{"id":2966,"date":"2019-05-19T23:00:05","date_gmt":"2019-05-19T20:00:05","guid":{"rendered":"https:\/\/kifarunix.com\/?p=2966"},"modified":"2024-03-11T22:52:38","modified_gmt":"2024-03-11T19:52:38","slug":"fix-alienvault-hids-events-displaying-0-0-0-0-as-ip-address","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/fix-alienvault-hids-events-displaying-0-0-0-0-as-ip-address\/","title":{"rendered":"Fix AlienVault HIDS Events Displaying 0.0.0.0 as IP Address"},"content":{"rendered":"\n

In this guide, we are going to show you how to fix AlienVault HIDS events displaying 0.0.0.0 as IP address. Are you running AlienVault OSSIM 5.7.1 and you are experiencing an issue where by it is not parsing events correctly and instead of displaying the actual hostnames or IP addresses as it is on the events, it displays 0.0.0.0?<\/p>\n\n\n\n

\"Fix<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n

Fixing AlienVault HIDS Events Displaying 0.0.0.0 as IP Address<\/h3>\n\n\n\n

The issue of AlienVault HIDS Events displaying 0.0.0.0 as IP address for either source or destination has been identified to be related to the ossim ossec plugin, \/etc\/ossim\/agent\/plugins\/ossec-single-line.cfg<\/strong> which fails to translate hostnames into IPv4 addresses. This is because this plugin do not contain the resolv()<\/strong> function hence a failed resolution results in a value of 0.0.0.0.<\/p>\n\n\n\n

Well, there has been a simple fix that has been identified to solve this issue. This involves customizing the ossec-single-line.cfg<\/strong> by adding the resolv()<\/strong> function as shown below.<\/p>\n\n\n\n

Customize ossec-single-line.cfg<\/strong> Plugin<\/h4>\n\n\n\n

Before you can make changes to an existing ossec-single-line.cfg<\/strong> plugin, make a copy of it by appending the .local<\/strong> extension.<\/p>\n\n\n\n

cp \/etc\/ossim\/agent\/plugins\/ossec-single-line.cfg{,.local}<\/code><\/pre>\n\n\n\n
Next, open the the backup plugin you created above,the one with the .local<\/strong> extension, for editing and make the following changes.<\/p>\n\n\n\n
vim \/etc\/ossim\/agent\/plugins\/ossec-single-line.cfg.local<\/code><\/pre>\n\n\n\n
Locate all the occurrences of src_ip={VARIABLE}<\/strong> and dst_ip={VARIABLE}<\/strong>, <\/p>\n\n\n\n
...\nsrc_ip={$variable<\/strong>}\ndst_ip={$variable<\/strong>}\n...<\/code><\/pre>\n\n\n\n
For example;<\/p>\n\n\n\n
src_ip={$hostname}\ndst_ip={$hostname}<\/code><\/pre>\n\n\n\n
and replace them with src_ip={resolv(VARIABLE)}<\/strong> and dst_ip={resolv(VARIABLE)}<\/strong> such that they look like;<\/p>\n\n\n\n
...\nsrc_ip={resolv(<\/strong>$variable<\/strong>)}\ndst_ip={resolv(<\/strong>$variable<\/strong>)}\n...<\/code><\/pre>\n\n\n\n
You can simply run the command below to make the changes;<\/p>\n\n\n\n
sed -i -e '\/src_ip=.*\\}\/ s\/\\S\\w*\/resolv(&)\/4' -e '\/dst_ip=.*\\}\/ s\/\\S\\w*\/resolv(&)\/4' \/etc\/ossim\/agent\/plugins\/ossec-single-line.cfg.local<\/code><\/pre>\n\n\n\n
After making the changes, the variable looks like, for example;<\/p>\n\n\n\n
src_ip={resolv($hostname)}\ndst_ip={resolv($hostname)}<\/code><\/pre>\n\n\n\n
Apply the Changes<\/h4>\n\n\n\n
Once you have made the changes, you need to run the alienvault-reconfig<\/strong> or ossim-reconfig<\/strong> command to apply the changes.<\/p>\n\n\n\n
ossim-reconfig && \/etc\/init.d\/ossim-agent restart<\/code><\/pre>\n\n\n\n
Your source  or destination addresses should now be fine. Navigate to the GUI and confirm the same.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Well, that is all on how to fix IP address showing as 0.0.0.0 on AlienVault HIDS events. We hope this was informative. Feel free to drop any comment.<\/p>\n\n\n\n
See other Alienvault ossim tutorials by following the links below;<\/p>\n\n\n\n
Nagios SNMP Monitoring of Linux Hosts on AlienVault USM\/OSSIM<\/a><\/p>\n\n\n\n
Configure Nagios Availability Monitoring on AlienVault USM\/OSSIM<\/a><\/p>\n\n\n\n
How to Install and Setup AlienVault HIDS Agent on a Windows Host<\/a><\/p>\n\n\n\n
How to Install and Configure AlienVault HIDs Agent on a Linux Host<\/a><\/p>\n\n\n\n
Import Assets to AlienVault USM\/OSSIM using a CSV file<\/a><\/p>\n\n\n\n
How to install and configure AlienVault OSSIM 5.5 on VirtualBox<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this guide, we are going to show you how to fix AlienVault HIDS events displaying 0.0.0.0 as IP address. Are you running AlienVault OSSIM<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,103],"tags":[956,955,957],"class_list":["post-2966","post","type-post","status-publish","format-standard","hentry","category-monitoring","category-alienvault","tag-0-0-0-0","tag-alienvault-ossim","tag-hids-events","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2966"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2966"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2966\/revisions"}],"predecessor-version":[{"id":21150,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2966\/revisions\/21150"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2966"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2966"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2966"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}