
Default plugins improvement

ol.batard

Hello,

Why do some default plugins need customisation to work efficiently?
Example: some events in the ossec-single-line plugin don't resolve the src and dest IP. This causes 0.0.0.0 in the SIEM, which for me is useless and pollution.

Is there a reason for not adding the resolve function in the default plugins?

Regards,

Answers

  • @ol.batard The resolv function is called on all the fields related to it (device/src_ip/dst_ip) even if we don't call it explicitly inside the plugin. The reason you are not seeing it anymore is that calling it in the plugin makes a redundant call, as the function is then called twice, which is kind of problematic performance-wise.

    Anyway, if you see a 0.0.0.0 in any event IP field it currently means one of these:

    1. The hostname we have matched can't be resolved within your SIEM and gets a default value of 0.0.0.0. This only happens with hostnames, since when an actual IP is captured it places the IP if no hostname is resolved. This can be easily tested by configuring the hostname in the /etc/hosts file of the USM. 
    2. The plugin is not matching the hostnames in your events correctly.

    If the problem is within the plugin, could you identify for us the rule(s) causing trouble along with a sanitized log sample?
  • Hi,

    Example with the ossec-single-line.cfg for PAM authentication:

    [0003 - AVAPI - PAM Login Success]
    event_type=event
    #precheck="Login session opened"
    regexp="^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>\d+)\";\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>[^\"]*)\";\sRC:\s\"(?P<rule_comment>(?:Login session opened|Successful login during non-business hours).)\";\sUSER:\s\"(?P<username>\S+)\";\sSRCIP:\s\"(?P<srcip>[^\"]*)\";\sHOSTNAME:\s\"(?P<agent_name>\([^\)]*\)\s+)?(?:\[email protected])?\(?(?P<hostname>(?(agent_name)(?:\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})|(?:[^)\s]*)))(?:->\S+)?";\sLOCATION:\s\"(?P<location>[^\"]*)\";\sEVENT:\s\"\[INIT\](?P<log>.*?session opened for user (?P<user>avapi|avserver|www\-data) by .*?)\[END\]\";"
    date={normalize_date($date)}
    device={$hostname}
    src_ip={$hostname} # gets 0.0.0.0 in the SIEM, the hostname is in /etc/hosts
    dst_ip={$hostname} # gets 0.0.0.0 in the SIEM, the hostname is in /etc/hosts
    plugin_sid={translate2($rule_id,$avapi-sids)}
    plugin_id={translate($rule_id)}
    username={$user}
    userdata1={$location}
    userdata2={$rule_comment}
    userdata3={$rule_group}
    userdata4={$srcip} # don't understand why there is a custom userdata for the src IP, OSSIM has a special field for it.


  • Ok, that's weird then. I'm going to investigate it since that should not happen.
  • @ol.batard My USM shows the expected behavior....


    [Screenshot 2017-06-08 at 17:40:48]


    [Screenshot 2017-06-08 at 17:41:23]

    This was the line:

    AV - Alert - "1496936168" --> RID: "5501"; RL: "3"; RG: "pam,syslog,authentication_success,"; RC: "Login session opened."; USER: "None"; SRCIP: "None"; HOSTNAME: "matrix-dev"; LOCATION: "/var/log/auth.log"; EVENT: "[INIT]Jun  8 06:26:35 alienvault sshd[3862]: pam_unix(sshd:session): session opened for user avapi by (uid=0)[END]";

    Don't know why it works differently for you, but it's definitely not plugin related.
  • Hi,

    I checked on 3 different platforms (2 OSSIM, 1 USM). All 3 have this issue. 
    My /etc/hosts contains the IP address + hostname of the SIEM. 

    Did you test on a fresh install ?


  • Hi, 

    Are you sure that DNS resolution operates on all related fields?

    2017-06-16 14:33:09,143 Detector [WARNING]: Event's field dst_ip (<myhostname>) is not a valid IP.v4/IP.v6 address, set it to default ip 0.0.0.0



  • @ol.batard Yes, it's hardcoded. You can try to add the resolv function as a test to see if there's a different behavior.
  • Hi,

    I tried with the resolv function. It doesn't work. Still have the 

    2017-06-21 19:33:09,143 Detector [WARNING]: Event's field dst_ip (<myhostname>) is not a valid IP.v4/IP.v6 address, set it to default ip 0.0.0.0

    I don't understand. My /etc/hosts is populated.
  • I am on a fresh install of 5.5 OSSIM and I am coming across the same issue. I have also populated the hosts file.

    Was this supposed to have been resolved?
  • Sorry, I meant to state that I am only testing NXLog at the moment. A number of machines are not on the domain, so I added them to the hosts file. The domain computers seem to be OK (not 100%, as I can see some events again as 0.0.0.0).
  • I recently had the same issue with OSSEC logs for IIS. I had to change the decoder.xml (tried doing this via local_decoder.xml but it wouldn't identify the correct type (web-log) even though it was specified) to a slightly different regex and then it started working.
  • @kr1spy84 Can you please elaborate on the changes you made regarding the regex, as I am also having the same issue regarding the MSWindows logs. The issue is stated as "Event's field src_ip alienvault is not a valid IP.v4/IP.v6 address, falling back to default: 0.0.0.0 ".
  • @vpvishal67

    I detailed my notes on it (see link below). I also submitted a support ticket which at last report was noted as "I have created a ticket with Plugin Development team and will now move this case to Development queue".

    https://www.alienvault.com/forums/discussion/16793/fix-iis-logs-in-ossec-decoder#latest
  • Hi

    I have an installation of OSSIM 5.5.1 and I have the same problem 

    I have installed HIDS agents on several Apache load balancers.

    In alerts related to internal checks, the destination is displayed correctly. But in the alerts related to web attacks, the destination is 0.0.0.0.


    AV - Alert - "1531245432" --> RID: "30105"; RL: "5"; RG: "apache,access_denied,"; RC: "Attempt to access forbidden file or directory."; USER: "None"; SRCIP: "190.132.192.70"; HOSTNAME: "(example_01) 172.16.11.74->/var/log/httpd22/example.com.error_log"; LOCATION: "(example_01) 172.16.11.74->/var/log/httpd22/example.com.error_log"; EVENT: "[INIT][Tue Jul 10 14:56:28 2018] [error] [client 190.132.192.70] client denied by server configuration: proxy:balancer://cluster/logout[END]"; 


    I appreciate your help

    regards
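The thread revolves around two things: what the plugin's HOSTNAME regex actually captures for the two alert shapes quoted above (a bare hostname like "matrix-dev" versus the agent form "(example_01) 172.16.11.74->/var/log/..."), and what the agent does with a device/src_ip/dst_ip value that is not a literal IP. The script below is an added example, not AlienVault's code and not the ossec-single-line.cfg pattern: it uses its own simplified regexes, builds the same device/src_ip/dst_ip/userdata4 mapping as the plugin excerpt posted earlier, and mimics the agent's rule with a constructed hosts table standing in for /etc/hosts (a literal IP is kept, a resolvable name is replaced by its address, anything else becomes 0.0.0.0 with the warning text seen in the agent log). The two sample lines are modelled on the ones quoted in this thread and the 10.0.0.5 hosts entry is made up.

```python
"""Added example (not AlienVault's code): parse OSSEC single-line alerts the way
an OSSIM plugin does, then apply the agent's rule for IP fields: a literal IP is
kept, a hostname is resolved, anything else becomes 0.0.0.0 with a warning.
The regexes and the hosts table are constructed for this example."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_IP = "0.0.0.0"

# Header of every alert line: AV - Alert - "<epoch>" --> KEY: "value"; ...
HEADER_RE = re.compile(r'^AV\s-\sAlert\s-\s"(?P<date>\d+)"\s-->\s(?P<rest>.*)$')
FIELD_RE = re.compile(r'(?P<key>[A-Z]+):\s"(?P<value>.*?)";')

# HOSTNAME is either a bare name ("matrix-dev") or the agent form
# "(agent_name) 172.16.11.74->/var/log/file"; only the middle part is the host.
HOSTNAME_RE = re.compile(
    r'^(?:\((?P<agent_name>[^)]*)\)\s+)?'   # optional "(agent) "
    r'(?P<hostname>[^\s>]+?)'               # host name or IPv4 literal
    r'(?:->(?P<location>\S+))?$'            # optional "->/path/to/log"
)


def parse_alert(line: str) -> Dict[str, str]:
    """Split one alert line into its KEY: "value"; fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an OSSEC single-line alert")
    fields = {"date": m.group("date")}
    for f in FIELD_RE.finditer(m.group("rest")):
        fields[f.group("key")] = f.group("value")
    return fields


def split_hostname(value: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Return (agent_name, hostname, location) from the HOSTNAME field."""
    m = HOSTNAME_RE.match(value)
    if not m:
        return None, value, None
    return m.group("agent_name"), m.group("hostname"), m.group("location")


def to_ip_field(field: str, value: str, hosts: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Agent-style normalisation of one IP field; `hosts` stands in for
    /etc/hosts resolution so the example runs offline."""
    try:
        return str(ipaddress.ip_address(value)), None   # already a literal IP
    except ValueError:
        pass
    resolved = hosts.get(value.lower())
    if resolved:
        return resolved, None
    warning = (f"Event's field {field} ({value}) is not a valid "
               f"IP.v4/IP.v6 address, set it to default ip {DEFAULT_IP}")
    return DEFAULT_IP, warning


def normalize(line: str, hosts: Dict[str, str]) -> Dict[str, object]:
    """Build the event the way the posted plugin does: device/src_ip/dst_ip all
    come from $hostname, while the alert's SRCIP lands in userdata4."""
    f = parse_alert(line)
    agent, host, location = split_hostname(f.get("HOSTNAME", ""))
    event: Dict[str, object] = {
        "rule_id": f.get("RID"), "agent_name": agent, "hostname": host,
        "username": f.get("USER"), "userdata4": f.get("SRCIP"),
        "location": location or f.get("LOCATION"),
    }
    warnings: List[str] = []
    for name in ("device", "src_ip", "dst_ip"):
        ip, warn = to_ip_field(name, host, hosts)
        event[name] = ip
        if warn:
            warnings.append(warn)
    event["warnings"] = warnings
    return event


# Constructed samples, modelled on the two alert lines quoted in this thread.
PAM_LINE = ('AV - Alert - "1496936168" --> RID: "5501"; RL: "3"; '
            'RG: "pam,syslog,authentication_success,"; RC: "Login session opened."; '
            'USER: "None"; SRCIP: "None"; HOSTNAME: "matrix-dev"; '
            'LOCATION: "/var/log/auth.log"; EVENT: "[INIT]Jun  8 06:26:35 alienvault '
            'sshd[3862]: pam_unix(sshd:session): session opened for user avapi by (uid=0)[END]";')
APACHE_LINE = ('AV - Alert - "1531245432" --> RID: "30105"; RL: "5"; RG: "apache,access_denied,"; '
               'RC: "Attempt to access forbidden file or directory."; USER: "None"; '
               'SRCIP: "190.132.192.70"; '
               'HOSTNAME: "(example_01) 172.16.11.74->/var/log/httpd22/example.com.error_log"; '
               'LOCATION: "(example_01) 172.16.11.74->/var/log/httpd22/example.com.error_log"; '
               'EVENT: "[INIT][Tue Jul 10 14:56:28 2018] [error] [client 190.132.192.70] client '
               'denied by server configuration: proxy:balancer://cluster/logout[END]";')

if __name__ == "__main__":
    for hosts in ({}, {"matrix-dev": "10.0.0.5"}):   # without and with a hosts entry
        print(normalize(PAM_LINE, hosts))
    print(normalize(APACHE_LINE, {}))
```

Running it shows the two failure paths side by side: the PAM alert carries only a hostname, so without a matching hosts entry every IP field falls back to 0.0.0.0 and three warnings are produced, while the Apache alert carries a literal address inside the agent form and never needs resolution at all. If a real agent still logs the warning for a name that is in /etc/hosts, the place to look is whether the value the plugin captured is exactly the name in the hosts file (trailing characters from the "->" part or the "(agent)" prefix would make the lookup fail).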
