This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Add more Bro logs to ELSA #343

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 7 comments

Comments

@GoogleCodeExporter

At minimum:
ftp.log
syslog.log
weird.log

Original issue reported on code.google.com by doug.bu...@gmail.com on 18 Jun 2013 at 9:59

@GoogleCodeExporter

[deleted comment]

@GoogleCodeExporter

Also:
tunnel.log

Original comment by doug.bu...@gmail.com on 18 Jul 2013 at 1:13


@GoogleCodeExporter

I wonder if we could adjust the conn.log parser to also get the country code 
and sensorname (hostname-interface).

Original comment by doug.bu...@gmail.com on 18 Jul 2013 at 1:14


@GoogleCodeExporter

Attempt at BRO_FTP:


INSERT INTO fields (field, field_type, pattern_type) VALUES ("command", "string", "QSTRING");
INSERT INTO fields (field, field_type, pattern_type) VALUES ("arg", "string", "QSTRING");
INSERT INTO classes (id, class) VALUES (10006, "BRO_FTP");
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_FTP"), (SELECT id FROM fields WHERE field="srcip"), 5);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_FTP"), (SELECT id FROM fields WHERE field="srcport"), 6);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_FTP"), (SELECT id FROM fields WHERE field="dstip"), 7);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_FTP"), (SELECT id FROM fields WHERE field="dstport"), 8);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_FTP"), (SELECT id FROM fields WHERE field="status_code"), 9);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_FTP"), (SELECT id FROM fields WHERE field="user"), 11);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_FTP"), (SELECT id FROM fields WHERE field="command"), 12);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_FTP"), (SELECT id FROM fields WHERE field="arg"), 13);

mysql> SELECT id,field, field_type, pattern_type,input_validation,b.field_order
    FROM fields a  INNER JOIN fields_classes_map b  ON a.id = b.field_id
    WHERE b.class_id = (select id from classes where class = "BRO_FTP");
+-----+-------------+------------+--------------+------------------+-------------+
| id  | field       | field_type | pattern_type | input_validation | field_order |
+-----+-------------+------------+--------------+------------------+-------------+
|  12 | srcip       | int        | IPv4         | IPv4             |           5 |
|  13 | srcport     | int        | NUMBER       | NULL             |           6 |
|  15 | dstip       | int        | IPv4         | IPv4             |           7 |
|  16 | dstport     | int        | NUMBER       | NULL             |           8 |
|  22 | user        | string     | QSTRING      | NULL             |          11 |
| 116 | command     | string     | QSTRING      | NULL             |          12 |
| 117 | arg         | string     | QSTRING      | NULL             |          13 |
|  33 | status_code | int        | NUMBER       | NULL             |           9 |
+-----+-------------+------------+--------------+------------------+-------------+
8 rows in set (0.00 sec)

        <ruleset>
                <pattern>bro_ftp</pattern>
                <rules>
                        <rule class="10006" id="10006">
                                <patterns>
                                        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i4:|@@ANYSTRING::@</pattern>
                                </patterns>
                                <examples>
                                        <example>
                                                <!-- the literal "<hidden>" from the log must be entity-escaped, or the XML is not well-formed -->
                                                <test_message program="bro_ftp">1383916516.044020|haEncCcRVM4|1.2.3.4|60660|5.6.7.8|21|myuser|&lt;hidden&gt;|STOR|ftp://5.6.7.8/directory/myfile.txt|-|-|-|226|Transfer complete.|-|-</test_message>
                                                <!-- srcip -->
                                                <test_value name="i0">1.2.3.4</test_value>
                                                <!-- srcport -->
                                                <test_value name="i1">60660</test_value>
                                                <!-- dstip -->
                                                <test_value name="i2">5.6.7.8</test_value>
                                                <!-- dstport -->
                                                <test_value name="i3">21</test_value>
                                                <!-- user -->
                                                <test_value name="s0">myuser</test_value>
                                                <!-- command -->
                                                <test_value name="s1">STOR</test_value>
                                                <!-- arg -->
                                                <test_value name="s2">ftp://5.6.7.8/directory/myfile.txt</test_value>
                                                <!-- status_code -->
                                                <test_value name="i4">226</test_value>
                                        </example>
                                </examples>
                        </rule>
                </rules>
        </ruleset>

Original comment by alec.wat...@gmail.com on 12 Nov 2013 at 10:57


@GoogleCodeExporter

And for BRO_SSH:

INSERT INTO fields (field, field_type, pattern_type) VALUES ("client", "string", "QSTRING");
INSERT INTO classes (id, class) VALUES (10007, "BRO_SSH");
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_SSH"), (SELECT id FROM fields WHERE field="srcip"), 5);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_SSH"), (SELECT id FROM fields WHERE field="srcport"), 6);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_SSH"), (SELECT id FROM fields WHERE field="dstip"), 7);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_SSH"), (SELECT id FROM fields WHERE field="dstport"), 8);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_SSH"), (SELECT id FROM fields WHERE field="status"), 11);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_SSH"), (SELECT id FROM fields WHERE field="client"), 12);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_SSH"), (SELECT id FROM fields WHERE field="server"), 13);



mysql> SELECT id,field, field_type, pattern_type,input_validation,b.field_order
    FROM fields a  INNER JOIN fields_classes_map b  ON a.id = b.field_id
    WHERE b.class_id = (select id from classes where class = "BRO_SSH");
+-----+---------+------------+--------------+------------------+-------------+
| id  | field   | field_type | pattern_type | input_validation | field_order |
+-----+---------+------------+--------------+------------------+-------------+
|  12 | srcip   | int        | IPv4         | IPv4             |           5 |
|  13 | srcport | int        | NUMBER       | NULL             |           6 |
|  15 | dstip   | int        | IPv4         | IPv4             |           7 |
|  16 | dstport | int        | NUMBER       | NULL             |           8 |
|  62 | status  | string     | QSTRING      | NULL             |          11 |
| 118 | client  | string     | QSTRING      | NULL             |          12 |
|  48 | server  | string     | QSTRING      | NULL             |          13 |
+-----+---------+------------+--------------+------------------+-------------+
7 rows in set (0.00 sec)


        <ruleset>
                <pattern>bro_ssh</pattern>
                <rules>
                        <rule class="10007" id="10007">
                                <patterns>
                                        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ANYSTRING@</pattern>
                                </patterns>
                                <examples>
                                        <example>
                                                <test_message program="bro_ssh">1384190093.281010|50akqOBtFCb|1.2.3.4|64675|5.6.7.8|22|success|INBOUND|SSH-2.0-PuTTY_Release_0.62|SSH-1.99-Cisco-1.25|68872|GB|-|-|-|-</test_message>
                                                <!-- srcip -->
                                                <test_value name="i0">1.2.3.4</test_value>
                                                <!-- srcport -->
                                                <test_value name="i1">64675</test_value>
                                                <!-- dstip -->
                                                <test_value name="i2">5.6.7.8</test_value>
                                                <!-- dstport -->
                                                <test_value name="i3">22</test_value>
                                                <!-- status -->
                                                <test_value name="s0">success</test_value>
                                                <!-- client -->
                                                <test_value name="s1">SSH-2.0-PuTTY_Release_0.62</test_value>
                                                <!-- server -->
                                                <test_value name="s2">SSH-1.99-Cisco-1.25</test_value>
                                        </example>
                                </examples>
                        </rule>
                </rules>
        </ruleset>

Original comment by alec.wat...@gmail.com on 12 Nov 2013 at 2:23

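The BRO_FTP and BRO_SSH rulesets above are only checked by hand against their one test_message each. The script below is an added example written for this page (it is not ELSA code and is not from either comment): it emulates the two patterndb parsers those rules use (ESTRING with a delimiter, ANYSTRING), replays every test_value in the embedded copy of the BRO_FTP ruleset, and cross-checks the captured variables against the fields_classes_map rows. The mapping from variable name to field_order (i0..iN to 5+N, s0..sN to 11+N) is inferred from the inserts in the comments and is an assumption of the script, as is the embedded copy with `<hidden>` entity-escaped so the XML parses. The same check applies unchanged to the BRO_SSH ruleset.

```python
"""Offline consistency check for patterndb rules of the ELSA BRO_FTP/BRO_SSH
kind.  Added example, not ELSA code.  Only ESTRING-with-delimiter and
ANYSTRING are emulated.  The i0..iN -> 5+N, s0..sN -> 11+N field_order
convention is inferred from the thread's inserts and is an assumption."""
import re
import xml.etree.ElementTree as ET

# BRO_FTP ruleset from the comment above; "<hidden>" is entity-escaped,
# because unescaped an XML parser reads it as a start tag.
BRO_FTP_RULESET = """<ruleset>
  <pattern>bro_ftp</pattern>
  <rules>
    <rule class="10006" id="10006">
      <patterns>
        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i4:|@@ANYSTRING::@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="bro_ftp">1383916516.044020|haEncCcRVM4|1.2.3.4|60660|5.6.7.8|21|myuser|&lt;hidden&gt;|STOR|ftp://5.6.7.8/directory/myfile.txt|-|-|-|226|Transfer complete.|-|-</test_message>
          <test_value name="i0">1.2.3.4</test_value>
          <test_value name="i1">60660</test_value>
          <test_value name="i2">5.6.7.8</test_value>
          <test_value name="i3">21</test_value>
          <test_value name="s0">myuser</test_value>
          <test_value name="s1">STOR</test_value>
          <test_value name="s2">ftp://5.6.7.8/directory/myfile.txt</test_value>
          <test_value name="i4">226</test_value>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>"""

# fields_classes_map rows for class BRO_FTP, as inserted in the comment above.
BRO_FTP_FIELD_ORDER = {"srcip": 5, "srcport": 6, "dstip": 7, "dstport": 8,
                       "status_code": 9, "user": 11, "command": 12, "arg": 13}

# @PARSER@, @PARSER:name:@ or @PARSER:name:param@
PARSER_RE = re.compile(r"@(\w+)(?::([^:@]*)(?::([^@]*))?)?@")

def compile_pattern(pattern):
    """Split a pattern into (parser, name, param) triples.  Literal text
    between parsers is rejected: these rules never use it, so it is a typo."""
    tokens, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() != pos:
            raise ValueError("literal text at %d: %r" % (pos, pattern[pos:m.start()]))
        tokens.append((m.group(1), m.group(2) or "", m.group(3) or ""))
        pos = m.end()
    if pos != len(pattern):
        raise ValueError("trailing literal text: %r" % pattern[pos:])
    return tokens

def match_message(tokens, message):
    """Apply compiled tokens to one message; {name: value}, or None if no match."""
    captured, pos = {}, 0
    for parser, name, param in tokens:
        if parser == "ESTRING":
            end = message.find(param, pos)
            if end < 0:
                return None  # delimiter never appears: the rule does not fire
            value, pos = message[pos:end], end + len(param)
        elif parser == "ANYSTRING":
            value, pos = message[pos:], len(message)
        else:
            raise NotImplementedError(parser)
        if name:
            captured[name] = value
    return captured

def slot_for(name):
    """ELSA field_order implied by a variable name (assumed convention)."""
    return {"i": 5, "s": 11}[name[0]] + int(name[1:])

def check_ruleset(xml_text, field_order):
    """Replay every <example> and cross-check the class field map.
    Returns a list of problems; an empty list means the rule is consistent."""
    problems = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        tokens = compile_pattern(rule.findtext("patterns/pattern"))
        names = {n for _, n, _ in tokens if n}
        fed = {slot_for(n) for n in names}
        for field, order in field_order.items():
            if order not in fed:  # a mapped column no pattern variable ever fills
                problems.append("%s (field_order %d) is never set" % (field, order))
        for ex in rule.iter("example"):
            got = match_message(tokens, ex.findtext("test_message"))
            if got is None:
                problems.append("test_message did not match the pattern")
                continue
            for tv in ex.iter("test_value"):
                if got.get(tv.get("name")) != tv.text:
                    problems.append("%s: expected %r, parsed %r"
                                    % (tv.get("name"), tv.text, got.get(tv.get("name"))))
            # i* slots land in int columns: only integers or dotted IPv4 belong there
            for n in names:
                if n[0] == "i" and not re.fullmatch(r"\d+|\d+(\.\d+){3}", got[n]):
                    problems.append("%s is an int slot but parsed %r" % (n, got[n]))
    return problems
```

Run `check_ruleset(BRO_FTP_RULESET, BRO_FTP_FIELD_ORDER)`; an empty list means every test_value is reproduced by the pattern and every field_order in the class map is fed by a variable of the right type. Adding a mapped column that no variable fills (or shifting one `@ESTRING::|@` skip) shows up as a reported problem rather than as silently empty or mis-typed columns after ingestion.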

@GoogleCodeExporter

Thanks Alec.  

I've already got ftp.log, tunnels.log, syslog.log, weird.log, dhcp.log and 
files.log rolled into an update for our next push in ELSA.  I hadn't taken a 
look at SSH though so I'll likely test yours and include it if it all looks 
okay.  

Thanks again!

Original comment by srunn...@gmail.com on 12 Nov 2013 at 2:26


@GoogleCodeExporter

Published:
http://blog.securityonion.net/2013/12/bro-22-and-elsa-15-packages-now.html

Original comment by doug.bu...@gmail.com on 10 Dec 2013 at 9:03

  • Changed state: Verified
