Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
OSSIM plugin for HP iLO

This is the plugin for parsing HP iLO v. 4 login/logout events on AlienVault OSSIM

# Alienvault plugin
# Author: Eugene Sokolov at esguardian@outlook.com
# Plugin myILO id:90012 version: 0.0.1
# Last modification: 2015-06-10 16:10
#
# Accepted products:
# HP iLO v.4
#
# /etc/rsyslog.d/ilo.conf
# if $rawmsg contains 'iLO 4' and ($rawmsg contains 'login' or $rawmsg contains 'logout') then -/var/log/ilo-access.log
# & ~
#
[DEFAULT]
plugin_id=90012
[config]
type=detector
enable=yes
source=log
#
location=/var/log/ilo-access.log
# create log file if it does not exists,
# otherwise stop processing this plugin
create_file=false
process=
start=yes ; launch plugin process when agent starts
stop=no ; shutdown plugin process when agent stops
# restart=yes ; restart plugin process after each interval
# restart_interval=180
startup=
shutdown=
[ilo - user login IPMI]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login\sby\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
plugin_sid=1
device={resolv($dst_ip)}
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
userdata2={$unknown}
[ilo - user login Browser]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login:\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
plugin_sid=2
device={resolv($dst_ip)}
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
userdata2={$unknown}
[ilo - user logout]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+logout:\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
plugin_sid=3
device={resolv($dst_ip)}
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
userdata2={$unknown}
[ilo - user login failure]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login\sfailure\sfrom:\s+(?P<src_ip>\S+)\("
plugin_sid=4
device={resolv($dst_ip)}
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
#username={$user}
userdata1={$host_proc}
-- myILO
-- plugin_id: 90012
DELETE FROM plugin WHERE id = "90012";
DELETE FROM plugin_sid where plugin_id = "90012";
INSERT IGNORE INTO plugin (id, type, name, description) VALUES (90012, 1, 'myILO', 'ILO access');
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 1, NULL, NULL, 'ILO access IPMI',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 2, NULL, NULL, 'ILO access Browser',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 3, NULL, NULL, 'ILO logout',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 4, NULL, NULL, 'ILO access FAILURE',1, 3);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.