OSSIM dashboard doesn't show Snort logs generated by pfSense



  • Hi,

    I configured pfSense to send Snort logs (Snort 2.9.7.5 pkg v3.2.8) to OSSIM (v5.2.1) via Barnyard2. The logs are arriving OK.
    The problem is, no events are showing in the OSSIM dashboard.
    I verified with the regex.py script, and nothing matches the logs generated by pfSense.
    I'd like to know if someone has the regex to add to snort_syslog.cfg.
    My snort_syslog.cfg is the default from installation:

    ;; Alienvault plugin
    ;; Author: Alienvault Team at devel@alienvault.com
    ;; Plugin snort_syslog id:1001 version: 0.0.2
    ;; Last modification: 2015-05-13 16:11
    ;;
    ;; Plugin Selection Info:
    ;; Snort:Snort:-
    ;;
    ;; END-HEADER
    ;;
    ;; Accepted products:
    ;; snort - snort -
    ;; Description:
    ;; $Id: snort_syslog.cfg,v 1.2 2010/03/12 16:50:26 dkarg Exp $

    [DEFAULT]
    plugin_id=1001

    [config]
    type=detector
    enable=yes

    process=snort
    start=no  ; launch plugin process when agent starts
    stop=no    ; shutdown plugin process when agent stops
    startup=/etc/init.d/%(process)s start
    shutdown=/etc/init.d/%(process)s stop

    source=log
    #location=/var/log/%(process)s/alert
    location=/var/log/snort/alert-87
    create_file=false

    [translation]
    PROTO255=139 # 139 is "OTHER" protocol in OSSIM language

    [01_snort-alert-format]
    event_type=event
    regexp=^(?P<date>\d\d/\d\d-\d\d:\d\d:\d\d.\d+)  \[\*\*\] \[(?P<pid>\d+):(?P<sid>\d+):\d\] (?P<msg>.+) \[\*\*\] \[Classification: .+\] \[Priority: .+\] \{(?P<proto>.+)\} (?P<src
    date={normalize_date($date)}
    plugin_id={snort_id($pid)}
    plugin_sid={$sid}
    protocol={$proto}
    src_ip={$src_ip}
    src_port={$src_port}
    dst_ip={$dst_ip}
    dst_port={$dst_port}

    [02_snort-ossim-format]
    event_type=event
    regexp=^(\d+/\d+(?:/?\d\d)?-\d\d:\d\d:\d\d).?\[(\d+):(\d+):\d+\] <(\w+)>.?\{(\w+)\}\s+([\d.]+):?(\d+)?\s+..\s+([\d.]+):?(\d+)?\s+\[(\d+):(\d+)\]$
    date={normalize_date($1)}
    plugin_id={snort_id($2)}
    plugin_sid={$3}
    interface={$4}
    protocol={translate($5)}
    src_ip={$6}
    src_port={$7}
    dst_ip={$8}
    dst_port={$9}
    snort_sid={$10}
    snort_cid={$11}

    [022_snort-ossim-format-from-file]
    event_type=event
    regexp=^(\d+/\d+(?:/?\d\d)?-\d\d:\d\d:\d\d).?\[(\d+):(\d+):\d+\] <(\[reading from a file\])>.?\{(\w+)\}\s+([\d.]+):?(\d+)?\s+..\s+([\d.]+):?(\d+)?\s+\[(\d+):(\d+)\]$
    date={normalize_date($1)}
    plugin_id={snort_id($2)}
    plugin_sid={$3}
    protocol={translate($5)}
    src_ip={$6}
    src_port={$7}
    dst_ip={$8}
    dst_port={$9}
    snort_sid={$10}
    snort_cid={$11}

    [03_snort-fast-format]
    event_type=event
    regexp="\[(\d+):(\d+):\d+\].?\n^(\d+)/(\d+)-(\d\d:\d\d:\d\d).?(\IPV4):?(\PORT)?\s+..\s+(\IPV4):?(\PORT)?"
    plugin_id={snort_id($1)}
    plugin_sid={$2}
    src_ip={$6}
    src_port={$7}
    dst_ip={$8}
    dst_port={$9}

    [04_snort-syslog-format]
    event_type=event
    regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-_]+|\d+\.\d+\.\d+\.\d+)\s+snort.:\s+\[(\d+):(\d+):\d+\].?\{(\w+)\}\s+([\d.]+):?(\d+)?\s+.*\s+([\d.]+):?(\d+)?
    date={normalize_date($1)}
    device={resolv($2)}
    plugin_id={snort_id($3)}
    plugin_sid={$4}
    protocol={$5}
    src_ip={$6}
    src_port={$7}
    dst_ip={$8}
    dst_port={$9}

    Thanks,
    Wagner



  • I found a regex that matches:

    regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([\w\-_]+|\d+\.\d+\.\d+\.\d+)\s+.(\d+):\s+(\d+):\d+.{(\w+).}\s+([\d.]+):(\d+).*\s+([\d+.]+):?(\d+)?

    https://www.alienvault.com/forums/discussion/comment/13034/#Comment_13034

    This post can be closed.
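As an added example (not part of this thread, and not AlienVault's regex.py), here is a small Python 3 checker that does what both posts are about: run a plugin-style regex over sample syslog lines and show which lines match and which fields are captured. The sample lines, the `build_pattern` / `check_lines` names and the idea that the relayed line carries a `barnyard2` syslog tag instead of `snort` are constructed assumptions. The stock file's `[\w-_]` is written `[\w\-_]` here because Python's `re` rejects the bare `\w-_` range.

```python
import re

# Constructed sample lines (not taken from the post); RFC 5737 addresses.
SAMPLE_LINES = [
    # Layout the stock [04_snort-syslog-format] rule is written for: tag "snort".
    "Mar 11 16:50:26 sensor01 snort[1234]: [1:2010935:3] ET POLICY Suspicious inbound to mySQL port 3306 "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:49152 -> 198.51.100.5:3306",
    # Same alert, but the syslog tag is "barnyard2" (assumed relay layout, not verified against pfSense).
    "Mar 11 16:50:27 pfsense barnyard2[5678]: [1:2010935:3] ET POLICY Suspicious inbound to mySQL port 3306 "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:49152 -> 198.51.100.5:3306",
    # ICMP alert: no ports, so the port groups must stay optional.
    "Mar 11 16:50:28 sensor01 snort[1234]: [1:2100384:6] GPL ICMP PING [Classification: Misc activity] "
    "[Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.5",
]


def build_pattern(tag):
    """Build a 04-style rule with named groups. `tag` is the regex for the syslog
    program name that sits between the hostname and the [gid:sid:rev] block."""
    return re.compile(
        r"(?P<date>\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"      # Mar 11 16:50:26
        r"(?P<device>[\w\-_]+|\d+\.\d+\.\d+\.\d+)\s+"       # hostname or IP
        + tag + r"(?:\[\d+\])?:\s+"                          # snort[1234]:
        r"\[(?P<pid>\d+):(?P<sid>\d+):\d+\].*?"             # [gid:sid:rev] msg [Class...] [Prio...]:
        r"\{(?P<proto>\w+)\}\s+"                             # {TCP}
        r"(?P<src_ip>[\d.]+):?(?P<src_port>\d+)?\s+->\s+"   # src:port ->
        r"(?P<dst_ip>[\d.]+):?(?P<dst_port>\d+)?"            # dst:port
    )


STOCK_STYLE = build_pattern(r"snort")     # only accepts the "snort" tag, like the stock rule
TAG_AGNOSTIC = build_pattern(r"[\w-]+")   # accepts barnyard2 (or any other) tag


def parse_line(pattern, line):
    """Return the captured fields for one line, or None when the rule does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def check_lines(pattern, lines):
    """Run one rule over many lines, regex.py style: one fields dict (or None) per line."""
    return [parse_line(pattern, line) for line in lines]


if __name__ == "__main__":
    for name, pattern in (("stock-style", STOCK_STYLE), ("tag-agnostic", TAG_AGNOSTIC)):
        print(f"== {name} ==")
        for line, fields in zip(SAMPLE_LINES, check_lines(pattern, SAMPLE_LINES)):
            if fields is None:
                print("NO MATCH:", line[:60], "...")
            else:
                print("match:", {k: v for k, v in fields.items() if k != "date"})
```

To use it on a real sensor, replace `SAMPLE_LINES` with lines copied from the file named in the plugin's `location=` setting; a rule that returns `None` for every real line is the reason nothing reaches the dashboard, and the captured dict shows whether `plugin_sid`, `src_ip` and the other fields land in the groups the rule assigns them to.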