Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #SDK DB Properties for OSSEC v2.4
- #ID Based DB
- #Change to TB based DB for OSSEC v2.5
- #Author: Chris Botelho - chris@erroredsecurity.com
- #Version 1.2 - 7/7/2011
- #Released under GPL v3.0 - http://www.gnu.org/licenses/gpl-3.0.txt
- version.order=1
- version.id=2.4.1
- version.query=select version from server
- query=select alert.id as alert_id, (CASE SUBSTRING_INDEX(SUBSTRING_INDEX(location.name,' ',-1),'->',1) REGEXP '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' WHEN 1 \
- THEN SUBSTRING_INDEX(SUBSTRING_INDEX(location.name,' ',-1),'->',1) WHEN 0 THEN '' END) AS address, TRIM(LEADING'(' FROM \
- SUBSTRING_INDEX(SUBSTRING_INDEX(location.name,')',1),'->',1)) AS host, SUBSTRING_INDEX(SUBSTRING_INDEX(location.name,'->',-1),'->',1) AS logtype, \
- (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',2),'`',-1) WHEN 0 THEN '' END) AS file_changed, \
- (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',4),'`',-1) WHEN 0 THEN '' END) AS old_size, \
- (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',6),'`',-1) WHEN 0 THEN '' END) AS new_size, \
- (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',12),'`',-1) WHEN 0 THEN '' END) AS oldsha1, \
- (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',14),'`',-1) WHEN 0 THEN '' END) AS newsha1, \
- alert.rule_id as rule_id, from_unixtime(alert.timestamp) AS timestamp, alert.src_ip as src_ip, alert.dst_ip as dst_ip, \
- alert.src_port as src_port, alert.dst_port as dst_port, server.hostname as hostname, from_unixtime(server.last_contact) as last_contact, \
- server.version as version, data.user as user, signature.description as description, signature.level as level, data.full_log as full_log \
- FROM alert JOIN location ON alert.location_id=location.id JOIN server ON alert.server_id = server.id JOIN data ON alert.id = data.id JOIN signature \
- ON alert.rule_id = signature.rule_id \
- WHERE alert.id > ? \
- ORDER BY alert.id
- #required fields
- timestamp.field=timestamp
- id.field=alert_id
- #uniqueid.fields=alert_id
- maxid.query=select max(alert.id) from alert
- #event mappings
- event.name=description
- event.deviceAddress=address
- event.deviceHostName=host
- event.deviceFacility=logtype
- event.externalId=alert_id
- event.deviceEventClassId=rule_id
- event.sourceAddress=src_ip
- event.destinationAddress=dst_ip
- event.sourcePort=src_port
- event.destinationPort=dst_port
- event.deviceCustomString1=user
- event.deviceCustomString1Label=__stringConstant("Device Username")
- event.deviceSeverity=level
- event.deviceCustomDate1=last_contact
- event.deviceCustomDate1Label=__stringConstant("Last Time Device Connected")
- event.deviceVersion=version
- event.deviceVendor=__stringConstant("OSSEC")
- event.deviceProduct=__stringConstant("OSSEC HIDS")
- event.rawEvent=full_log
- event.deviceCustomString2=hostname
- event.deviceCustomString2Label=__stringConstant("OSSEC Server Hostname")
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement