Exporting a Suricata Log File with an HIDS Agent to AlienVault

on April 25th, 2017 by Hades

In this process we will configure an HIDS Agent, installed on a Linux system running Suricata, to read logs from a file. This is useful when we want to collect data from an application that logs directly to a file.

Configure HIDS Agent to read a file on Suricata host

  1. Edit /var/ossec/etc/ossec.conf
  2. Add the following settings inside the element of the ossec.conf file:
  3. Restart the ossec-agent service.

Enable “logall” on USM Appliance

  1. In the USM Appliance web UI, go to Environment -> Detection -> HIDS -> Config -> Configuration.
  2. Add <logall>yes</logall> to the <global> section of the file:

    Adding this setting allows logging of all events to /var/ossec/logs/archives/archives.log.
  3. Click Save at the bottom of the screen.
  4. Restart the HIDS Service:
    1. Go to Environment -> Detection -> HIDS -> HIDS Control.
    2. Click Restart.

Confirm that USM Appliance receives the log line

  1. Run Suricata on the host: /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -D
  2. On USM Appliance, check for the newly added line in /var/ossec/logs/archives/archives.log.
     You can check for the log line by running the following command:

     You should see output similar to the following:

Create a new decoder on USM Appliance to parse the incoming log lines

  1. On USM Appliance edit /var/ossec/alienvault/decoders/local_decoder.xml (same as decoder.xml, but this file is not overwritten when the system is updated). If this file does not exist you can create it with the following command:
  2. In local_decoder.xml add a new decoder to parse the first part of the log message and save your changes:
  3. In the USM Appliance web UI, go to Environment -> Detection -> HIDS -> Config -> Configuration.
  4. Add <decoder>alienvault/decoders/local_decoder.xml</decoder> right after <decoder>:
    Adding this setting enables the usage of a custom decoder.
  5. Click Save at the bottom of the screen.
  6. Restart the HIDS service
    1. Go to Environment -> Detection -> HIDS -> HIDS Control.
    2. Click Restart.
  7. Run /var/ossec/bin/ossec-logtest and paste the log line “2017 Apr 25 06:20:02 (flowserver) 10.10.220.23->/var/log/suricata/fast.log 04/25/2017-10:19:59.500595 [**] [1:2210010:2] SURICATA STREAM 3way handshake wrong seq wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 84.246.11.25:51418 -> 192.168.223.39:80”
  8. Check if it recognizes the decoder.
    If it works you will see the newly created decoder listed, as shown below:
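As an added example (not part of the original post): a small Python parser that extracts the same fields from a Suricata fast.log line that the custom decoder has to recognise, with or without the prefix the HIDS adds in archives.log. The sample lines are constructed (the first is the line quoted above); OSSEC decoders use their own regex dialect, so these patterns are a reference for what you expect ossec-logtest to extract, not a drop-in for local_decoder.xml.

```python
import re
from typing import Optional

# Constructed sample: the line quoted in this post, as it appears in archives.log
# (the HIDS prepends "<date> (<agent name>) <agent ip>-><log location> ").
SAMPLE_ARCHIVE_LINE = (
    "2017 Apr 25 06:20:02 (flowserver) 10.10.220.23->/var/log/suricata/fast.log "
    "04/25/2017-10:19:59.500595 [**] [1:2210010:2] SURICATA STREAM 3way handshake "
    "wrong seq wrong ack [**] [Classification: Generic Protocol Command Decode] "
    "[Priority: 3] {TCP} 84.246.11.25:51418 -> 192.168.223.39:80"
)
# Constructed sample: a raw fast.log line for a protocol that carries no ports.
SAMPLE_ICMP_LINE = (
    "04/25/2017-10:21:07.000123  [**] [1:9000001:1] TEST ICMP ping (constructed) [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.10.220.5 -> 10.10.220.23"
)

# Optional archives.log prefix: agent name, agent IP and the location the line was read from.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \((?P<agent>[^)]*)\) "
    r"(?P<agent_ip>\S+)->(?P<location>\S+)\s+"
)
# The fast.log alert itself: timestamp, gid:sid:rev, message, classification,
# priority, protocol and the endpoints (ports are absent for ICMP).
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_fast_log(line: str) -> Optional[dict]:
    """Return the alert fields of one fast.log line (with or without the
    archives.log prefix), or None when the line does not match."""
    line = line.strip()
    fields = {}
    pre = ARCHIVE_PREFIX.match(line)
    if pre:
        fields.update(pre.groupdict())
        line = line[pre.end():]
    m = FAST_LINE.match(line)
    if m is None:
        return None
    fields.update(m.groupdict())
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        if fields.get(key) is not None:
            fields[key] = int(fields[key])
    return fields
```

A line that neither pattern recognises (for example the plain “suricata: This is another Test” used later in this post) returns None, which is the same situation as ossec-logtest reporting no matching decoder.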

Create a new rule on USM Appliance to parse lines processed by the decoder

  1. On USM Appliance edit /var/ossec/alienvault/rules/local_rules.xml.
  2. Add the following lines to the file:
  3. Restart the HIDS service
    1. Go to Environment -> Detection -> HIDS -> HIDS Control.
    2. Click Restart.
  4. Run /var/ossec/bin/ossec-logtest and paste a log line (in this case “suricata: This is another Test”).
  5. Check if it recognizes the rule:
    You will see Phase 3 of the Log Test has completed and matched our new rule:

Create and configure a local version of the ossec-single-line plugin

  1. Create a .local version of the ossec-single-line plugin (if it does not already exist) and ensure it has the correct owner, group and permissions:
  2. Insert or add the following translation to the ossec-single-line.cfg.local file:
  3. Insert a new plugin_sid with value “106001” for the ossec-single-line plugin. This can be done using the following command:
  4. Run the command below to ensure the new configuration takes effect:

Test your configuration

  1. You should see an output
  2. (Alternatively) Generate new logs and look in the USM Appliance web UI for results:
      1. Go to Analysis > Security Events (SIEM).
      2. Under Datasource, select “AlienVault HIDS”.
      3. Click Grouped to view the events in groups.

Disable “logall”

Repeat all actions taken in Enable “logall” on USM Appliance, but this time delete the line “<logall>yes</logall>” from ossec.conf. This prevents the archives.log file from growing too large.