From 28ce80d1e0f926f5545f415c88b5cf61343274f3 Mon Sep 17 00:00:00 2001
From: theflakes
Date: Wed, 3 Jun 2015 20:42:15 -0400
Subject: [PATCH 1/2] Add source of syslog as destination IP for Sguil alert
Some syslogs do not contain the IP of the device sending the syslog in the body of the syslog. Cisco ASAs do this with some syslog messages. Therefore I added to the regex to pull this information out if it exists in the second line of the OSSEC alert.
---
 etc/nsm/ossec/ossec_agent.tcl | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/etc/nsm/ossec/ossec_agent.tcl b/etc/nsm/ossec/ossec_agent.tcl
index 4686f3f..ab425c4 100755
--- a/etc/nsm/ossec/ossec_agent.tcl
+++ b/etc/nsm/ossec/ossec_agent.tcl
@@ -212,8 +212,8 @@ proc ProcessData { line } {
 } elseif { ([regexp {(?x)
 # ^(\d\d\d\d)\s+(...)\s+(\d\d)\s+(\d\d:\d\d:\d\d)\s+(.*)->
 # ^(\d\d\d\d)\s+(...)\s+(\d\d)\s+(\d\d:\d\d:\d\d)\s+(\(.*\)\s+)*(.*)->
- ^(\d\d\d\d)\s+(...)\s+(\d\d)\s+(\d\d:\d\d:\d\d)\s+(\(.*\)\s+)*(\S+)->
- } $line MatchVar year month day time placeholder agent]) } {
+ ^(\d\d\d\d)\s+(...)\s+(\d\d)\s+(\d\d:\d\d:\d\d)\s+(\(.*\)\s+)*(\S+)->(\d+.\d+.\d+.\d+)*
+ } $line MatchVar year month day time placeholder agent SyslogSource]) } {
 set nDate [clock format [clock scan "$day $month $year $time" ] -gmt true -f "%Y-%m-%d %T"]
 # Ok, this is confusing, but the regexp can return either one
 # or two variables, depending on the format of the input line.
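Review bot: The new capture `(\d+.\d+.\d+.\d+)*` on the pattern line leaves the dots unescaped and quantifies the group with `*`, so it also accepts any run of seven or more digits after `->` (an unescaped `.` matches a digit too) and, if the group repeats, Tcl keeps only the last repetition; since the captured text is later used verbatim as the alert's address, it should be tightened to `(\d+\.\d+\.\d+\.\d+)?`. The context comment `# Ok, this is confusing, but the regexp can return either one # or two variables` is now stale because the pattern yields a third capture; I would extend it with `# A third capture, SyslogSource, is empty unless an IPv4-looking token follows '->'.` ProcessData begins before this hunk and continues past it.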
@@ -222,7 +222,13 @@ proc ProcessData { line } {
 # usually just be one field (either a hostname or an IP address,
 # depending on the log source). In either case, the $agent
 # variable ends up holding the correct value for our purposes.
- set agent [ResolveHostname $agent]
+ # SyslogSource will pull out the IP of the device sending a
+ # syslog to OSSEC.
+ if {[string length $SyslogSource] != 0} {
+ set agent $SyslogSource
+ } else {
+ set agent [ResolveHostname $agent]
+ }
 } elseif { [regexp {(?x)
 ^Rule:\s+(\d+)\s+\(level\s+(\d+)\)\s+->\s+'(.*)'
 } $line MatchVar sig_id priority message ] } {
From 4ca4a0cc9dc52e2cfd8800b7c1cf2f29cbd668b4 Mon Sep 17 00:00:00 2001
From: theflakes
Date: Wed, 3 Jun 2015 21:12:52 -0400
Subject: [PATCH 2/2] change variable name for syslog source
---
 etc/nsm/ossec/ossec_agent.tcl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/etc/nsm/ossec/ossec_agent.tcl b/etc/nsm/ossec/ossec_agent.tcl
index ab425c4..1176adf 100755
--- a/etc/nsm/ossec/ossec_agent.tcl
+++ b/etc/nsm/ossec/ossec_agent.tcl
@@ -213,7 +213,7 @@ proc ProcessData { line } {
 # ^(\d\d\d\d)\s+(...)\s+(\d\d)\s+(\d\d:\d\d:\d\d)\s+(.*)->
 # ^(\d\d\d\d)\s+(...)\s+(\d\d)\s+(\d\d:\d\d:\d\d)\s+(\(.*\)\s+)*(.*)->
 ^(\d\d\d\d)\s+(...)\s+(\d\d)\s+(\d\d:\d\d:\d\d)\s+(\(.*\)\s+)*(\S+)->(\d+.\d+.\d+.\d+)*
- } $line MatchVar year month day time placeholder agent SyslogSource]) } {
+ } $line MatchVar year month day time placeholder agent syslog_source]) } {
 set nDate [clock format [clock scan "$day $month $year $time" ] -gmt true -f "%Y-%m-%d %T"]
 # Ok, this is confusing, but the regexp can return either one
 # or two variables, depending on the format of the input line.
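Review bot: The new `if` branch assigns the captured text to `agent` without the `ResolveHostname` step or any check that it is a well-formed address, so whatever the loose capture in the previous hunk returns is passed on as the Sguil destination; I would only take the shortcut when the value actually looks like an IPv4 address, e.g. `if {[regexp {^(?:\d{1,3}\.){3}\d{1,3}$} $SyslogSource]} {`. The added comment `# SyslogSource will pull out the IP of the device sending a syslog to OSSEC.` names the variable literally, and the follow-up patch renames the variable while leaving the comment as is; phrasing it as `# If an IP follows "->" on the alert line it is the syslog sender; prefer it over the agent name.` avoids that drift. ProcessData begins before this hunk and continues after it.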
@@ -224,8 +224,8 @@ proc ProcessData { line } {
 # variable ends up holding the correct value for our purposes.
 # SyslogSource will pull out the IP of the device sending a
 # syslog to OSSEC.
- if {[string length $SyslogSource] != 0} {
- set agent $SyslogSource
+ if {[string length $syslog_source] != 0} {
+ set agent $syslog_source
 } else {
 set agent [ResolveHostname $agent]
 }