David Vassallo dvas0004

## ossec_broker_server.py
import SocketServer
import subprocess

class TCPHandler(SocketServer.BaseRequestHandler):
    def handle(self):
        # self.request is the TCP socket connected to the client
        self.data = self.request.recv(1024).strip()

        # for logging purposes, write connection information to screen
        print "Connection from: %s : %s" % (self.client_address[0], self.data)

## eps_monitor.conf
[settings]
default_interval_mins=5
default_threshold=1000
smtp_server=127.0.0.1
recipient=someone@example.com
sender=alienvault@example.com

[thresholds]
sensorname=1000

## logstash.conf
input {


tcp {

	port => 5140

	type => "windows-events"

## nxlog_linux.conf
## This is a sample configuration file. See the nxlog reference manual about the

## configuration options. It should be installed locally and is also available

## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html


## Please set the ROOT to the folder your nxlog was installed into,

## tls_common
package tls_common

/*
IMPORTANT: due to golang's encapsulation directives, variables in this file MUST start with a capital letter, else
they will not be visible from other packages

reference: http://golangtutorials.blogspot.com/2011/06/structs-in-go-instead-of-classes-in.html
 */

/*

## embeddedTLSserver.go
package main

import (
	"io"
	"net/http"
	"log"
	"crypto/tls"
	"net"
	"sixpmplc.com/golang/license_server/tls_common"
)

## logging_dynamic_template.json
{
  "template" : "logstash-*",
  "settings" : {
    "analysis": {
            "analyzer": {
                "custom_keyword": {
                    "filter": ["lowercase"],
                    "type": "keyword"
                }
            }

## nxlog.conf
define ROOT /nxlog

Moduledir /usr/local/libexec/nxlog/modules
CacheDir %ROOT%/data
Pidfile %ROOT%/data/nxlog.pid
SpoolDir %ROOT%/data
LogFile %ROOT%/data/nxlog.log

<Extension _syslog>
    Module      xm_syslog

## nxlog.conf
 Global directives                    #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #

## gist:d600a65f474f6d313251
######## ALIENVAULT OSSIM Logs ########################################

   if [type] == "ossim-events" {

        grok {

                patterns_dir => "/elk/logstash-1.5.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns"


                match => [ "message", "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}'  ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' username='%{GREEDYDATA:username}' userdata1=%{GREEDYDATA:userdata}' idm_host_src='%{GREEDYDATA:idm_host_src}' idm_host_dst='%{GREEDYDATA:idm_host_dst}' idm_mac_src='%{MAC:idm_mac_src}' idm_ma
	import SocketServer
	import subprocess

	class TCPHandler(SocketServer.BaseRequestHandler):
	def handle(self):
	# self.request is the TCP socket connected to the client
	self.data = self.request.recv(1024).strip()

	# for logging purposes, write connection information to screen
	print "Connection from: %s : %s" % (self.client_address[0], self.data)
	[settings]
	default_interval_mins=5
	default_threshold=1000
	smtp_server=127.0.0.1
	recipient=someone@example.com
	sender=alienvault@example.com

	[thresholds]
	sensorname=1000
	## This is a sample configuration file. See the nxlog reference manual about the

	## configuration options. It should be installed locally and is also available

	## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html



	## Please set the ROOT to the folder your nxlog was installed into,
	package tls_common

	/*
	IMPORTANT: due to golang's encapsulation directives, variables in this file MUST start with a capital letter, else
	they will not be visible from other packages

	reference: http://golangtutorials.blogspot.com/2011/06/structs-in-go-instead-of-classes-in.html
	*/

	/*
	package main

	import (
	"io"
	"net/http"
	"log"
	"crypto/tls"
	"net"
	"sixpmplc.com/golang/license_server/tls_common"
	)
	{
	"template" : "logstash-*",
	"settings" : {
	"analysis": {
	"analyzer": {
	"custom_keyword": {
	"filter": ["lowercase"],
	"type": "keyword"
	}
	}
	define ROOT /nxlog

	Moduledir /usr/local/libexec/nxlog/modules
	CacheDir %ROOT%/data
	Pidfile %ROOT%/data/nxlog.pid
	SpoolDir %ROOT%/data
	LogFile %ROOT%/data/nxlog.log

	<Extension _syslog>
	Module xm_syslog
	Global directives #
	########################################
	User nxlog
	Group nxlog

	LogFile /var/log/nxlog/nxlog.log
	LogLevel INFO

	########################################
	# Modules #
	######## ALIENVAULT OSSIM Logs ########################################

	if [type] == "ossim-events" {

	grok {

	patterns_dir => "/elk/logstash-1.5.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns"


	match => [ "message", "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' username='%{GREEDYDATA:username}' userdata1=%{GREEDYDATA:userdata}' idm_host_src='%{GREEDYDATA:idm_host_src}' idm_host_dst='%{GREEDYDATA:idm_host_dst}' idm_mac_src='%{MAC:idm_mac_src}' idm_ma