
Plugin / Regex Tutorial (Broken Down Barney Style)

HawtDogFlvrWtr

I've been asked several times how I can generate a plugin so quickly for folks on here, so I figured I would write a tutorial on what a regular expression is and how you drop one into an AlienVault plugin.

Understanding an AlienVault plugin:

Each AlienVault plugin has two required sections:

  1. A configuration section
  2. A plugin definition section

The configuration section is used for the log file location, service-related controls, and configuring the type of plugin you've created.

The plugin definition section is where you define the regular expression that is run against each log message to look for a match. It is also where you define the variables you later see in the SIEM, for example (but not limited to) Source IP, Source Port, Destination IP, Destination Port, Username, Password and the numbered Userdata fields.

Along with the two required sections above, there is a lesser-known section called translation that can be used to convert one value into another. A good example is firewall data that lists the ICMP type as a number when you want to show someone the human-readable form; this is where you'd do it. An entry is written as the value found in the log, an equals sign, and the value you want instead. For example, the entry 4=Source Quench means that an ICMP type of 4 would return "Source Quench" rather than the number 4. More on this later though. :)
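To make the three sections concrete, here is an added example that is not the tutorial's or AlienVault's own code: a small Python loader that reads a constructed plugin file with the layout described above (a [config] section, a [translation] table, and one rule section whose regexp uses named groups), runs the regexp over a few constructed log lines, fills the event fields from the captured groups, and applies the translation to plugin_sid. It models only the {$field} and {translate($field)} expressions; the real agent supports further functions and its own loader may behave differently, and the section names, path, plugin_id and log lines are all made up for the example. The lint_plugin function is an extra check that flags the kind of mistake that otherwise only shows up at runtime: a misspelt function name, a two-argument form, or a $field that the regexp never captures.

```python
# Added example, not AlienVault's own agent code: a toy loader for the three plugin
# sections described above.  Only {$field} and {translate($field)} are modelled here.
import configparser
import re

# Constructed plugin file: section names, path and plugin_id are made up for the example.
PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=9001

[config]
type=detector
source=log
location=/var/log/exampleapp.log

[translation]
Accepted=1
Failed=2

[exampleapp - login]
event_type=event
regexp="^(?P<date>\w{3} +\d+ \d+:\d+:\d+) (?P<host>\S+) exampleapp\[\d+\]: (?P<result>Accepted|Failed) login for (?P<username>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port (?P<src_port>\d+)"
plugin_sid={translate($result)}
src_ip={$src_ip}
username={$username}
"""

# Constructed log lines, not real captures; the last one must not match.
SAMPLE_LOGS = [
    "Mar  3 10:15:01 web01 exampleapp[2231]: Accepted login for alice from 10.0.0.5 port 51512",
    "Mar  3 10:15:07 web01 exampleapp[2231]: Failed login for root from 203.0.113.9 port 44020",
    "Mar  3 10:15:09 web01 exampleapp[2231]: config reloaded",
]

SIMPLE_REF = re.compile(r"^\{\$(\w+)\}$")         # {$field}
FUNC_REF = re.compile(r"^\{(\w+)\(\$(\w+)\)\}$")  # {func($field)}: one argument only

def load_plugin(text):
    """Return (translation table, [(rule name, compiled regexp, field map), ...])."""
    # '=' only: the regexp contains ':' which configparser would otherwise split on.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: translation keys must match the log text exactly
    cp.read_string(text)
    # cp.items() merges [DEFAULT] into every section; keep plugin_id out of the table.
    translation = {k: v for k, v in cp.items("translation") if k not in cp.defaults()}
    rules = []
    for name in cp.sections():
        if name in ("config", "translation") or "regexp" not in cp[name]:
            continue
        fields = dict(cp[name])  # includes plugin_id inherited from [DEFAULT]
        rules.append((name, re.compile(fields.pop("regexp").strip('"')), fields))
    return translation, rules

def parse_ref(expr):
    """'{$f}' -> ('', 'f'); '{func($f)}' -> ('func', 'f'); None for a literal value."""
    m = SIMPLE_REF.match(expr)
    if m:
        return "", m.group(1)
    m = FUNC_REF.match(expr)
    return (m.group(1), m.group(2)) if m else None

def evaluate(expr, groups, translation):
    """Resolve one field expression against the regexp's named groups."""
    ref = parse_ref(expr)
    if ref is None:
        return expr  # literal, e.g. plugin_sid=2 or event_type=event
    func, field = ref
    value = groups.get(field)
    if func == "":
        return value
    if func == "translate":
        return translation.get(value, value)  # unknown values pass through unchanged
    raise ValueError(f"unsupported function {func!r} in {expr}")

def parse_line(line, rules, translation):
    """Event dict from the first rule whose regexp matches, else None."""
    for name, rx, fields in rules:
        m = rx.search(line)
        if m:
            return {"rule": name, **{k: evaluate(v, m.groupdict(), translation) for k, v in fields.items()}}
    return None

def lint_plugin(rules):
    """Catch what would otherwise fail only at runtime: a misspelt function name,
    a two-argument form such as {translate($a$b)}, or a $field the regexp never captures."""
    problems = []
    for name, rx, fields in rules:
        for key, expr in fields.items():
            if not expr.startswith("{"):
                continue
            ref = parse_ref(expr)
            if ref is None:
                problems.append(f"{name}: {key}={expr} is not a supported expression")
                continue
            func, field = ref
            if func and func != "translate":
                problems.append(f"{name}: {key} uses unknown function {func!r}")
            if field not in rx.groupindex:
                problems.append(f"{name}: {key} references ${field}, which the regexp does not capture")
    return problems
```

Running load_plugin(PLUGIN_CFG) and then parse_line on each sample line gives an event with plugin_id 9001 and plugin_sid 1 for the accepted login, plugin_sid 2 for the failed one, and None for the unrelated line. The translate step here takes a single field, which is also the limit the comments below run into: the lint catches both the "traslate" misspelling and an attempt like {translate($operation$result)} before the plugin is deployed.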




Comments

  • This is good news, will this work for all plugins (syslog)?
  • So apparently you can have multiple locations:


    I didn't know that myself. However, I think splitting them is still a better idea, as each plugin makes its own thread. So you can throw more CPU at the parsing if you split them.
  • I have a little question... well, I have been trying to find the proper way to assign the value to the field plugin_sid through the specific command "translate".

    It's better with a sample; here is part of my custom plugin:

    [translation]
    Search Success=1
    Search No results returned=2

    in the rule:
    event_type=event
    regexp="(?P<log>^AuditV3--(\d\d\d\d)-(\d\d)-(\d\d)-(\d\d):(\d\d):(\d\d).\S+--(?P<version>\S+)\s(?P<protocol>\S+)\s(?P<operation>\S+)--bindDN: (?P<username>\S+)--\S+: (?P<src_ip>\d+.\d+.\d+.\d+):(?P<port>\d+)--(?P<connectionID>\S.*?)--.*?--(?P<result>.*))"
    plugin_sid={traslate($operation$result)}
    and obviously it doesn't work; I'm not quite sure how I can build the correct form.

    As I couldn't see anything, I made some changes to watch the result:

    plugin_sid=2
    userdata1={traslate($operation$result)}

    I already did many tests, like:
    {traslate($operation$result)}
    {traslate($operation+$result)}
    {traslate({$operation}{$result})}

    with another plugin which has one function, like this:
    Start Function union
    def union(self,operation,result):
        return operation+result
    End Function

    I made this function because I guess that "translate" only accepts one parameter.

    Thanks in advance!
  • Shouldn't it be translate instead of traslate?
  • Yes, sorry, my fault, but the problem is not that.

    If you want and have a custom plugin, you can try to pass two arguments to translate...
  • So.. is it possible to do the translate passing two arguments?

    Has anyone ever tried this?
  • Hi,
    it is not possible to pass two arguments to translate.
  • OK, it's clear...

    But could there be any way to concatenate two or more arguments into one which can be translated?
  • there is a cat function but it can't be used in conjunction with another function. You could make a custom function though. It's described in the doc on bloomfire.
  • there is a cat function but it can't be used in conjunction with another function. You could make a custom function though. It's described in the doc on bloomfire.
    I don't understand at all... What is the "cat function"?

    I'll try to find the doc you mentioned on Bloomfire.
  • concatenate aka merge two strings together.
  • That's more or less what I'm looking for, but the problem comes when I try to translate the merge.