ESGuardian/!ossim_plugin_myILO.md

## !ossim_plugin_myILO.md

      
    Raw
  

              !ossim_plugin_myILO.md
            
          
    This is the plugin for parsing HP iLO v. 4 login/logout events on AlienVault OSSIM

  
## myILO.cfg
# Alienvault plugin
# Author: Eugene Sokolov at esguardian@outlook.com
# Plugin myILO id:90012 version: 0.0.1
# Last modification: 2015-06-10 16:10
#
# Accepted products:
# HP iLO v.4
#
# /etc/rsyslog.d/ilo.conf
# if $rawmsg contains 'iLO 4' and ($rawmsg contains 'login' or $rawmsg contains 'logout') then -/var/log/ilo-access.log
# & ~
#

[DEFAULT]
plugin_id=90012

[config]
type=detector
enable=yes

source=log
#
location=/var/log/ilo-access.log

# create log file if it does not exists,
# otherwise stop processing this plugin
create_file=false

process=
start=yes   ; launch plugin process when agent starts
stop=no     ; shutdown plugin process when agent stops
# restart=yes  ; restart plugin process after each interval
# restart_interval=180
startup=
shutdown=


[ilo - user login IPMI]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login\sby\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
plugin_sid=1
device={resolv($dst_ip)}
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
userdata2={$unknown}

[ilo - user login Browser]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login:\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
plugin_sid=2
device={resolv($dst_ip)}
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
userdata2={$unknown}

[ilo - user logout]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+logout:\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
plugin_sid=3
device={resolv($dst_ip)}
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
userdata2={$unknown}

[ilo - user login failure]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login\sfailure\sfrom:\s+(?P<src_ip>\S+)\("
plugin_sid=4
device={resolv($dst_ip)}
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
#username={$user}
userdata1={$host_proc}

## myILO.sql
-- myILO
-- plugin_id: 90012

DELETE FROM plugin WHERE id = "90012";
DELETE FROM plugin_sid where plugin_id = "90012";

INSERT IGNORE INTO plugin (id, type, name, description) VALUES (90012, 1, 'myILO', 'ILO access');

INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 1, NULL, NULL, 'ILO access IPMI',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 2, NULL, NULL, 'ILO access Browser',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 3, NULL, NULL, 'ILO logout',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 4, NULL, NULL, 'ILO access FAILURE',1, 3);
	# Alienvault plugin
	# Author: Eugene Sokolov at esguardian@outlook.com
	# Plugin myILO id:90012 version: 0.0.1
	# Last modification: 2015-06-10 16:10
	#
	# Accepted products:
	# HP iLO v.4
	#
	# /etc/rsyslog.d/ilo.conf
	# if $rawmsg contains 'iLO 4' and ($rawmsg contains 'login' or $rawmsg contains 'logout') then -/var/log/ilo-access.log
	# & ~
	#

	[DEFAULT]
	plugin_id=90012

	[config]
	type=detector
	enable=yes

	source=log
	#
	location=/var/log/ilo-access.log

	# create log file if it does not exists,
	# otherwise stop processing this plugin
	create_file=false

	process=
	start=yes ; launch plugin process when agent starts
	stop=no ; shutdown plugin process when agent stops
	# restart=yes ; restart plugin process after each interval
	# restart_interval=180
	startup=
	shutdown=


	[ilo - user login IPMI]
	event_type=event
	regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login\sby\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
	plugin_sid=1
	device={resolv($dst_ip)}
	date={normalize_date($date + ' ' + $time)}
	src_ip={$src_ip}
	# src_port={""}
	dst_ip={$dst_ip}
	# dst_port={""}
	# protocol={""}
	username={$user}
	userdata1={$host_proc}
	userdata2={$unknown}

	[ilo - user login Browser]
	event_type=event
	regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login:\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
	plugin_sid=2
	device={resolv($dst_ip)}
	date={normalize_date($date + ' ' + $time)}
	src_ip={$src_ip}
	# src_port={""}
	dst_ip={$dst_ip}
	# dst_port={""}
	# protocol={""}
	username={$user}
	userdata1={$host_proc}
	userdata2={$unknown}

	[ilo - user logout]
	event_type=event
	regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+logout:\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\("
	plugin_sid=3
	device={resolv($dst_ip)}
	date={normalize_date($date + ' ' + $time)}
	src_ip={$src_ip}
	# src_port={""}
	dst_ip={$dst_ip}
	# dst_port={""}
	# protocol={""}
	username={$user}
	userdata1={$host_proc}
	userdata2={$unknown}

	[ilo - user login failure]
	event_type=event
	regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login\sfailure\sfrom:\s+(?P<src_ip>\S+)\("
	plugin_sid=4
	device={resolv($dst_ip)}
	date={normalize_date($date + ' ' + $time)}
	src_ip={$src_ip}
	# src_port={""}
	dst_ip={$dst_ip}
	# dst_port={""}
	# protocol={""}
	#username={$user}
	userdata1={$host_proc}
	-- myILO
	-- plugin_id: 90012

	DELETE FROM plugin WHERE id = "90012";
	DELETE FROM plugin_sid where plugin_id = "90012";

	INSERT IGNORE INTO plugin (id, type, name, description) VALUES (90012, 1, 'myILO', 'ILO access');

	INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 1, NULL, NULL, 'ILO access IPMI',1, 3);
	INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 2, NULL, NULL, 'ILO access Browser',1, 3);
	INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 3, NULL, NULL, 'ILO logout',1, 3);
	INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (90012, 4, NULL, NULL, 'ILO access FAILURE',1, 3);