
How to start oracle-sql plugin?

ismael_mc
Hi there!

I have spent several days figuring out how to get oracle-sql working. I did these steps:

1. Configure /etc/ossim/agent/plugins/oracle-sql.cfg, only changing these parameters:
- dsn="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(Host=192.168.100.100)(Port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=servicename)))"
- user=sysdba
- password="whatever"

2. Restarting ossim-agent (/etc/init.d/ossim-agent restart)

3. Monitoring agent.log: ( tailf /var/log/ossim/agent.log | grep 1651 )

2014-05-23 10:06:33,459 Detector [INFO]: Starting detector oracle-sql(1651).. Plugin tzone: Europe/Madrid
2014-05-23 10:06:33,461 ParserDatabase [INFO]: IDM is disabled for plugin 1651
& agent_error.log
Nothing related to plugin...

4. netstat -putanc | grep 1521 (nothing too)

This is on an OSSIM system, but I'm also working on an AV (Pro) system, and there the plugin runs after just the first two steps; I can even see the plugin writing to agent.log, for example:
2014-05-23 10:28:53,805 Agent [INFO]: Plugin[1651] Total lines [0] TotalEvents:[0] EPS: [0.0] ELAPSED [10.0013959408] seconds

When I tried to see the communication... nothing at all.

What am I doing wrong?
Did I miss something?
Does anyone here have this plugin working?

Thanks in advance!
alievault


Comments

  • Please, I need some help with this kind of plugin (databases). I read the "how to" manuals about plugins, but nothing is working...
  • I have managed to make a custom plugin work with source_type=mssql and then with source_type=mysql. (It doesn't work properly, because at the moment I don't have MSSQL/MySQL databases, but I could see some error events in agent_error.log.)
  • I've also asked about the oracle-sql plugin but never received a response http://forums.alienvault.com/discussion/1897/oracle-event-collection-oracle-sql
  • I've also asked about the oracle-sql plugin but never received a response http://forums.alienvault.com/discussion/1897/oracle-event-collection-oracle-sql
    It's a shame... @slick_x I have tried several things, but since neither agent.log nor agent_error.log shows anything, I don't know where the failure is...

    I'll carry on trying it...
  • edited June 2014
    Well... I think I've made some progress with this.

    First of all, I followed how this kind of plugin works: oracle is a "database" source that calls ParserDatabases.py (on free versions) or ParserDatabases.pyc (from AlienVault 4.3 onwards). The problem is at this point, because I read the code, and this Python file tries to import the cx_Oracle library. Here is a part of the code:
    """
    Parser Database
    """

    try:
    import ibm_db
    db2notloaded = False
    except ImportError:
    db2notloaded = True

    try:
    import MySQLdb
    mysqlnotloaded = False
    except ImportError:
    mysqlnotloaded = True
    try:
    import pymssql
    mssqlnotloaded = False
    except ImportError:
    mssqlnotloaded = True
    try:
    import cx_Oracle
    oraclenotloaded = False
    except ImportError:
    oraclenotloaded = True
    MAX_TRIES_DB_CONNECT = 10


    It's simple, on the command line:

    # python
    Python 2.6.6 (r266:84292, Dec 26 2010, 22:31:48)
    [GCC 4.4.5] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import cx_Oracle
    ImportError: No module named cx_Oracle
    So, I downloaded the library "cx_Oracle-5.1.1-11g-py26-1.x86_64.rpm", copied it to the sensor, and ran alien to install the package (I guess you may have to install alien first: "apt-get install alien"):
    # alien cx_Oracle-5.1.1-11g-py26-1.x86_64.rpm

    and I could see a new file with .deb extension, which I installed:
    dpkg -i cx-oracle_5.1.1-2_amd64.deb
    After that, I tried again, and... another error:

    Python 2.6.6 (r266:84292, Dec 26 2010, 22:31:48)
    [GCC 4.4.5] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import cx_Oracle
    Traceback (most recent call last):
    File "", line 1, in
    ImportError: libclntsh.so.11.1: cannot open shared object file: No such file or directory

    Ok....

    I downloaded the client "oracle-instantclient11.1-basic-11.1.0.7.0-1.x86_64.rpm" (in the last few days I had already tried in another environment with the latest client (12_1), and it didn't work).

    The same steps, convert to .deb, and install.

    In the end, it works properly in Python: I could connect to my Oracle DB and run all kinds of queries. I made a little file test.py:

    import cx_Oracle

    # Connect with username, password and a full TNS-style connect descriptor
    con = cx_Oracle.connect("myusername", "mypassword", "(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(Host = nameOfhost.domain)(Port = 1522)))(CONNECT_DATA = (SID = mysid )))")
    cur = con.cursor()
    # Read the audit trail table and print every row (Python 2 print statement)
    cur.execute("SELECT * from sys.aud$ ")
    for result in cur:
        print result
    cur.close()
    con.close()
    Command in the console:
    # python test.py
    and below it started to show all the data from the query.
    :smile:

    I even thought the plugin would work now, but it doesn't. agent.log keeps showing "Can't connect Oracle database", so I'm kind of irritated about that. :( I'm so close...

    Greetings!
    alievault
  • Good news, I've gotten the plugin to work.

    Some samples:
    2014-06-10 10:50:50,982 Output [INFO]: event type="detector" date="1402390250" device="10.10.4.71" interface="any" plugin_id="1651" plugin_sid="101" src_ip="0.0.0.0" dst_ip="0.0.0.0" username="U1lTVEVN" userdata1="Tm9uZQ==" userdata2="Tm9uZQ==" userdata3="Tm9uZQ==" userdata4="Tm9uZQ==" userdata5="Tm9uZQ==" userdata6="Tm9uZQ==" userdata7="Tm9uZQ==" userdata8="Tm9uZQ==" userdata9="MzM=" fdate="2014-06-10 08:50:50" tzone="2.0" event_id="f07c11e3-8f5f-000c-2987-7c5852f7a748"
    2014-06-10 10:50:50,982 ParserUtil [WARNING]: Date: None not matched
    2014-06-10 10:50:50,982 Event [WARNING]: There was an error parsing a string date (None)
    2014-06-10 10:50:50,983 Detector [WARNING]: Invalid plugin date... using system date...
    2014-06-10 10:50:50,983 Output [INFO]: event type="detector" date="1402390250" device="10.10.4.71" interface="any" plugin_id="1651" plugin_sid="101" src_ip="0.0.0.0" dst_ip="0.0.0.0" username="U1lTVEVN" userdata1="Tm9uZQ==" userdata2="Tm9uZQ==" userdata3="Tm9uZQ==" userdata4="Tm9uZQ==" userdata5="Tm9uZQ==" userdata6="Tm9uZQ==" userdata7="Tm9uZQ==" userdata8="Tm9uZQ==" userdata9="MzI=" fdate="2014-06-10 08:50:50" tzone="2.0" event_id="f07c11e3-8f5f-000c-2987-7c5852f7eb04"
    2014-06-10 10:50:50,984 ParserUtil [WARNING]: Date: None not matched
    2014-06-10 10:50:50,984 Event [WARNING]: There was an error parsing a string date (None)
    2014-06-10 10:50:50,984 Detector [WARNING]: Invalid plugin date... using system date...
    2014-06-10 10:50:50,985 Output [INFO]: event type="detector" date="1402390250" device="10.10.4.71" interface="any" plugin_id="1651" plugin_sid="100" src_ip="0.0.0.0" dst_ip="0.0.0.0" username="U1lTVEVN" userdata1="Tm9uZQ==" userdata2="Tm9uZQ==" userdata3="Tm9uZQ==" userdata4="Tm9uZQ==" userdata5="Tm9uZQ==" userdata6="Tm9uZQ==" userdata7="Tm9uZQ==" userdata8="Tm9uZQ==" userdata9="Tm9uZQ==" fdate="2014-06-10 08:50:50" tzone="2.0" event_id="f07c11e3-8f5f-000c-2987-7c5852f822fe"
    So, I could see that this plugin writes the query's result in /var/log/ossim/agent.log

    (Those results are in ossim, not in AV, :disappointed: )
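As an added example (not from this thread and not the AlienVault agent's own code), a Python 3 script that parses the "Output [INFO]: event" lines above and base64-decodes the username/userdata fields so the raw column values the plugin emitted can be checked, and renders the epoch "date" field in UTC for comparison with "fdate". It assumes the text "None" in those fields is a stringified Oracle NULL; the sample input is constructed from the log lines above.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed sample: three agent.log lines copied from the excerpt above (two events, plugin_sid 101 and 100, plus a warning line that is not an event).
SAMPLE_LINES = [
    '2014-06-10 10:50:50,982 Output [INFO]: event type="detector" date="1402390250" device="10.10.4.71" interface="any" plugin_id="1651" plugin_sid="101" src_ip="0.0.0.0" dst_ip="0.0.0.0" username="U1lTVEVN" userdata1="Tm9uZQ==" userdata2="Tm9uZQ==" userdata3="Tm9uZQ==" userdata4="Tm9uZQ==" userdata5="Tm9uZQ==" userdata6="Tm9uZQ==" userdata7="Tm9uZQ==" userdata8="Tm9uZQ==" userdata9="MzM=" fdate="2014-06-10 08:50:50" tzone="2.0" event_id="f07c11e3-8f5f-000c-2987-7c5852f7a748"',
    '2014-06-10 10:50:50,985 Output [INFO]: event type="detector" date="1402390250" device="10.10.4.71" interface="any" plugin_id="1651" plugin_sid="100" src_ip="0.0.0.0" dst_ip="0.0.0.0" username="U1lTVEVN" userdata1="Tm9uZQ==" userdata2="Tm9uZQ==" userdata3="Tm9uZQ==" userdata4="Tm9uZQ==" userdata5="Tm9uZQ==" userdata6="Tm9uZQ==" userdata7="Tm9uZQ==" userdata8="Tm9uZQ==" userdata9="Tm9uZQ==" fdate="2014-06-10 08:50:50" tzone="2.0" event_id="f07c11e3-8f5f-000c-2987-7c5852f822fe"',
    '2014-06-10 10:50:50,984 ParserUtil [WARNING]: Date: None not matched',
]

EVENT_RE = re.compile(r'^(\S+ \S+) Output \[INFO\]: event (.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Fields the agent writes base64-encoded (username and userdata1..9 in the excerpt).
B64_FIELDS = {'username'} | {'userdata%d' % i for i in range(1, 10)}

def decode_field(value):
    """Base64-decode a field; the text 'None' is assumed to be a stringified Oracle NULL."""
    text = base64.b64decode(value).decode('utf-8')
    return None if text == 'None' else text

def parse_agent_event(line):
    """Return {field: value} for an 'Output [INFO]: event' line, or None for any other line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    for key in list(fields):
        if key in B64_FIELDS:
            fields[key] = decode_field(fields[key])
    fields['logged_at'] = m.group(1)  # agent.log timestamp, local time (tzone 2.0)
    return fields

def event_time_utc(fields):
    """Render the epoch 'date' field as UTC text for comparison with the 'fdate' field."""
    ts = datetime.fromtimestamp(int(fields['date']), tz=timezone.utc)
    return ts.strftime('%Y-%m-%d %H:%M:%S')

def summarize(lines):
    """One (plugin_sid, username, userdata9) tuple per event line; other lines are skipped."""
    out = []
    for line in lines:
        fields = parse_agent_event(line)
        if fields is not None:
            out.append((fields['plugin_sid'], fields['username'], fields['userdata9']))
    return out

if __name__ == '__main__':
    print(summarize(SAMPLE_LINES))
```

Running it shows that username decodes to SYSTEM and that the epoch date matches fdate, so fdate is the UTC time while the agent.log timestamp is local.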
  • How can I mark this topic as "Answered"?
  • edited June 2014
    Great news, I just did it. The plugin works on both systems.
  • Hi ismael_mc, can you post your oracle-sql.cfg file? I'm still getting that database connection error message :neutral_face:

    And again, how can I monitor more than one server here? Thanks in advance.

  • edited June 2014
    This is my custom plugin (the Oracle database is 11g):
    # Alienvault plugin
    # Plugin oracle-sql id:1651 version: 0.0.1
    # Accepted products:
    # oracle - database_server 1.0.2.2

    [DEFAULT]
    plugin_id=1651

    [config]
    type=detector
    enable=yes

    source=database
    source_type=oracle
    dsn="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(Host=192.168.100.128)(Port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=XE)))
    #dsn="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(Host=yourhost)(Port=1522)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=servicename)))"
    user="myuser"
    password="mypassword"
    #db=sys.aud$
    sleep=30

    process=
    start=no
    stop=no

    [start_query]
    query="SELECT to_char(max(ntimestamp#),'yyyymmddhh24miss') from sys.aud$ "


    [query]
    query="SELECT to_char(ntimestamp#,'yyyymmddhh24miss'), timestamp#, sessionid, entryid, statement,userid,userhost,terminal,action#,returncode, OBJ$CREATOR, OBJ$NAME,AUTH$PRIVILEGES,AUTH$GRANTEE,NEW$OWNER,NEW$NAME,SES$ACTIONS,SES$TID,LOGOFF$LREAD,LOGOFF$PREAD,LOGOFF$LWRITE,LOGOFF$DEAD,LOGOFF$TIME,COMMENT$TEXT,SPARE1,SPARE2,OBJ$LABEL,SES$LABEL,PRIV$USED,CLIENTID,SESSIONCPU FROM sys.aud$ where ntimestamp# > to_date($1,'yyyymmddhh24miss')"
    ref=0
    plugin_sid={$8}
    date={normalize_date($1)}
    username={$5}
    filename=
    userdata1={$10}
    userdata2={$11}
    userdata3={$12}
    userdata4={$13}
    userdata5={$14}
    userdata6={$15}
    userdata7={$16}
    userdata8={$17}
    userdata9={$18}
    On your second question, well, I guess you could use a tnsnames file where you write all your database connections, but I don't trust that this way works, so I made two quite similar plugins with different dsn.
  • edited June 2014
    Thank you, it works :) .. (it's weird, the problem was solved ONLY by removing the 'closing' double quote in the dsn line)

    And for the multiple hosts, I'll give it a try.

  • Yes, it's strange; it seems that each AV does things totally differently in some cases..

    I'm glad for you. ;)