securityonion-elsa-extras: add parser for Bro 2.4 mysql.log #755

Security-Onion-Solutions · Aug 6, 2015 · 42b5c9d · 42b5c9d
1 parent 182a200
commit 42b5c9d
Show file tree

Hide file tree

Showing 9 changed files with 208 additions and 0 deletions.
diff --git a/contrib/parsers/bro_mysql b/contrib/parsers/bro_mysql
@@ -0,0 +1,33 @@
+	<ruleset>
+                <pattern>bro_mysql</pattern>
+                <rules>
+                        <rule class="26013" id="26013">
+                                <patterns>
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:i4:|@@ESTRING:s3:@</pattern>
+                                </patterns>
+                                <examples>
+                                        <example>
+						<test_message program='bro_mysql'>MESSAGE=1438800219.691536|CgGl4C24eFgIb8JYEf|192.168.0.254|56162|192.168.0.254|3306|field_list|agent|T|3|-</test_message>
+                                                <!-- id.orig_h - already in database as srcip -->
+                                                <test_value name='i0'>192.168.0.254</test_value>
+                                                <!-- id.orig_p - already in database as srcport -->
+                                                <test_value name='i1'>56162</test_value>
+                                                <!-- id.resp_h - already in database as dstip -->
+                                                <test_value name='i2'>192.168.0.254</test_value>
+                                                <!-- id.resp_p - already in database as dstport-->
+                                                <test_value name='i3'>3306</test_value>
+                                                <!-- cmd - add to database-->
+                                                <test_value name='s0'>field_list</test_value>
+                                                <!-- arg - already in database as arg-->
+                                                <test_value name='s1'>agent</test_value>
+                                                <!-- success - add to database -->
+                                                <test_value name='s2'>T</test_value>
+                                                <!-- rows - add to database -->
+                                                <test_value name='i4'>3</test_value>
+                                                <!-- response - already in database as response -->
+                                                <test_value name='s3'>-</test_value>
+                                        </example>
+                                </examples>
+                        </rule>
+                </rules>
+        </ruleset>
diff --git a/contrib/securityonion-syslog-ng.conf b/contrib/securityonion-syslog-ng.conf
@@ -52,6 +52,7 @@ source s_bro_intel { file("/nsm/bro/logs/current/intel.log" flags(no-parse) prog
 source s_bro_x509 { file("/nsm/bro/logs/current/x509.log" flags(no-parse) program_override("bro_x509")); };
 source s_bro_snmp { file("/nsm/bro/logs/current/snmp.log" flags(no-parse) program_override("bro_snmp")); };
 source s_bro_radius { file("/nsm/bro/logs/current/radius.log" flags(no-parse) program_override("bro_radius")); };
+source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };
 
 destination d_elsa { program("perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf" template(t_db_parsed)); };
 
@@ -76,6 +77,7 @@ log {
   	source(s_bro_x509); 
   	source(s_bro_snmp); 
   	source(s_bro_radius); 
+  	source(s_bro_mysql); 
 	source(s_ossec);
 	source(s_network);
 	source(s_syslog);

diff --git a/contrib/securityonion_parsers_sql.sh b/contrib/securityonion_parsers_sql.sh
@@ -263,3 +263,7 @@ mysql -uroot < $SQL || echo "Error importing $SQL."
 # Additions for WINDOWS_PROCESS class & associated fields
 SQL="$SQL_DIR/win_process_tracking.sql"
 mysql -uroot < $SQL || echo "Error importing $SQL."
+
+# Additions for BRO_MYSQL class & associated fields
+SQL="$SQL_DIR/bro_mysql.sql"
+mysql -uroot < $SQL || echo "Error importing $SQL."
diff --git a/contrib/sql/bro_mysql.sql b/contrib/sql/bro_mysql.sql
@@ -0,0 +1,22 @@
+use syslog;
+
+/*  Create class */
+INSERT IGNORE INTO classes (id, class) VALUES (26013, "BRO_MYSQL");
+
+/*  Add new fields */
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("cmd","string", "QSTRING");  
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("success","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("rows","integer", "QSTRING");
+
+/*  Map integer fields */
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="srcip"), 5);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="srcport"), 6);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="dstip"), 7);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="dstport"), 8);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="rows"), 9);
+
+/*  Map string fields */
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="cmd"), 11);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="arg"), 12);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="success"), 13);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="response"), 14);
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+securityonion-elsa-extras (20131117-1ubuntu0securityonion100) precise; urgency=low
+
+  * securityonion-elsa-extras: add parser for Bro 2.4 mysql.log #755 
+
+ -- Doug Burks <[email protected]>  Thu, 06 Aug 2015 15:30:24 -0400
+
 securityonion-elsa-extras (20131117-1ubuntu0securityonion99) precise; urgency=low
 
