
Development of log collection plug-in for Huawei switch based on OSSIM platform

2025-04-13 Update From: SLTechnology News&Howtos (Network Security)


Shulou (Shulou.com) 06/01 Report


For a long time, when collecting Huawei switch logs we have simply forwarded them over the syslog protocol to a log collector and stored them as they arrive. That does not standardize the logs, that is, it skips the log normalization OSSIM expects. Chapter 7 of the book "Open Source Security Operation and Maintenance Platform: OSSIM Best Practices" covers log collection and plug-in customization; this article continues that material by sharing a Huawei switch plug-in. Following the book, the plug-in file is named huawei.cfg and placed in the OSSIM agent plug-in directory. The overall layout of the plug-in follows the book, but the plug-in import process also needs attention. Here is a real Huawei plug-in example.

[DEFAULT]
Plugin_id=1728

[config]
Type=detector
Enable=yes
Source=log
Location=/var/log/huawei.log
Create_file=yes
Process=
Start=no
Stop=no
Startup=
Shutdown=

[translation]
SESSION_TEARDOWN=1
BOTNET=2
DETECT=3
CMDRECORD=4
DISPLAY_CMDRECORD=5
LOAD_OK=6
UPDATESUCCESS=7
LOAD_FAIL=8
PASS=9
OUT=10
TRAPLOG=11
LOGIN_SUCCED=9
LOGIN_SUCCEED=9
FIREWALLATCK=12
USER_ACCESSRESULT=13
USER_OFFLINERESULT=14
DATASYNC_CFGCHANGE=15
CMDCONFIRM_UNIFORMRECORD=16
SAVE=17
STREAM=18
LOGIN=9
LOADSUCC=19
LINK_STATE=20
STATUSUP=21
IF_ENABLE=22
ONLINESUCC=23
HOT_INSERT=24
BOARD_ENABLE=25
CMDCONFIRM_UNIFORMRECORD=26
ACTIVATION=27
DEV_REG=28
GETSERVERR=29
VIRUS=30
BOARD_ABSENT=31
REMOVABLE=32
REBOOT=33
WARMSTART=34
NLOGINIT=35
TRAP=11
RECOVERSUCCESS=37
UPDATE_SUCCESS=38
ENGINE_OK=39
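The sections above are an INI-style file, and the details of how such a file is parsed decide whether the plug-in imports cleanly. The loader below is an added example (not code from the page, from the book or from the OSSIM project) written with Python's configparser. It shows three checks worth running before import: duplicate keys in [translation] (the table above lists CMDCONFIRM_UNIFORMRECORD twice, with sids 16 and 26, and a strict parser rejects the whole file on that), the [DEFAULT] values that an INI parser copies into every section (Plugin_id would otherwise look like a log brief), and the "%%" that begins every Huawei log header, which an interpolating parser silently collapses to a single "%" so the regex never matches. The cfg excerpt, the generic Regexp inside it and the sample log line are constructed for the example; the Regexp is a hypothetical well-formed one, not the page's.

```python
import configparser
import re

# Constructed excerpt of a huawei.cfg in the page's layout (not the full plug-in).
# It repeats CMDCONFIRM_UNIFORMRECORD on purpose, as the page's table does, and the
# generic rule's Regexp is a hypothetical well-formed one containing the "%%" that
# starts every Huawei log header.
SAMPLE_CFG = r"""
[DEFAULT]
Plugin_id=1728

[config]
Type=detector
Enable=yes
Source=log
Location=/var/log/huawei.log
Create_file=yes

[translation]
SESSION_TEARDOWN=1
BOTNET=2
CMDRECORD=4
PASS=9
LOGIN=9
CMDCONFIRM_UNIFORMRECORD=16
CMDCONFIRM_UNIFORMRECORD=26

[0030-Huawei generic]
Event_type=event
Regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+%%(?P<version>\d\d)(?P<module>\w+)/(?P<severity>\d)/(?P<brief>\w+)"
Plugin_sid={translate($brief)}
"""

# The same excerpt with the duplicate removed, i.e. what the file should look like.
FIXED_CFG = SAMPLE_CFG.replace("CMDCONFIRM_UNIFORMRECORD=26\n", "")


def find_duplicate_keys(text, section):
    """Return option names that occur more than once inside one section.

    Done on the raw text because a strict ConfigParser refuses the whole file at
    the first duplicate, and we want every offending key in one pass.
    """
    seen, dups, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
            continue
        if current != section or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 2:
            dups.append(key)
    return dups


def load_plugin(text, interpolate=False):
    """Parse a plug-in file.

    interpolation=None keeps '%%' literal; strict=True rejects duplicate keys;
    optionxform=str keeps the upper-case brief names, which the default parser
    would lower-case so that a translate($brief) lookup could never hit them.
    """
    parser = configparser.ConfigParser(
        interpolation=configparser.BasicInterpolation() if interpolate else None,
        strict=True,
    )
    parser.optionxform = str
    parser.read_string(text)
    return parser


def strict_load_error(text):
    """Name of the parse error a strict load raises, or None if the file is clean."""
    try:
        load_plugin(text)
    except configparser.Error as exc:
        return type(exc).__name__
    return None


def translation_table(parser):
    """[translation] as {brief: sid}, minus the [DEFAULT] keys that configparser
    copies into every section."""
    defaults = set(parser.defaults())
    return {k: int(v) for k, v in parser.items("translation") if k not in defaults}


def rule_regexp(parser, section):
    """The rule's Regexp text with the surrounding quotes removed."""
    return parser.get(section, "Regexp").strip().strip('"')


def header_matches(parser, section, line):
    """True if the rule's regex matches the given log line."""
    return re.search(rule_regexp(parser, section), line) is not None
```

Running find_duplicate_keys over the real huawei.cfg before each import saves a round of "why did the agent refuse the plug-in"; the interpolate=True path exists only to make the "%%" pitfall visible, and a loader for real use keeps interpolation switched off.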

Here are the rule sections with their regular expressions; reading them requires some regex background. Each rule is tried only on lines that contain its Precheck string, and every named group (?P<name>...) in Regexp becomes a $name variable that the field lines below it (Date, Device, Plugin_sid, Src_ip, Userdata1 and so on) map into the normalized OSSIM event.

[0001-Huawei]
Event_type=event
Precheck="Application"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3}\.\ d {1J 3})\. (? P\ S+)\ s + (?%) (? P\ d\ d) (? P\ S+)\ (? P\ d)\ / (? P\ d)\ / (? P\ w)\). *:\ s + (? P.C.?)\ (. *? Policy= "(? P [^"] *) " \ sroomSrcIp = (? P [^,] *),\ sroomDstIp = (? P [^,] *),\ sroomSrcPort = (? P [^,] *),\ sroomDstPort = (? P [^,] *),\ sroomDstZone= (? P [^,] *),\ sroomDstZone= (? P [^,] *),\ sroomUser= "(? P [^"] *) ",\ sroomProtocol= (? P [^,] *),\ sroomApplication =" (? P [^,] *) ",\ sroomProfile=" (? P [^] *) (?: SignName | VirusName) = "(? P [^"] *) ",\ s (?: DetectionType=" (? P [^,] *) ",). *? Action= (? P [^\)] *)"

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Protocol={$proto}
Src_ip={$src_ip}
Dst_ip={$dst_ip}
Src_port={$src_port}
Dst_port={$dst_port}
Username={$user}
Userdata1={$description}
Userdata2={translate($severity)}
Userdata3={$policy}
Userdata4={$action}
Userdata5={$det_type}
Userdata6={$profile}
Userdata7={$sig_name}
Userdata8={$app}
Userdata9={$dst_zone}

[0002-Huawei Attack]
Event_type=event
Precheck="AttackType"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3})\ s +? (? P\ S+)\ s + (? P\ S+)\ / (? P\ d)\ / (? P [^\ (*). *? AttackType=" (? P [^] *) (? P [^ "] *)",\ sroomsrc = "(? P [^:] *): (? P [^] *),\ s+begin\ stimetime =" (? P ["^] *)",\ s+end\ sroomtime = "(? P ["] *) ",\ s+total\ spackets =" (? P [^ "] *)" \ s+max\ sclassifier = "(? P [^"] *) ",\ sroomUser=" (? P [^ "] *)",\ sroomAction = "(? P [^"] *) ""

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Src_ip={resolv($src_ip)}
Dst_ip={resolv($dst_ip)}
Src_port={$src_port}
Dst_port={$dst_port}
Username={$user}
Protocol={$proto}
Userdata1={$action}
Userdata2={translate($severity)}
Userdata3={$module}
Userdata4={$begin_time}
Userdata5={$end_time}
Userdata6={$total_pkt}
Userdata7={$speed}
Userdata8={$interface}
Userdata9={$attack}

[0003-Huawei]
Event_type=event
Precheck="Source***ID"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3})\ s + (?:\ d {4} -\ d {2}\ d {2}\ s +\ d +:\ dcards:\ d:\ d +)\ s+ (? P\ S+)\ s + (?%) (?%) \ d\ d) (? P\ S+)\ / (? P\ d)\ / (? P.C.?)\ ((? P\ w)\): IPVer= (? P [^) ] *), Protocol= (? P [^,] *), SourceIP= (? P [^,] *), DestinationIP= (? P [^,] *), SourcePort= (? P [^,] *), DestinationPort= (? P [^,] *), BeginTime= (? P [^,] *), EndTime= (? P [^,] *), SendPkts= (? P [^,] *), SendBytes= (? P [^,] *), RcvPkts= (? P [^,] *), RcvBytes= (? P [^,] *) Source***ID= (? P [^,] *), Destination***ID= (? P [^,] *) "

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Protocol={$proto}
Src_ip={$src_ip}
Dst_ip={$dst_ip}
Src_port={$src_port}
Dst_port={$dst_port}
Userdata1={$module}
Userdata2={translate($severity)}
Userdata3={$send_pkt}
Userdata4={$send_b}
Userdata5={$rcv_pkt}
Userdata6={$rcv_b}
Userdata7={$src_***_id}
Userdata8={$dst_***_id}
Userdata9={$module}

[0004-Huawei]
Event_type=event
Precheck="AuthenticationMethod"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3}\.\ d {1J 3})\. (? P\ S+)\ s + (?%) (? P\ d\ d) (? P\ S+)\ (? P\ d)\ / (? P\ d)\ / (? P\ w)\). *: (? P.C.)\ (Task= (? P [^) ] *),\ sroomIp = (? P [^,] *),\ sroomauthenticationUserName= (? P [^,] *),\ sroomUser= (? P [^,] *),\ sroomauthenticationMethod= "(? P [^,] *)",\ sroomCommand= "(? P [^,] *)"

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Src_ip={resolv($ip)}
Username={$user}
Userdata1={$identifier}
Userdata2={translate($severity)}
Userdata3={$task}
Userdata5={$* * _ name}
Userdata6={$method}
Userdata7={$command}
Userdata8={$module}
Userdata9={$description}

[0005-Huawei updates]
Event_type=event
Precheck="Version"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3}\.\ d {1J 3})\. (? P\ S+)\ s + (?%) (? P\ d\ d) (? P\ S+)\ (? P\ d)\ / (? P\ d)\ / (? P\ w)\). *: (? P.C.)\ (SyslogId= (? P [^) ] *),\ s + (User= (? P [^,] *),\ s + IP = (? P [^,] *),\ s +)? Module= (? P [^,] *),. *? Version= (? P [^,] *),\ s + (UpdateVersion= (? P [^,] *),\ sstatus = (? P [^,] *),\ s +)? Duration\ (s\) = (? P [^, |\)] *) "

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Src_ip={resolv($ip)}
Username={$user}
Userdata1={$version}
Userdata2={translate($severity)}
Userdata3={$module}
Userdata4={$module1}
Userdata5={$version1}
Userdata6={$duration}
Userdata7={$status}
Userdata8={$module}
Userdata9={$description}

[0006-Huawei login logout]
Event_type=event
Precheck="IP"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3}\.\ d {1J 3})\. (? P\ S+)\ s + (?%) (? P\ d\ d) (? P\ S+)\ (? P\ d)\ / (? P\ d)\ / (? P\ w)\). *: User\ s + (? P\ S+)\ (IP: (? P\ d {1 Plogin 3}\.\ d {1 Plogin 3}\.\ d {1Magne 3})\ s+ID: (? P\ d +)\)\ s + (? Plogin | logout) "

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Src_ip={resolv($user_address)}
Username={$username}
Userdata1={$version}
Userdata2={translate($severity)}
Userdata3={$module}
Userdata5={$id}
Userdata6={$action}
Userdata7={$module}
Userdata8={$identifier}

[0007-Huawei config]
Event_type=event
Precheck="ConfigSource"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3}\.\ d {1J 3})\. (? P\ S+)\ s + (?%) (? P\ d\ d) (? P\ S+)\ (? P\ d)\ / (? P\ d)\ / (? P\ w)\). *? configure changed.*?EventIndex= (? P\ d) \ sroomCommandSource= (? P\ d+),\ sroomConfigSource= (? P\ d+),\ sroomConfigDestination= (? P\ d+) "

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Src_ip={resolv($hostname)}
Userdata1={$version}
Userdata2={translate($severity)}
Userdata3={$module}
Userdata4={$config_dst}
Userdata5={$config_src}
Userdata6={$command_index}
Userdata7={$index}
Userdata8={$identifier}

[0008-Huawei access]
Event_type=event
Precheck="DEVICEMAC"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3}\.\ d {1J 3})\. (? P\ S+)\ s + (?%) (? P\ d\ d) (? P\ S+)\ (? P\ d)\ / (? P\ d)\ / (? P\ w)\). *:. *? DEVICEMAC: (? P [^) ] *); DEVICENAME: (? P [^;] *); USER: (? P [^;] *); MAC: (? P [^;] *); IPADDRESS: (? P [^;] *); TIME: (? P [^;] *); ZONE: (? P [^;] *); DAYLIGHT: (? P [^;] *); ERRCODE: (? P [^;] *); RESULT: (? P [^;] *) "

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Src_ip={resolv($ip)}
Username={$user}
Userdata1={$result}
Userdata2={translate($severity)}
Userdata3={$module}
Userdata4={$dec_mac}
Userdata5={$dev_name}
Userdata6={$errcode}
Userdata7={$identifier}
Userdata8={$daylight}
Userdata9={$zone}

[0009-Huawei login]
Event_type=event
Precheck="User login succeed"

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3})\ s + (? P\ S+)\ s + (? P\ S+)\ / (? P\ d)\ / (? P.J.):. *? User login succeed.*?username\ s =\ s + (? P [^,] *) \ s+loginIP\ s =\ s + (? P\ d {1pr 3}\.\ d {1J 3}\.\ d {1J 3}\.\ d {1J 3}),\ s+loginTime\ s =\ s + (? P [^,] *),\ s+loginType\ s =\ s (? P [^,] *),\ s+userLevel\ s =\ s + (? P [^, |)] *) ")"

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Src_ip={resolv($ip)}
Username={$user}
Userdata1={translate($severity)}
Userdata2={$module}
Userdata3={$login_time}
Userdata4={$login_type}
Userdata5={$level}

[0030-Huawei generic]
Event_type=event

Regexp= "(? P\ w {3}\ s +\ d:\ d\ d:\ d:\ d\ d)\ s + (? P\ d {1J 3}\.\ d {1J 3})\ s + (? P\ S+)\ s + (?%)? (? P\ d\ d)? (? P\ S+)\ / (? P\ d)\ / (? P [:\) ] *) (?:\ ((? P\ w)\)?. *: (? P.*) "

Date={normalize_date($syslog_date)}
Device={resolv($hostname)}
Plugin_sid={translate($brief)}
Src_ip={resolv($hostname)}
Userdata1={translate($severity)}
Userdata2={$module}
Userdata3={$identifier}
Userdata4={$msg}
Userdata5={$version}

After the plug-in is written, it is tested and revised repeatedly; once the tests pass, the plug-in is imported and finally enabled, as shown in the figure below.
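The test step above, as an added example that is not the page's, the book's or the OSSIM agent's code: a dry run of one rule over constructed log lines, which also exercises the plug-in mechanics the article opened with (Precheck, Regexp named groups, translate(), normalize_date() and resolv()). The rule is a hypothetical well-formed counterpart of [0006-Huawei login logout] that reuses that rule's field names; the log lines, the hostname table and the simplified stand-ins for the agent's helper functions are assumptions made for the example, and the "%%01MODULE/SEVERITY/BRIEF(l)" header layout is assumed rather than taken from the page.

```python
import re
from datetime import datetime

PLUGIN_ID = 1728
PRECHECK = "IP"  # rule 0006's Precheck: the regex runs only on lines containing this substring

# Excerpt of the page's [translation] table: Huawei log "brief" -> Plugin_sid.
TRANSLATION = {"LOGIN": 9, "LOGIN_SUCCEED": 9, "OUT": 10, "CMDRECORD": 4, "LINK_STATE": 20}

# Constructed hostname table so resolv() works offline instead of querying DNS.
HOSTS = {"sw-core-01": "192.0.2.10"}

# Hypothetical, well-formed counterpart of [0006-Huawei login logout]. Group names
# follow that rule's field lines; the "%%01MODULE/SEVERITY/BRIEF(l)" header layout
# is an assumption about the log format, not taken from the page.
RULE_0006 = re.compile(
    r"(?P<syslog_date>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+"
    r"%%(?P<version>\d\d)(?P<module>\w+)/(?P<severity>\d)/(?P<brief>\w+)"
    r"\((?P<identifier>\w)\).*?:\s*User\s+(?P<username>\S+)"
    r"\(IP:(?P<user_address>\d{1,3}(?:\.\d{1,3}){3})\s+ID:(?P<id>\d+)\)\s+"
    r"(?P<action>login|logout)"
)

# Constructed sample lines (not captured from a device): a login, a logout whose
# brief has no sid in TRANSLATION, a line the Precheck rejects, and a line that
# passes the Precheck but not the regex.
SAMPLE_LINES = [
    "Mar 21 10:15:02 sw-core-01 %%01SHELL/5/LOGIN(l)[1]:User admin(IP:10.10.1.5 ID:101) login",
    "Mar 21 10:16:40 sw-core-01 %%01SHELL/5/LOGOUT(l)[2]:User admin(IP:10.10.1.5 ID:101) logout",
    "Mar 21 10:17:00 sw-core-01 %%01IFNET/4/LINK_STATE(l)[3]:The line protocol on interface "
    "GigabitEthernet0/0/1 has entered the DOWN state.",
    "Mar 21 10:18:11 sw-core-01 %%01SHELL/5/CMDRECORD(l)[4]:Recorded command information. "
    "(Task=VTY0, IP=10.10.1.5, User=admin, Command=\"display current-configuration\")",
]


def normalize_date(stamp, year):
    """Syslog stamps carry no year; the agent fills one in (a parameter here so the
    result is deterministic)."""
    parsed = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")
    return parsed.replace(year=year).strftime("%Y-%m-%d %H:%M:%S")


def resolv(name):
    """Stand-in for the agent's resolv(): pass IPs through, map hostnames via HOSTS."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", name):
        return name
    return HOSTS.get(name, name)


def translate(value):
    """Stand-in for translate(): the sid from [translation], or None if absent."""
    return TRANSLATION.get(value)


def apply_rule(line, year=2024):
    """The normalized event rule 0006 produces for one line, or None if it does not apply."""
    if PRECHECK not in line:
        return None
    m = RULE_0006.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "plugin_id": PLUGIN_ID,
        "plugin_sid": translate(g["brief"]),
        "brief": g["brief"],  # kept only for the dry-run report, not an OSSIM field
        "date": normalize_date(g["syslog_date"], year),
        "device": resolv(g["hostname"]),
        "src_ip": resolv(g["user_address"]),
        "username": g["username"],
        "userdata2": g["severity"],
        "userdata3": g["module"],
        "userdata5": g["id"],
        "userdata6": g["action"],
        "userdata8": g["identifier"],
    }


def dry_run(lines, year=2024):
    """What to check before importing: the events the rule produces, the lines it
    skipped and why, and briefs for which [translation] has no sid."""
    report = {"events": [], "precheck_skipped": [], "unmatched": [], "missing_sids": []}
    for line in lines:
        if PRECHECK not in line:
            report["precheck_skipped"].append(line)
            continue
        event = apply_rule(line, year)
        if event is None:
            report["unmatched"].append(line)
            continue
        report["events"].append(event)
        if event["plugin_sid"] is None and event["brief"] not in report["missing_sids"]:
            report["missing_sids"].append(event["brief"])
    return report
```

The missing_sids list is the one to act on before enabling the plug-in: a brief that the regex matches but the [translation] table does not know reaches OSSIM without a Plugin_sid, and the event is dropped or lands as an unclassified record depending on the agent version, so the fix is to add the brief to [translation] rather than to loosen the regex.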

The above is an example of a Huawei switch plug-in; logs from other Huawei devices are written up in the same way. If anything is unclear, refer to the book "Open Source Security Operation and Maintenance Platform: OSSIM Best Practices" or contact its author.
