OSSIM dashboard doesn't show Snort logs generated by pfSense
-
Hi,
I configured pfSense to send Snort logs (Snort 2.9.7.5, pkg v3.2.8) to OSSIM (v5.2.1) via Barnyard2. The logs are arriving OK.
The problem is, no events are showing in the OSSIM dashboard.
I verified with the script regex.py and none of the logs generated by pfSense are matching.
I'd like to know if someone has the regex to add to snort_syslog.cfg.
My snort_syslog.cfg is the default from the installation:

Alienvault plugin
Author: Alienvault Team at devel@alienvault.com
Plugin snort_syslog id:1001 version: 0.0.2
Last modification: 2015-05-13 16:11
Plugin Selection Info:
Snort:Snort:-
END-HEADER
Accepted products:
snort - snort -
Description:
$Id: snort_syslog.cfg,v 1.2 2010/03/12 16:50:26 dkarg Exp $

[DEFAULT]
plugin_id=1001

[config]
type=detector
enable=yes
process=snort
start=no ; launch plugin process when agent starts
stop=no ; shutdown plugin process when agent stops
startup=/etc/init.d/%(process)s start
shutdown=/etc/init.d/%(process)s stop
source=log
#location=/var/log/%(process)s/alert
location=/var/log/snort/alert-87
create_file=false

[translation]
PROTO255=139 # 139 is "OTHER" protocol in OSSIM language

[01_snort-alert-format]
event_type=event
regexp=^(?P<date>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<pid>\d+):(?P<sid>\d+):\d\] (?P<msg>.+) \[\*\*\] \[Classification: .+\] \[Priority: .+\] \{(?P<proto>.+)\} (?P<src
date={normalize_date($date)}
plugin_id={snort_id($pid)}
plugin_sid={$sid}
protocol={$proto}
src_ip={$src_ip}
src_port={$src_port}
dst_ip={$dst_ip}
dst_port={$dst_port}

[02_snort-ossim-format]
event_type=event
regexp=^(\d+/\d+(?:/?\d\d)?-\d\d:\d\d:\d\d).?\[(\d+):(\d+):\d+\] <(\w+)>.?\{(\w+)\}\s+([\d.]+):?(\d+)?\s+..\s+([\d.]+):?(\d+)?\s+\[(\d+):(\d+)\]$
date={normalize_date($1)}
plugin_id={snort_id($2)}
plugin_sid={$3}
interface={$4}
protocol={translate($5)}
src_ip={$6}
src_port={$7}
dst_ip={$8}
dst_port={$9}
snort_sid={$10}
snort_cid={$11}

[022_snort-ossim-format-from-file]
event_type=event
regexp=^(\d+/\d+(?:/?\d\d)?-\d\d:\d\d:\d\d).?\[(\d+):(\d+):\d+\] <(\[reading from a file\])>.?\{(\w+)\}\s+([\d.]+):?(\d+)?\s+..\s+([\d.]+):?(\d+)?\s+\[(\d+):(\d+)\]$
date={normalize_date($1)}
plugin_id={snort_id($2)}
plugin_sid={$3}
protocol={translate($5)}
src_ip={$6}
src_port={$7}
dst_ip={$8}
dst_port={$9}
snort_sid={$10}
snort_cid={$11}

[03_snort-fast-format]
event_type=event
regexp="\[(\d+):(\d+):\d+\].?\n^(\d+)/(\d+)-(\d\d:\d\d:\d\d).?(\IPV4):?(\PORT)?\s+..\s+(\IPV4):?(\PORT)?"
plugin_id={snort_id($1)}
plugin_sid={$2}
src_ip={$6}
src_port={$7}
dst_ip={$8}
dst_port={$9}

[04_snort-syslog-format]
event_type=event
regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-_]+|\d+\.\d+\.\d+\.\d+)\s+snort.:\s+\[(\d+):(\d+):\d+\].?\{(\w+)\}\s+([\d.]+):?(\d+)?\s+.*\s+([\d.]+):?(\d+)?
date={normalize_date($1)}
device={resolv($2)}
plugin_id={snort_id($3)}
plugin_sid={$4}
protocol={$5}
src_ip={$6}
src_port={$7}
dst_ip={$8}
dst_port={$9}

Thanks,
Wagner
-
I found a regex that matches:
regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-_]+|\d+\.\d+\.\d+\.\d+)\s+.(\d+):\s+(\d+):\d+.\{(\w+).\}\s+([\d.]+):(\d+).*\s+([\d+.]+):?(\d+)?
https://www.alienvault.com/forums/discussion/comment/13034/#Comment_13034
This post can be closed.
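As an added example (not OSSIM's own regex.py and not code from this thread), here is a small Python harness in the spirit of the check described in the first post: it reads one plugin stanza the way the agent does, mapping the $N capture groups to event fields, and runs it over constructed log lines, so a line whose shape the stanza does not expect shows up as None instead of silently never reaching the dashboard. It assumes search semantics and ignores the wrapping functions (normalize_date, resolv, snort_id); the same harness can be pointed at the regex from the follow-up post.

```python
import re

# Constructed copy of the stock [04_snort-syslog-format] stanza, with the
# backslashes the forum stripped restored; the real file has the same layout.
STANZA = r"""
regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-_]+|\d+\.\d+\.\d+\.\d+)\s+snort.:\s+\[(\d+):(\d+):\d+\].?\{(\w+)\}\s+([\d\.]+):?(\d+)?\s+.*\s+([\d\.]+):?(\d+)?
date={normalize_date($1)}
device={resolv($2)}
plugin_id={snort_id($3)}
plugin_sid={$4}
protocol={$5}
src_ip={$6}
src_port={$7}
dst_ip={$8}
dst_port={$9}
"""

# Constructed sample lines: the first has the minimal "[gid:sid:rev] {proto} src -> dst"
# shape the stanza expects, the second the classic Snort alert_syslog shape with a pid
# tag and the message/classification text between the signature and the protocol.
SAMPLE_MINIMAL = ("Jun 12 13:40:04 pfSense snort1: [1:2008578:3] {TCP} "
                  "192.0.2.10:443 -> 198.51.100.7:51234")
SAMPLE_FULL = ("Jun 12 13:40:04 pfSense snort[53420]: [1:2008578:3] ET SCAN Potential SSH Scan "
               "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
               "192.0.2.10:443 -> 198.51.100.7:51234")

# A field line is "name={$N}" or "name={func($N)}"; the wrapping function
# (normalize_date, resolv, snort_id) is ignored here, a simplification of the agent.
FIELD_REF = re.compile(r"^(\w+)=\{(?:\w+\()?\$(\d+)\)?\}$")


def load_stanza(text):
    """Return (compiled regexp, {field: capture group number}) from stanza text."""
    regexp, fields = None, {}
    for line in text.strip().splitlines():
        if line.startswith("regexp="):
            regexp = re.compile(line[len("regexp="):])
        elif FIELD_REF.match(line):
            name, num = FIELD_REF.match(line).groups()
            fields[name] = int(num)
    return regexp, fields


def apply_stanza(text, line):
    """Event dict the stanza would emit for one log line, or None when the regexp
    does not match (search semantics assumed, as in a quick regex.py-style check)."""
    regexp, fields = load_stanza(text)
    m = regexp.search(line)
    return None if m is None else {name: m.group(num) for name, num in fields.items()}
```

The second sample fails on two counts visible in the stanza: the snort[pid]: tag does not fit snort.:, and the .? between the signature ID and {proto} leaves no room for the message and classification text.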