The key to writing a plugin is getting the regular expressions right:
Under /etc/ossim/agent/plugins, write the plugin that monitors Oracle with the content below. Because the Oracle listener log has three line formats (see the Oracle log documentation at http://download.oracle.com/docs/cd/B14117_01/network.101/b10775/troublestng.htm#i423432), there are three corresponding regular expressions:
;; oracle listener.log                       //plugin name
;; plugin_id: 9004                           //plugin ID; IDs of self-written plugins should be in the range 9000~10000
;;
;; MODIFICATION BY: Jiekechoo 2010/08/30
;;
;; $Id: oracle.cfg,v 1.7 2010/08/30 Exp $
;;

[DEFAULT]
plugin_id=9004

[config]
type=detector
enable=yes

source=log
location=/var/log/oracle.log                               //path of the log file to monitor
create_file=true

process=
start=no
stop=no
startup=
shutdown=
//The part above can be copied from another plugin and only the relevant fields changed; it does not need to be written by hand. The part below is what you have to write yourself:

[translation]

[oracle-audit-trail-1]
event_type=event
regexp=(?P<sysdate>\w+\s\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+\S+\s+\d+\s+(?P<ora_date>\d{1,2}-\S+\s-\d{4}\s\d\d:\d\d:\d\d)\s\*\s\(CONNECT_DATA=(\(SID=\w+\))?(\(SERVICE_NAME=[^\)]+\))?\(CID=\(PROGRAM=(?P<program>\S+)?\)\(HOST=(?P<client>[^\)]+)\)\(USER=(?P<user>[^\)]+)?\){2,3}(\(SERVICE_NAME=[^\)]+\){1,2})?\s\*\s\(ADDRESS=(\(PROTOCOL=(?P<proto>[^\)]+)\))?\(HOST=(?P<host1>[^\)]+)\)\(PORT=(?P<sport>\d{1,5})\){2,3}\s\*\s(?P<stat>\S+)\s\*\s(?P<ora_sid>\S+)\s\*\s(?P<re_code>\d+)

date={normalize_date($sysdate)}
plugin_sid=1
protocol={$proto}
src_ip={$host1}
src_port={$sport}
dst_ip={resolv($hostname)}
dst_port=1521
username={$user}
userdata1={$ora_date}
userdata2={$client}
userdata3={$ora_sid}
userdata4={$re_code}
userdata5={$stat}
userdata6={$program}

[oracle-audit-trail-2]
event_type=event
regexp=(?P<sysdate>\w+\s\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+\S+\s+\d+\s+(?P<ora_date>\d{1,2}-\S+\s-\d{4}\s\d\d:\d\d:\d\d)\s\*\s\(CONNECT_DATA=\(CID=\(PROGRAM=(?P<program>[^\)]+)?\)\(HOST=([^\)]+)?\)\(USER=(?P<user>[^\)]+)\)\)\(COMMAND=(?P<stat>[^\)]+)\)\(ARGUMENTS=(\d+)\)\(SERVICE=(\(DESCRIPTION=)?\(ADDRESS=\(PROTOCOL=(?P<proto>[^\)]+)\)\(HOST=(?P<host1>[^\)]+)\)\(PORT=(?P<dport>\d{1,5})\){3,4}\(VERSION=\d+\)\){1,2}\s\*\s(\S+)\s\*\s(\d+)

date={normalize_date($sysdate)}
plugin_sid=2
protocol={$proto}
src_ip={resolv($host1)}
dst_ip={resolv($hostname)}
dst_port={$dport}
username={$user}
userdata1={$ora_date}
userdata4={$14}
userdata5={$stat}
userdata6={$program}

[oracle-registration-event]
event_type=event
regexp=(?P<sysdate>\w+\s\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+\S+\s+\d+\s+(?P<ora_date>\d{1,2}-\S+\s-\d{4}\s\d\d:\d\d:\d\d)\s\*\s(?P<event>service_\w+)\s\*\s(?P<ins_name>\S+)\s\*\s(?P<ret_code>\d+)

date={normalize_date($sysdate)}
plugin_sid=3
dst_ip={resolv($hostname)}
src_ip={resolv($hostname)}
userdata1={$ora_date}
userdata2={$event}
userdata3={$ins_name}
userdata4={$ret_code}
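
Before restarting the agent it pays to check the rules offline. The Python checker below is an added example, not part of the original post or of OSSIM: it parses plugin sections with configparser, flags {$name} references that no named group of the rule captures, and runs constructed sample lines through the rules, first match wins (assumed to mirror how the agent picks a rule and its plugin_sid). The embedded cfg excerpt carries the registration rule above verbatim plus a constructed broken "ping" rule; the host name, tag and counter in the sample lines are constructed.

```python
"""Offline checker for OSSIM agent plugin rules (added example, not part of the
original post): compiles every regexp=, reports {$name} references that no named
group captures, and matches sample lines, first rule wins (assumed agent behaviour)."""
import configparser
import re
# Constructed plugin excerpt: the registration rule from the post verbatim, plus a
# constructed "ping" rule that references a group ($host1) its regexp never defines.
PLUGIN_CFG = r"""
[oracle-registration-event]
event_type=event
regexp=(?P<sysdate>\w+\s\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+\S+\s+\d+\s+(?P<ora_date>\d{1,2}-\S+\s-\d{4}\s\d\d:\d\d:\d\d)\s\*\s(?P<event>service_\w+)\s\*\s(?P<ins_name>\S+)\s\*\s(?P<ret_code>\d+)
plugin_sid=3
dst_ip={resolv($hostname)}
userdata2={$event}
userdata4={$ret_code}
[oracle-ping-broken]
event_type=event
regexp=(?P<sysdate>\w+\s\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+\S+\s+\d+\s+(?P<ora_date>\d{1,2}-\S+\s-\d{4}\s\d\d:\d\d:\d\d)\s\*\sping\s\*\s(?P<ret_code>\d+)
plugin_sid=9
src_ip={resolv($host1)}
"""
REF = re.compile(r"\$(\w+)")  # $name inside {$name} or {resolv($name)}

def load_rules(text):
    """Return {section: {key: value}} for every event rule in the plugin text."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()
            if cp.get(s, "event_type", fallback="") == "event"}

def dangling_refs(rule):
    """Names used as $name that the rule's regexp does not capture (positional
    references such as $14 are not checked)."""
    groups = set(re.compile(rule["regexp"]).groupindex)
    refs = {r for k, v in rule.items() if k != "regexp" for r in REF.findall(v)}
    return sorted(r for r in refs if not r.isdigit() and r not in groups)

def match_line(rules, line):
    """(section, plugin_sid, fields) of the first matching rule, else None."""
    for name, rule in rules.items():
        m = re.compile(rule["regexp"]).search(line)
        if m:
            return name, int(rule["plugin_sid"]), m.groupdict()
    return None

# Constructed lines in the shape these rules expect (syslog prefix, tag, counter,
# then the listener.log fields separated by " * "); the sshd line must not match.
REGISTER_LINE = "Aug 30 10:15:01 dbhost listener 42 30-AUG -2010 10:15:01 * service_register * ORCL * 0"
PING_LINE = "Aug 30 10:15:02 dbhost listener 43 30-AUG -2010 10:15:02 * ping * 0"
OTHER_LINE = "Aug 30 10:15:03 dbhost sshd[2201]: Accepted publickey for ora from 10.0.0.5"
```

Calling load_rules(PLUGIN_CFG) and then dangling_refs on each rule reports host1 for the ping rule and nothing for the registration rule; match_line returns plugin_sid 3 for the registration line, 9 for the ping line and None for the sshd line, which the agent would drop.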
Select the oracle plugin in ossim-setup, and add the path where the oracle plugin is stored to /etc/ossim/agent/config.cfg.
When that is done, restart the agent: /etc/init.d/ossim-agent restart
Then, on the ossim-server, add database support for the oracle plugin:
cd /usr/share/doc/ossim-mysql/contrib/plugins
vi oracle.sql
-- oracle
-- plugin_id: 9004
DELETE FROM plugin WHERE id = "9004";
DELETE FROM plugin_sid where plugin_id = "9004";


INSERT INTO plugin (id, type, name, description) VALUES (9004, 1, 'oracle', 'Oracle listener.log');

INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1, NULL, NULL, 'Listener Log Audit Trail Information' , 1, 1);

INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 2, NULL, NULL, 'Listener Log Audit Trail Information' , 1, 1);

INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 3, NULL, NULL, 'Oracle Service Registration Event Information' , 1, 1);
Load the contents of oracle.sql into the database with ossim-db:     ossim-db < oracle.sql
Once that is done, restart the server: /etc/init.d/ossim-server restart

Check on the agent and on the server:
tail -f /var/log/ossim/agent.log | grep 9004 //on the agent
tail -f /var/log/ossim/server.log | grep 9004 //on the server
If log lines show up, it is working.

Then log in to the server's web interface and, under Analysis, open SIEM and click Real time. If everything was done correctly, the oracle plugin appears on the right.
Original article: http://hi.baidu.com/jiekech00/blog/item/1363b1c45f9ae6d2d0006001.html