault.com/forums/discussion/comment/13034/#Comment_13034

    Esse post pode ser fechado.

    Wagner Queiroz