Custom plugin and SQL

p3tterp3tter

New Life Form
edited December 2018 in AlienVault USM Appliance > Plugins
Hi,
This might be a n00b question, but:
I have added a custom plugin with an SQL file and it works:

cisco-wlc_snmp.cfg:
===
[DEFAULT]
plugin_id=99999

[config]
enable=yes
type=detector

process=
start=no   ; launch plugin process when agent starts
stop=no     ; shutdown plugin process when agent stops
startup=
shutdown=

source=log
location=/var/log/snmptrap.log

create_file=false

[01_rogue_detected]
event_type=event
regexp="(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d) .*UDP: \[(?P<wlc_ip>[^\]]+)\].*ciscoLwappApRogueDetected,.*cLApRogueApMacAddress.0 = (?P<mac>\w+:\w+:\w+:\w+:\w+:\w+)"
plugin_sid=1
device={resolv($wlc_ip)}
date={normalize_date($date)}
src_ip={$wlc_ip}
dst_ip={$wlc_ip}
userdata1={$ssid}
userdata2={$class}
userdata3={$mac}

===

cisco-wlc_snmp.sql
===
DELETE FROM plugin WHERE id = '99999';
DELETE FROM plugin_sid where plugin_id = '99999';

INSERT IGNORE INTO plugin (id, type, name, description, product_type, vendor ) VALUES (99999, 1, 'cisco-wlc_snmp', 'Cisco Wireless LAN Controller - SNMP', 30, 'Cisco' );

INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, priority, reliability, name, subcategory_id ) VALUES ( 99999, 1, 17, NULL, 1, 2, 'CiscoWLC: Rogue AP Detected', 190 );
===

However, I want to add another event to the plugin called:

[02_rogue_Removed]
event_type=event
regexp="whatever..."
plugin_sid=2

How do I update the SQL file with the new parameters?
Something like this?

DELETE FROM plugin WHERE id = '99999';
DELETE FROM plugin_sid where plugin_id = '99999';

INSERT IGNORE INTO plugin (id, type, name, description, product_type, vendor ) VALUES (99999, 1, 'cisco-wlc_snmp', 'Cisco Wireless LAN Controller - SNMP', 30, 'Cisco' );

INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, priority, reliability, name, subcategory_id ) VALUES ( 99999, 1, 17, NULL, 1, 2, 'CiscoWLC: Rogue AP Detected', 190 );


INSERT IGNORE INTO plugin (id, type, name, description, product_type, vendor ) VALUES (99999, 2, 'cisco-wlc_snmp', 'Cisco Wireless LAN Controller - SNMP', 30, 'Cisco' );

INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, priority, reliability, name, subcategory_id ) VALUES ( 99999, 2, 17, NULL, 1, 2, 'CiscoWLC: Rogue AP Removed', 190 );


Thanks!
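Added editor's example, not code from the original post or from AlienVault: a small Python check that parses a plugin `.cfg` and its `.sql` side by side and reports any event section whose `plugin_sid` has no matching `plugin_sid` row, any `plugin_sid` row with no event section, and any `.sql` that inserts more than one `plugin` row. It encodes the structure the post's working files already show: the `plugin` table gets one row per plugin (its `id` is the cfg's `plugin_id`, and its `type` is the plugin type, which the working file pairs with `type=detector`), while `plugin_sid` gets one row per event section. The sample cfg and the two candidate sql files are constructed; the second candidate reproduces the shape of the proposal above (a second `plugin` row with `type` 2) so the check shows what it flags.

```python
import re

# Constructed sample inputs modelled on the post: a plugin .cfg with two event
# sections, and a .sql with one plugin row plus one plugin_sid row per event.
SAMPLE_CFG = r"""
[DEFAULT]
plugin_id=99999

[config]
enable=yes
type=detector
source=log
location=/var/log/snmptrap.log   ; inline ';' comments are stripped below

[01_rogue_detected]
event_type=event
regexp="(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d) .*ciscoLwappApRogueDetected"
plugin_sid=1
userdata3={$mac}

[02_rogue_removed]
event_type=event
regexp="whatever..."
plugin_sid=2
"""

CORRECT_SQL = """
DELETE FROM plugin WHERE id = '99999';
DELETE FROM plugin_sid WHERE plugin_id = '99999';

INSERT IGNORE INTO plugin (id, type, name, description, product_type, vendor) VALUES (99999, 1, 'cisco-wlc_snmp', 'Cisco Wireless LAN Controller - SNMP', 30, 'Cisco');

INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, priority, reliability, name, subcategory_id) VALUES (99999, 1, 17, NULL, 1, 2, 'CiscoWLC: Rogue AP Detected', 190);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, priority, reliability, name, subcategory_id) VALUES (99999, 2, 17, NULL, 1, 2, 'CiscoWLC: Rogue AP Removed', 190);
"""

# Same as CORRECT_SQL but with an extra plugin row (type 2), the shape of the proposal in the post.
PROPOSED_SQL = CORRECT_SQL + (
    "INSERT IGNORE INTO plugin (id, type, name, description, product_type, vendor) "
    "VALUES (99999, 2, 'cisco-wlc_snmp', 'Cisco Wireless LAN Controller - SNMP', 30, 'Cisco');\n"
)

_INSERT_RE = re.compile(
    r"INSERT\s+IGNORE\s+INTO\s+(plugin|plugin_sid)\s*\(([^)]*)\)\s*VALUES\s*\(([^;]*)\)\s*;",
    re.IGNORECASE,
)


def cfg_sids(cfg_text):
    """Return (plugin_id, {sid: section_name}) read from a plugin .cfg."""
    plugin_id, sids, section = None, {}, None
    for raw in cfg_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop inline ';' comments
        if not line:
            continue
        head = re.match(r"\[(.+)\]$", line)
        if head:
            section = head.group(1)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "DEFAULT" and key == "plugin_id":
            plugin_id = int(value)
        elif key == "plugin_sid" and section:
            sids[int(value)] = section
    return plugin_id, sids


def sql_rows(sql_text):
    """Return ([(id, type), ...] plugin rows, {(plugin_id, sid), ...} sid rows) from INSERTs."""
    plugins, sids = [], set()
    for table, cols, vals in _INSERT_RE.findall(sql_text):
        names = [c.strip() for c in cols.split(",")]
        # Naive split: assumes no commas inside quoted values (true for the files here).
        values = [v.strip().strip("'") for v in vals.split(",")]
        row = dict(zip(names, values))
        if table.lower() == "plugin":
            plugins.append((int(row["id"]), int(row["type"])))
        else:
            sids.add((int(row["plugin_id"]), int(row["sid"])))
    return plugins, sids


def check_plugin(cfg_text, sql_text):
    """Return a list of problems; an empty list means the .cfg and .sql agree."""
    plugin_id, cfg_map = cfg_sids(cfg_text)
    plugins, sql_sids = sql_rows(sql_text)
    problems = []
    if len(plugins) != 1:  # one plugin row per plugin; new events do not add plugin rows
        problems.append(f"expected exactly one INSERT INTO plugin, found {len(plugins)}: {plugins}")
    for pid, _ in plugins:
        if pid != plugin_id:
            problems.append(f"plugin row id {pid} does not match cfg plugin_id {plugin_id}")
    for sid, section in sorted(cfg_map.items()):
        if (plugin_id, sid) not in sql_sids:
            problems.append(f"[{section}] plugin_sid={sid} has no matching plugin_sid row in the .sql")
    for pid, sid in sorted(sql_sids):
        if pid == plugin_id and sid not in cfg_map:
            problems.append(f"plugin_sid row sid={sid} has no event section in the .cfg")
    return problems


if __name__ == "__main__":
    for label, sql in (("correct", CORRECT_SQL), ("proposed", PROPOSED_SQL)):
        print(label, check_plugin(SAMPLE_CFG, sql) or "OK")
```

Run against the two candidates, the first reports nothing and the second reports the extra `plugin` row; a `.sql` that forgets the `sid` 2 row is reported as a missing `plugin_sid` row for `[02_rogue_removed]`.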
