Fix AlienVault HIDS Events Displaying 0.0.0.0 as IP Address

7
640

In this guide, we are going to show you how to fix AlienVault HIDS events displaying 0.0.0.0 as IP address. Are you running AlienVault OSSIM 5.7.1 and you are experiencing an issue where by it is not parsing events correctly and instead of displaying the actual hostnames or IP addresses as it is on the events, it displays 0.0.0.0?

Fix AlienVault HIDS Events Displaying 0.0.0.0 as IP Address
AlienVault HIDS Events Displaying 0.0.0.0 as IP Address

Fix AlienVault HIDS Events Displaying 0.0.0.0 as IP Address

The issue of AlienVault HIDS Events displaying 0.0.0.0 as IP address for either source or destination has been identified to be related to the ossim ossec plugin, /etc/ossim/agent/plugins/ossec-single-line.cfg which fails to translate hostnames into IPv4 addresses. This is because this plugin do not contain the resolv() function hence a failed resolution results in a value of 0.0.0.0.

Well, there has been a simple fix that has been identified to solve this issue. This involves customizing the ossec-single-line.cfg by adding the resolv() function as shown below.

Customize ossec-single-line.cfg Plugin

Before you can make changes to an existing ossec-single-line.cfg plugin, make a copy of it by appending the .local extension.

cp /etc/ossim/agent/plugins/ossec-single-line.cfg /etc/ossim/agent/plugins/ossec-single-line.cfg.local

Next, open the the backup plugin you created above,the one with the .local extension, for editing and make the following changes.

vim /etc/ossim/agent/plugins/ossec-single-line.cfg,local

Locate all the occurrences of src_ip={VARIABLE} and dst_ip={VARIABLE},

...
src_ip={$variable}
dst_ip={$variable}
...

and replace them with src_ip={resolv(VARIABLE)} and dst_ip={resolv(VARIABLE)} such that they look like;

...
src_ip={resolv($variable)}
dst_ip={resolv($variable)}
...

You can simply run the command below to make the changes;

sed -i -e '/src_ip=.*\}/ s/\S\w*/resolv(&)/4' -e '/dst_ip=.*\}/ s/\S\w*/resolv(&)/4' /etc/ossim/agent/plugins/ossec-single-line.cfg.local

Apply the Changes

Once you have made the changes, you need to run the alienvault-reconfig or ossim-reconfig command to apply the changes.

ossim-reconfig && /etc/init.d/ossim-agent restart

Your source or destination addresses should now be fine. Navigate to the GUI and confirm the same.

Fixed AlienVault HIDS Events Displaying 0.0.0.0  address

Well, that is all on how to fix AlienVault HIDS events displaying 0.0.0.0 as IP Address. We hope this was informative. Feel free to drop any comment.

See other Alienvault ossim tutorials by following the links below;

Nagios SNMP Monitoring of Linux Hosts on AlienVault USM/OSSIM

Configure Nagios Availability Monitoring on AlienVault USM/OSSIM

How to Install and Setup AlienVault HIDS Agent on a Windows Host

How to Install and Configure AlienVault HIDs Agent on a Linux Host

Import Assets to AlienVault USM/OSSIM using a CSV file

How to install and configure AlienVault OSSIM 5.5 on VirtualBox

7 COMMENTS

  1. hi,
    please help on the configuring ossec agent on the windows server especially on monitoring windows event logs like Application, system, security, setup

  2. hi,
    please help how to remove a “false alarm” such ‘alienvault hids:windows audit failure event’. Because it’s so difficult to find out on the google as well as on the other web.
    I did some changes on ossim-single-line plugins but it still doesn’t work, also i had deleted the table plugin_sid on mysql but it still comes up.
    Thank you

      • Hi Mibey,
        thank you for the reply,
        but how can I make a policy to make such event?
        would you like to give me the link/tutorial for me as a reference?
        or would you mind creating another tutorial on this web?
        surely appreciate if you don’t mind..

        Thank you,

  3. Hi,
    I did, but ossim-reconfig && /etc/init.d/ossim-agent restart after this command ossec plugin update does not continue to remain at 12%. What is the solution?

LEAVE A REPLY

Please enter your comment!
Please enter your name here