Developing a Huawei switch log collection plugin for the OSSIM platform

Published: 2020-07-30 00:24:19  Source: reposted from the web  Views: 3229  Author: 李晨光  Column: Security Technology


For a long time, Huawei switch logs have been collected by forwarding them over syslog to a log collector and simply storing them there. That does not standardize the logs, which is exactly the normalization step OSSIM performs on every event. Chapter 7 of the book 《開源安全運維平台-OSSIM最佳實踐》 (Open Source Security Operations Platform: OSSIM Best Practices) is devoted to log collection and custom plugins; this article continues that material with a plugin for Huawei switches. As the book describes, create the plugin file huawei.cfg in the OSSIM Agent plugin directory (/etc/ossim/agent/plugins/ on a standard install). The file has four kinds of sections: [DEFAULT] fixes the plugin_id; [config] tells the agent to read the log file named in location, so the syslog daemon on the OSSIM host must already be writing the switch's messages to that file (for example with an rsyslog rule keyed on the switch's source address); [translation] maps the Huawei message mnemonic captured by each rule (the brief) to a plugin_sid; and each numbered [NNNN - name] section is one rule made of a precheck string, a regexp with named groups, and the mapping of those groups onto event fields. The general layout can follow the book, but pay attention to the import step, which is where a malformed file usually fails. A working Huawei plugin follows; its rules also cover security-policy, attack-defense, session and command-record messages, so the same file serves as a template for other Huawei devices.

[DEFAULT]

plugin_id=1728

[config]

type=detector

enable=yes

source=log

location=/var/log/huawei.log

create_file=yes

process=

start=no

stop=no

startup=

shutdown=

[translation]

SESSION_TEARDOWN=1

BOTNET=2

DETECT=3

CMDRECORD=4

DISPLAY_CMDRECORD=5

LOAD_OK=6

UPDATESUCCESS=7

LOAD_FAIL=8

PASS=9

OUT=10

TRAPLOG=11

LOGIN_SUCCED=9

LOGIN_SUCCEED=9

FIREWALLATCK=12

USER_ACCESSRESULT=13

USER_OFFLINERESULT=14

DATASYNC_CFGCHANGE=15

CMDCONFIRM_UNIFORMRECORD=16

SAVE=17

STREAM=18

LOGIN=9

LOADSUCC=19

LINK_STATE=20

STATUSUP=21

IF_ENABLE=22

ONLINESUCC=23

HOT_INSERT=24

BOARD_ENABLE=25

ACTIVATION=27

DEV_REG=28

GETSERVERR=29

VIRUS=30

BOARD_ABSENT=31

REMOVABLE=32

REBOOT=33

WARMSTART=34

NLOGINIT=35

TRAP=11

RECOVERSUCCESS=37

UPDATE_SUCCESS=38

ENGINE_OK=39

Here are the regular-expression rules; they assume some regex background. Every rule parses the same Huawei log header, %%01MODULE/SEVERITY/BRIEF(l)[...]:message, where 01 is the format version, MODULE the feature that emitted the message, SEVERITY a single digit from 0 to 7, BRIEF the mnemonic that the [translation] table maps to plugin_sid, and (l) marks a log (a trap carries (t)). The named groups syslog_date, hostname, version, module, severity, brief and identifier capture those header pieces in each rule, and the remaining groups pick the key=value fields out of the message body. Field mapping lines refer to a group as $name, and the helpers normalize_date(), resolv() and translate() convert the timestamp, resolve the device name and look the value up in [translation] respectively. Groups that no mapping line uses are written as non-capturing (?:...) so they cost nothing.

[0001 - Huawei]

event_type=event

precheck="Application"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)(?P<version>\d\d)(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?)\((?P<identifier>\w)\).*?:\s+(?P<description>.*?)\(.*?Policy="(?P<policy>[^"]*)",\s+SrcIp=(?P<src_ip>[^,]*),\s+DstIp=(?P<dst_ip>[^,]*),\s+SrcPort=(?P<src_port>[^,]*),\s+DstPort=(?P<dst_port>[^,]*),\s+SrcZone=(?P<src_zone>[^,]*),\s+DstZone=(?P<dst_zone>[^,]*),\s+User="(?P<user>[^"]*)",\s+Protocol=(?P<proto>[^,]*),\s+Application="(?P<app>[^,]*)",\s+Profile="(?P<profile>[^"]*)",\s+.*?(?:SignName|VirusName)="(?P<sig_name>[^"]*)",\s(?:DetectionType="(?P<det_type>[^,]*)",)?.*?Action=(?P<action>[^\)]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

protocol={$proto}

src_ip={$src_ip}

dst_ip={$dst_ip}

src_port={$src_port}

dst_port={$dst_port}

username={$user}

userdata1={$description}

userdata2={translate($severity)}

userdata3={$policy}

userdata4={$action}

userdata5={$det_type}

userdata6={$profile}

userdata7={$sig_name}

userdata8={$app}

userdata9={$dst_zone}

[0002 - Huawei Attack]

event_type=event

precheck="AttackType"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>[^\(]*).*?AttackType="(?P<attack>[^"]*)",\s+.*?interface="(?P<interface>[^"]*)",\s+proto="(?P<proto>[^"]*)",\s+src="(?P<src_ip>[^:]*):(?P<src_port>\d+)\s+",\s+dst="(?P<dst_ip>[^:]*):(?P<dst_port>\d+)\s+",\s+begin\s+time="(?P<begin_time>[^"]*)",\s+end\s+time="(?P<end_time>[^"]*)",\s+total\s+packets="(?P<total_pkt>[^"]*)",\s+max\s+speed="(?P<speed>[^"]*)",\s+User="(?P<user>[^"]*)",\s+Action="(?P<action>[^"]*)""

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($src_ip)}

dst_ip={resolv($dst_ip)}

src_port={$src_port}

dst_port={$dst_port}

username={$user}

protocol={$proto}

userdata1={$action}

userdata2={translate($severity)}

userdata3={$module}

userdata4={$begin_time}

userdata5={$end_time}

userdata6={$total_pkt}

userdata7={$speed}

userdata8={$interface}

userdata9={$attack}

[0003 - Huawei]

event_type=event

precheck="SourceVpnID"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?:\d{4}-\d{2}-\d{2}\s+\d+\d+:\d+:\d+)\s+(?P<hostname>\S+)\s+(?:%%)(?P<version>\d\d)(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?)\((?P<identifier>\w)\):IPVer=(?:[^,]*),Protocol=(?P<proto>[^,]*),SourceIP=(?P<src_ip>[^,]*),DestinationIP=(?P<dst_ip>[^,]*),SourcePort=(?P<src_port>[^,]*),DestinationPort=(?P<dst_port>[^,]*),BeginTime=(?P<begin_time>[^,]*),EndTime=(?P<end_time>[^,]*),SendPkts=(?P<send_pkt>[^,]*),SendBytes=(?P<send_b>[^,]*),RcvPkts=(?P<rcv_pkt>[^,]*),RcvBytes=(?P<rcv_b>[^,]*),SourceVpnID=(?P<src_vpn_id>[^,]*),DestinationVpnID=(?P<dst_vpn_id>[^,]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

protocol={$proto}

src_ip={$src_ip}

dst_ip={$dst_ip}

src_port={$src_port}

dst_port={$dst_port}

userdata1={$module}

userdata2={translate($severity)}

userdata3={$send_pkt}

userdata4={$send_b}

userdata5={$rcv_pkt}

userdata6={$rcv_b}

userdata7={$src_vpn_id}

userdata8={$dst_vpn_id}

userdata9={$module}

[0004 - Huawei]

event_type=event

precheck="AuthenticationMethod"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)(?P<version>\d\d)(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?)\((?P<identifier>\w)\).*?:(?P<description>.*?)\(Task=(?P<task>[^,]*),\s+Ip=(?P<ip>[^,]*),\s+VpnName=(?P<vpn_name>[^,]*),\s+User=(?P<user>[^,]*),\s+AuthenticationMethod="(?P<method>[^,]*)",\s+Command="(?P<command>[^"]*)""

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($ip)}

username={$user}

userdata1={$identifier}

userdata2={translate($severity)}

userdata3={$task}

userdata5={$vpn_name}

userdata6={$method}

userdata7={$command}

userdata8={$module}

userdata9={$description}

[0005 - Huawei updates]

event_type=event

precheck="Version"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)(?P<version>\d\d)(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?)\((?P<identifier>\w)\).*?:(?P<description>.*?)\(SyslogId=(?:[^,]*),\s+(?:User=(?P<user>[^,]*),\s+IP=(?P<ip>[^,]*),\s+)?Module=(?P<module1>[^,]*),.*?Version=(?P<version1>[^,]*),\s+(?:UpdateVersion=(?:[^,]*),\s+Status=(?P<status>[^,]*),\s+)?Duration\(s\)=(?P<duration>[^,|\)]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($ip)}

username={$user}

userdata1={$version}

userdata2={translate($severity)}

userdata3={$module}

userdata4={$module1}

userdata5={$version1}

userdata6={$duration}

userdata7={$status}

userdata8={$module}

userdata9={$description}

[0006 - Huawei login logout]

event_type=event

precheck="IP"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)(?P<version>\d\d)(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?)\((?P<identifier>\w)\).*?:User\s+(?P<username>\S+)\(IP:(?P<user_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+ID:(?P<id>\d+)\)\s+(?P<action>login|logout)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($user_address)}

username={$username}

userdata1={$version}

userdata2={translate($severity)}

userdata3={$module}

userdata5={$id}

userdata6={$action}

userdata7={$module}

userdata8={$identifier}

[0007 - Huawei config]

event_type=event

precheck="ConfigSource"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)(?P<version>\d\d)(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?)\((?P<identifier>\w)\).*?configure changed.*?EventIndex=(?P<index>\d),\s+CommandSource=(?P<command_index>\d+),\s+ConfigSource=(?P<config_src>\d+),\s+ConfigDestination=(?P<config_dst>\d+)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($hostname)}

userdata1={$version}

userdata2={translate($severity)}

userdata3={$module}

userdata4={$config_dst}

userdata5={$config_src}

userdata6={$command_index}

userdata7={$index}

userdata8={$identifier}

[0008 - Huawei access]

event_type=event

precheck="DEVICEMAC"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)(?P<version>\d\d)(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?)\((?P<identifier>\w)\).*?:.*?DEVICEMAC:(?P<dec_mac>[^;]*);DEVICENAME:(?P<dev_name>[^;]*);USER:(?P<user>[^;]*);MAC:(?:[^;]*);IPADDRESS:(?P<ip>[^;]*);TIME:(?:[^;]*);ZONE:(?P<zone>[^;]*);DAYLIGHT:(?P<daylight>[^;]*);ERRCODE:(?P<errcode>[^;]*);RESULT:(?P<result>[^;]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($ip)}

username={$user}

userdata1={$result}

userdata2={translate($severity)}

userdata3={$module}

userdata4={$dec_mac}

userdata5={$dev_name}

userdata6={$errcode}

userdata7={$identifier}

userdata8={$daylight}

userdata9={$zone}

[0009 - Huawei login]

event_type=event

precheck="User login succeed"

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?):.*?User login succeed.*?username\s+=\s+(?P<user>[^,]*),\s+loginIP\s+=\s+(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\s+loginTime\s+=\s+(?P<login_time>[^,]*),\s+loginType\s=\s(?P<login_type>[^,]*),\s+userLevel\s+=\s+(?P<level>[^,|)]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($ip)}

username={$user}

userdata1={translate($severity)}

userdata2={$module}

userdata3={$login_time}

userdata4={$login_type}

userdata5={$level}

[0030 - Huawei generic]

event_type=event

regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)?(?P<version>\d\d)?(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>[^:|\(]*)(?:\((?P<identifier>\w)\))?.*?:(?P<msg>.*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($hostname)}

userdata1={translate($severity)}

userdata2={$module}

userdata3={$identifier}

userdata4={$msg}

userdata5={$version}

Once the plugin is written, test and revise it repeatedly; only when it passes should you import it, and then enable it, as shown in the figure below. Two points cost the most time in testing. First, a rule is tried only when its precheck string occurs in the raw line, and the rules are tried one after another with the first regexp that matches winning, so the catch-all [0030 - Huawei generic] must stay numbered after every specific rule, and a new rule needs a precheck string that no other message type contains. Second, every $name in a rule's field mapping must be a named group (?P<name>...) of that rule's regexp, and plugin_sid={translate($brief)} only yields a number when the brief captured from the message is a key in [translation], so each message type you expect needs an entry there; a key listed twice with different numbers is not rejected by the config parser, which simply keeps one of the two values.

[Figure: importing the plugin and enabling it in the OSSIM console]
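The test-and-revise step above is easiest to do off the box. The following Python script is an added example, not code from the article and not the OSSIM agent's own parser: it embeds a two-rule subset of the plugin above, lints it for the defects the import step never reports (a duplicated [translation] key, a regexp that fails to compile, a mapping entry that names a group the regexp does not capture), and then replays two constructed Huawei log lines through the rules in the agent's precheck-then-regexp order. The {normalize_date()}, {translate()} and {resolv()} helpers are re-implemented only far enough to show the mapping: pinning the year to 2020, the pass-through resolv(), and the _DEFAULT_ fallback in translate() are assumptions of this harness, and the two log lines are constructed, not captured from a switch.

```python
"""Lint an OSSIM agent detector plugin and replay constructed Huawei log lines
through its rules offline (precheck substring -> regexp -> field mapping with the
{helper($group)} expansions). Added example, not code from the article or from OSSIM."""
import configparser
import datetime
import re

YEAR = 2020  # assumption: syslog timestamps carry no year, so one is pinned here

# Two-rule subset of the article's plugin. The duplicated translation key is kept
# on purpose so the linter has something to report.
PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=1728
[translation]
CMDRECORD=4
LINK_STATE=20
CMDCONFIRM_UNIFORMRECORD=16
CMDCONFIRM_UNIFORMRECORD=26
[0004 - Huawei]
event_type=event
precheck="AuthenticationMethod"
regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)(?P<version>\d\d)(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>.*?)\((?P<identifier>\w)\).*?:(?P<description>.*?)\(Task=(?P<task>[^,]*),\s+Ip=(?P<ip>[^,]*),\s+VpnName=(?P<vpn_name>[^,]*),\s+User=(?P<user>[^,]*),\s+AuthenticationMethod="(?P<method>[^,]*)",\s+Command="(?P<command>[^"]*)""
date={normalize_date($syslog_date)}
plugin_sid={translate($brief)}
src_ip={resolv($ip)}
username={$user}
userdata7={$command}
[0030 - Huawei generic]
event_type=event
regexp="(?P<syslog_date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P<hostname>\S+)\s+(?:%%)?(?P<version>\d\d)?(?P<module>\S+)\/(?P<severity>\d)\/(?P<brief>[^:|\(]*)(?:\((?P<identifier>\w)\))?.*?:(?P<msg>.*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
userdata1={translate($severity)}
userdata4={$msg}
"""

# Constructed lines (not captured from a device) in the shape the syslog relay
# writes to /var/log/huawei.log: relay header, then the switch's own record.
SAMPLE_LINES = [
    'Jul 30 10:15:02 10.1.1.1 Jul 30 2020 10:15:02 SW-CORE-01 %%01SHELL/5/CMDRECORD(l)[120]:Recorded command information. (Task=VT0, Ip=10.1.1.50, VpnName=, User=admin, AuthenticationMethod="Local-user", Command="display current-configuration")',
    "Jul 30 10:16:40 10.1.1.1 Jul 30 2020 10:16:40 SW-CORE-01 %%01IFNET/4/LINK_STATE(l)[121]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.",
]

FIXED = {"plugin_id", "event_type", "precheck", "regexp"}  # keys that are not event fields
TOKEN = re.compile(r"\{(?:(\w+)\()?\$(\w+)\)?\}")  # {helper($group)} or {$group}

def unquote(s):
    return s[1:-1] if len(s) > 1 and s[0] == s[-1] == '"' else s

def load_plugin(text, strict=False):
    cp = configparser.ConfigParser(interpolation=None, strict=strict)
    cp.optionxform = str  # keep case: translation keys are the Huawei brief mnemonics
    cp.read_string(text)
    return cp

def rules(cfg):  # rule sections in file order; the agent tries them one by one
    return [s for s in cfg.sections() if s != "translation"]

def render(template, groups, cfg):
    """Expand the mapping helpers; resolv() is a pass-through here (the agent does DNS)."""
    def sub(m):
        helper, val = m.group(1), groups.get(m.group(2)) or ""  # unmatched optional group -> ""
        if helper == "normalize_date":
            dt = datetime.datetime.strptime(f"{val} {YEAR}", "%b %d %H:%M:%S %Y")
            return dt.strftime("%Y-%m-%d %H:%M:%S")
        if helper == "translate":  # assumption: unknown keys fall back to _DEFAULT_, then to the raw value
            tr = cfg["translation"]
            return tr[val] if val in tr else tr.get("_DEFAULT_", val)
        return val
    return TOKEN.sub(sub, template)

def lint_plugin(text):
    """Duplicate keys (only one survives), regexps that do not compile and mapping
    entries naming a group the regexp lacks: the import step reports none of these."""
    problems = []
    try:
        load_plugin(text, strict=True)
    except configparser.DuplicateOptionError as e:
        problems.append(f"[{e.section}] duplicate key {e.option} (line {e.lineno})")
    cfg = load_plugin(text)
    for name in rules(cfg):
        try:
            groups = re.compile(unquote(cfg[name]["regexp"])).groupindex
        except re.error as e:
            problems.append(f"[{name}] regexp does not compile: {e}")
            continue
        for key, value in cfg[name].items():
            for var in re.findall(r"\$(\w+)", value) if key not in FIXED else ():
                if var not in groups:
                    problems.append(f"[{name}] {key} references ${var}, which the regexp never captures")
    return problems

def match_line(cfg, line):
    """First rule whose precheck string occurs in the line and whose regexp matches wins."""
    for name in rules(cfg):
        rule = cfg[name]
        pre = unquote(rule.get("precheck", ""))
        if pre and pre not in line:
            continue
        m = re.search(unquote(rule["regexp"]), line)
        if m:
            event = {k: render(v, m.groupdict(), cfg) for k, v in rule.items() if k not in FIXED}
            return name, dict(event, plugin_id=rule["plugin_id"])
    return None, None

if __name__ == "__main__":
    for problem in lint_plugin(PLUGIN_CFG):
        print("LINT:", problem)
    for line in SAMPLE_LINES:
        print(match_line(load_plugin(PLUGIN_CFG), line))
```

Running it prints the single lint finding (the CMDCONFIRM_UNIFORMRECORD key listed twice) followed by the two normalized events: the CMDRECORD line lands in rule 0004 with plugin_sid 4 and the full command string in userdata7, while the LINK_STATE line, which no precheck claims, falls through to rule 0030 with plugin_sid 20 and the untranslated severity digit in userdata1. Swap PLUGIN_CFG for the contents of your huawei.cfg and SAMPLE_LINES for a tail of /var/log/huawei.log to check a plugin before importing it; a regexp whose (?P<name>...) groups were mangled, for example by copying from a web page, shows up as a "does not compile" finding here instead of as a silent non-match in the agent.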

The above is one example of a Huawei switch plugin; logs from other Huawei devices are handled the same way. If anything is unclear, consult the book 《開源安全運維平台OSSIM最佳實踐》 or contact its author.

