From: Dominique K. <dk...@os...> - 2007-11-19 19:16:15
Hello Everybody,

Sorry for the crosspost, but I thought the subject could be interesting on both lists.

Some months ago Daniel (ossec project lead) and I (ossim project lead) exchanged a couple of mails about both systems, but we didn't get any further in conversations due to, well, I guess mainly lack of time. Now I've got some more time and have started poking around with ossec, and I must say I'm very pleased. Everything looks solid and well designed, and it was very easy for me to extract all the needed information in order to start working on a plugin. The results so far can be seen here: http://www.ossim.com/dk/ossec/. I've got a working plugin for each main input file and some identifiers to work with them.

My next issues/steps/comments are as follows:

- ossim needs to know 'what' has generated 'which' events. We call the event generators the "plugins", while individual events are the "plugin_sid"s. It was quite easy to extract the sids from the rule files, but I'm not so sure about the generators. And I haven't found them in the log output either.
- Is there any way ossec determines the "priority" or importance of an attack? The "level" parameter maybe?
- Is everything being logged into /var/ossec/logs/alerts/alerts.log by default? Or is some information thrown into other files and not into that one?
- Could the sensor's IP address be logged instead of only the name? (I guess not always, syslog restrictions.)
- Could we add an md5sum to the original log files, for compliance and regulatory stuff?

And:

- Would it be possible to incorporate a source patch for an 'ossim' output module into 1.5 so the missing information could be made present?

I'll continue to work on this tomorrow, getting some specific graphs done for ossec.

Soon I'll release another version of the installer CD we recently started providing at http://www.ossim.com/home.php?id=download (announcement can be found at http://www.ossim.net), which will include an already pre-configured ossec and windows agents configured to connect easily with the server.

Any type of help (comments, code, documentation) is welcome. I think making ossec and ossim talk together is something from which both projects can benefit greatly :-)

Greetings,
Dominique