基于OSSIM平台下华为交换机日志收集插件的开发

长期以来，大家在收集华为交换机日志是往往通过syslog协议转发的方式，将华为交换机日志转发到日志收集器上，简单存储，但这样并没有将日志标准化，也就是OSSIM中对日志的归一化处理，在《开源安全运维平台－OSSIM最佳实践》一书的第七章专门讲解了日志收集与插件的自定义，本文将继续本书内容，为大家分享华为交换机插件，根据书中讲解，我们在OSSIM Agent插件目录中建立插件名称,huawei.cfg，编写插件大致格式可按书里面内容编写，不过还需要注意插件的导入过程，下面举个华为插件的实际例子。

[DEFAULT]

plugin_id=1728

[config]

type=detector

enable=yes

source=log

location=/var/log/huawei.log

create_file=yes

process=

start=no

stop=no

startup=

shutdown=

[translation]

SESSION_TEARDOWN=1

BOTNET=2

DETECT=3

CMDRECORD=4

DISPLAY_CMDRECORD=5

LOAD_OK=6

UPDATESUCCESS=7

LOAD_FAIL=8

PASS=9

OUT=10

TRAPLOG=11

LOGIN_SUCCED=9

LOGIN_SUCCEED=9

FIREWALLATCK=12

USER_ACCESSRESULT=13

USER_OFFLINERESULT=14

DATASYNC_CFGCHANGE=15

CMDCONFIRM_UNIFORMRECORD=16

SAVE=17

STREAM=18

LOGIN=9

LOADSUCC=19

LINK_STATE=20

STATUSUP=21

IF_ENABLE=22

ONLINESUCC=23

HOT_INSERT=24

BOARD_ENABLE=25

CMDCONFIRM_UNIFORMRECORD=26

ACTIVATION=27

DEV_REG=28

GETSERVERR=29

VIRUS=30

BOARD_ABSENT=31

REMOVABLE=32

REBOOT=33

WARMSTART=34

NLOGINIT=35

TRAP=11

RECOVERSUCCESS=37

UPDATE_SUCCESS=38

ENGINE_OK=39

这里是正则表达式的例子，需要有一定基础哦

[0001 - Huawei]

event_type=event

precheck="Application"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:\s+(?P.*?)\(.*?Policy="(?P[^"]*)",\s+SrcIp=(?P[^,]*),\s+DstIp=(?P[^,]*),\s+SrcPort=(?P[^,]*),\s+DstPort=(?P[^,]*),\s+SrcZone=(?P[^,]*),\s+DstZone=(?P[^,]*),\s+User="(?P[^"]*)",\s+Protocol=(?P[^,]*),\s+Application="(?P[^,]*)",\s+Profile="(?P[^"]*)",\s+.*?(?:SignName|VirusName)="(?P[^"]*)",\s(?:DetectionType="(?P[^,]*)",)?.*?Action=(?P[^\)]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

protocol={$proto}

src_ip={$src_ip}

dst_ip={$dst_ip}

src_port={$src_port}

dst_port={$dst_port}

username={$user}

userdata1={$description}

userdata2={translate($severity)}

userdata3={$policy}

userdata4={$action}

userdata5={$det_type}

userdata6={$profile}

userdata7={$sig_name}

userdata8={$app}

userdata9={$dst_zone}

[0002 - Huawei Attack]

event_type=event

precheck="AttackType"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?P\S+)\/(?P\d)\/(?P[^\(]*).*?AttackType="(?P[^"]*)",\s+.*?interface="(?P[^"]*)",\s+proto="(?P[^"]*)",\s+src="(?P[^:]*):(?P\d+)\s+",\s+dst="(?P[^:]*):(?P\d+)\s+",\s+begin\s+time="(?P[^"]*)",\s+end\s+time="(?P[^"]*)",\s+total\s+packets="(?P[^"]*)",\s+max\s+speed="(?P[^"]*)",\s+User="(?P[^"]*)",\s+Action="(?P[^"]*)""

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($src_ip)}

dst_ip={resolv($dst_ip)}

src_port={$src_port}

dst_port={$dst_port}

username={$user}

protocol={$proto}

userdata1={$action}

userdata2={translate($severity)}

userdata3={$module}

userdata4={$begin_time}

userdata5={$end_time}

userdata6={$total_pkt}

userdata7={$speed}

userdata8={$interface}

userdata9={$attack}

[0003 - Huawei]

event_type=event

precheck="SourceVpnID"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?:\d{4}-\d{2}-\d{2}\s+\d+\d+:\d+:\d+)\s+(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\):IPVer=(?P[^,]*),Protocol=(?P[^,]*),SourceIP=(?P[^,]*),DestinationIP=(?P[^,]*),SourcePort=(?P[^,]*),DestinationPort=(?P[^,]*),BeginTime=(?P[^,]*),EndTime=(?P[^,]*),SendPkts=(?P[^,]*),SendBytes=(?P[^,]*),RcvPkts=(?P[^,]*),RcvBytes=(?P[^,]*),SourceVpnID=(?P[^,]*),DestinationVpnID=(?P[^,]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