   * merge Brian's 4740 fix 

diff --git a/debian/install b/debian/install
@@ -14,6 +14,7 @@ contrib/parsers/bro_ftp etc/elsa/patterns.d/securityonion
 contrib/parsers/bro_http etc/elsa/patterns.d/securityonion
 contrib/parsers/bro_intel etc/elsa/patterns.d/securityonion
 contrib/parsers/bro_irc etc/elsa/patterns.d/securityonion
+contrib/parsers/bro_mysql etc/elsa/patterns.d/securityonion
 contrib/parsers/bro_notice etc/elsa/patterns.d/securityonion
 contrib/parsers/bro_radius etc/elsa/patterns.d/securityonion
 contrib/parsers/bro_snmp etc/elsa/patterns.d/securityonion

diff --git a/debian/patches/securityonion-elsa-extras:-add-parser-for-Bro-2.4-mysql.log-#755 b/debian/patches/securityonion-elsa-extras:-add-parser-for-Bro-2.4-mysql.log-#755
@@ -0,0 +1,114 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-elsa-extras (20131117-1ubuntu0securityonion100) precise; urgency=low
+ .
+   * securityonion-elsa-extras: add parser for Bro 2.4 mysql.log #755
+Author: Doug Burks <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-elsa-extras-20131117.orig/contrib/securityonion_parsers_sql.sh
++++ securityonion-elsa-extras-20131117/contrib/securityonion_parsers_sql.sh
+@@ -263,3 +263,7 @@ mysql -uroot < $SQL || echo "Error impor
+ # Additions for WINDOWS_PROCESS class & associated fields
+ SQL="$SQL_DIR/win_process_tracking.sql"
+ mysql -uroot < $SQL || echo "Error importing $SQL."
++
++# Additions for BRO_MYSQL class & associated fields
++SQL="$SQL_DIR/bro_mysql.sql"
++mysql -uroot < $SQL || echo "Error importing $SQL."
+--- securityonion-elsa-extras-20131117.orig/contrib/securityonion-syslog-ng.conf
++++ securityonion-elsa-extras-20131117/contrib/securityonion-syslog-ng.conf
+@@ -52,6 +52,7 @@ source s_bro_intel { file("/nsm/bro/logs
+ source s_bro_x509 { file("/nsm/bro/logs/current/x509.log" flags(no-parse) program_override("bro_x509")); };
+ source s_bro_snmp { file("/nsm/bro/logs/current/snmp.log" flags(no-parse) program_override("bro_snmp")); };
+ source s_bro_radius { file("/nsm/bro/logs/current/radius.log" flags(no-parse) program_override("bro_radius")); };
++source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };
+
+ destination d_elsa { program("perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf" template(t_db_parsed)); };
+
+@@ -76,6 +77,7 @@ log {
+   	source(s_bro_x509); 
+   	source(s_bro_snmp); 
+   	source(s_bro_radius); 
++  	source(s_bro_mysql); 
+ 	source(s_ossec);
+ 	source(s_network);
+ 	source(s_syslog);
+--- /dev/null
++++ securityonion-elsa-extras-20131117/contrib/parsers/bro_mysql
+@@ -0,0 +1,33 @@
++	<ruleset>
++                <pattern>bro_mysql</pattern>
++                <rules>
++                        <rule class="26013" id="26013">
++                                <patterns>
++					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:i4:|@@ESTRING:s3:@</pattern>
++                                </patterns>
++                                <examples>
++                                        <example>
++						<test_message program='bro_mysql'>MESSAGE=1438800219.691536|CgGl4C24eFgIb8JYEf|192.168.0.254|56162|192.168.0.254|3306|field_list|agent|T|3|-</test_message>
++                                                <!-- id.orig_h - already in database as srcip -->
++                                                <test_value name='i0'>192.168.0.254</test_value>
++                                                <!-- id.orig_p - already in database as srcport -->
++                                                <test_value name='i1'>56162</test_value>
++                                                <!-- id.resp_h - already in database as dstip -->
++                                                <test_value name='i2'>192.168.0.254</test_value>
++                                                <!-- id.resp_p - already in database as dstport-->
++                                                <test_value name='i3'>3306</test_value>
++                                                <!-- cmd - add to database-->
++                                                <test_value name='s0'>field_list</test_value>
++                                                <!-- arg - already in database as arg-->
++                                                <test_value name='s1'>agent</test_value>
++                                                <!-- success - add to database -->
++                                                <test_value name='s2'>T</test_value>
++                                                <!-- rows - add to database -->
++                                                <test_value name='i4'>3</test_value>
++                                                <!-- response - already in database as response -->
++                                                <test_value name='s3'>-</test_value>
++                                        </example>
++                                </examples>
++                        </rule>
++                </rules>
++        </ruleset>
+--- /dev/null
++++ securityonion-elsa-extras-20131117/contrib/sql/bro_mysql.sql
+@@ -0,0 +1,22 @@
++use syslog;
++
++/*  Create class */
++INSERT IGNORE INTO classes (id, class) VALUES (26013, "BRO_MYSQL");
++
++/*  Add new fields */
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("cmd","string", "QSTRING");  
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("success","string", "QSTRING");
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("rows","integer", "QSTRING");
++
++/*  Map integer fields */
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="srcip"), 5);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="srcport"), 6);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="dstip"), 7);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="dstport"), 8);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="rows"), 9);
++
++/*  Map string fields */
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="cmd"), 11);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="arg"), 12);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="success"), 13);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_MYSQL"), (SELECT id FROM fields WHERE field="response"), 14);
diff --git a/debian/patches/series b/debian/patches/series
@@ -59,3 +59,4 @@ Issue-773:-securityonion-elsa-extras:-add-Windows-and-Cisco-parsers-from-Brian-K
 Issue-774:-securityonion-elsa-extras:-update-bro_ssh-parser-for-Bro-2.4
 merge-Brian's-windows-parser-update
 merge-Brian's-4740-fix
+securityonion-elsa-extras:-add-parser-for-Bro-2.4-mysql.log-#755
diff --git a/debian/postinst b/debian/postinst
@@ -707,6 +707,31 @@ case "$1" in
 		fi
 	fi
 
