Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
OSSIM plugin for MS FEP (note about freetds.conf if you are not native american)

This is the plugin for reading MS Endpoint Protection events from System Center Configuration Manager database. Also contains configuration files for creating view in SCCM DB and for Freedts on OSSIM server (need for cyrillic chars in SCCM DB)

#create this view in SCCM Site Databes
#and create user 'username' with logon (sql native)
create view dbo.MalwareView as select
n.Type
, n.RowID
, n.Name
, n.Description
, n.Timestamp
, n.SchemaVersion
, n.ObserverHost
, n.ObserverUser
, n.ObserverProductName
, n.ObserverProductversion
, n.ObserverProtectionType
, n.ObserverProtectionVersion
, n.ObserverProtectionSignatureVersion
, n.ObserverDetection
, n.ObserverDetectionTime
, n.ActorHost
, n.ActorUser
, n.ActorProcess
, n.ActorResource
, n.ActionType
, n.TargetHost
, n.TargetUser
, n.TargetProcess
, n.TargetResource
, n.ClassificationID
, n.ClassificationType
, n.ClassificationSeverity
, n.ClassificationCategory
, n.RemediationType
, n.RemediationResult
, n.RemediationErrorCode
, n.RemediationPendingAction
, n.IsActiveMalware
, i.IP_Addresses0 as 'SrcAddress'
from v_AM_NormalizedDetectionHistory n
, System_IP_Address_ARR i
, v_RA_System_ResourceNames s
, Network_DATA d
where n.ObserverHost = s.Resource_Names0
and s.ResourceID = d.MachineID
and d.IPEnabled00 = 1
and d.MachineID = i.ItemKey
and i.IP_Addresses0 like '%.%.%.%';
# /etc/freetds/freetds.conf
# For information about the layout of this file and its settings,
# see the freetds.conf manpage "man freetds.conf".
# Global settings are overridden by those in a database
# server specific section
[global]
tds version = 7.0 # must be for Russian charset
client charset = UTF-8 # must be for Russian charset
text size = 64512
# A typical Sybase server
[egServer50]
# A typical Microsoft server
[mssql]
# Alienvault plugin
# Author: Eugene Sokolov esguardian@outlook.com
# Plugin msfep id:9003 version: 0.0.1
# Last modification: 2015-05-18
#
# accepted product MS SCCM Endpoint Protection 2012
#
#
[DEFAULT]
plugin_id=9003
[config]
type=detector
enable=yes
source=database
source_type=mssql
source_ip=server_ip
source_port=1433
user=username
password=******
db=SCCM_site_database
sleep=60
process=
start=no
stop=no
[start_query]
query="SELECT TOP 1 Timestamp FROM dbo.MalwareView ORDER BY Timestamp DESC"
regexp=
[query]
query="SELECT Timestamp, TargetHost, TargetUser, TargetProcess, TargetResource, ClassificationType, ClassificationSeverity, ClassificationCategory, RemediationType, RemediationResult, RemediationPendingAction, SrcAddress FROM dbo.MalwareView where DateDiff(second,'$1',Timestamp) > 0 ORDER BY Timestamp"
regexp=
ref=0
date=
plugin_sid=1
src_ip={$11}
dst_ip=
username={$2}
userdata1={$1}
userdata2={$3}
userdata3={$5}
userdata4={$6}
userdata5={$7}
userdata6={$8}
userdata7={$9}
userdata8={$10}
userdata9={$4}
# Payload
log={$0}, Host: {$1}, User: {$2}, Process: {$3}, Resource: {$4}, Malware: {$5}, Severity: {$6}, Category: {$7}, Action {$8}, Result: {$9}, TODO: {$10}, SRC IP: {$11}
-- MSFEP
-- plugin_id: 9003
DELETE FROM plugin WHERE id = "9003";
DELETE FROM plugin_sid where plugin_id = "9003";
INSERT IGNORE INTO plugin (id, type, name, description) VALUES (9003, 1, 'MSFEP', 'MSFEP Malware');
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9003, 1, NULL, NULL, 'MSFEP Malware',1, 3);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.