Netgate Discussion Forum
    [Resolved] AlienVault OSSIM does not read Snort signatures generated by pfSense

    wmqueiroz

      Good afternoon

      I configured pfSense to send Snort logs (Snort 2.9.7.5 pkg v3.2.8) to OSSIM (v5.2.1) via Barnyard2. The logs are arriving OK.
      The problem I'm having is that these logs are not showing up in the OSSIM dashboard.
      I checked with the regex.py script and none of the logs generated by pfSense match anything. I'm looking for a regex to put in the snort_syslog.cfg plugin. Currently my snort_syslog.cfg looks like this (installation default):

      
      # Alienvault plugin
      # Author: Alienvault Team at devel@alienvault.com
      # Plugin snort_syslog id:1001 version: 0.0.2
      # Last modification: 2015-05-13 16:11
      #
      # Plugin Selection Info:
      # Snort:Snort:-
      #
      # END-HEADER
      # Accepted products:
      # snort - snort -
      # Description:
      # $Id: snort_syslog.cfg,v 1.2 2010/03/12 16:50:26 dkarg Exp $
      #
      #
      
      [DEFAULT]
      plugin_id=1001
      
      [config]
      type=detector
      enable=yes
      
      process=snort
      start=no   ; launch plugin process when agent starts
      stop=no     ; shutdown plugin process when agent stops
      startup=/etc/init.d/%(process)s start
      shutdown=/etc/init.d/%(process)s stop
      
      source=log
      #location=/var/log/%(process)s/alert
      location=/var/log/snort/alert-87
      create_file=false
      
      [translation]
      PROTO255=139 # 139 is "OTHER" protocol in OSSIM language
      
      [01_snort-alert-format]
      event_type=event
      regexp=^(?P<date>\d\d/\d\d-\d\d:\d\d:\d\d.\d+)  \[\*\*\] \[(?P<pid>\d+):(?P<sid>\d+):\d\] (?P<msg>.+) \[\*\*\] \[Classification: .+\] \[Priority: .+\] \{(?P<proto>.+)\} (?P<src
      date={normalize_date($date)}
      plugin_id={snort_id($pid)}
      plugin_sid={$sid}
      protocol={$proto}
      src_ip={$src_ip}
      src_port={$src_port}
      dst_ip={$dst_ip}
      dst_port={$dst_port}
      
      [02_snort-ossim-format]
      event_type=event
      regexp=^(\d+/\d+(?:/?\d\d)?-\d\d:\d\d:\d\d).*?\[(\d+):(\d+):\d+\] <(\w+)>.*?{(\w+)}\s+([\d\.]+):?(\d+)?\s+..\s+([\d\.]+):?(\d+)?\s+\[(\d+):(\d+)\]$
      date={normalize_date($1)}
      plugin_id={snort_id($2)}
      plugin_sid={$3}
      interface={$4}
      protocol={translate($5)}
      src_ip={$6}
      src_port={$7}
      dst_ip={$8}
      dst_port={$9}
      snort_sid={$10}
      snort_cid={$11}
      
      [022_snort-ossim-format-from-file]
      event_type=event
      regexp=^(\d+/\d+(?:/?\d\d)?-\d\d:\d\d:\d\d).*?\[(\d+):(\d+):\d+\] <(\[reading from a file\])>.*?{(\w+)}\s+([\d\.]+):?(\d+)?\s+..\s+([\d\.]+):?(\d+)?\s+\[(\d+):(\d+)\]$
      date={normalize_date($1)}
      plugin_id={snort_id($2)}
      plugin_sid={$3}
      protocol={translate($5)}
      src_ip={$6}
      src_port={$7}
      dst_ip={$8}
      dst_port={$9}
      snort_sid={$10}
      snort_cid={$11}
      
      [03_snort-fast-format]
      event_type=event
      regexp="\[(\d+):(\d+):\d+\].*?\n^(\d+)/(\d+)-(\d\d:\d\d:\d\d).*?(\IPV4):?(\PORT)?\s+..\s+(\IPV4):?(\PORT)?"
      plugin_id={snort_id($1)}
      plugin_sid={$2}
      src_ip={$6}
      src_port={$7}
      dst_ip={$8}
      dst_port={$9}
      
      [04_snort-syslog-format]
      event_type=event
      regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-\_]+|\d+.\d+.\d+.\d+)\s+snort.*:\s+\[(\d+):(\d+):\d+\].*?{(\w+)}\s+([\d\.]+):?(\d+)?\s+.*\s+([\d\.]+):?(\d+)?
      date={normalize_date($1)}
      device={resolv($2)}
      plugin_id={snort_id($3)}
      plugin_sid={$4}
      protocol={$5}
      src_ip={$6}
      src_port={$7}
      dst_ip={$8}
      dst_port={$9}
      

      Thanks,
      Wagner

      wmqueiroz

        I found the regex that works:

        
        regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-\_]+|\d+.\d+.\d+.\d+)\s+.(\d+):\s+(\d+):\d+.*{(\w+).*}\s+([\d\.]+):(\d+).*\s+([\d+\.]+):?(\d+)?
        
        

        https://www.alienvault.com/forums/discussion/comment/13034/#Comment_13034

        This thread can be closed.

        Wagner Queiroz
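        As an added check (not code from this thread, from AlienVault or from pfSense), the script below does what regex.py does: it runs the stock [04_snort-syslog-format] regexp and the replacement regexp from the post above over log lines and returns the fields the OSSIM agent would extract. The two sample lines are constructed to show the two line shapes, not captured pfSense/Barnyard2 output; paste lines copied from the file the plugin reads to test your own setup.

```python
import re

# Both patterns are copied from the thread: the stock [04_snort-syslog-format]
# regexp and the replacement regexp from the second post.
PATTERNS = {
    "stock": r"(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-\_]+|\d+.\d+.\d+.\d+)\s+snort.*:\s+\[(\d+):(\d+):\d+\].*?{(\w+)}\s+([\d\.]+):?(\d+)?\s+.*\s+([\d\.]+):?(\d+)?",
    "fix": r"(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-\_]+|\d+.\d+.\d+.\d+)\s+.(\d+):\s+(\d+):\d+.*{(\w+).*}\s+([\d\.]+):(\d+).*\s+([\d+\.]+):?(\d+)?",
}

# Group number -> OSSIM field, as assigned in the [04_snort-syslog-format] section
# (group 3 is the generator id that snort_id() maps to the plugin_id).
FIELDS = {1: "date", 2: "device", 3: "gid", 4: "plugin_sid", 5: "protocol",
          6: "src_ip", 7: "src_port", 8: "dst_ip", 9: "dst_port"}

# Constructed sample lines (not real pfSense/Barnyard2 output): the first has the
# "snort[pid]: [gid:sid:rev]" shape the stock rule expects, the second the shape
# the replacement rule expects (no "snort" tag, whitespace after the gid).
SAMPLES = [
    "Nov 14 15:22:31 sensor1 snort[4242]: [1:1000001:1] TEST alert for regex check "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 192.0.2.50:49152 -> 198.51.100.10:80",
    "Nov 14 15:22:31 pfsense [1: 1000001:1] TEST alert for regex check "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 192.0.2.50:49152 -> 198.51.100.10:80",
]


def extract(pattern, line):
    """Apply one plugin regexp to one log line; return the OSSIM fields, or None
    when the agent would drop the line (the same check regex.py performs)."""
    m = re.search(pattern, line)
    if m is None:
        return None
    return {field: m.group(idx) for idx, field in FIELDS.items()}


def check_samples(samples=SAMPLES, patterns=PATTERNS):
    """Return {pattern name: number of sample lines that pattern matched}."""
    return {name: sum(extract(pat, ln) is not None for ln in samples)
            for name, pat in patterns.items()}


if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        for name, pattern in PATTERNS.items():
            fields = extract(pattern, line)
            print(f"  {name:5}: {fields if fields else 'no match'}")
```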
