Tag Archives: snort

Firesight integration with OSSIM

FireSIGHT (now a Cisco product, since Cisco acquired Sourcefire) was written by the same people who wrote Snort, and underneath it runs the commercial Sourcefire VRT (Vulnerability Research Team) Snort rule feed. Its syslog alert format differs slightly from Snort's own, but OSSIM's snort-syslog plugin can be extended to parse it. The steps below cover both ends: pointing FireSIGHT's syslog alerting at OSSIM, then teaching OSSIM's rsyslog and collector what to do with the lines.

1. In your FireSIGHT intrusion policy open Advanced Settings -> Syslog Alerting.

2. Enter the IP of your OSSIM server and set the syslog facility and priority the alerts should be sent with.

3. Save and push the policy to your Sourcefire sensors.

4. On the OSSIM box, connect over SSH and select Jailbreak from the menu to get a root shell.

5. Next, route the alerts into the file the snort-syslog collector reads. Create a new file /etc/rsyslog.d/zzzzz_snort_syslog.conf and add this text:

if $msg contains 'SFIMS' then -/var/log/snort/alert
& ~
if $syslogtag contains 'SFIMS' then -/var/log/snort/alert
#Stop
& ~

Two selectors are used because, depending on how rsyslog parses the incoming message, the SFIMS marker ends up either in the message body ($msg) or in the syslog tag ($syslogtag). The leading - on the filename makes rsyslog buffer writes instead of syncing after every line, and the & ~ after each selector discards the message once it has been written, so the alerts do not also pile up in /var/log/syslog (#Stop is just a comment). Restart rsyslog afterwards (/etc/init.d/rsyslog restart) so the new rules take effect.

6. Now teach the snort-syslog plugin the FireSIGHT format. Edit /etc/ossim/agent/plugins/snort_syslog.cfg and add the following at the bottom (the regexp is a single long line):

[05_snort-syslog-sourcefire-format]
event_type=event
regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([a-zA-Z0-9\-]+)\s+[SFIMS:]{1,6}\s+\[([a-zA-Z0-9_\s]+)\s+\(([0-9a-z\-]+)\)\]\[(.+)\]\[(([0-9]+)\:([0-9]+)\:[0-9]+)\]\s+\"(.+)\"\s+\[Classification\:\s+(.+)\]\s+User\:\s+(.+)\,\s+Application\:\s+(.+)\,\s+Client:\s+(.+)\,\s+App Protocol\:\s+(.+)\,\s+Interface Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Interface Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Context\:\s+([a-zA-Z\-\_0-9]+)\,\s+\[Priority\:\s+([0-9]+)\]\s+\{([A-Z]+)\}\s+([0-9.]+):([0-9]+)\s->\s([0-9.]+):([0-9]+)
date={normalize_date($1)}
device={resolv($2)}
plugin_id=1001
plugin_sid={$8}
protocol={$21}
src_ip={$22}
src_port={$23}
dst_ip={$24}
dst_port={$25}
userdata1={$5}
userdata2={$4}
userdata3={$9}
userdata4={$15}
userdata5={$16}
userdata6={$17}
userdata7={$18}
userdata8={$20}

7. Save the file. For reference, the stanza uses plugin_id 1001 (OSSIM's Snort plugin) and takes plugin_sid from capture group 8, the Snort SID, so the events line up with the existing Snort signature names; $4 is the detection engine UUID, $5 the intrusion policy name, $9 the rule message, $15 to $18 the ingress/egress interfaces and security zones, and $20 the priority. One caveat: the interface, zone and context fields are matched with [a-zA-Z\-\_0-9]+, so a zone name containing a space or a dot will not match and that alert is dropped silently. Widen the character class if your zone names need it.

8. Now enable the collector. Run ossim-setup to load the curses menu, choose Configure Sensor -> Configure Data Source Plugins, select snort-syslog, then OK -> Back -> Apply all Changes. This starts the snort-syslog collector.

9. Generate some test alerts in Sourcefire, then check in the OSSIM GUI that they have been processed as Snort events.
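Before pushing the stanza to a production sensor it is worth running its regexp over a sample alert line and checking that every {$N} reference lands on the field you expect. The script below is an added example, not part of the original post or of OSSIM itself: it compiles the stanza's regexp verbatim (OSSIM's agent is Python, so the same re engine applies), applies the same group-to-field mapping, and runs it over a constructed sample line (invented hostname, policy name, rule message and UUID; addresses from the RFC 5737 documentation ranges) plus a variant with a zone name containing a space, which the stanza cannot match.

```python
import re

# Regexp from the [05_snort-syslog-sourcefire-format] stanza, copied verbatim;
# split across adjacent string literals only for readability.
SFIMS_RE = re.compile(
    r'(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([a-zA-Z0-9\-]+)\s+[SFIMS:]{1,6}\s+'
    r'\[([a-zA-Z0-9_\s]+)\s+\(([0-9a-z\-]+)\)\]\[(.+)\]\[(([0-9]+)\:([0-9]+)\:[0-9]+)\]\s+'
    r'\"(.+)\"\s+\[Classification\:\s+(.+)\]\s+User\:\s+(.+)\,\s+Application\:\s+(.+)\,\s+'
    r'Client:\s+(.+)\,\s+App Protocol\:\s+(.+)\,\s+Interface Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+'
    r'Interface Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+'
    r'Security Zone Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Context\:\s+([a-zA-Z\-\_0-9]+)\,\s+'
    r'\[Priority\:\s+([0-9]+)\]\s+\{([A-Z]+)\}\s+([0-9.]+):([0-9]+)\s->\s([0-9.]+):([0-9]+)'
)

# Capture group -> event field, exactly as the plugin stanza assigns them.
FIELD_MAP = {
    'date': 1, 'device': 2, 'plugin_sid': 8, 'protocol': 21,
    'src_ip': 22, 'src_port': 23, 'dst_ip': 24, 'dst_port': 25,
    'userdata1': 5, 'userdata2': 4, 'userdata3': 9, 'userdata4': 15,
    'userdata5': 16, 'userdata6': 17, 'userdata7': 18, 'userdata8': 20,
}
PLUGIN_ID = 1001  # OSSIM's Snort plugin


def parse_sfims(line):
    """Return the field dict the stanza would produce for one alert line,
    or None when the regexp does not match (a line the agent would drop)."""
    m = SFIMS_RE.search(line)
    if m is None:
        return None
    event = {name: m.group(num) for name, num in FIELD_MAP.items()}
    event['plugin_id'] = PLUGIN_ID
    return event


# Constructed sample in the layout rsyslog writes to /var/log/snort/alert.
# Hostname, policy name, rule message and UUID are invented; the addresses
# come from the RFC 5737 documentation ranges.
SAMPLE = (
    'Jan 14 10:02:33 firepower SFIMS: '
    '[Primary Detection Engine (d27e3cd2-4c3e-11e4-b9ee-8c9cf3cb5f12)]'
    '[Default Intrusion Policy][1:1000001:3] "LOCAL test alert" '
    '[Classification: Potentially Bad Traffic] User: Unknown, '
    'Application: Unknown, Client: Unknown, App Protocol: Unknown, '
    'Interface Ingress: s1p1, Interface Egress: s1p2, '
    'Security Zone Ingress: inside, Security Zone Egress: outside, '
    'Context: Unknown, [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:51342'
)

# Same alert with a zone name containing a space: the [a-zA-Z\-\_0-9]+ class
# in the stanza cannot match it, so the whole line is dropped.
SAMPLE_SPACED_ZONE = SAMPLE.replace('Security Zone Ingress: inside,',
                                    'Security Zone Ingress: inside net,')

if __name__ == '__main__':
    for name, line in (('sample', SAMPLE), ('spaced zone', SAMPLE_SPACED_ZONE)):
        ev = parse_sfims(line)
        print(name, '->', 'DROPPED' if ev is None else ev)
```

Run it with python3: a None result means the agent would silently drop that line. The second sample is the case to watch; if your zone or interface names contain spaces or dots, widen that character class in the stanza and re-run this check before going live.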


Updating Snort and OpenVAS rules

OpenVAS and Snort rules in AlienVault OSSIM are deployed as part of the AlienVault updates. If you want them refreshed more often than that, you can do it yourself with the two cron jobs below.

OpenVAS Plugin Update Script

Most of this comes straight from the AlienVault configuration guide, just from assorted places. Here is the script to update the OpenVAS plugins (NVTs):

#!/bin/sh
openvas-nvt-sync --wget
/etc/init.d/openvas-scanner restart
perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate

openvas-nvt-sync --wget fetches the NVT feed with wget instead of rsync, the scanner is restarted to load the new NVTs, and updateplugins.pl migrate imports the refreshed plugin list into OSSIM's vulnerability scanner database.

Save this as a .sh file (e.g. update-openvas-plugins.sh, placed in /scripts/, which is the path the crontab line below uses), owned by root and executable by root only:

chmod 700 update-openvas-plugins.sh
chown root:root update-openvas-plugins.sh

Then add to root’s crontab:

crontab -e

and add the following line:

0 3 * * 6 /bin/sh /scripts/update-openvas-plugins.sh

where this one runs weekly on Saturday at 3am. See crontab(5) for the field layout.

Snort Plugin Update Script

Here is the script for Snort. Note that it does not fetch rules itself: it rebuilds OSSIM's Snort SID map from whatever is in /etc/snort/rules/, so the server recognises new signature IDs, and then restarts the server to load it:

#!/bin/sh
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
/etc/init.d/ossim-server restart

If the box is only a Snort sensor and does not run ossim-server, change the last line to:

/etc/init.d/snort restart

or

/etc/init.d/snort_eth1 restart

where eth1 is the interface Snort listens on (OSSIM's Snort init scripts are named per monitored interface).

Save it as /scripts/update-snort-rules.sh with the same ownership and permissions as above, then edit root's crontab again and add the line:

0 4 * * 6 /bin/sh /scripts/update-snort-rules.sh

This one runs every Saturday at 4am.
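Both scripts above run their steps unconditionally: if openvas-nvt-sync fails, the scanner is still restarted and the migration still runs against stale plugins, and nothing stops a second cron run from starting while a slow sync is still in progress. The wrapper below is an added example, not from the original post or from AlienVault. It wraps the same commands (as variables, so a sensor-only box can swap in its snort restart, and so the logic can be exercised with true/false in place of the real tools) in an mkdir lock and a fail-fast chain, and logs each step. The lock path /var/lock/ossim-rule-update is an assumed location.

```sh
#!/bin/sh
# rule-update.sh: run the OSSIM rule-update jobs with a lock and fail-fast.
# Added example, not part of the original post or of AlienVault OSSIM.
# Usage: rule-update.sh openvas|snort|all   (with no argument it only
# defines the functions, so it can be sourced or tested).
set -u

# The exact commands from the post, overridable from the environment; on a
# sensor-only box set SERVER_RESTART='/etc/init.d/snort_eth1 restart'.
NVT_SYNC="${NVT_SYNC:-openvas-nvt-sync --wget}"
SCANNER_RESTART="${SCANNER_RESTART:-/etc/init.d/openvas-scanner restart}"
PLUGIN_MIGRATE="${PLUGIN_MIGRATE:-perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate}"
SIDMAP="${SIDMAP:-perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/}"
SERVER_RESTART="${SERVER_RESTART:-/etc/init.d/ossim-server restart}"
LOCKDIR="${LOCKDIR:-/var/lock/ossim-rule-update}"   # assumed lock location

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >&2
}

# Run one command line and return its exit status.  $1 is expanded unquoted on
# purpose: it is a whitespace-separated command line with no shell quoting.
run_step() {
    log "running: $1"
    $1
    rc=$?
    [ "$rc" -eq 0 ] || log "FAILED (rc=$rc): $1"
    return "$rc"
}

# Serialise runs.  mkdir is atomic, so two cron jobs racing for the lock
# cannot both win; the lock is always released, whatever the steps return.
with_lock() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "another update is still running (lock $LOCKDIR exists)"
        return 75   # EX_TEMPFAIL
    fi
    "$@"
    rc=$?
    rmdir "$LOCKDIR"
    return "$rc"
}

# && chains: a failed sync never triggers a restart or a migration of stale
# plugins, and a failed sidmap rebuild never bounces ossim-server.
openvas_steps() {
    run_step "$NVT_SYNC" && run_step "$SCANNER_RESTART" && run_step "$PLUGIN_MIGRATE"
}
snort_steps() {
    run_step "$SIDMAP" && run_step "$SERVER_RESTART"
}
update_openvas() { with_lock openvas_steps; }
update_snort()   { with_lock snort_steps; }

case "${1:-}" in
    openvas) update_openvas; exit $? ;;
    snort)   update_snort;   exit $? ;;
    all)     update_openvas && update_snort; exit $? ;;
    "")      ;;   # no argument: define the functions only
    *)       log "usage: $0 openvas|snort|all" ;;
esac
```

Save it as /scripts/rule-update.sh with the same chmod 700 and root ownership as above, and the two crontab lines become 0 3 * * 6 /scripts/rule-update.sh openvas and 0 4 * * 6 /scripts/rule-update.sh snort (or one line with all). A non-zero exit from a failed step reaches cron, so failures show up in cron's mail rather than only in a quietly stale rule set.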
