
Sheriff CSM™

Configure Database Plugins

Database plugins extract data from an external database and turn them into Events. Sheriff CSM supports MySQL and Microsoft SQL Server.

The database plugin configuration file provides information on how Sheriff CSM should connect to and query the database.

# Plugin mcafee-epo id:4008 version: 0.0.2
# Last modification: 2015-05-13 16:11
#
# Plugin Selection Info:
# McAfee:ePolicy Orchestrator:-
#
# END-HEADER
# Accepted products:
# mcafee - epo_mcafee_virtual_technician 1.0.9
# Description:
# McAfee EPO plugin
# MSSQL connection can be configured using a static port or
# a dynamic port (using instances)
# Static port config:
# source_ip=database_addr_or_hostname
# source_port=database_port (empty = default port 1433)
#
# Dynamic port config:
# source_ip=database_addr_or_hostname\database_instance (note: only one '\')
# no source_port
#
[DEFAULT]
plugin_id=4008
 
[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/mcafee_epo_custom_functions.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=db_epo
sleep=60
process=
start=no
stop=no
 
[start_query]
query="SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC"
regexp=
 
[query]
query="SELECT AutoID, CONVERT(nvarchar(40), AutoGUID), ServerID, DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName, TargetFileName, ThreatCategory, ThreatEventID, ThreatSeverity, ThreatName FROM EPOEvents where AutoID > $1 ORDER BY AutoID"
regexp=
ref=0
plugin_sid={$9}
date={normalize_date($3)}
src_ip={:mcafeeIP($4)}
dst_ip={:mcafeeIP($5)}
filename={$8}
username={$6}
userdata1=GUID {$2}
userdata2=ServerID {$2}
userdata3=Severity {$10}
userdata4={$9}
userdata5={$11}
userdata6={$1}

Anatomy of the Plugin Configuration File

See below for a description of various sections in the database plugin configuration file above.

To find the point where the database plugin should begin capturing data, USM Appliance uses a query called start_query. This query obtains the last row in a table, identified by its sequence number. The following example selects the largest AutoID number from the EPOEvents table.

[start_query]
query="SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC"

In the database plugin configuration file example, the section that starts with [config] tells Sheriff CSM how to connect to the database. This consists of the following parameters.

[config]
type=detector
source=database
source_type=
source_ip=
source_port=
user=
password=
db=
sleep=

Description of database connection parameters

Parameter    Description
source_type  Database type that Sheriff CSM supports: mssql or mysql.
source_ip    Fully qualified domain name, hostname, or IP address of the database server.
source_port  Port number of the external database.
user         Name of the user with access to the database.
password     Password for the user with access to the database.
db           Name of the external database.
sleep        Duration, in seconds, between plugin queries to the database.

Sheriff CSM queries the database as soon as a database plugin is loaded and, thereafter, every few seconds.

The duration between queries depends on the value of sleep in each plugin's configuration file. Default values range from 2 to 60 seconds and are configurable. For information about customizing existing or developing new plugins, see Customize and Develop New Plugins and its related topics.

The main query starts with [query]. The $1 at the end of its WHERE clause holds the result of the [start_query] query, so only rows with a higher AutoID are fetched:

[query]
query="SELECT AutoID, CONVERT(nvarchar(40), AutoGUID), ServerID, DetectedUTC, SourceIPV4, TargetIPV4, TargetUserName, TargetFileName, ThreatCategory, ThreatEventID, ThreatSeverity, ThreatName FROM EPOEvents where AutoID > $1 ORDER BY AutoID"
regexp=

Important: You must leave the regexp field empty (shown below the query), because database plugins use it in operation.

Fields containing $ correspond to columns in the database query, counted from $0. For example:

$0 First element in the query (AutoID)
$1 Second element in the query (AutoGUID)
$2 Third element in the query (ServerID)
...

And you can map them to any of the event fields, like this:

username={$6}
userdata1=GUID {$2}
userdata2=ServerID {$2}
userdata3=Severity {$10}
userdata4={$9}
userdata5={$11}
userdata6={$1}
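As an added illustration (not the Sheriff CSM agent's own code) of how [start_query], [query] and the $N mappings above fit together, the following Python models one polling cycle against an in-memory SQLite table that stands in for the MSSQL EPOEvents table (so T-SQL's SELECT TOP 1 is written as LIMIT 1). normalize_date and mcafeeIP are hypothetical stand-ins for the custom functions in mcafee_epo_custom_functions.cfg, whose real definitions the page does not show; the integer-to-dotted-quad conversion is an assumption, not ePO's documented encoding. The sample rows are constructed.

```python
"""Model of a database plugin polling cycle. Added illustration, not the
Sheriff CSM agent's code. SQLite stands in for MSSQL (assumption: 'SELECT
TOP 1' becomes 'LIMIT 1')."""
import re
import sqlite3

# Column order of the [query] SELECT on the page; $0 is the first column.
COLUMNS = ("AutoID", "AutoGUID", "ServerID", "DetectedUTC", "SourceIPV4",
           "TargetIPV4", "TargetUserName", "TargetFileName", "ThreatCategory",
           "ThreatEventID", "ThreatSeverity", "ThreatName")

# Event-field templates copied from the [query] section of the plugin.
MAPPING = {
    "plugin_sid": "{$9}",
    "date": "{normalize_date($3)}",
    "src_ip": "{:mcafeeIP($4)}",
    "dst_ip": "{:mcafeeIP($5)}",
    "filename": "{$8}",
    "username": "{$6}",
    "userdata1": "GUID {$2}",
    "userdata2": "ServerID {$2}",
    "userdata3": "Severity {$10}",
    "userdata4": "{$9}",
    "userdata5": "{$11}",
    "userdata6": "{$1}",
}


def normalize_date(value):
    """Hypothetical stand-in: return the timestamp as a string, unchanged."""
    return str(value)


def mcafee_ip(value):
    """Hypothetical stand-in: render an unsigned 32-bit integer as a dotted
    quad. ePO's real encoding is an assumption here, not taken from the page."""
    v = int(value) & 0xFFFFFFFF
    return ".".join(str((v >> shift) & 0xFF) for shift in (24, 16, 8, 0))


CUSTOM_FUNCTIONS = {"normalize_date": normalize_date, "mcafeeIP": mcafee_ip}

# Matches the {$N}, {func($N)} and {:func($N)} placeholder forms above.
PLACEHOLDER = re.compile(r"\{:?(?:(\w+)\()?\$(\d+)\)?\}")


def render_event(row):
    """Apply MAPPING to one result row, substituting $N with row[N]."""
    def substitute(match):
        func, index = match.group(1), int(match.group(2))
        value = row[index]
        return str(CUSTOM_FUNCTIONS[func](value)) if func else str(value)
    return {field: PLACEHOLDER.sub(substitute, template)
            for field, template in MAPPING.items()}


def start_position(conn):
    """[start_query]: the largest AutoID already present in the table."""
    row = conn.execute(
        "SELECT AutoID FROM EPOEvents ORDER BY AutoID DESC LIMIT 1").fetchone()
    return row[0] if row else 0


def poll(conn, last_id):
    """[query]: rows newer than last_id (the agent's $1), rendered as events.
    A bound parameter stands in for the agent's textual $1 substitution;
    COLUMNS is a constant, so joining it into the SQL is safe."""
    sql = "SELECT %s FROM EPOEvents WHERE AutoID > ? ORDER BY AutoID" % ", ".join(COLUMNS)
    rows = conn.execute(sql, (last_id,)).fetchall()
    events = [render_event(r) for r in rows]
    return events, (rows[-1][0] if rows else last_id)


def build_sample_db():
    """Constructed EPOEvents table with two rows that predate the plugin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EPOEvents (%s)" % ", ".join(COLUMNS))
    conn.executemany("INSERT INTO EPOEvents VALUES (%s)" % ",".join("?" * 12), [
        (1, "guid-0001", "EPOSRV01", "2015-05-13 16:01:00", 167772170, 167772181,
         "asmith", "C:\\tmp\\a.exe", "av.detect", 1027, 2, "Sample-A"),
        (2, "guid-0002", "EPOSRV01", "2015-05-13 16:05:00", 167772170, 167772182,
         "bjones", "C:\\tmp\\b.exe", "av.detect", 1027, 2, "Sample-B"),
    ])
    return conn


def new_row(conn, auto_id):
    """Constructed event that arrives while the plugin sleeps."""
    conn.execute("INSERT INTO EPOEvents VALUES (%s)" % ",".join("?" * 12),
                 (auto_id, "guid-%04d" % auto_id, "EPOSRV01", "2015-05-13 16:11:00",
                  167772170, 167772190, "jdoe", "C:\\tmp\\eicar.com", "av.detect",
                  1027, 2, "EICAR test file"))


if __name__ == "__main__":
    conn = build_sample_db()
    last = start_position(conn)   # the plugin starts after row 2
    new_row(conn, 3)              # an event arrives during sleep=60
    events, last = poll(conn, last)
    for ev in events:
        print(ev)
```

Because numbering starts at $0, the twelve columns of the SELECT are $0 to $11; count them against the column order before editing a mapping, since a shifted index silently puts the wrong column into an event field without any error from the plugin.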

Modify the Plugin Configuration File

Before modifying the plugin configuration file, you must first obtain the IP address, port number, and an authenticated user account of your database.

Warning: For Microsoft SQL Servers, you must use SQL Server Authentication. You will receive a "Connection refused" error if you use Windows Authentication instead.

This task enables communication with the external database from which the plugin receives data. You will need command line access to Sheriff CSM to complete this task.

To configure communication with an external database
  1. Connect to the Sheriff Console through SSH and use your credentials to log in.

    The Sheriff Setup menu displays.

  2. On the Sheriff Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. Create the file /etc/vigilante/agent/plugins/<database-plugin>.cfg.local.

    For example, to configure the mcafee-epo plugin, you need to create the mcafee-epo.cfg.local file.

  4. In the .local file, add the fields shown below and replace the angle bracket part (including the brackets) with your database settings.

    [config]
    source_ip=<database_IP>
    source_port=<database_port>
    user=<username>
    password=<user_password>
    db=<database_name>
    sleep=<number_of_seconds_between_sending_queries>

  5. Save the file.

  6. Restart all services for changes to apply:

    sheriff-reconfig -c -v -d

Important: If connecting to multiple databases, you must repeat this task for every external database you want to receive data from. In other words, you must create a different <database-plugin>.cfg.local file for each database you want to connect to.
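An added helper (not part of Sheriff CSM) that carries out steps 3 to 5 in one go and checks the result before the restart in step 6. The plugin directory and the values are passed in as arguments (the page's path is /etc/vigilante/agent/plugins/), and the check refuses a file that still contains an angle-bracket placeholder, lacks one of the required keys, or is readable by other users, since the file holds the database password in cleartext.

```shell
#!/bin/sh
# Added helper, not part of Sheriff CSM: writes <plugin>.cfg.local with the
# fields from step 4 and checks it. Assumptions: the plugin directory is the
# first argument; the restart (sheriff-reconfig -c -v -d) is left to step 6.

# write_plugin_local DIR PLUGIN IP PORT USER PASSWORD DB SLEEP
# Prints the path of the file it wrote.
write_plugin_local() {
    dir=$1; plugin=$2; ip=$3; port=$4; user=$5; pass=$6; db=$7; sleep_s=$8
    file="$dir/$plugin.cfg.local"
    old_umask=$(umask)
    umask 077                  # the file holds a database password: owner-only
    printf '%s\n' \
        "[config]" \
        "source_ip=$ip" \
        "source_port=$port" \
        "user=$user" \
        "password=$pass" \
        "db=$db" \
        "sleep=$sleep_s" > "$file"
    umask "$old_umask"
    printf '%s\n' "$file"
}

# check_plugin_local FILE
# Returns 0 only if every required key has a value, no <placeholder> from
# step 4 is left, and the file is not group- or world-readable.
check_plugin_local() {
    file=$1
    for key in source_ip source_port user password db sleep; do
        grep -q "^$key=." "$file" || { echo "missing or empty: $key" >&2; return 1; }
    done
    if grep -q '<' "$file"; then
        echo "unreplaced <placeholder> in $file" >&2
        return 1
    fi
    case $(ls -l "$file" | cut -c1-10) in
        -rw-------) ;;
        *) echo "$file must be mode 0600" >&2; return 1 ;;
    esac
    return 0
}

# Example run with constructed values (the real directory needs root):
# f=$(write_plugin_local /etc/vigilante/agent/plugins mcafee-epo 10.10.10.10 1433 siem 'S3cret!' ePO4_HOSTNAME17 60)
# check_plugin_local "$f" && sheriff-reconfig -c -v -d
```

The mode check matters because, as the ngrep capture further down shows, the same user name and password also cross the network in cleartext when the plugin logs in; keeping the file readable only by root at least limits who can read them off the appliance.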

If you do not see any events in Analysis > Security Events (SIEM) after you have modified the plugin configuration file and enabled the plugin, you can troubleshoot the database connection using tcpdump or ngrep. The following example examines the traffic to an MSSQL database.

ngrep -d eth0 host 10.10.10.10

where 10.10.10.10 is the IP address of the database server. If the database connection is established, you will see output similar to the following. You can confirm the user name, password, and database name from the output.

interface: eth0 (10.10.10.10/255.255.255.224)
filter: (ip or ip6) and ( host 10.10.10.10 )
......
#####
T 10.10.10.20:54983 -> 10.10.10.10:1433 [AP]
........10.10.10.10..................siem.................... PASSWORD
..............37876...............pymssql............10.10.10.10............
...... PASSWORD....................DB-Library........us_english.............
....L.........................ANSI_X3.4-1968..................512............
#
T 10.10.10.10:1433 -> 10.10.10.20:54983 [AP]
.....g.......ePO4_HOSTNAME17.master.B.E.....-.Changed database context to
'ePO4_HOSTNAME17'..HOSTNAME15........iso_1... .......Microsoft SQL
Server.._........512.512.........

If the database connection cannot be established, you will receive an error instead.
Topic revision: r11 - 31 Aug 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.