From: Brian L. <br...@br...> - 2008-05-10 01:04:55
Pablo,

Thank you for the help. I did get the agent configured. I must have had a brain lapse, because after you mentioned the config file for OSSEC, I looked and it was there. I downloaded the agent code from CVS earlier. For some reason, after looking in /etc/ossim/agent/config.cfg and not seeing the plugin listed, I originally jumped to the conclusion that there wasn't a plugin. I see there is a mapping from OSSEC to OSSIM plugin sids. OSSEC looks quite interesting. I did get the agent running, and it's time to call it a day on this stuff. Of course, in Spain it must be 1am now?

brian

On Fri, May 09, 2008 at 12:37:57PM -0700, Pablo R. wrote:
> Hi Brian. OSSIM has a list of plugin sids related to ossec. If you
> want to install OSSEC on a Windows system you must get the ossec agent
> configuration from the server. Go to /var/ossec/bin, where your
> ossim-agent resides, and execute manage_agents. It's a wizard to set up
> an agent on the ossec server. Set it up (it's pretty simple) and
> export a key for that agent. Then go to your Windows box and set the
> server IP and the key.
>
> Now, on the ossim-agent box (again), ensure that the ossec plugin is
> enabled. If you use an OSSIM CD install, just add the word ossec at
> the end of the detectors list of the agent section (separated by
> commas) and execute the reconfig.pl script located at
> /home/ossim/dist/. This should enable the ossec plugin. If not, go to
> /etc/ossim/agent/plugins to check whether ossec.cfg exists and add a
> line for that path, as ossec=/etc/ossim/agent/plugins/ossec.cfg, in
> the file /etc/ossim/agent/config.cfg.orig (this file is a template for
> the reconfig.pl script and should have all the plugins enabled in order
> to configure the original config.cfg that the ossim-agent reads) and
> re-execute reconfig.pl. If you don't have that plugin, look in CVS.
> If it's not an OSSIM CD installation, just go as usual with the agent,
> editing config.cfg directly and adding the path to the plugin.
>
> Best Regards
> Pablo
>
> 2008/5/9 Brian Lavender <br...@br...>:
> > I got the snare logging working from Windows, but before plugging it on
> > a production system, I thought I would try out ossec. I am having a
> > couple of problems. One, I am not sure of the integration of ossec into
> > the agent? I see on Dominique's page that OSSEC can be used in place of
> > snare, but I don't see an agent plugin. But, I do see it running on the
> > installer, and I also see that OSSEC performs correlation too. I am
> > wondering how it is integrated into OSSIM.
> >
> > On the other side, I am forging ahead and putting an OSSEC agent on a
> > Windows server and pointing it to the OSSIM server (the machine that was
> > installed all in one (agent, server, frameworkd) with the AV installer).
> > I generated a key using manage-agents, and I tried copying this into the
> > OSSEC agent on the Windows 2003 server. Funny thing is, the agent won't
> > start. I just started digging into this. Anyone have any pointers with
> > OSSEC?
> >
> > brian
> > --
> > Brian Lavender
> > http://www.brie.com/brian/
> >
> > _______________________________________________
> > Os-sim-support mailing list
> > Os-...@li...
> > https://lists.sourceforge.net/lists/listinfo/os-sim-support
>
> --
> Saludos
> Pablo

--
Brian Lavender
http://www.brie.com/brian/
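The last step Pablo describes for a non-CD install (edit config.cfg directly: add ossec to the detectors list and add the plugin path line) as an added shell example. This is not code from the thread or from the OSSIM project; it assumes config.cfg is INI-style with a comma-separated "detectors=" line and a "[plugins]" section holding "name=path" lines, and uses the paths named in Pablo's mail. It goes slightly beyond the mail by making the edit idempotent and checking the result, so it is safe to re-run:

```shell
#!/bin/sh
# Added example (not from the thread or OSSIM): enable the ossec plugin in
# an ossim-agent config.cfg. Assumptions: INI-style file, a comma-separated
# "detectors=" line, and a "[plugins]" section for plugin paths.

OSSEC_CFG_PATH="/etc/ossim/agent/plugins/ossec.cfg"

# Write a constructed sample config.cfg (NOT a real OSSIM file) to $1.
make_sample_config() {
    cat > "$1" <<'EOF'
[config]
detectors=snort, ssh, snare

[plugins]
snort=/etc/ossim/agent/plugins/snort.cfg
ssh=/etc/ossim/agent/plugins/ssh.cfg
snare=/etc/ossim/agent/plugins/snare.cfg
EOF
}

# Exit 0 only when "ossec" is a whole detector token AND the plugin path
# line is present; a substring like "ossec-x" does not count.
ossec_enabled() {
    grep -Eq '^detectors=([^,]*,)*[[:space:]]*ossec[[:space:]]*(,|$)' "$1" &&
    grep -Fxq "ossec=$OSSEC_CFG_PATH" "$1"
}

# Idempotently append "ossec" to the detectors list and add the path line
# right after the [plugins] header. Writes to a temp file and mv's it into
# place, so a failed awk leaves the original config untouched.
enable_ossec_plugin() {
    cfg="$1"
    need_path=1
    grep -q '^ossec=' "$cfg" && need_path=0
    awk -v path="$OSSEC_CFG_PATH" -v need_path="$need_path" '
        /^detectors=/ && $0 !~ /(=|,)[[:space:]]*ossec[[:space:]]*(,|$)/ {
            sub(/[[:space:]]+$/, "")
            # empty list gets "ossec"; otherwise append ", ossec"
            $0 = ($0 ~ "=$") ? $0 "ossec" : $0 ", ossec"
        }
        { print }
        need_path && /^\[plugins\]/ { print "ossec=" path; need_path = 0 }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Demo on the constructed sample; running twice shows the edit is idempotent.
demo() {
    dir=$(mktemp -d)
    make_sample_config "$dir/config.cfg"
    enable_ossec_plugin "$dir/config.cfg"
    enable_ossec_plugin "$dir/config.cfg"
    ossec_enabled "$dir/config.cfg" && echo "ossec plugin enabled in $dir/config.cfg"
    grep -c 'ossec' "$dir/config.cfg"   # prints 2: the detector token and the path line
    rm -rf "$dir"
}

demo
```

To use it on a real box, back up /etc/ossim/agent/config.cfg first and call enable_ossec_plugin on that path (or on config.cfg.orig followed by reconfig.pl on a CD install, as Pablo says), then restart ossim-agent; ossec_enabled is the quick check that both halves of the change landed.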