protocol={$proto}

src_ip={$src_ip}

dst_ip={$dst_ip}

src_port={$src_port}

dst_port={$dst_port}

userdata1={$module}

userdata2={translate($severity)}

userdata3={$send_pkt}

userdata4={$send_b}

userdata5={$rcv_pkt}

userdata6={$rcv_b}

userdata7={$src_vpn_id}

userdata8={$dst_vpn_id}

userdata9={$module}

[0004 - Huawei]

event_type=event

precheck="AuthenticationMethod"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:(?P.*?)\(Task=(?P[^,]*),\s+Ip=(?P[^,]*),\s+VpnName=(?P[^,]*),\s+User=(?P[^,]*),\s+AuthenticationMethod="(?P[^,]*)",\s+Command="(?P[^,]*)""

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($ip)}

username={$user}

userdata1={$identifier}

userdata2={translate($severity)}

userdata3={$task}

userdata5={$vpn_name}

userdata6={$method}

userdata7={$command}

userdata8={$module}

userdata9={$description}

[0005 - Huawei updates]

event_type=event

precheck="Version"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:(?P.*?)\(SyslogId=(?P[^,]*),\s+(User=(?P[^,]*),\s+IP=(?P[^,]*),\s+)?Module=(?P[^,]*),.*?Version=(?P[^,]*),\s+(UpdateVersion=(?P[^,]*),\s+Status=(?P[^,]*),\s+)?Duration\(s\)=(?P[^,|\)]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($ip)}

username={$user}

userdata1={$version}

userdata2={translate($severity)}

userdata3={$module}

userdata4={$module1}

userdata5={$version1}

userdata6={$duration}

userdata7={$status}

userdata8={$module}

userdata9={$description}

[0006 - Huawei login logout]

event_type=event

precheck="IP"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:User\s+(?P\S+)\(IP:(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+ID:(?P\d+)\)\s+(?Plogin|logout)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($user_address)}

username={$username}

userdata1={$version}

userdata2={translate($severity)}

userdata3={$module}

userdata5={$id}

userdata6={$action}

userdata7={$module}

userdata8={$identifier}

[0007 - Huawei config]

event_type=event

precheck="ConfigSource"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?configure changed.*?EventIndex=(?P\d),\s+CommandSource=(?P\d+),\s+ConfigSource=(?P\d+),\s+ConfigDestination=(?P\d+)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($hostname)}

userdata1={$version}

userdata2={translate($severity)}

userdata3={$module}

userdata4={$config_dst}

userdata5={$config_src}

userdata6={$command_index}

userdata7={$index}

userdata8={$identifier}

[0008 - Huawei access]

event_type=event

precheck="DEVICEMAC"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:.*?DEVICEMAC:(?P[^;]*);DEVICENAME:(?P[^;]*);USER:(?P[^;]*);MAC:(?P[^;]*);IPADDRESS:(?P[^;]*);TIME:(?P[^;]*);ZONE:(?P[^;]*);DAYLIGHT:(?P[^;]*);ERRCODE:(?P[^;]*);RESULT:(?P[^;]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($ip)}

username={$user}

userdata1={$result}

userdata2={translate($severity)}

userdata3={$module}

userdata4={$dec_mac}

userdata5={$dev_name}

userdata6={$errcode}

userdata7={$identifier}

userdata8={$daylight}

userdata9={$zone}

[0009 - Huawei login]

event_type=event

precheck="User login succeed"

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?P\S+)\/(?P\d)\/(?P.*?):.*?User login succeed.*?username\s+=\s+(?P[^,]*),\s+loginIP\s+=\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\s+loginTime\s+=\s+(?P[^,]*),\s+loginType\s=\s(?P[^,]*),\s+userLevel\s+=\s+(?P[^,|)]*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($ip)}

username={$user}

userdata1={translate($severity)}

userdata2={$module}

userdata3={$login_time}

userdata4={$login_type}

userdata5={$level}

[0030 - Huawei generic]

event_type=event

regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)?(?P\d\d)?(?P\S+)\/(?P\d)\/(?P[^:|\(]*)(?:\((?P\w)\))?.*?:(?P.*)"

date={normalize_date($syslog_date)}

device={resolv($hostname)}

plugin_sid={translate($brief)}

src_ip={resolv($hostname)}

userdata1={translate($severity)}

userdata2={$module}

userdata3={$identifier}

userdata4={$msg}

userdata5={$version}

完成插件编写之后就要进行反复测试与修改，待测试通过后就要进行插件导入工作，最后是插件启用,如下图所示。

以上是华为交换机插件的一个例子，还有其他华为设备的日志也是照此编写，如果有不明白指出大家参阅《开源安全运维平台OSSIM最佳实践》一书或与该书作者联系。