Skip to content
This repository has been archived by the owner on Apr 19, 2021. It is now read-only.

Commit

Permalink
Issue 1036: securityonion-elsa-extras: add pattern for Bro rfb.log
Browse files Browse the repository at this point in the history
  • Loading branch information
dougburks committed Jan 10, 2017
1 parent 57e651a commit f294262
Show file tree
Hide file tree
Showing 9 changed files with 264 additions and 0 deletions.
43 changes: 43 additions & 0 deletions contrib/parsers/bro_rfb
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
<ruleset name="bro_rfb" id="26020">
<pattern>bro_rfb</pattern>
<rules>
<rule provider="Security_Onion" class="26020" id="26020">
<patterns>
<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING:s5:|@@ESTRING:i4:|@@ESTRING:i5:@</pattern>
</patterns>
<examples>
<example>
<test_message program='bro_rfb'>1484079685.745596|Cjoynh4xFlb9GzUNv9|192.168.2.115|52353|192.168.2.16|5900|003|889|003|889|Apple Remote Desktop|T|T|\x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD|1920|1080</test_message>
<!-- ts -->
<!-- uid -->
<!-- id.orig_h srcip (already in fields table) -->
<test_value name="i0">192.168.2.115</test_value>
<!-- id.orig_p srcport (already in fields table) -->
<test_value name="i1">52353</test_value>
<!-- id.resp_h dstip (already in fields table) -->
<test_value name="i2">192.168.2.16</test_value>
<!-- id.resp.p dstport (already in fields table) -->
<test_value name="i3">5900</test_value>
<!-- client_major_version -->
<test_value name="s0">003</test_value>
<!-- client_minor_version -->
<test_value name="s1">889</test_value>
<!-- server_major_version -->
<test_value name="s2">003</test_value>
<!-- server_minor_version -->
<test_value name="s3">889</test_value>
<!-- authentication_method -->
<test_value name="s4">Apple Remote Desktop</test_value>
<!-- auth -->
<!-- share_flag -->
<!-- desktop_name -->
<test_value name="s5">\x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD</test_value>
<!-- width -->
<test_value name="i4">1920</test_value>
<!-- height -->
<test_value name="i5">1080</test_value>
</example>
</examples>
</rule>
</rules>
</ruleset>
2 changes: 2 additions & 0 deletions contrib/securityonion-syslog-ng.conf
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ source s_bro_pe { file("/nsm/bro/logs/current/pe.log" flags(no-parse) program_ov
source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };

destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };

Expand Down Expand Up @@ -90,6 +91,7 @@ log {
source(s_bro_sip);
source(s_bro_modbus);
source(s_bro_dnp3);
source(s_bro_rfb);
source(s_ossec);
source(s_network);
source(s_syslog);
Expand Down
5 changes: 5 additions & 0 deletions contrib/securityonion_parsers_sql.sh
Original file line number Diff line number Diff line change
Expand Up @@ -307,3 +307,8 @@ mysql -uroot < $SQL || echo "Error importing $SQL."
# Additions for Cisco ASA Botnet
SQL="$SQL_DIR/asa_botnet.sql"
mysql -uroot < $SQL || echo "Error importing $SQL."

# Additions for BRO_RFB class & associated fields
SQL="$SQL_DIR/bro_rfb.sql"
mysql -uroot < $SQL || echo "Error importing $SQL."

32 changes: 32 additions & 0 deletions contrib/sql/bro_rfb.sql
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
use syslog;

/* Create bro_rfb class */
INSERT IGNORE INTO classes (id, class) VALUES (26020, "BRO_RFB");

/* add new integers that don't already exist in fields table */
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("width","int", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("height","int", "QSTRING");

/* add new strings that don't already exist in fields table */
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("client_major_version","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("client_minor_version","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("server_major_version","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("server_minor_version","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("authentication_method","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("desktop_name","string", "QSTRING");

/* integers i0 through i5 are field order 5 through 10 */
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="srcip"), 5);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="srcport"), 6);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="dstip"), 7);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="dstport"), 8);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="width"), 9);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="height"), 10);

/* strings s0 through s5 are field order 11 through 16 */
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="client_major_version"), 11);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="client_minor_version"), 12);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="server_major_version"), 13);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="server_minor_version"), 14);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="authentication_method"), 15);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="desktop_name"), 16);
6 changes: 6 additions & 0 deletions debian/changelog
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
securityonion-elsa-extras (20151011-1ubuntu1securityonion48) trusty; urgency=medium

* Issue 1036: securityonion-elsa-extras: add pattern for Bro rfb.log

-- Doug Burks <doug.burks@gmail.com> Tue, 10 Jan 2017 16:26:11 -0500

securityonion-elsa-extras (20151011-1ubuntu1securityonion47) trusty; urgency=medium

* fix bro_ftp pattern
Expand Down
1 change: 1 addition & 0 deletions debian/install
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ contrib/parsers/bro_notice etc/elsa/patterns.d/securityonion
contrib/parsers/bro_pe etc/elsa/patterns.d/securityonion
contrib/parsers/bro_radius etc/elsa/patterns.d/securityonion
contrib/parsers/bro_rdp etc/elsa/patterns.d/securityonion
contrib/parsers/bro_rfb etc/elsa/patterns.d/securityonion
contrib/parsers/bro_sip etc/elsa/patterns.d/securityonion
contrib/parsers/bro_smtp etc/elsa/patterns.d/securityonion
contrib/parsers/bro_snmp etc/elsa/patterns.d/securityonion
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
Description: <short summary of the patch>
TODO: Put a short summary on the line above and replace this paragraph
with a longer explanation of this change. Complete the meta-information
with other relevant fields (see below for details). To make it easier, the
information below has been extracted from the changelog. Adjust it or drop
it.
.
securityonion-elsa-extras (20151011-1ubuntu1securityonion48) trusty; urgency=medium
.
* Issue 1036: securityonion-elsa-extras: add pattern for Bro rfb.log
Author: Doug Burks <doug.burks@gmail.com>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- /dev/null
+++ securityonion-elsa-extras-20151011/contrib/parsers/bro_rfb
@@ -0,0 +1,43 @@
+<ruleset name="bro_rfb" id="26020">
+ <pattern>bro_rfb</pattern>
+ <rules>
+ <rule provider="Security_Onion" class="26020" id="26020">
+ <patterns>
+ <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING:s5:|@@ESTRING:i4:|@@ESTRING:i5:@</pattern>
+ </patterns>
+ <examples>
+ <example>
+ <test_message program='bro_rfb'>1484079685.745596|Cjoynh4xFlb9GzUNv9|192.168.2.115|52353|192.168.2.16|5900|003|889|003|889|Apple Remote Desktop|T|T|\x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD|1920|1080</test_message>
+ <!-- ts -->
+ <!-- uid -->
+ <!-- id.orig_h srcip (already in fields table) -->
+ <test_value name="i0">192.168.2.115</test_value>
+ <!-- id.orig_p srcport (already in fields table) -->
+ <test_value name="i1">52353</test_value>
+ <!-- id.resp_h dstip (already in fields table) -->
+ <test_value name="i2">192.168.2.16</test_value>
+ <!-- id.resp.p dstport (already in fields table) -->
+ <test_value name="i3">5900</test_value>
+ <!-- client_major_version -->
+ <test_value name="s0">003</test_value>
+ <!-- client_minor_version -->
+ <test_value name="s1">889</test_value>
+ <!-- server_major_version -->
+ <test_value name="s2">003</test_value>
+ <!-- server_minor_version -->
+ <test_value name="s3">889</test_value>
+ <!-- authentication_method -->
+ <test_value name="s4">Apple Remote Desktop</test_value>
+ <!-- auth -->
+ <!-- share_flag -->
+ <!-- desktop_name -->
+ <test_value name="s5">\x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD</test_value>
+ <!-- width -->
+ <test_value name="i4">1920</test_value>
+ <!-- height -->
+ <test_value name="i5">1080</test_value>
+ </example>
+ </examples>
+ </rule>
+ </rules>
+</ruleset>
--- securityonion-elsa-extras-20151011.orig/contrib/securityonion-syslog-ng.conf
+++ securityonion-elsa-extras-20151011/contrib/securityonion-syslog-ng.conf
@@ -59,6 +59,7 @@ source s_bro_pe { file("/nsm/bro/logs/cu
source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
+source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };

destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };

