This is the plugin for reading MS Endpoint Protection events from System Center Configuration Manager database. Also contains configuration files for creating view in SCCM DB and for Freedts on OSSIM server (need for cyrillic chars in SCCM DB)
Last active
August 29, 2015 14:23
-
-
Save ESGuardian/3d5cab533067affd0634 to your computer and use it in GitHub Desktop.
OSSIM plugin for MS FEP (note about freetds.conf if you are not native american)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #create this view in SCCM Site Databes | |
| #and create user 'username' with logon (sql native) | |
| create view dbo.MalwareView as select | |
| n.Type | |
| , n.RowID | |
| , n.Name | |
| , n.Description | |
| , n.Timestamp | |
| , n.SchemaVersion | |
| , n.ObserverHost | |
| , n.ObserverUser | |
| , n.ObserverProductName | |
| , n.ObserverProductversion | |
| , n.ObserverProtectionType | |
| , n.ObserverProtectionVersion | |
| , n.ObserverProtectionSignatureVersion | |
| , n.ObserverDetection | |
| , n.ObserverDetectionTime | |
| , n.ActorHost | |
| , n.ActorUser | |
| , n.ActorProcess | |
| , n.ActorResource | |
| , n.ActionType | |
| , n.TargetHost | |
| , n.TargetUser | |
| , n.TargetProcess | |
| , n.TargetResource | |
| , n.ClassificationID | |
| , n.ClassificationType | |
| , n.ClassificationSeverity | |
| , n.ClassificationCategory | |
| , n.RemediationType | |
| , n.RemediationResult | |
| , n.RemediationErrorCode | |
| , n.RemediationPendingAction | |
| , n.IsActiveMalware | |
| , i.IP_Addresses0 as 'SrcAddress' | |
| from v_AM_NormalizedDetectionHistory n | |
| , System_IP_Address_ARR i | |
| , v_RA_System_ResourceNames s | |
| , Network_DATA d | |
| where n.ObserverHost = s.Resource_Names0 | |
| and s.ResourceID = d.MachineID | |
| and d.IPEnabled00 = 1 | |
| and d.MachineID = i.ItemKey | |
| and i.IP_Addresses0 like '%.%.%.%'; | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/freetds/freetds.conf | |
| # For information about the layout of this file and its settings, | |
| # see the freetds.conf manpage "man freetds.conf". | |
| # Global settings are overridden by those in a database | |
| # server specific section | |
| [global] | |
| tds version = 7.0 # must be for Russian charset | |
| client charset = UTF-8 # must be for Russian charset | |
| text size = 64512 | |
| # A typical Sybase server | |
| [egServer50] | |
| # A typical Microsoft server | |
| [mssql] | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Alienvault plugin | |
| # Author: Eugene Sokolov esguardian@outlook.com | |
| # Plugin msfep id:9003 version: 0.0.1 | |
| # Last modification: 2015-05-18 | |
| # | |
| # accepted product MS SCCM Endpoint Protection 2012 | |
| # | |
| # | |
| [DEFAULT] | |
| plugin_id=9003 | |
| [config] | |
| type=detector | |
| enable=yes | |
| source=database | |
| source_type=mssql | |
| source_ip=server_ip | |
| source_port=1433 | |
| user=username | |
| password=****** | |
| db=SCCM_site_database | |
| sleep=60 | |
| process= | |
| start=no | |
| stop=no | |
| [start_query] | |
| query="SELECT TOP 1 Timestamp FROM dbo.MalwareView ORDER BY Timestamp DESC" | |
| regexp= | |
| [query] | |
| query="SELECT Timestamp, TargetHost, TargetUser, TargetProcess, TargetResource, ClassificationType, ClassificationSeverity, ClassificationCategory, RemediationType, RemediationResult, RemediationPendingAction, SrcAddress FROM dbo.MalwareView where DateDiff(second,'$1',Timestamp) > 0 ORDER BY Timestamp" | |
| regexp= | |
| ref=0 | |
| date= | |
| plugin_sid=1 | |
| src_ip={$11} | |
| dst_ip= | |
| username={$2} | |
| userdata1={$1} | |
| userdata2={$3} | |
| userdata3={$5} | |
| userdata4={$6} | |
| userdata5={$7} | |
| userdata6={$8} | |
| userdata7={$9} | |
| userdata8={$10} | |
| userdata9={$4} | |
| # Payload | |
| log={$0}, Host: {$1}, User: {$2}, Process: {$3}, Resource: {$4}, Malware: {$5}, Severity: {$6}, Category: {$7}, Action {$8}, Result: {$9}, TODO: {$10}, SRC IP: {$11} | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- MSFEP | |
| -- plugin_id: 9003 | |
| DELETE FROM plugin WHERE id = "9003"; | |
| DELETE FROM plugin_sid where plugin_id = "9003"; | |
| INSERT IGNORE INTO plugin (id, type, name, description) VALUES (9003, 1, 'MSFEP', 'MSFEP Malware'); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9003, 1, NULL, NULL, 'MSFEP Malware',1, 3); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment