From: Daniel C. <dc...@os...> - 2007-11-20 23:03:12
Hi Dominique,

First, I have to say that I am very happy to see OSSEC+OSSIM together and your plug-in seems to be working quite well. Rest inline...

On 11/19/07, Dominique Karg <dk...@os...> wrote:
>
> - ossim needs to know 'what' has generated 'which' events. We call the
> event generators the "plugins", while individual events are the
> "plugin_sid"s. It was quite easy to extract the sids from the rule
> files but I'm not so sure about the generators. And I haven't found
> them either in the log output.

The way we track who generated the alert is based on the location where it came from. It can be "/var/log/messages" for a local log message or "agent_name->/var/log/http/error_log" for a message from one agent or even "1.2.3.4" for a log received remotely via syslog... I don't know if that's what you are looking for, but it is at the header of the alert:

** Alert 1194921832.980: - syslog,errors,
2007 Nov 12 22:43:52 copacabana->/var/log/messages
Rule: 1006 (level 5) -> 'Syslogd restarted.'
..

> - Is there any way ossec determines the "priority" or importance of an
> attack ? the "level" parameter maybe ?

Yes, level is how we determine the severity of the alert. It is user-defined from 0 to 255, but on our official rules we only use from 0 to 15 (0 is lowest and 15 highest).

> - Is everything being logged into /var/ossec/logs/alerts/alerts.log by
> default ? or is some information thrown into other files and not into
> that one ?

Everything is logged at /var/ossec/logs/alerts/Year/Month/ossec-alerts-day.log

For today's log it would be: /var/ossec/logs/alerts/2007/Nov/ossec-alerts-12.log

The file alerts.log is just a link to the latest alert file (for easy tailing/catting). Also, we have an ossec.log file for ossec's info/error messages and the active-response.log for the active response stuff... However, I think you only need to care about the alerts one.

> - Could the sensor's ip address be logged instead of only the name ? (I
> guess not always, syslog restrictions)

It depends on where you are getting the log from... If you are reading from a local log file, it will use whatever is in the log (generally the hostname from syslog). However, if you are using the server/agent architecture, the ip address will be in the alerts header (agent name, ip address and location):

** Alert 1195551157.1622: mail - windows,time_changed,
2007 Nov 20 05:32:37 (winhome) 192.168.2.190->WinEvtLog
Rule: 18140 (level 7) -> 'System time changed.'

> - Could we add an md5sum to the original log files, for compliance and
> regulatory stuff ?

We do that already (chained md5 + sha1 of the logs): http://www.ossec.net/dcid/?p=74

> And:
>
> - Would it be possible to incorporate a source patch for an 'ossim'
> output module into 1.5 so the missing information could be made
> present ?

For sure :)

> I'll continue to work on this tomorrow, getting some specific graphs
> done for ossec. Soon I'll release another version of the installer CD
> we recently started providing at http://www.ossim.com/home.php?id=download
> (announcement can be found at http://www.ossim.net) which will
> include an already pre-configured ossec and windows agents configured
> to connect easily with the server.

That's great. I added you already to my MSN/Gtalk so we can talk in real time if necessary...

> Any type of help (comments, code, documentation) is welcome, I think
> making ossec and ossim talk together is something from which both
> projects can benefit greatly :-)

Yes, I agree 100%. Hopefully I was able to answer your initial questions...

> Greetings,
>
> Dominique
>

Thanks,
Daniel
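An added example, not part of this thread or of either project's code: a small Python parser for the three-line alert header format Daniel quotes above, mapping each alert onto the OSSIM terms Dominique asked about (plugin = generator, plugin_sid = rule id, priority = level). The two sample alerts are constructed from the headers in the mail; the raw log line under each header is made up, and the key names are my own choice.

```python
import re
from typing import Dict, List
# Constructed sample shaped like the two alert headers quoted in the mail; the raw log lines are made up.
SAMPLE_ALERTS = """\
** Alert 1194921832.980: - syslog,errors,
2007 Nov 12 22:43:52 copacabana->/var/log/messages
Rule: 1006 (level 5) -> 'Syslogd restarted.'
Nov 12 22:43:52 copacabana syslogd 1.4.1: restart.

** Alert 1195551157.1622: mail - windows,time_changed,
2007 Nov 20 05:32:37 (winhome) 192.168.2.190->WinEvtLog
Rule: 18140 (level 7) -> 'System time changed.'
WinEvtLog: System: INFORMATION(1): example event body
"""

# Line 1: "** Alert <id>: [flags] - <group>,<group>,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?P<flags>.*?)\s*- (?P<groups>.+?),?$")
# Line 2: "<timestamp> (<agent>) <ip>-><location>"  or  "<timestamp> <host>-><location>"
SOURCE_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                       r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>.*)$")
# Line 3: "Rule: <sid> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alert(block: str) -> Dict[str, object]:
    """Parse one alert block; keys use the OSSIM vocabulary from the mail:
    'plugin' = generator (agent/host plus location), 'plugin_sid' = rule id,
    'priority' = level. Raises ValueError on a malformed block."""
    lines = block.splitlines()
    h, s, r = (HEADER_RE.match(lines[0]), SOURCE_RE.match(lines[1]),
               RULE_RE.match(lines[2])) if len(lines) >= 3 else (None, None, None)
    if not (h and s and r):
        raise ValueError("not an OSSEC alert block: %r" % lines[:3])
    agent = s["agent"] or s["host"]           # agent name, or hostname for a local log
    return {
        "alert_id": h["id"],
        "flags": h["flags"].split(),          # e.g. ["mail"] when the alert was mailed
        "groups": [g for g in h["groups"].split(",") if g],
        "timestamp": s["ts"],
        "agent": agent,
        "ip": s["ip"],                        # None unless server/agent mode
        "location": s["location"],
        "plugin": f"{agent}->{s['location']}",
        "plugin_sid": int(r["rule"]),
        "priority": int(r["level"]),          # 0..15 in the official rules
        "description": r["desc"],
    }

def parse_alerts(text: str) -> List[Dict[str, object]]:
    return [parse_alert(b) for b in text.strip().split("\n\n") if b.strip()]
```

Point it at a copy of ossec-alerts-day.log to get one dict per alert; anything that is not a well-formed alert block raises instead of being silently mis-mapped.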