@@ -90,6 +91,7 @@ log {
source(s_bro_sip);
source(s_bro_modbus);
source(s_bro_dnp3);
+ source(s_bro_rfb);
source(s_ossec);
source(s_network);
source(s_syslog);
--- securityonion-elsa-extras-20151011.orig/contrib/securityonion_parsers_sql.sh
+++ securityonion-elsa-extras-20151011/contrib/securityonion_parsers_sql.sh
@@ -307,3 +307,8 @@ mysql -uroot < $SQL || echo "Error impor
# Additions for Cisco ASA Botnet
SQL="$SQL_DIR/asa_botnet.sql"
mysql -uroot < $SQL || echo "Error importing $SQL."
+
+# Additions for BRO_RFB class & associated fields
+SQL="$SQL_DIR/bro_rfb.sql"
+mysql -uroot < $SQL || echo "Error importing $SQL."
+
--- /dev/null
+++ securityonion-elsa-extras-20151011/contrib/sql/bro_rfb.sql
@@ -0,0 +1,32 @@
+use syslog;
+
+/* Create bro_rfb class */
+INSERT IGNORE INTO classes (id, class) VALUES (26020, "BRO_RFB");
+
+/* add new integers that don't already exist in fields table */
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("width","int", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("height","int", "QSTRING");
+
+/* add new strings that don't already exist in fields table */
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("client_major_version","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("client_minor_version","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("server_major_version","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("server_minor_version","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("authentication_method","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("desktop_name","string", "QSTRING");
+
+/* integers i0 through i5 are field order 5 through 10 */
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="srcip"), 5);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="srcport"), 6);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="dstip"), 7);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="dstport"), 8);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="width"), 9);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="height"), 10);
+
+/* strings s0 through s5 are field order 11 through 16 */
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="client_major_version"), 11);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="client_minor_version"), 12);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="server_major_version"), 13);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="server_minor_version"), 14);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="authentication_method"), 15);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="desktop_name"), 16);
1 change: 1 addition & 0 deletions debian/patches/series
Original file line number Diff line number Diff line change
Expand Up @@ -32,3 +32,4 @@ update-bro_intel-pattern-for-Bro-2.5
update-bro_smtp-pattern-for-Bro-2.5
update-bro_ssh-pattern-for-Bro-2.5
fix-bro_ftp-pattern
Issue-1036:-securityonion-elsa-extras:-add-pattern-for-Bro-rfb.log
39 changes: 39 additions & 0 deletions debian/postinst
Original file line number Diff line number Diff line change
Expand Up @@ -892,6 +892,45 @@ case "$1" in
touch $FILE
fi

# 2017-01-10 Merge pattern for Bro rfb.log
UPDATE="2017-01-10"
FILE="/nsm/elsa/$UPDATE"
if [ ! -f $FILE ]; then
if grep -i "ELSA=yes" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
echo "* ELSA is enabled on this box."
# Only update database if Setup has already been run
if [ -e /var/log/nsm/sosetup.log ]; then
echo "* Found sosetup.log."
echo "* Did NOT find $FILE, so applying $UPDATE database schema update."

# Store all SQL schema updates as files in $SQL_DIR
SQL_DIR="/opt/elsa/contrib/securityonion/contrib/sql"

echo "* Adding fields for Bro rfb.log."
SQL="$SQL_DIR/bro_rfb.sql"
mysql --defaults-file=/etc/mysql/debian.cnf < $SQL || echo "Error importing $SQL."

# backup syslog-ng.conf with today's date as file extension
DATE=`date '+%Y%m%d'`
SYSLOG_CONF="/etc/syslog-ng/syslog-ng.conf"
SYSLOG_CONFBAK="$SYSLOG_CONF.$DATE"
if [ -f $SYSLOG_CONF ]; then
echo "* Backing up $SYSLOG_CONF to $SYSLOG_CONFBAK."
cp $SYSLOG_CONF $SYSLOG_CONFBAK || echo "Error backing up $SYSLOG_CONF to $SYSLOG_CONFBAK."

if ! grep 'source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };' $SYSLOG_CONF >> /dev/null; then
echo "* Updating $SYSLOG_CONF to monitor Bro rfb.log."
sed -i '/^source s_bro_sip/a source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };' $SYSLOG_CONF || echo "Error adding s_bro_rfb to $SYSLOG_CONF."
sed -i '/source(s_bro_ssh);/a \\tsource(s_bro_rfb);' $SYSLOG_CONF || echo "Error adding s_bro_rfb to $SYSLOG_CONF."
fi
fi

fi
fi
# Now that we've applied the update, record that we've applied it
touch $FILE
fi

# Always check to see if ELSA is enabled and, if so, update patterns
if grep -i "ELSA=yes" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
echo "* ELSA is enabled on this box."
Expand Down

0 comments on commit f294262

Please sign in to comment.