Documentation Center
AlienVault® USM Appliance™

Checking MSSQL Connectivity From the Command Line

Version: 5.x
Deployment: All deployments

In AlienVault USM Appliance, you can connect to a MSSQL database from the command line by using the pymssql Python module in an interactive Python session.

Here is an example of connecting to a host named EPO4:

~# python
>>> import pymssql
>>> con = pymssql.connect(host="EPO4", user="domain\\user", password="user-pass", database="database")
>>> cursor = con.cursor()
>>> cursor.execute("SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC")
>>> print(cursor.fetchall())

Press Ctrl+D to exit the Python shell.

Note: Also check the plugin header for additional information.

The connection and the data returned by the command above can be observed with tcpdump or ngrep. In the following example the MSSQL server's IP address is 10.10.10.10 and the communication uses port 1433:

~# ngrep -d eth0 host 10.10.10.10
interface: eth0 (10.10.10.10/255.255.255.224)
filter: (ip or ip6) and ( host 10.10.10.10 )
##
T 10.10.10.10:1433 -> 10.10.10.20:54965 [A]
......
#
T 10.10.10.10:1433 -> 10.10.10.20:54965 [AF]
......
#####
T 10.10.10.20:54983 -> 10.10.10.10:1433 [AP]
........10.10.10.10..................siem.................... PASSWORD
..............37876...............pymssql............10.10.10.10............
...... PASSWORD....................DB-Library........us_english.............
....L.........................ANSI_X3.4-1968..................512............
#
T 10.10.10.10:1433 -> 10.10.10.20:54983 [AP]
.....g.......ePO4_HOSTNAME17.master.B.E.....-.Changed database context to
'ePO4_HOSTNAME17'..HOSTNAME15........iso_1... .......Microsoft SQL
Server.._........512.512.........

In the output above you can see the user (siem), the password, and the database name (ePO4_HOSTNAME17); they are shown in bold on the rendered page. Use these values to populate your plugin configuration.

Example 1:

[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/mac__custom_functions.cfg
source=database
source_type=mssql
source_ip=HOSTNAME17
source_port=1433
user=siem
password=PASSWORD
db=ePO4_HOSTNAME17

Example 2:

[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/mac__custom_functions.cfg
source=database
source_type=mssql
source_ip=HOSTNAME17\INSTANCE
source_port=
user=siem
password=PASSWORD
db=ePO4_HOSTNAME17

There are two ways to connect to a MSSQL server:

  • TCP port - Normal configuration using the standard fields, with source_port set to the port the server listens on. See Example 1.
  • TCP dynamic port - Leave source_port blank (do not set it to 0) and set source_ip to the "host\instance" format, with just one backslash. See Example 2.
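As an added example (not AlienVault's or USM Appliance's own code), the following Python 3 script turns a plugin [config] block into a pymssql connection and runs the same probe query as the interactive session above. It covers both ways of connecting listed here: a static port (Example 1) and host\instance with source_port left blank (Example 2). The function names, the constructed sample configs and the assumption that pymssql/FreeTDS resolves a bare host\instance through the SQL Browser service when no port is passed are mine, not the page's.

```python
"""Connectivity check built from a USM plugin [config] block (added example).

Assumption: pymssql/FreeTDS resolves "host\\instance" via the SQL Browser
service when no port is passed, so port is only set when source_port is
non-empty. Python 3; the appliance shell in the text above is Python 2.
"""
import configparser
import socket
import sys

# Constructed sample configs, shaped like Example 1 and Example 2 above.
STATIC_PORT_CFG = r"""
[config]
source=database
source_type=mssql
source_ip=HOSTNAME17
source_port=1433
user=siem
password=PASSWORD
db=ePO4_HOSTNAME17
"""

DYNAMIC_PORT_CFG = r"""
[config]
source=database
source_type=mssql
source_ip=HOSTNAME17\INSTANCE
source_port=
user=siem
password=PASSWORD
db=ePO4_HOSTNAME17
"""

PROBE_QUERY = "SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC"


def parse_plugin_config(text):
    """Return the [config] section as a dict. RawConfigParser does no
    %-interpolation, so a password containing '%' is read literally."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return dict(parser.items("config"))


def build_connect_kwargs(cfg):
    """Map plugin fields onto pymssql.connect() keyword arguments."""
    if cfg.get("source_type") != "mssql":
        raise ValueError("source_type must be mssql, got %r" % cfg.get("source_type"))
    host = cfg["source_ip"].strip()
    port = cfg.get("source_port", "").strip()
    if host.count("\\") > 1:
        raise ValueError("named instance must be host\\instance with one backslash: %r" % host)
    if port == "0":
        raise ValueError("for a dynamic port leave source_port blank; do not set it to 0")
    kwargs = {
        "host": host,
        "user": cfg["user"],
        "password": cfg["password"],
        "database": cfg["db"],
    }
    if port:  # static TCP port (Example 1); blank means SQL Browser lookup (Example 2)
        kwargs["port"] = int(port)
    return kwargs


def redacted(kwargs):
    """Copy of the connection arguments that is safe to print or log."""
    safe = dict(kwargs)
    if "password" in safe:
        safe["password"] = "***"
    return safe


def tcp_reachable(host, port, timeout=3.0):
    """Cheap pre-check for the static-port case: can the TCP port be opened at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_connectivity(cfg, query=PROBE_QUERY):
    """Open the connection and run the probe query; return the fetched rows."""
    import pymssql  # imported here so the parsing helpers work without the module
    con = pymssql.connect(**build_connect_kwargs(cfg))
    try:
        cursor = con.cursor()
        cursor.execute(query)
        return cursor.fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    # Usage (hypothetical file name): python mssql_check.py /etc/ossim/agent/plugins/<plugin>.cfg
    path = sys.argv[1] if len(sys.argv) > 1 else None
    cfg = parse_plugin_config(open(path).read() if path else STATIC_PORT_CFG)
    kwargs = build_connect_kwargs(cfg)
    print("connection arguments:", redacted(kwargs))
    if "port" in kwargs:
        print("tcp reachable:", tcp_reachable(kwargs["host"], kwargs["port"]))
    if path:
        print("rows:", check_connectivity(cfg))
```

Run it on the appliance with the plugin file as its argument. It prints the connection arguments with the password masked: the ngrep capture above already shows the login fields travelling in cleartext, so there is no reason to copy the password into shell history or log files as well. pymssql is imported only inside check_connectivity, so the config parsing and validation can be exercised on any machine.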

Note: You may need to restart ossim-agent for the new plugin to establish the connection to the MSSQL database.