走近OSSIM传感器(Sensor)插件
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了走近OSSIM传感器(Sensor)插件相关的知识,希望对你有一定的参考价值。
走近OSSIM传感器(Sensor)插件
在上一篇博文介绍完OSSIM架构何组成,接着要介绍它“神秘”的插件,阅读插件前提示您熟练掌握正则表达式。
Sensor启用插件列表
[plugins]
apache=/etc/ossim/agent/plugins/apache.cfg
nmap-monitor=/etc/ossim/agent/plugins/nmap-monitor.cfg
ossec-single-line=/etc/ossim/agent/plugins/ossec-single-line.cfg
ossim-monitor=/etc/ossim/agent/plugins/ossim-monitor.cfg
pam_unix=/etc/ossim/agent/plugins/pam_unix.cfg
ping-monitor=/etc/ossim/agent/plugins/ping-monitor.cfg
prads_eth0=/etc/ossim/agent/plugins/prads_eth0.cfg
ssh=/etc/ossim/agent/plugins/ssh.cfg
sudo=/etc/ossim/agent/plugins/sudo.cfg
suricata=/etc/ossim/agent/plugins/suricata.cfg
whois-monitor=/etc/ossim/agent/plugins/whois-monitor.cfg
wmi-monitor=/etc/ossim/agent/plugins/wmi-monitor.cfg
Sensor插件将预处理数据发往Server,定义如下
[output-server]
enable=True
ip=192.168.91.228
port=40001
send_events=True
下面已Apache插件为例,看看插件中的正则表达式:
[0001 - apache-access] 访问日志
event_type=event
regexp=((?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(?P\d{1,5}))? )?(?P\S+) (?P\S+) (?P\S+) \[(?P\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P[^\"]*)\" (?P\d{3}) ((?P\d+)|-)( \"(?P[^\"]*)\" \"(?P[^\"]*)\")?$
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
[0002 - apache-error] 错误日志
event_type=event
regexp=\[(?P\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] \[(?P(emerg|alert|crit|error|warn|notice|info|debug))\] (\[client (?P\S+)\] )?(?P.*)
date={normalize_date($date)}
plugin_sid={translate($type)}
src_ip={resolv($src)}
userdata1={$data}
如果您对Apache日志基本格式不太了解请参看《Unix/Linux网络日志分析与流量监控》一书。
如果您是通过syslog转发apache日志,那么正则该这样写:
[0001 - apache-syslog-access]
event_type=event
regexp=^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P\S+) \S+: ((?P\S+)(:(?P\d{1,5}))? )?(?P\S+) (?P\S+) (?P\S+) \[(?P\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P.*)\" (?P\d{3}) ((?P\d+)|-)( \"(?P.*)\" \"(?P.*)\")?$
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
device={resolv($device)}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
[0002 - apache-syslog-error]
event_type=event
regexp=^(?P\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P\S+) \S+: \[(?P(emerg|alert|crit|error|warn|notice|info|debug))\] (\[client (?P\S+)\] )?(?P.*)
date={normalize_date($date)}
dst_ip={resolv($device)}
device={resolv($device)}
date={normalize_date($date)}
plugin_sid={translate($type)}
src_ip={resolv($src)}
userdata1={$data}
每类插件对应了一个插件ID,大家在使用SIEM事件分析时要牢记该ID号(看多了就懂了),若大家想详细了解这种基于插件的日志采集处理方式,请参考《开源安全运维平台-OSSIM最佳实践》一书。
本文出自 “李晨光原创技术博客” 博客,请务必保留此出处http://chenguang.blog.51cto.com/350944/1739278
以上是关于走近OSSIM传感器(Sensor)插件的主要内容,如果未能解决你的问题,请参考以下文章