Thursday, April 12, 2018

Alienvault and Squid-Access logs

While playing with OSSIM and Squid, I found that the logs were not processed: though they were correctly received by the sensor and they appeared in /var/log/alienvault/agent/agent.log, I did not see any event being created or appearing in the server.

Whenever ossim-agent was restarted on the sensor, a message appeared in /var/log/alienvault/agent/agent.log as soon as the first event was received. This message ended with "Plugin sid not a number". In the line above it, which contained the event as parsed by ossim-agent, the plugin sid value was indeed "TCP_TUNNEL".

In /etc/ossim/agent/plugins/squid.cfg, there is a translation table between the status (TCP_HIT, TCP_MISS, ...) and a numerical value. This translation does not exist for TCP_TUNNEL.

After adding it to the translation table in squid.cfg with the next available value and restarting the agent, the TCP_TUNNEL events generated by Squid appear as "Generic event" in Alienvault OSSIM. The rest of the data (source IP, destination IP, hostname et al.)

The same happened with the message TAG_NONE. Adding it to the corresponding plugin fixed the issue.
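The fix above has to be repeated for every Squid result code the plugin does not know about, and each one silently drops events until someone notices the "Plugin sid not a number" message. The script below is an added example, not part of the original post and not AlienVault's own code: it reads an INI-style translation table (the `[translation]` section name and the `TCP_HIT=1` style entries are assumptions about the squid.cfg layout, and the excerpt is constructed, not the real file), scans Squid native-format access log lines (also constructed here) for result codes that have no entry, and proposes the next free numerical value for each, which is exactly the manual step described above.

```python
import configparser
import re

# Constructed excerpt standing in for the translation table in
# /etc/ossim/agent/plugins/squid.cfg; the section name and the
# entries are assumptions, not copied from the real plugin file.
PLUGIN_CFG = """
[translation]
TCP_HIT=1
TCP_MISS=2
TCP_REFRESH_HIT=3
TCP_DENIED=4
"""

# Constructed Squid native-format access.log lines: the fourth field is
# "<result code>/<HTTP status>", and the result code is what the plugin
# translates into the numerical plugin sid.
ACCESS_LOG = """\
1523500001.123    345 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1523500002.456     12 10.0.0.5 TCP_HIT/200 987 GET http://example.com/logo.png - HIER_NONE/- image/png
1523500003.789   5000 10.0.0.7 TCP_TUNNEL/200 45678 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1523500004.012      0 10.0.0.9 TAG_NONE/400 3456 NONE error:invalid-request - HIER_NONE/- text/html
"""

# Matches the first three fields, then captures the result code before the "/".
STATUS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+([A-Z_]+)/\d+")


def load_translation(cfg_text):
    """Return {result_code: sid} from the [translation] section of a plugin cfg."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep TCP_HIT etc. in their original case
    parser.read_string(cfg_text)
    return {key: int(value) for key, value in parser["translation"].items()}


def find_untranslated(log_text, translation):
    """Count result codes in the log that have no numerical translation."""
    missing = {}
    for line in log_text.splitlines():
        match = STATUS_RE.match(line)
        if not match:
            continue  # not a native-format access log line
        status = match.group(1)
        if status not in translation:
            missing[status] = missing.get(status, 0) + 1
    return missing


def propose_entries(missing, translation):
    """Assign the next free sid to each untranslated code, in sorted order."""
    next_sid = max(translation.values(), default=0) + 1
    proposals = {}
    for status in sorted(missing):
        proposals[status] = next_sid
        next_sid += 1
    return proposals


if __name__ == "__main__":
    table = load_translation(PLUGIN_CFG)
    missing = find_untranslated(ACCESS_LOG, table)
    for status, sid in propose_entries(missing, table).items():
        print(f"{status}={sid}   # seen {missing[status]} time(s), add to [translation]")
```

Run it against the real access.log and the real squid.cfg on the sensor (replacing the two constructed strings) before restarting ossim-agent, and it lists every `CODE=N` line still missing from the translation table, so TCP_TUNNEL and TAG_NONE would have shown up in one pass rather than one at a time.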