From: Dominique K. <dk...@os...> - 2007-06-27 15:27:11
Hi there Trevor,

if you're using config.xml as agent config file I fear you're using an older version. Could you please use the 0.9.9rc4 release, where the config file format isn't written in xml anymore?

The Snare plugin can be a bit tricky to set up btw, snare's got a big problem: log files are being written in the system's language and there's no clear field separator, which makes parsing its log files a nightmare. If you use the new agent and have a look at the sample regular expressions from snare.cfg you should be able to figure out the right ones tho; if you could send the improved ones back we'd be most grateful.

If you are willing to try updating please drop a few lines and I'll try to help you out some more.

Greetings,
Dominique

On 27.06.2007 at 13:54, Trevor Kershaw wrote:

> [cross-posting this to a more active board]
>
> I'm trying to make use of OSSIM's correlation engine relative to its SNARE
> plugin that monitors Windows event logs. I was able to get the OSSIM agent to
> connect to the 'SIM server (installed it on WinXP) with no problems as long as
> plugins were disabled, ie commenting out all the plugins in config.xml.
> However, as soon as I uncommented the SNARE plugin, Python started erroring
> out. I installed SNARE version 2.4.0 because it can output logs to a .log
> format, which is a requirement in order for the agent to report back to the
> server, right?
>
> Here's my snarewindows.xml setup:
>
> <?xml version="1.0" encoding='UTF-8' ?>
>
> <!--
> Snare Agent for Windows
> http://www.intersectalliance.com/projects/SnareWindows/
> http://sourceforge.net/projects/snare/
>
> NOTE: you need to enter regedit and change the delimiter attribute to one
> or more spaces.
> -->
> <plugin id="1518" process="" type="detector" start="yes" enable="yes">
> <startup>C:\Program Files\Snare\SnareCore.exe</startup>
> <shutdown></shutdown>
> <source>syslog</source>
> <interface>&interface;</interface>
> <sensor>&sensor;</sensor>
> <location>C:\WINDOWS\system32\LogFiles\Snare\20070625.log</location>
> </plugin>
>
> SnareCore.exe is the service and the location field contains the .log.
> I've also uncommented the necessary line and added the location of the
> snarewindows.xml in config.xml.
>
> But whenever I run the `C:\Python23\python.exe C:\Python23\agent\ossim-agent -f -c C:\Python23\agent\config.xml`
> command to connect the agent to the server, I get this error:
>
> C:\Snort\bin>C:\Python23\python.exe C:\Python23\agent\ossim-agent -f -c
> C:\Python23\agent\config.xml
>
> ←[01;33m (->) ←[00m pyossim.Ajent (2007-06-25 13:57:49): Waiting for server...
> ←[01;32m (<-) ←[00m pyossim.Ajent (2007-06-25 13:57:49): Server connected
>
> Traceback (most recent call last):
>   File "C:\Python23\agent\ossim-agent", line 8, in ?
>     pyossim.agent.main()
>   File "C:\Python23\agent\pyossim\agent.py", line 74, in main
>     agent.append_plugins()
>   File "C:\Python23\agent\pyossim\Ajent.py", line 98, in append_plugins
>     self.conn.send(msg)
> socket.error: (10054, 'Connection reset by peer')
> ^C
>
> It seems that the plugin isn't initializing correctly. I guess what I'm asking
> is, what do I need to do to get the SNARE plugin to load correctly and report
> back the log for correlation at the server? Am I on the right track with
> the .xml configs?
>
> This site http://www.ossim.net/dokuwiki/doku.php?id=roadmap:plugins shows that
> the event log viewer has been integrated into OSSIM, which I assume refers to
> SNARE. Is that right?
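Dominique's remark about Snare log parsing (records written in the system language, no unambiguous field separator) is the kind of thing a plugin regex has to cope with. The following Python parser is an added example written for this page; it is not code from the thread, from OSSIM's snare.cfg or from the Snare project. It assumes a whitespace-delimited Snare for Windows record laid out as hostname, the literal MSWinEventLog tag, criticality, event log name, Snare counter, timestamp, event ID, source, user name, SID type, audit type, computer, category and free-text description; the keyword sets for the SID type and audit type fields, English day and month names, and the two sample lines are all assumptions or constructed input. The technique it shows is the one that makes a space delimiter survivable: anchor the expression on the fields whose shape is fixed (tag, integer counters, timestamp, event ID, audit-type keywords) so that the free-form fields between them may themselves contain spaces.

```python
import re
from datetime import datetime
from typing import Iterable, List, Optional

# Constructed sample records in the assumed whitespace-delimited Snare
# layout. Hostnames, users and counters are made up; 528/529 are the
# pre-Vista Windows Security event IDs for successful / failed logon.
SAMPLE_LINES = [
    "WINXP01 MSWinEventLog 1 Security 42 Mon Jun 25 13:57:49 2007 528 Security "
    "jdoe User Success Audit WINXP01 Logon/Logoff Successful Logon: User Name: jdoe "
    "Domain: WINXP01 Logon Type: 2",
    "WINXP01 MSWinEventLog 1 Security 43 Mon Jun 25 13:58:03 2007 529 Security "
    "NT AUTHORITY\\SYSTEM Well Known Group Failure Audit WINXP01 Logon/Logoff Logon "
    "Failure: Reason: Unknown user name or bad password",
    "not a snare record at all",
]

# One record. Fixed-shape fields (MSWinEventLog tag, integers, timestamp,
# audit-type keywords) are matched strictly; the user name is matched lazily
# so that values containing spaces (NT AUTHORITY\SYSTEM) are still recovered.
# The SID-type and audit-type keyword lists are assumptions for this example.
SNARE_RE = re.compile(
    r"^(?P<host>\S+)\s+MSWinEventLog\s+"
    r"(?P<criticality>\d+)\s+"
    r"(?P<log>\S+)\s+"
    r"(?P<counter>\d+)\s+"
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<event_id>\d+)\s+"
    r"(?P<source>\S+)\s+"
    r"(?P<user>.+?)\s+"
    r"(?P<sid_type>Well Known Group|User|Group|Unknown|N/A)\s+"
    r"(?P<event_type>Success Audit|Failure Audit|Information|Warning|Error)\s+"
    r"(?P<computer>\S+)\s+"
    r"(?P<category>\S+)\s+"  # assumption: category has no spaces
    r"(?P<message>.*)$"
)


def parse_snare_line(line: str) -> Optional[dict]:
    """Parse one Snare record; return None for lines that do not match."""
    m = SNARE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("criticality", "counter", "event_id"):
        rec[key] = int(rec[key])
    # Day/month names are assumed to be English here. Snare writes them in
    # the system's language, so a localised agent needs its own name mapping
    # before this strptime pattern will accept the timestamp.
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%a %b %d %H:%M:%S %Y")
    return rec


def parse_lines(lines: Iterable[str]) -> List[dict]:
    """Parse a batch of lines, silently dropping those that do not match."""
    parsed = (parse_snare_line(line) for line in lines)
    return [rec for rec in parsed if rec is not None]


def count_by_event_id(records: Iterable[dict]) -> dict:
    """Tally records per Windows event ID, e.g. to spot bursts of 529s."""
    counts: dict = {}
    for rec in records:
        counts[rec["event_id"]] = counts.get(rec["event_id"], 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_lines(SAMPLE_LINES)
    for rec in records:
        print(rec["timestamp"].isoformat(), rec["event_id"], rec["event_type"],
              rec["user"], "|", rec["message"])
    print(count_by_event_id(records))
```

The lazy user-name group works only because a strict keyword group follows it; without the SID-type and audit-type alternations the expression would have no way to tell where a multi-word user name ends. The same idea carries over to the `regexp` entries in an OSSIM plugin configuration: make every fixed-shape field strict, and leave lazy matching for the one or two fields that genuinely vary. The non-matching third sample is dropped rather than raising, which is the behaviour you want in a collector that must keep running when a localised agent writes a record this pattern does not understand.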