Alienvault Warning: Mysql Db Connection Closed. Trying to Open It Again
USM Appliance™
Configure Database Plugins
Applies to Product: USM Appliance™, AlienVault OSSIM®
Database plugins extract data from an external database and parse them into events. USM Appliance supports MySQL and Microsoft SQL Server using the UTF-8 character set encoding.
The database plugin configuration file provides information on how USM Appliance should connect to and query the database.
Database Plugin Sample File
# Plugin mcafee-epo id:4008 version: 0.0.2
# Last modification: 2015-05-13 16:11
#
# Plugin Selection Info:
# McAfee:ePolicy Orchestrator:-
#
# End-HEADER
# Accepted products:
# mcafee - epo_mcafee_virtual_technician 1.0.9
# Description:
# McAfee EPO plugin
# MSSQL connection can be configured using a static port or
# a dynamic port (using instances)
# Static port config:
# source_ip=database_addr_or_hostname
# source_port=database_port (empty = default port 1433)
#
# Dynamic port config:
# source_ip=database_addr_or_hostname\database_instance (note: only one '\')
# no source_port
#
[DEFAULT]
plugin_id=4008
[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/mcafee_epo_custom_functions.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=db_epo
sleep=60
process=
start=no
stop=no
[start_query]
query="SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC"
regexp=
[query]
query="SELECT AutoID, CONVERT(nvarchar(40), AutoGUID), ServerID, DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName, TargetFileName, ThreatCategory, ThreatEventID, ThreatSeverity, ThreatName FROM EPOEvents where AutoID > $1 ORDER BY AutoID"
regexp=
ref=0
plugin_sid={$9}
date={normalize_date($3)}
src_ip={:mcafeeIP($4)}
dst_ip={:mcafeeIP($5)}
filename={$8}
username={$6}
userdata1=GUID {$2}
userdata2=ServerID {$2}
userdata3=Severity {$10}
userdata4={$9}
userdata5={$11}
userdata6={$1}
Anatomy of the Plugin Configuration File
See below for a description of the various sections in the database plugin configuration file above.
The Config Section
In the database plugin configuration file example, the section that starts with [config] tells USM Appliance how to connect to the database. It consists of the following parameters.
[config]
type=detector
source=database
source_type=
source_ip=
source_port=
user=
password=
db=
sleep=
Parameter | Description |
---|---|
source_type | Database type that USM Appliance supports, which is mssql or mysql. |
source_ip | Fully qualified domain name, hostname, or IP address of the database server. |
source_port | Port number of the external database. |
user | Name of the user with access to the database. |
password | Password for the user with access to the database. |
db | Machine name of the external database. |
sleep | Duration, in seconds, between plugin queries to the database. |
The Start_Query Section
To find the point where the database plugin should begin capturing data, USM Appliance uses a query called start_query. This query obtains the last row in a table identified by a sequence number. The following code example initiates a query to select the largest AutoID number from the EPOEvents table.
[start_query]
query="SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC"
The Query Section
USM Appliance queries the database as soon as a database plugin is loaded and, thereafter, every few seconds.
The duration between queries depends on the value of sleep in each plugin's configuration file. Default values range from 2 to 60 seconds and are configurable. For information about customizing existing or developing new plugins, see Customize and Develop New Plugins and its related topics.
This query starts with [query] and also references the result of the [start_query] query (the $1 placeholder in the WHERE clause below).
[query]
query="SELECT AutoID, CONVERT(nvarchar(40), AutoGUID), ServerID, DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName, TargetFileName, ThreatCategory, ThreatEventID, ThreatSeverity, ThreatName FROM EPOEvents where AutoID > $1 ORDER BY AutoID"
regexp=
Important: You must leave the regexp field empty (shown below the query), because database plugins use it internally during operation.
Fields containing $ correspond to the columns returned by the database query. For example:
Field | Description |
---|---|
$0 | First element in the query (AutoID) |
$1 | Second element in the query (AutoGUID) |
$2 | Third element in the query (ServerID) |
... | ... |
You can map them to any of the event fields, like this:
username={$6}
userdata1=GUID {$2}
userdata2=ServerID {$2}
userdata3=Severity {$10}
userdata4={$9}
userdata5={$11}
userdata6={$1}
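As an added example that is not part of the AlienVault documentation or the USM agent's own code, the Python sketch below shows how the [start_query] seed, the $1 placeholder in the WHERE clause and the {$N} field mappings described above fit together. It uses an in-memory SQLite table standing in for the MSSQL EPOEvents table (so LIMIT 1 replaces TOP 1 and the column list is shortened), and all rows are constructed sample data.

```python
import re
import sqlite3
from configparser import ConfigParser
# Constructed plugin config: a subset of the page's mcafee-epo [start_query]/[query] sections.
# The SQL is SQLite-flavoured so it runs offline (the real plugin targets MSSQL and uses TOP 1).
PLUGIN_CFG = """
[start_query]
query=SELECT AutoID FROM EPOEvents ORDER BY AutoID DESC LIMIT 1
[query]
query=SELECT AutoID, AutoGUID, ServerID, DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName FROM EPOEvents WHERE AutoID > $1 ORDER BY AutoID
regexp=
src_ip={$4}
dst_ip={$5}
username={$6}
userdata1=GUID {$1}
userdata6={$0}
"""
FIELD_RE = re.compile(r"\{\$(\d+)\}")  # {$N} = N-th result column, $0 the first (page's table)

def load_plugin(text):
    cfg = ConfigParser(interpolation=None)  # keep '$' and '%' literal in values
    cfg.read_string(text)
    return cfg

def map_row(cfg, row):
    """Build one event from a result row using the {$N} mappings in [query]."""
    event = {}
    for key, template in cfg.items("query"):
        if key in ("query", "regexp"):  # regexp must stay empty for database plugins
            continue
        event[key] = FIELD_RE.sub(lambda m: str(row[int(m.group(1))]), template)
    return event

def poll(cfg, conn, last_id):
    """One polling cycle: $1 in the WHERE clause is the last AutoID already seen."""
    sql = cfg.get("query", "query").replace("$1", str(last_id))
    rows = conn.execute(sql).fetchall()
    return [map_row(cfg, r) for r in rows], (rows[-1][0] if rows else last_id)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EPOEvents(AutoID INTEGER PRIMARY KEY, AutoGUID, ServerID, DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName)")
    conn.executemany("INSERT INTO EPOEvents VALUES (?,?,?,?,?,?,?)", [  # constructed rows
        (1, "guid-1", 7, "2015-05-13 16:10:00", "10.0.0.5", "10.0.0.9", "alice"),
        (2, "guid-2", 7, "2015-05-13 16:11:00", "10.0.0.5", "10.0.0.9", "bob")])
    cfg = load_plugin(PLUGIN_CFG)
    last_id = conn.execute(cfg.get("start_query", "query")).fetchone()[0]  # seeds the cursor at 2
    conn.execute("INSERT INTO EPOEvents VALUES (3,'guid-3',7,'2015-05-13 16:12:00','10.0.0.6','10.0.0.9','carol')")
    events, last_id = poll(cfg, conn, last_id)  # only the row added after seeding becomes an event
    return events, last_id
```

Rows that existed before the plugin was loaded are never emitted, which is the behaviour the start_query seed is meant to produce.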
Modify the Plugin Configuration File
Before modifying the plugin configuration file, you must first obtain the IP address, port number, and an authenticated user account of your database.
Warning: For Microsoft SQL Servers, you must use SQL Server Authentication. You will receive a "Connection refused" error if you use Windows Authentication instead.
This task enables communication with the external database from which the plugin receives data. You will need command line access to USM Appliance to complete this task.
To configure communication with an external database
- Connect to the AlienVault Console through SSH and use your credentials to log in.
  The AlienVault Setup menu displays.
- On the AlienVault Setup main menu, select Jailbreak System to gain command line access.
  Select Yes when prompted. You will be in the root directory.
- Create the file /etc/ossim/agent/plugins/<database-plugin>.cfg.local.
  For example, to configure the mcafee-epo plugin, you need to create the mcafee-epo.cfg.local file.
- In the .local file, add the fields shown below and replace the angle bracket part (including the brackets) with your database settings.
  [config]
  source_ip=<database_IP>
  source_port=<database_port>
  user=<username>
  password=<user_password>
  db=<database_name>
  sleep=<number_of_seconds_between_sending_queries>
- Save the file.
- Restart all services for changes to apply:
  alienvault-reconfig -c -v -d
Important: If connecting to multiple databases, you must repeat this task for every external database you want to receive data from. In other words, you must create a different <database-plugin>.cfg.local file for each database you want to connect to.
If you do not see any events in Analysis > Security Events (SIEM) after you have modified the plugin configuration file and enabled the plugin, you can troubleshoot the database connection using tcpdump or ngrep. The following example examines the traffic to an MSSQL database.
ngrep -d eth0 host 10.10.10.10
where 10.10.10.10 is the IP address of the database server. If the database connection is established, you will see output similar to the following. You can confirm the user name, password, and database name from the output.
interface: eth0 (10.10.10.10/255.255.255.224)
filter: (ip or ip6) and ( host 10.10.10.10 )
......
#####
T 10.10.10.20:54983 -> 10.10.10.10:1433 [AP]
........10.10.10.10..................siem.................... Password
..............37876...............pymssql............10.10.10.10............
...... PASSWORD....................DB-Library........us_english.............
....L.........................ANSI_X3.4-1968..................512............
#
T 10.10.10.10:1433 -> 10.10.10.20:54983 [AP]
.....chiliad.......ePO4_HOSTNAME17.master.B.E.....-.Changed database context to
'ePO4_HOSTNAME17'..HOSTNAME15........iso_1... .......Microsoft SQL
Server.._........512.512.........
If the database connection cannot be established, you will receive an error instead.
Source: https://cybersecurity.att.com/documentation/usm-appliance/plugin-management/configuring-database-plugins.htm