基於OSSIM平臺下華爲交換機日誌收集插件的開發正則表達式
長期以來,大家在收集華爲交換機日誌時往往是通過syslog協議轉發的方式,將華爲交換機日誌轉發到日誌收集器上,簡單存儲,但這樣並沒有將日誌標準化,也就是OSSIM中對日誌的歸一化處理。在《開源安全運維平臺-OSSIM最佳實踐》一書的第七章專門講解了日誌收集與插件的自定義,本文將繼續本書內容,爲大家分享華爲交換機插件。根據書中講解,我們在OSSIM Agent插件目錄中創建插件文件huawei.cfg,編寫插件的大體格式可按書裏面的內容編寫,不過還需要注意插件的導入過程,下面舉個華爲插件的實際例子。
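; huawei.cfg — OSSIM agent detector plugin for Huawei switch/firewall syslog.
; Page-tag text that was fused onto the section header and the value
; ("app", "運維") has been removed; the value must be the bare number.
[DEFAULT]
; NOTE(review): presumably must match the plugin id registered on the OSSIM
; server side — confirm before importing the plugin
plugin_id=1728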
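; Agent-side settings for this plugin. Page-tag text that was fused onto the
; header and several values ("ide", "測試", "spa", "插件", "日誌", "code") has
; been removed; with it in place the values (e.g. enable=yesspa) would not
; parse as intended.
[config]
type=detector
enable=yes
source=log
; file the agent reads; created if absent (create_file=yes)
location=/var/log/huawei.log
create_file=yes
; no external process is started or stopped for this plugin — the log file
; is the only source
process=
start=no
stop=no
startup=
shutdown=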
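; Maps the Huawei log "brief" (the token captured as $brief by the rules
; below) to a plugin_sid. Several briefs deliberately share a sid
; (LOGIN/LOGIN_SUCCED/LOGIN_SUCCEED/PASS=9, TRAP/TRAPLOG=11).
; NOTE(review): keys are upper-case as they appear in the logs; the lookup
; presumably depends on the loader preserving option case — confirm.
[translation]
SESSION_TEARDOWN=1
BOTNET=2
DETECT=3
CMDRECORD=4
DISPLAY_CMDRECORD=5
LOAD_OK=6
UPDATESUCCESS=7
LOAD_FAIL=8
PASS=9
OUT=10
TRAPLOG=11
LOGIN_SUCCED=9
LOGIN_SUCCEED=9
FIREWALLATCK=12
; NOTE(review): this key is garbled in the published copy ("×××" is a
; redaction artifact); restore it from the brief of a real log line before
; use, or the translate() lookup for that brief will never match.
USER_ACCE×××ESULT=13
USER_OFFLINERESULT=14
DATASYNC_CFGCHANGE=15
; CMDCONFIRM_UNIFORMRECORD was listed twice (16 and 26); a duplicate key is
; parser-dependent (last-wins, first-wins or an error). Kept once, with the
; later value 26 that a last-wins reader would have used; sid 16 is now unused.
CMDCONFIRM_UNIFORMRECORD=26
SAVE=17
STREAM=18
LOGIN=9
LOADSUCC=19
LINK_STATE=20
STATUSUP=21
IF_ENABLE=22
ONLINESUCC=23
HOT_INSERT=24
BOARD_ENABLE=25
ACTIVATION=27
DEV_REG=28
GETSERVERR=29
VIRUS=30
BOARD_ABSENT=31
REMOVABLE=32
REBOOT=33
WARMSTART=34
NLOGINIT=35
TRAP=11
RECOVERSUCCESS=37
UPDATE_SUCCESS=38
ENGINE_OK=39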
這裏是正則表達式的例子,需要有一定基礎哦
; Rule 0001: events carrying Policy=/SrcIp=/DstIp=/... and a SignName or
; VirusName field (IPS/AV style records).
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; NOTE(review): (?:%%) is meant as the literal "%%" prefix of Huawei VRP
; syslog; this relies on the loader not interpolating "%" — an interpolating
; configparser would collapse it to a single "%" and the rule would stop matching.
[0001 - Huawei]
event_type=event
; presumably a cheap substring guard applied before the regexp — confirm
precheck="Application"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:\s+(?P.*?)\(.*?Policy="(?P[^"]*)",\s+SrcIp=(?P[^,]*),\s+DstIp=(?P[^,]*),\s+SrcPort=(?P[^,]*),\s+DstPort=(?P[^,]*),\s+SrcZone=(?P[^,]*),\s+DstZone=(?P[^,]*),\s+User="(?P[^"]*)",\s+Protocol=(?P[^,]*),\s+Application="(?P[^,]*)",\s+Profile="(?P[^"]*)",\s+.*?(?:SignName|VirusName)="(?P[^"]*)",\s(?:DetectionType="(?P[^,]*)",)?.*?Action=(?P[^\)]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
; sid comes from the brief via the [translation] table
plugin_sid={translate($brief)}
protocol={$proto}
src_ip={$src_ip}
dst_ip={$dst_ip}
src_port={$src_port}
dst_port={$dst_port}
username={$user}
userdata1={$description}
userdata2={translate($severity)}
userdata3={$policy}
userdata4={$action}
; DetectionType is optional in the regexp, so this may be empty
userdata5={$det_type}
userdata6={$profile}
userdata7={$sig_name}
userdata8={$app}
userdata9={$dst_zone}
; Rule 0002: attack-defense records (AttackType=, interface=, src="ip:port ",
; dst="ip:port ", begin/end time, packet totals, max speed).
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; Unlike the other rules this one has no "%%"/version part; the
; module/severity/brief groups follow the hostname directly.
[0002 - Huawei Attack]
event_type=event
precheck="AttackType"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?P\S+)\/(?P\d)\/(?P[^\(]*).*?AttackType="(?P[^"]*)",\s+.*?interface="(?P[^"]*)",\s+proto="(?P[^"]*)",\s+src="(?P[^:]*):(?P\d+)\s+",\s+dst="(?P[^:]*):(?P\d+)\s+",\s+begin\s+time="(?P[^"]*)",\s+end\s+time="(?P[^"]*)",\s+total\s+packets="(?P[^"]*)",\s+max\s+speed="(?P[^"]*)",\s+User="(?P[^"]*)",\s+Action="(?P[^"]*)""
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
; src/dst are passed through resolv() here, unlike rule 0001
src_ip={resolv($src_ip)}
dst_ip={resolv($dst_ip)}
src_port={$src_port}
dst_port={$dst_port}
username={$user}
protocol={$proto}
userdata1={$action}
userdata2={translate($severity)}
userdata3={$module}
userdata4={$begin_time}
userdata5={$end_time}
userdata6={$total_pkt}
userdata7={$speed}
userdata8={$interface}
userdata9={$attack}
; Rule 0003: session/flow records (IPVer=, Protocol=, SourceIP=, ...,
; SendPkts=, RcvBytes=, Source/Destination VPN ids).
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; NOTE(review): "***" in the precheck, the regexp and the $src_***_id /
; $dst_***_id references is a redaction artifact of the published copy;
; "***" is not a valid group-name character, so these must be restored from a
; real log line (the field is usually the VPN id — confirm) before the rule
; can load.
; NOTE(review): (?:%%) is the literal Huawei "%%" prefix — relies on no "%"
; interpolation by the loader.
[0003 - Huawei]
event_type=event
precheck="Source***ID"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?:\d{4}-\d{2}-\d{2}\s+\d+\d+:\d+:\d+)\s+(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\):IPVer=(?P[^,]*),Protocol=(?P[^,]*),SourceIP=(?P[^,]*),DestinationIP=(?P[^,]*),SourcePort=(?P[^,]*),DestinationPort=(?P[^,]*),BeginTime=(?P[^,]*),EndTime=(?P[^,]*),SendPkts=(?P[^,]*),SendBytes=(?P[^,]*),RcvPkts=(?P[^,]*),RcvBytes=(?P[^,]*),Source***ID=(?P[^,]*),Destination***ID=(?P[^,]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
protocol={$proto}
src_ip={$src_ip}
dst_ip={$dst_ip}
src_port={$src_port}
dst_port={$dst_port}
userdata1={$module}
userdata2={translate($severity)}
userdata3={$send_pkt}
userdata4={$send_b}
userdata5={$rcv_pkt}
userdata6={$rcv_b}
userdata7={$src_***_id}
userdata8={$dst_***_id}
; NOTE(review): $module is stored twice (userdata1 and userdata9); one of
; these slots is probably meant for another field — confirm
userdata9={$module}
; Rule 0004: command-record events (Task=, Ip=, ...Name=, User=,
; AuthenticationMethod=, Command=).
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; NOTE(review): "***Name" in the regexp and "$***_name" below are redaction
; artifacts; "*" cannot appear in a group name, so restore the real field
; name from a log line (usually the VPN name field in Huawei CMDRECORD
; lines — confirm) before loading.
; NOTE(review): (?:%%) is the literal Huawei "%%" prefix — relies on no "%"
; interpolation by the loader.
[0004 - Huawei]
event_type=event
precheck="AuthenticationMethod"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:(?P.*?)\(Task=(?P[^,]*),\s+Ip=(?P[^,]*),\s+***Name=(?P[^,]*),\s+User=(?P[^,]*),\s+AuthenticationMethod="(?P[^,]*)",\s+Command="(?P[^,]*)""
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
; the operator's address from the Ip= field, not the device address
src_ip={resolv($ip)}
username={$user}
userdata1={$identifier}
userdata2={translate($severity)}
userdata3={$task}
; userdata4 is intentionally or accidentally unused here — confirm
userdata5={$***_name}
userdata6={$method}
; the full command string entered on the device; keep in mind it is stored
; verbatim and may contain arguments such as configured credentials
userdata7={$command}
userdata8={$module}
userdata9={$description}
; Rule 0005: signature/engine update events (SyslogId=, optional User=/IP=,
; Module=, Version=, optional UpdateVersion=/Status=, Duration(s)=).
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; NOTE(review): (?:%%) is the literal Huawei "%%" prefix — relies on no "%"
; interpolation by the loader.
[0005 - Huawei updates]
event_type=event
precheck="Version"
; the User=/IP= and UpdateVersion=/Status= parts are optional groups, so
; $user, $ip, $version1 and $status may be empty for some lines
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:(?P.*?)\(SyslogId=(?P[^,]*),\s+(User=(?P[^,]*),\s+IP=(?P[^,]*),\s+)?Module=(?P[^,]*),.*?Version=(?P[^,]*),\s+(UpdateVersion=(?P[^,]*),\s+Status=(?P[^,]*),\s+)?Duration\(s\)=(?P[^,|\)]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
; empty when the optional IP= part is absent — check what resolv() does
; with an empty string
src_ip={resolv($ip)}
username={$user}
userdata1={$version}
userdata2={translate($severity)}
userdata3={$module}
userdata4={$module1}
userdata5={$version1}
userdata6={$duration}
userdata7={$status}
; $module is stored twice (userdata3 and userdata8)
userdata8={$module}
userdata9={$description}
; Rule 0006: "User <name>(IP:<addr> ID:<n>) login|logout" events.
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; NOTE(review): precheck="IP" is a two-character guard that almost every
; line containing an address field will pass; it is only a pre-filter, the
; regexp still decides, but a longer anchor (e.g. the "(IP:" token) would
; cost less — confirm how precheck is applied before changing it.
; NOTE(review): (?:%%) is the literal Huawei "%%" prefix — relies on no "%"
; interpolation by the loader.
[0006 - Huawei login logout]
event_type=event
precheck="IP"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:User\s+(?P\S+)\(IP:(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+ID:(?P\d+)\)\s+(?Plogin|logout)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
; the client address from the "(IP:...)" part of the message
src_ip={resolv($user_address)}
username={$username}
userdata1={$version}
userdata2={translate($severity)}
userdata3={$module}
; userdata4 unused in this rule
userdata5={$id}
; "login" or "logout"
userdata6={$action}
userdata7={$module}
userdata8={$identifier}
; Rule 0007: "configure changed" events (EventIndex=, CommandSource=,
; ConfigSource=, ConfigDestination=).
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; NOTE(review): (?:%%) is the literal Huawei "%%" prefix — relies on no "%"
; interpolation by the loader.
[0007 - Huawei config]
event_type=event
precheck="ConfigSource"
; EventIndex is matched as a single digit (\d); indexes of 10 or more would
; not match this rule
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?configure changed.*?EventIndex=(?P\d),\s+CommandSource=(?P\d+),\s+ConfigSource=(?P\d+),\s+ConfigDestination=(?P\d+)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
; the message carries no client address, so the device itself is used as src_ip
src_ip={resolv($hostname)}
userdata1={$version}
userdata2={translate($severity)}
userdata3={$module}
userdata4={$config_dst}
userdata5={$config_src}
userdata6={$command_index}
userdata7={$index}
userdata8={$identifier}
; Rule 0008: access/authentication records with ";"-separated KEY:VALUE
; fields (DEVICEMAC:, DEVICENAME:, USER:, MAC:, IPADDRESS:, ..., RESULT:).
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; NOTE(review): (?:%%) is the literal Huawei "%%" prefix — relies on no "%"
; interpolation by the loader.
[0008 - Huawei access]
event_type=event
precheck="DEVICEMAC"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:.*?DEVICEMAC:(?P[^;]*);DEVICENAME:(?P[^;]*);USER:(?P[^;]*);MAC:(?P[^;]*);IPADDRESS:(?P[^;]*);TIME:(?P[^;]*);ZONE:(?P[^;]*);DAYLIGHT:(?P[^;]*);ERRCODE:(?P[^;]*);RESULT:(?P[^;]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($ip)}
username={$user}
userdata1={$result}
userdata2={translate($severity)}
userdata3={$module}
; NOTE(review): "dec_mac" reads like a typo of "dev_mac" (the DEVICEMAC
; field); whichever spelling is used, the restored group name in the regexp
; must match it exactly
userdata4={$dec_mac}
userdata5={$dev_name}
userdata6={$errcode}
userdata7={$identifier}
userdata8={$daylight}
userdata9={$zone}
; Rule 0009: "User login succeed" events (username =, loginIP =, loginTime =,
; loginType =, userLevel =).
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; Like rule 0002 this one has no "%%"/version or "(identifier)" part.
[0009 - Huawei login]
event_type=event
precheck="User login succeed"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?P\S+)\/(?P\d)\/(?P.*?):.*?User login succeed.*?username\s+=\s+(?P[^,]*),\s+loginIP\s+=\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\s+loginTime\s+=\s+(?P[^,]*),\s+loginType\s=\s(?P[^,]*),\s+userLevel\s+=\s+(?P[^,|)]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
; client address from the loginIP field
src_ip={resolv($ip)}
username={$user}
; note: severity lands in userdata1 here, userdata2 in every other rule
userdata1={translate($severity)}
userdata2={$module}
userdata3={$login_time}
userdata4={$login_type}
userdata5={$level}
; Rule 0030: catch-all for any Huawei VRP line; the "%%", version and
; "(identifier)" parts are optional and the whole remainder after ":" is
; captured as $msg. No precheck, so every line reaches this regexp.
; NOTE(review): every (?P group in this copy lost its <name>; restore
; (?P<name>...) so the $name references below resolve before loading.
; NOTE(review): the id 0030 suggests this rule is meant to run after the
; specific ones — confirm the agent evaluates rules in section order.
; NOTE(review): briefs not present in [translation] reach translate() here;
; confirm what it yields for an unknown key and whether a fallback entry is
; needed, otherwise these events may get no usable plugin_sid.
[0030 - Huawei generic]
event_type=event
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)?(?P\d\d)?(?P\S+)\/(?P\d)\/(?P[^:|\(]*)(?:\((?P\w)\))?.*?:(?P.*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($hostname)}
userdata1={translate($severity)}
userdata2={$module}
userdata3={$identifier}
; raw message tail, stored verbatim
userdata4={$msg}
userdata5={$version}
完成插件編寫以後就要進行反覆測試與修改,待測試通過後就要進行插件導入工作,最後是插件啓用,如下圖所示。
以上是華爲交換機插件的一個例子,其他華爲設備的日誌也是照此編寫,如果有不明白之處,大家可參閱《開源安全運維平臺OSSIM最佳實踐》一書或與該書作者聯繫。