+	if [ "$2" = "20131117-1ubuntu0securityonion99" ] || [ "$2" = "20131117-1ubuntu0securityonion88" ] || [ "$2" = "20131117-1ubuntu0securityonion58" ] || [ "$2" = "20131117-1ubuntu0securityonion56" ] || [ "$2" = "20131117-1ubuntu0securityonion53" ] || [ "$2" = "20131117-1ubuntu0securityonion50" ] || [ "$2" = "20131117-1ubuntu0securityonion45" ] || [ "$2" = "20131117-1ubuntu0securityonion43" ] || [ "$2" = "20131117-1ubuntu0securityonion41" ] || [ "$2" = "20131117-1ubuntu0securityonion36" ] || [ "$2" = "20131117-1ubuntu0securityonion28" ] || [ "$2" = "20131117-1ubuntu0securityonion25" ] || [ "$2" = "20131117-1ubuntu0securityonion19" ]; then
+
+		if grep -i "ELSA=yes" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
+			echo "* ELSA is enabled on this box."
+			# Only update database if Setup has already been run
+			if [ -e /var/log/nsm/sosetup.log ]; then
+				echo "* Found sosetup.log."
+
+				# Store all SQL schema updates as files in $SQL_DIR
+				SQL_DIR="/opt/elsa/contrib/securityonion/contrib/sql"
+
+        	                echo "* Adding fields for new BRO_MYSQL parser."
+				SQL="$SQL_DIR/bro_mysql.sql"
+				mysql -uroot < $SQL || echo "Error importing $SQL."
+
+	                	SYSLOG_CONF="/etc/syslog-ng/syslog-ng.conf"
+        	            	if ! grep 'source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };' $SYSLOG_CONF >> /dev/null; then
+					echo "* Updating $SYSLOG_CONF to monitor mysql.log."
+					sed -i '/^source s_bro_ssh/a source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };' $SYSLOG_CONF || echo "Error adding s_bro_mysql to $SYSLOG_CONF."
+					sed -i '/source(s_bro_ssh);/a \\tsource(s_bro_mysql);' $SYSLOG_CONF || echo "Error adding s_bro_mysql to $SYSLOG_CONF."
+				fi
+			fi
+		fi
+	fi
+
 	# Always check to see if ELSA is enabled and, if so, update patterns
 	if grep -i "ELSA=yes" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
 		echo "* ELSA is enabled on this box."