List: ossec-dev
Subject: [ossec-dev] ossec-hids: ossec2base.sql (NEW) ossec2base.pl (HEAD)
From: OSSEC CVS <cvs-commit () ossec ! net>
Date: 2006-08-30 11:56:43
Message-ID: ossec2based.pl.1.10 () ossec ! net
Module name: ossec-hids
Changes by: meirm 06/08/30 08:56:41
Modified files:
ossec2base.pl ossec2based.pl
Added files:
ossec2base.sql
Log message:
Corrected to new alert format
--- NEW FILE: ossec2base.sql ---
--
-- Table structure for table `acid_event`
--
CREATE TABLE `acid_event` (
  -- One denormalised row per alert, in the column layout BASE expects for its
  -- acid_event cache. (sid, cid) is the alert key shared with `event` and `data`.
  `sid`          INT UNSIGNED NOT NULL,
  `cid`          INT UNSIGNED NOT NULL,
  -- NOTE(review): this column is a VARCHAR while `event`.`signature` is an
  -- INT UNSIGNED pointing at `signature`.`sig_id`; confirm what the loader
  -- writes here before relying on a join between the two tables.
  `signature`    VARCHAR(255) NOT NULL,
  `sig_name`     VARCHAR(255) DEFAULT NULL,
  `sig_class_id` INT UNSIGNED DEFAULT NULL,
  `sig_priority` INT UNSIGNED DEFAULT NULL,
  `timestamp`    DATETIME NOT NULL,
  -- Address and port columns are numeric; presumably IPv4 packed into an
  -- unsigned 32-bit value as in BASE -- verify against the loader.
  `ip_src`       INT UNSIGNED DEFAULT NULL,
  `ip_dst`       INT UNSIGNED DEFAULT NULL,
  `ip_proto`     INT DEFAULT NULL,
  `layer4_sport` INT UNSIGNED DEFAULT NULL,
  `layer4_dport` INT UNSIGNED DEFAULT NULL,
  PRIMARY KEY (`sid`, `cid`),
  -- Every filterable column carries its own index so BASE's search screens
  -- do not table-scan.
  KEY `signature`    (`signature`),
  KEY `sig_name`     (`sig_name`),
  KEY `sig_class_id` (`sig_class_id`),
  KEY `sig_priority` (`sig_priority`),
  KEY `timestamp`    (`timestamp`),
  KEY `ip_src`       (`ip_src`),
  KEY `ip_dst`       (`ip_dst`),
  KEY `ip_proto`     (`ip_proto`),
  KEY `layer4_sport` (`layer4_sport`),
  KEY `layer4_dport` (`layer4_dport`)
  -- MyISAM, as in BASE's own schema: no transactions and no foreign keys, so a
  -- loader that dies between the `event` and `acid_event` inserts leaves an
  -- orphaned half-record behind.
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
-- --------------------------------------------------------
--
-- Table structure for table `data`
--
CREATE TABLE `data` (
  -- Raw alert text for one alert, keyed by the same (sid, cid) pair as
  -- `event`; one row per alert at most.
  `sid`          INT UNSIGNED NOT NULL,
  `cid`          INT UNSIGNED NOT NULL,
  `data_payload` TEXT,
  PRIMARY KEY (`sid`, `cid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
-- --------------------------------------------------------
--
-- Table structure for table `event`
--
CREATE TABLE `event` (
  -- Core alert record: sensor id, per-sensor counter, rule/signature id and
  -- the alert time. (sid, cid) is the key the other tables hang off.
  `sid`       INT UNSIGNED NOT NULL,
  `cid`       INT UNSIGNED NOT NULL,
  -- Numeric reference to `signature`.`sig_id`; MyISAM cannot enforce it, so
  -- the loader is responsible for inserting the signature row first.
  `signature` INT UNSIGNED NOT NULL,
  `timestamp` DATETIME NOT NULL,
  PRIMARY KEY (`sid`, `cid`),
  KEY `sig`  (`signature`),
  KEY `time` (`timestamp`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
-- --------------------------------------------------------
--
-- Table structure for table `sensor`
--
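CREATE TABLE `sensor` (
  -- One row per alert source as BASE understands it. The Perl loader
  -- defaults hostname/interface to 'localhost'/'ossec' and tracks the
  -- highest `cid` it has issued for the sensor in `last_cid`.
  `sid`       INT UNSIGNED NOT NULL AUTO_INCREMENT,
  `hostname`  TEXT,
  `interface` TEXT,
  `filter`    TEXT,
  `detail`    TINYINT DEFAULT NULL,
  `encoding`  TINYINT DEFAULT NULL,
  `last_cid`  INT UNSIGNED NOT NULL,
  PRIMARY KEY (`sid`)
  -- The dumped AUTO_INCREMENT=6 table option was dropped: it was the counter
  -- state of the author's development database, not part of the schema, and
  -- a fresh install should start numbering sensors at 1.
) ENGINE=MyISAM DEFAULT CHARSET=latin1;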
-- --------------------------------------------------------
--
-- Table structure for table `signature`
--
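CREATE TABLE `signature` (
  -- Rule catalogue referenced by `event`.`signature`. `sig_class_id` is
  -- NOT NULL, so the loader has to supply a class id for every rule it
  -- creates; no sig_class table is created by this file.
  `sig_id`       INT UNSIGNED NOT NULL AUTO_INCREMENT,
  `sig_name`     VARCHAR(255) NOT NULL,
  `sig_class_id` INT UNSIGNED NOT NULL,
  `sig_priority` INT UNSIGNED DEFAULT NULL,
  `sig_rev`      INT UNSIGNED DEFAULT NULL,
  `sig_sid`      INT UNSIGNED DEFAULT NULL,
  `sig_gid`      INT UNSIGNED DEFAULT NULL,
  PRIMARY KEY (`sig_id`),
  -- Prefix index: only the first 20 characters of the name are indexed, so
  -- lookups by full name still have to compare the rest of the string.
  KEY `sign_idx`         (`sig_name`(20)),
  KEY `sig_class_id_idx` (`sig_class_id`)
  -- The dumped AUTO_INCREMENT=47 table option was dropped: it leaked the
  -- author's database state into the schema and made new installs start
  -- rule ids at 47 for no reason.
) ENGINE=MyISAM DEFAULT CHARSET=latin1;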
Index: ossec2base.pl
===================================================================
RCS file: /usr/cvsroot/ossec-ui/base/bin/ossec2base.pl,v
diff -u -r1.8 -r1.9
--- ossec2base.pl 29 Aug 2006 17:57:58 -0000 1.8
+++ ossec2base.pl 30 Aug 2006 11:56:40 -0000 1.9
@@ -1,16 +1,92 @@
#!/usr/bin/perl -w
-use strict;
-# by Meir Michanie
-# GPL licensed
-# meirm@riunx.com
use Socket;
use POSIX 'setsid';
+use strict;
+# ---------------------------------------------------------------------------
+# Author: Meir Michanie (meirm@riunx.com)
+# Co-Author: J.A.Senger (jorge@br10.com.br)
+# File: ossec2mysql.pl
+# Version 0.7 (09/2006)
+# ---------------------------------------------------------------------------
+# http://www.riunx.com/
+# http://www.jasenger.com/ossec2mysql
+# ---------------------------------------------------------------------------
+#
+# ---------------------------------------------------------------------------
+# About this script
+# ---------------------------------------------------------------------------
+#
+# "Ossec to Mysql" records the OSSEC HIDS alert logs in MySQL database.
+# It can run as a daemon (ossec2mysqld.pl), recording in real-time the logs in database or
+# as a simple script (ossec2mysql.pl).
+#
+# ---------------------------------------------------------------------------
+# Prerequisites
+# ---------------------------------------------------------------------------
+#
+# MySQL Server
+# Perl DBD::mysql module
+# Perl DBI module
+#
+# ---------------------------------------------------------------------------
+# Installation steps
+# ---------------------------------------------------------------------------
+#
+# 1) Create new database
+# 2a) Run ossec2mysql.sql to create MySQL tables in your database
+# 2b) Create BASE tables with snort tables extention
+# 3) Create a user to access the database;
+# 4) Copy ossec2mysql.conf to /etc/ossec2mysql.conf with 0600 permissions
+# 3) Edit /etc/ossec2mysql.conf according to your configuration:
+# dbhost=localhost
+# database=ossecbase
+# debug=5
+# dbport=3306
+# dbpasswd=mypassword
+# dbuser=ossecuser
+# fieldseparator=;
+# daemonize=0
+# resolve=1
+#
+#
+# ---------------------------------------------------------------------------
+# License
+# ---------------------------------------------------------------------------
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# ---------------------------------------------------------------------------
+# About OSSEC HIDS
+# ---------------------------------------------------------------------------
+#
+# OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
+# It performs log analysis and correlation, integrity checking,
+# rootkit detection, time-based alerting and active response.
+# http://www.ossec.net
+#
+# ---------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------
+# Parameters
+# ---------------------------------------------------------------------------
$SIG{TERM} = sub { &gracefulend('TERM')};
$SIG{INT} = sub { &gracefulend('INT')};
my ($RUNASDAEMON)=0;
-my ($DAEMONLOGFILE)='/var/log/ossec2based.log';
-my ($DAEMONLOGERRORFILE) = '/var/log/ossec2based.err';
-my ($LOGGER)='ossec2based';
+my ($DAEMONLOGFILE)='/var/log/ossec2mysql.log';
+my ($DAEMONLOGERRORFILE) = '/var/log/ossec2mysql.err';
+my ($LOGGER)='ossec2mysql';
use ossecmysql;
my %conf;
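Review bot: The new header's installation steps name files that do not match what this commit ships: step 2a says `Run ossec2mysql.sql` and the banner says `File: ossec2mysql.pl`, while the schema added here is ossec2base.sql and this script is ossec2base.pl; the list also has two entries numbered `3)`. Suggest `# 2a) Run ossec2base.sql to create the BASE-compatible tables in your database` and renumbering the list 1 through 5 so the conf copy step and the conf edit step are distinct. The conf example contains `dbpasswd=mypassword`, so the 0600 instruction in step 4 is the right one; it would be worth adding that the file must be owned by the account the daemon runs under, since nothing visible here drops privileges.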
@@ -35,6 +111,9 @@
my $dump=0;
my ($hids_id,$hids,$hids_interface,$last_cid)=(undef, 'localhost', 'ossec',0);
my ($tempvar,$VERBOSE)=(0,0);
+# ---------------------------------------------------------------------------
+# Arguments parsing
+# ---------------------------------------------------------------------------
while (@ARGV){
$_= shift @ARGV;
if (m/^-d$|^--daemon$/){
@@ -125,22 +204,27 @@
# BYPASS
# dstip=srcip
#$dstip=$srcip;
- if (exists $resolv{$alerthost}){
- $dstip=$resolv{$alerthost};
- }else{
- if ($conf{'resolve'}){
- $dstip=`host $alerthost 2>/dev/null | grep 'has address' `;
- if ($dstip =~m/(\d+\.\d+\.\d+\.\d+)/ ){
- $dstip=$1;
- }else{
- $dstip=$srcip;
- }
- }else{
- $dstip=$alerthost;
- }
- $resolv{$alerthost}=$dstip;
-
- }
+ if ($alerthostip){
+ $dstip=$alerthostip;
+ $resolv{$alerthost}=$dstip;
+ }else{
+ if (exists $resolv{$alerthost}){
+ $dstip=$resolv{$alerthost};
+ }else{
+ if ($conf{'resolve'}){
+ $dstip=`host $alerthost 2>/dev/null | grep 'has address' `;
+ if ($dstip =~m/(\d+\.\d+\.\d+\.\d+)/ ){
+ $dstip=$1;
+ }else{
+ $dstip=$srcip;
+ }
+ }else{
+ $dstip=$alerthost;
+ }
+ $resolv{$alerthost}=$dstip;
+
+ }
+ }
#
$last_cid= &prepair2basedata(
$hids_id,
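Review bot: In the `resolve` branch `$alerthost` is still interpolated directly into a shell command, `host $alerthost 2>/dev/null | grep 'has address'`; it comes from the `(\S+)` and `\((.*?)\)` captures on the alert header line, so shell metacharacters in a hostname or agent-name field are executed by /bin/sh as whatever user runs this script. This is not introduced by the commit, but it survives on the new side and the new `$alerthostip` short-circuit only skips it for agent-format lines. `Socket` is already loaded at the top of the file, so the lookup can be done in-process: replace the backtick line and the `(\d+\.\d+\.\d+\.\d+)` parse of its output with `my $packed = gethostbyname($alerthost);` followed by `$dstip = defined $packed ? inet_ntoa($packed) : $srcip;`, which also removes the dependency on a `host` binary. The enclosing flush block and the `prepair2basedata` call continue past the end of the hunk.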
@@ -159,7 +243,7 @@
$user,
$text
);
- ($timestamp,$sec,$mail,$date,$alerthost,$datasource,$rule,$level,$description,
+ ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
$srcip,$dstip,$user,$text)=();
next ;
}
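Review bot: `$alerthostip` is added to this reset list and assigned in the new parsing branch further down, but no hunk in this file's diff adds it to the `my (...)` declaration, whereas ossec2based.pl gets exactly that change in its `@@ -99,7 +179,7 @@` hunk. With `use strict` now in force, perl will refuse to compile ossec2base.pl with `Global symbol "$alerthostip" requires explicit package name` unless the variable is declared somewhere outside the hunks shown. Add it next to `$alerthost` in the declaration, i.e. `my ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,`, matching the sibling script.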
@@ -174,10 +258,18 @@
$sec=$2;
$mail=$3;
$mail=$mail ? $mail : 'nomail';
- }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)->(.*)$/){
+#2006 Aug 29 17:19:52 firewall -> /var/log/messages
+#
+ }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s+->(.*)$/){
$date=$1;
$alerthost=$2;
$datasource=$3;
+#2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck
+ }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s+->(.*)$/){
+ $date=$1;
+ $alerthost=$2;
+ $alerthostip=$3;
+ $datasource=$4;
}elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){
$date=$1;
$alerthost='localhost';
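Review bot: The new agent branch captures `$alerthostip` with `(\S+)` and the earlier hunk stores it as `$dstip` without any check that it is an address, bypassing even the loose `(\d+\.\d+\.\d+\.\d+)` filter the resolve path applies; a non-numeric token in that position is handed to the database as the destination IP. Tighten the group so the branch only fires on a dotted quad and anything else falls through to the next pattern: `}elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+->(.*)$/){`. The lazy `(.*?)` before `\)` would also truncate an agent name that itself contains `)`, if OSSEC allows such names; a one-line comment stating that assumption would help the next reader. The `if`/`elsif` chain starts and ends outside the hunk.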
Index: ossec2based.pl
===================================================================
RCS file: /usr/cvsroot/ossec-ui/base/bin/ossec2based.pl,v
diff -u -r1.9 -r1.10
--- ossec2based.pl 29 Aug 2006 17:57:58 -0000 1.9
+++ ossec2based.pl 30 Aug 2006 11:56:40 -0000 1.10
@@ -1,16 +1,92 @@
#!/usr/bin/perl -w
use strict;
-# by Meir Michanie
-# GPL licensed
-# meirm@riunx.com
use Socket;
use POSIX 'setsid';
+# ---------------------------------------------------------------------------
+# Author: Meir Michanie (meirm@riunx.com)
+# Co-Author: J.A.Senger (jorge@br10.com.br)
+# File: ossec2mysql.pl
+# Version 0.7 (09/2006)
+# ---------------------------------------------------------------------------
+# http://www.riunx.com/
+# http://www.jasenger.com/ossec2mysql
+# ---------------------------------------------------------------------------
+#
+# ---------------------------------------------------------------------------
+# About this script
+# ---------------------------------------------------------------------------
+#
+# "Ossec to Mysql" records the OSSEC HIDS alert logs in MySQL database.
+# It can run as a daemon (ossec2mysqld.pl), recording in real-time the logs in database or
+# as a simple script (ossec2mysql.pl).
+#
+# ---------------------------------------------------------------------------
+# Prerequisites
+# ---------------------------------------------------------------------------
+#
+# MySQL Server
+# Perl DBD::mysql module
+# Perl DBI module
+#
+# ---------------------------------------------------------------------------
+# Installation steps
+# ---------------------------------------------------------------------------
+#
+# 1) Create new database
+# 2a) Run ossec2mysql.sql to create MySQL tables in your database
+# 2b) Create BASE tables with snort tables extention
+# 3) Create a user to access the database;
+# 4) Copy ossec2mysql.conf to /etc/ossec2mysql.conf with 0600 permissions
+# 3) Edit /etc/ossec2mysql.conf according to your configuration:
+# dbhost=localhost
+# database=ossecbase
+# debug=5
+# dbport=3306
+# dbpasswd=mypassword
+# dbuser=ossecuser
+# fieldseparator=;
+# daemonize=0
+# resolve=1
+#
+#
+# ---------------------------------------------------------------------------
+# License
+# ---------------------------------------------------------------------------
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# ---------------------------------------------------------------------------
+# About OSSEC HIDS
+# ---------------------------------------------------------------------------
+#
+# OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
+# It performs log analysis and correlation, integrity checking,
+# rootkit detection, time-based alerting and active response.
+# http://www.ossec.net
+#
+# ---------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------
+# Parameters
+# ---------------------------------------------------------------------------
$SIG{TERM} = sub { &gracefulend('TERM')};
$SIG{INT} = sub { &gracefulend('INT')};
my ($RUNASDAEMON)=0;
-my ($DAEMONLOGFILE)='/var/log/ossec2based.log';
-my ($DAEMONLOGERRORFILE) = '/var/log/ossec2based.err';
-my ($LOGGER)='ossec2based';
+my ($DAEMONLOGFILE)='/var/log/ossec2mysql.log';
+my ($DAEMONLOGERRORFILE) = '/var/log/ossec2mysql.err';
+my ($LOGGER)='ossec2mysql';
use ossecmysql;
my %conf;
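Review bot: `$DAEMONLOGFILE` and `$DAEMONLOGERRORFILE` are changed to `/var/log/ossec2mysql.log` and `/var/log/ossec2mysql.err`, the same paths ossec2base.pl is given in this commit, so the daemon, the one-shot script and, going by the header text, the separate ossec2mysql tool all write to the same two files. If more than one of them runs on a host their output interleaves and nothing in the error file says which process produced it; keep a per-script name such as `/var/log/ossec2based.log`, or make the path a `logfile=` key in /etc/ossec2mysql.conf with a comment naming the script it belongs to. The banner also still calls this file `ossec2mysql.pl` although it is ossec2based.pl.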
@@ -35,6 +111,10 @@
my $dump=0;
my ($hids_id,$hids,$hids_interface,$last_cid)=(undef, 'localhost', 'ossec',0);
my ($tempvar,$VERBOSE)=(0,0);
+# ---------------------------------------------------------------------------
+# Arguments parsing
+# ---------------------------------------------------------------------------
+
while (@ARGV){
$_= shift @ARGV;
if (m/^-d$|^--daemon$/){
@@ -99,7 +179,7 @@
my $newrecord=0;
my %stats;
my %resolv;
-my ($timestamp,$sec,$mail,$date,$alerthost,$datasource,$rule,$level,$description,
+my ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
$srcip,$dstip,$user,$text)=();
my $lasttimestamp=0;
my $delta=0;
@@ -152,21 +232,26 @@
# dstip=srcip
#$dstip=$srcip;
#
- if (exists $resolv{$alerthost}){
- $dstip=$resolv{$alerthost};
+ if ($alerthostip){
+ $dstip=$alerthostip;
+ $resolv{$alerthost}=$dstip;
}else{
- if ($conf{'resolve'}){
- $dstip=`host $alerthost 2>/dev/null | grep 'has address' `;
- if ($dstip =~m/(\d+\.\d+\.\d+\.\d+)/ ){
- $dstip=$1;
+ if (exists $resolv{$alerthost}){
+ $dstip=$resolv{$alerthost};
+ }else{
+ if ($conf{'resolve'}){
+ $dstip=`host $alerthost 2>/dev/null | grep 'has address' `;
+ if ($dstip =~m/(\d+\.\d+\.\d+\.\d+)/ ){
+ $dstip=$1;
+ }else{
+ $dstip=$srcip;
+ }
}else{
- $dstip=$srcip;
+ $dstip=$alerthost;
}
- }else{
- $dstip=$alerthost;
+ $resolv{$alerthost}=$dstip;
+
}
- $resolv{$alerthost}=$dstip;
-
}
$last_cid= &prepair2basedata(
$hids_id,
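Review bot: The `host $alerthost 2>/dev/null | grep 'has address'` backtick call on the new side still builds a shell command from a field parsed out of the alert log, so a hostname token containing `;`, backticks or `$(` is run by the shell whenever `resolve=1`; the new `$alerthostip` short-circuit only avoids it for agent-format lines, syslog-format lines still reach it. The file already has `use Socket` at the top, so the lookup can be done without a shell: replace the backtick line and the `(\d+\.\d+\.\d+\.\d+)` parse with `my $addr = gethostbyname($alerthost);` and `$dstip = defined $addr ? inet_ntoa($addr) : $srcip;`, keeping the fall-back to `$srcip` the current code has. The enclosing record-flush block continues past the end of the hunk.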
@@ -185,7 +270,7 @@
$user,
$text
);
- ($timestamp,$sec,$mail,$date,$alerthost,$datasource,$rule,$level,$description,
+ ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
$srcip,$dstip,$user,$text)=();
next ;
}
@@ -200,10 +285,18 @@
$sec=$2;
$mail=$3;
$mail=$mail ? $mail : 'nomail';
- }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)->(.*)$/){
+#2006 Aug 29 17:19:52 firewall -> /var/log/messages
+#
+ }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s+->(.*)$/){
$date=$1;
$alerthost=$2;
$datasource=$3;
+#2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck
+ }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s+->(.*)$/){
+ $date=$1;
+ $alerthost=$2;
+ $alerthostip=$3;
+ $datasource=$4;
}elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){
$date=$1;
$alerthost='localhost';
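Review bot: The generic `\s+(\S+)\s+->(.*)$` branch is tried before the new `\((.*?)\)\s+(\S+)\s+->` agent branch, and an agent line only reaches the second pattern because `\S+` cannot swallow the space between `(recepcao)` and the address; that ordering works but is fragile, and the intent is clearer with the more specific agent pattern first. Independently, `$alerthostip` is captured as `(\S+)` and never checked to be an address before the earlier hunk assigns it to `$dstip`; use `(\d{1,3}(?:\.\d{1,3}){3})` for that group so a malformed token falls through to the next branch instead of being written as the destination IP. The `if`/`elsif` chain starts and ends outside the hunk.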