Parser for Fireeye Web MPS


cics...@gmail.com

Oct 16, 2013, 5:55:37 PM
to enterprise-log-s...@googlegroups.com
I have a working FireEye parser, just thought I would share...

DB changes:

INSERT INTO classes (id, class) VALUES (10003, "FENOTIFY");

INSERT INTO fields (field, field_type, pattern_type) VALUES ("cncip", "int", "IPv4");
INSERT INTO fields (field, field_type, pattern_type) VALUES ("cncport", "int", "NUMBER");
INSERT INTO fields (field, field_type, pattern_type) VALUES ("virusname", "string", "qstring");

INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="cncip"), 5);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="dstip"), 6);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="time_taken"), 7);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="cncport"), 8);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="srcip"), 9);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="dstport"), 10);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="sig_classification"), 11);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="hostname"), 12);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="virusname"), 13);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="FENOTIFY"), (SELECT id FROM fields WHERE field="sourcetype"), 14);


Patterndb.xml changes:


<ruleset name="FENOTIFY" id='10003'>
  <pattern>fenotify</pattern>
  <rules>
    <rule provider="ELSA" class='10003' id='10003'>
      <patterns>
        <pattern>@ESTRING::cnchost=@@ESTRING:i0:,@alertType=@ESTRING:s0:,@shost=@ESTRING:s1:,@dst=@ESTRING:i1:,@@ESTRING::sname=@@ESTRING:s2:,@fileHash=@ESTRING:s3:,@@ESTRING::occurred=@@ESTRING:i2:,@@ESTRING::cncport=@@ESTRING:i3:,@src=@ESTRING:i4:,@dpt=@ESTRING:i5:,@</pattern>
      </patterns>
      <example>
        <test_message program="fenotify">CSV:0:FireEye:Web MPS:7.0.0.138133:IM:infection-match,osinfo=,sev=minr,malware_type=,alertid=16232,app=,spt=2791,locations=,smac=c4:7d:4f:ef:e0:03,header=,cnchost=127.0.0.1,alertType=infection-match,shost=thegibson.domain.com,dst=127.0.0.1,original_name=,application=,sid=504606,malware-note=,objurl=,mwurl=,profile=,dmac=00:0a:42:f4:94:00,product=Web MPS,sname=Local.Infection,fileHash=351f1dc4e958975661f02c86a485431e,dvchost=,occurred=2013-01-14T16:58:18Z,release=7.0.0.138133,link=,cncport=80,src=10.10.10.10,dpt=80,anomaly=,dvc=,channel=,action=notified,os=,stype=bot-command,</test_message>
        <test_value name="s0">infection-match</test_value>
        <test_value name="s1">thegibson.domain.com</test_value>
        <test_value name="s2">Local.Infection</test_value>
        <test_value name="s3">351f1dc4e958975661f02c86a485431e</test_value>
        <test_value name="s4">bot-command</test_value>
        <test_value name="i0">127.0.0.1</test_value>
        <test_value name="i1">127.0.0.1</test_value>
        <test_value name="i2">2013-01-14T16:58:18Z</test_value>
        <test_value name="i3">80</test_value>
        <test_value name="i4">10.10.10.10</test_value>
        <test_value name="i5">80</test_value>
      </example>
    </rule>
  </rules>
</ruleset>






I also added these lines to the syslog-ng.conf:


filter f_rewrite_fireeye_program { match('^fenotify' value("PROGRAM") type("pcre") flags("store-matches" "nobackref")); };
rewrite r_fireeye{set("fenotify", value("PROGRAM") condition(filter(f_rewrite_fireeye_program)));};
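As an added example (not code from this thread or from ELSA), a small Python model of what the rule above does: it splits the CSV-format Web MPS notification into key=value pairs, maps the keys to the i0..i5/s0..s3 captures that the fields_classes_map rows place at field_order 5 to 14, and applies the IPv4/NUMBER checks declared in the fields table. SAMPLE is a constructed copy of the rule's test message; SLOTS, parse_fenotify, to_elsa and program_matches are names chosen here.

```python
import ipaddress

# Constructed sample: the same CSV-format Web MPS notification used as the rule's test_message.
SAMPLE = (
    "CSV:0:FireEye:Web MPS:7.0.0.138133:IM:infection-match,osinfo=,sev=minr,"
    "malware_type=,alertid=16232,app=,spt=2791,locations=,smac=c4:7d:4f:ef:e0:03,"
    "header=,cnchost=127.0.0.1,alertType=infection-match,shost=thegibson.domain.com,"
    "dst=127.0.0.1,original_name=,application=,sid=504606,malware-note=,objurl=,"
    "mwurl=,profile=,dmac=00:0a:42:f4:94:00,product=Web MPS,sname=Local.Infection,"
    "fileHash=351f1dc4e958975661f02c86a485431e,dvchost=,occurred=2013-01-14T16:58:18Z,"
    "release=7.0.0.138133,link=,cncport=80,src=10.10.10.10,dpt=80,anomaly=,dvc=,"
    "channel=,action=notified,os=,stype=bot-command,"
)

# FireEye key -> (capture name, ELSA field); ELSA maps field_order 5-10 to i0-i5, 11-15 to s0-s4.
SLOTS = {
    "cnchost": ("i0", "cncip"), "dst": ("i1", "dstip"), "occurred": ("i2", "time_taken"),
    "cncport": ("i3", "cncport"), "src": ("i4", "srcip"), "dpt": ("i5", "dstport"),
    "alertType": ("s0", "sig_classification"), "shost": ("s1", "hostname"),
    "sname": ("s2", "virusname"), "fileHash": ("s3", "sourcetype"),
}

def parse_fenotify(msg):
    """Split the comma-separated key=value body; the '='-less CSV header is kept as '_csv_header'."""
    fields = {}
    for part in msg.split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value          # unset keys arrive as empty strings
        elif part:
            fields.setdefault("_csv_header", part)
    return fields

def to_elsa(msg):
    """Return {capture: value}; like the ESTRING chain, a missing key means the rule would not match."""
    fields = parse_fenotify(msg)
    out = {}
    for key, (slot, _name) in SLOTS.items():
        if key not in fields:
            raise ValueError("no match: %s= absent from message" % key)
        out[slot] = fields[key]
    for slot in ("i0", "i1", "i4"):      # IPv4 pattern_type columns
        ipaddress.IPv4Address(out[slot])
    for slot in ("i3", "i5"):            # NUMBER pattern_type columns
        int(out[slot])
    return out

def program_matches(program):
    """The ruleset's program <pattern>fenotify</pattern> is a prefix match, as the reply below notes."""
    return program.startswith("fenotify")
```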





Martin Holste

Oct 17, 2013, 9:54:38 AM
to enterprise-log-s...@googlegroups.com
Great, thanks!  I've added the SQL and pattern, the class is called "FIREEYE."  I don't think your rewrite in syslog-ng should be necessary because a program pattern match is a partial match, so as long as the program name begins with "fenotify" then <pattern>fenotify</pattern> should hit on it.  Did you find that was not the case?


--
You received this message because you are subscribed to the Google Groups "enterprise-log-search-and-archive" group.

cics...@gmail.com

Oct 17, 2013, 2:07:17 PM
to enterprise-log-s...@googlegroups.com
I think you are right.  It was part of my troubleshooting.  I had put "fenotify" as "FENOTIFY" everywhere within the patterndb.xml file and it wasn't parsing.  I thought it was because it wasn't matching but it may have been just because of the case.  Hope that makes sense.  Also make sure you configure FireEye to send in the CSV format.


Martin Holste

Oct 21, 2013, 12:38:30 PM
to enterprise-log-s...@googlegroups.com
Got it, thanks again for the contribution!



