If anyone has been playing with http://www.ossim.net/, it feels good to integrate your own stuff into it.
Here's a small howto. Feel free to fix/correct it, criticize it, or otherwise.

$Id$ by fygrave@gmail.com
--------------------------------------------------------------------------------

This is a brief, unofficial OSSIM plugin howto. For more details, look into the agent code. This howto will guide you through the process of integrating a new device by developing a plugin for OSSIM.

To get started, go into /etc/agent/plugins/ and open a new file in an editor, for example:
boo.cfg. This is the main plugin configuration file and also the heart of your "plugin":
[DEFAULT]
# this is the plugin ID. pick a number that doesn't collide with existing plugins.
# the plugin ID can also be changed on the fly as you parse an alert.
plugin_id=6001

[config]
# there are other types of plugins. detector is what you'd usually want
# (there's also event, monitor)
type=detector
enable=yes

# I think you can leave this one empty
process=boo
# if you need to run anything whenever the agent starts or stops, change these to yes and
# put the command lines in startup/shutdown
start=no ; launch plugin process when agent starts
stop=no ; shutdown plugin process when agent stops
startup=
shutdown=

# could be snortlog, unix_socket, database, command, http
source=log
location=/var/log/boo.log

# create the log file if it does not exist
# (otherwise stop processing this plugin when the file is missing)
create_file=false

# and now you can create as many parsing rules as you wish. each rule
# has to have a regexp entry and corresponding assignments to pass data to the agent

[01_boo_syslog]
# our data looks like this (the fields after the identifier are enclosed in square brackets):
# date word identifier[protocol][message][class][sourceip][port][dstip][port][logdata]
event_type=event
regexp=^(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d+)\s+\w+\s(\d+)\[(\w+)\]\[([^\]]+)\]\[(\w+)\]\[(\d+\.\d+\.\d+\.\d+)\]\[(\d+)\]\[(\d+\.\d+\.\d+\.\d+)\]\[(\d+)\]\[([^\]]+)\]
date={normalize_date($1)}
# what happens here is that the server daemon looks up whether such a sid and
# plugin ID exist in the database. if they don't, the message will be dropped
#plugin_id={$2}
plugin_sid={$2}
protocol={$3}
src_ip={$6}
src_port={$7}
dst_ip={$8}
dst_port={$9}
userdata1={$5}
data=message: {$4}
priority=1
log={$10}

These are attributes in the ACID database. You will probably use them later when creating correlation directives.
The possible fields are (from Event.py):

EVENT_ATTRS = [
    "type", "date", "sensor", "interface",
    "plugin_id", "plugin_sid", "priority", "protocol",
    "src_ip", "src_port", "dst_ip", "dst_port",
    "username", "password", "filename",
    "userdata1", "userdata2", "userdata3", "userdata4", "userdata5",
    "userdata6", "userdata7", "userdata8", "userdata9",
    "log", "data",
    "snort_sid",  # snort specific
    "snort_cid",  # snort specific
]
Should your plugin require additional parsing code in Python, you can put it in Parser_util.py, for example, and call it directly from your configuration file, like this:
plugin_sid={convert_mypluginsid($2)}
Further, you need to create the sid references in the DB. To do this, write a script (or do it manually) and insert the data into the plugin_sid table in this form:

INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, priority, reliability, name) VALUES (6001, 3902, NULL, NULL, 1, 1, "Test code access");
If a message arrives with your plugin id and a sid that does not exist, the message is dropped and an error is written to server.log:

OSSIM-Message: sim_organizer_reprioritize: Error Plugin 6001, PluginSid 123

where 123 is the plugin_sid that doesn't exist in the DB.
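To check the [01_boo_syslog] rule, the Parser_util.py hook and the plugin_sid lookup together before touching /etc/agent/plugins/, here is a stand-alone re-implementation of that rule. It is an added example, not the OSSIM agent's or server's own code, and everything in it is an assumption for illustration: the log format (fields after the identifier in square brackets, as in the regexp above), the constructed sample lines, the stand-in normalize_date(), the hypothetical convert_mypluginsid() helper of the kind you would put in Parser_util.py, and the in-memory PLUGIN_SID_TABLE that plays the role of the plugin_sid table. server_accept() only mimics the drop described above; the real server does the lookup in the database.

```python
import re
from datetime import datetime

PLUGIN_ID = 6001  # [DEFAULT] plugin_id from boo.cfg

# The regexp of the [01_boo_syslog] rule (assumed format: bracketed fields).
RULE_REGEXP = re.compile(
    r"^(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d+)\s+\w+\s(\d+)"
    r"\[(\w+)\]\[([^\]]+)\]\[(\w+)\]"
    r"\[(\d+\.\d+\.\d+\.\d+)\]\[(\d+)\]"
    r"\[(\d+\.\d+\.\d+\.\d+)\]\[(\d+)\]\[([^\]]+)\]"
)

# Constructed sample lines (not output of any real device): one registered sid,
# one unregistered sid, and one line the rule must not match.
SAMPLE_LOG = [
    "Mar 5 12:00:01 2006 boo 3902[tcp][code access on /cgi-bin][warn]"
    "[10.0.0.5][44321][10.0.0.1][80][GET /cgi-bin/test.cgi]",
    "Mar 5 12:00:02 2006 boo 123[udp][unknown event][info]"
    "[10.0.0.6][5353][10.0.0.1][53][raw line]",
    "Mar 5 12:00:03 2006 boo garbage line the rule should not match",
]

# Stand-in for the plugin_sid table: (plugin_id, sid) -> name.
# Only the row from the INSERT above exists.
PLUGIN_SID_TABLE = {(6001, 3902): "Test code access"}


def normalize_date(raw):
    """Stand-in for the agent's normalize_date(): 'Mar 5 12:00:01 2006' -> 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y").strftime(
        "%Y-%m-%d %H:%M:%S")


def convert_mypluginsid(raw_sid):
    """Hypothetical Parser_util.py helper, used as plugin_sid={convert_mypluginsid($2)}:
    turn the identifier captured from the log into the integer sid stored in plugin_sid."""
    return int(raw_sid)


def parse_line(line):
    """Apply the [01_boo_syslog] rule: return the event the agent would send, or None."""
    m = RULE_REGEXP.match(line)
    if not m:
        return None
    g = m.groups()  # g[0] is $1 in boo.cfg, g[1] is $2, and so on
    return {
        "type": "event",                          # event_type=event
        "plugin_id": PLUGIN_ID,                   # plugin_id={$2} stays commented out
        "date": normalize_date(g[0]),             # date={normalize_date($1)}
        "plugin_sid": convert_mypluginsid(g[1]),  # plugin_sid={$2}
        "protocol": g[2],                         # protocol={$3}
        "src_ip": g[5],                           # src_ip={$6}
        "src_port": int(g[6]),                    # src_port={$7}
        "dst_ip": g[7],                           # dst_ip={$8}
        "dst_port": int(g[8]),                    # dst_port={$9}
        "userdata1": g[4],                        # userdata1={$5}
        "data": "message: " + g[3],               # data=message: {$4}
        "priority": 1,                            # priority=1
        "log": g[9],                              # log={$10}
    }


def server_accept(event, sid_table=PLUGIN_SID_TABLE):
    """Mimic the server-side check: drop events whose (plugin_id, plugin_sid) is not
    registered. Returns (event, None) or (None, error_message)."""
    key = (event["plugin_id"], event["plugin_sid"])
    if key not in sid_table:
        return None, ("OSSIM-Message: sim_organizer_reprioritize: "
                      "Error Plugin %d, PluginSid %d" % key)
    return event, None


def run(lines=SAMPLE_LOG):
    """Feed the lines through the rule and the sid check; return (accepted, errors)."""
    accepted, errors = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # the rule did not fire for this line
        event, err = server_accept(event)
        if err:
            errors.append(err)
        else:
            accepted.append(event)
    return accepted, errors


if __name__ == "__main__":
    acc, errs = run()
    for ev in acc:
        print("accepted:", ev)
    for e in errs:
        print("dropped: ", e)
```

Running it shows the first line arriving as a complete event, the second line dropped with the same "Error Plugin 6001, PluginSid 123" message you would find in server.log, and the third line silently ignored because the rule never matched; if your own format differs, this is where you find out before the agent does.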
I am not sure yet why I don't see the new plugin in policy/sensors, but you may also update the plugin table so your plugin appears on the configuration/plugins tab of the web frontend.
Once your messages happily appear in the OSSIM event tables, you can move on and create correlation rules.

You can create your own XML file and include it from /etc/ossim/server/directives.xml, or you can modify the existing files (generic, trojans, and so on). There are example rules in there which are good enough to get you started.
Here’s a sample rule which we can hack quickly.
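A directive skeleton for the boo plugin, added here as an illustration and not the author's sample rule: it fires on the "Test code access" event registered above (plugin 6001, sid 3902) and raises the reliability when four more such events arrive from the same source within 60 seconds. The directive id, the names, the reliability values and the time-out are made up; the attribute names follow the shipped directives.xml files, so compare against the examples in /etc/ossim/server/ before relying on it.

```xml
<directive id="500001" name="Repeated test code access from one host" priority="3">
  <rule type="detector" name="first boo event" reliability="2"
        occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        plugin_id="6001" plugin_sid="3902">
    <rules>
      <!-- same source as the first event, four more within 60 seconds -->
      <rule type="detector" name="repeated boo event, same source" reliability="+3"
            occurrence="4" from="1:SRC_IP" to="ANY" port_from="ANY" port_to="ANY"
            time_out="60" plugin_id="6001" plugin_sid="3902"/>
    </rules>
  </rule>
</directive>
```

Keep the plugin_id and plugin_sid values in the directive in sync with the rows you inserted into plugin_sid; a directive that references an unregistered sid can never match, since the server drops those events before correlation.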
That should be it.



Thanks for this useful document, but I had to copy and paste it into an editor in order to understand it.

Thanks. Goods.