Menu
▾
▴
[Os-sim-devel] OSSEC and OSSIM integration.
|
From: Dominique K. <dk...@os...> - 2007-11-19 19:16:15
|
Hello Everybody, sorry for the crosspost but I thought the subject could be interesting on both lists. Some months ago Daniel (from ossec project lead) and me (ossim project lead) exchanged a couple of mails about both systems, but we didn't get any further in conversations due to, well, guess mainly lack of time. Now I've got some more time and started poking around with ossec and I must say I'm very pleased. Everything looks solid and well designed and it was very easy for me to extract all the needed information in order to start working on a plugin. The results so far can be seen here: http://www.ossim.com/dk/ossec/. I've got a working plugin for each main input file and some identifiers to work with them. My next issues/steps/comments are as follows: - ossim needs to know 'what' has generated 'which' events. We call the event generators the "plugins", while individual events are the "plugin_sid"s. It was quite easy to extract the sids from the rule files but I'm not so sure about the generators. And I haven't found them either in the log output. - Is there any way ossec determines the "priority" or importance of an attack ? the "level" parameter maybe ? - Is everything being logged into /var/ossec/logs/alerts/alerts.log by default ? or is some information thrown into other files and not into that one ? - Could the sensor's ip address be logged instead only the name ? (I guess not always, syslog restrictions) - Could we add a md5sum to the original log files, for compliance and regulatory stuff ? And: - Would it be possible to incorporate a source patch for an 'ossim' output module into 1.5 so the missing information could be made present ? I'll continue to work on this tomorrow, getting some specific graphs done for ossec. Soon I'll release another version of the installer CD we recently started providing at http://www.ossim.com/home.php?id=download (announcement can be found at http://www.ossim.net) which will include an already pre-configured ossec and windows agents configured to connect easily with the server. Any type of help (comments, code, documentation) is welcome, I think making ossec and ossim talk together is something from which both projects can benefit greatly :-) Greetings, Dominique |
