os-sim-devel — Developers

Re: [Os-sim-devel] ossim forums

[Kaushal S. <kau...@gm...>]

On Mon, Apr 26, 2010 at 3:12 PM, Tony Carter <tc...@xt...> wrote:
> http://www.ossim.net/wiki/doku.php?id=user_manual:policy
>
> HTH,
> Tony

Thanks Tony. Is it ok to ask if i have questions ?

Thanks and Regards

Kaushal

[Os-sim-devel] ossim forums

[Kaushal S. <kau...@gm...>]

Hi,

Can some one point me to the exact URL in forums to understand about
policies in ossim ?

Thanks and Regards,

Kaushal

[Os-sim-devel] nessus vs openvas on ossim

[Kaushal S. <kau...@gm...>]

Hi,

Is there a step by step guide to configure openvas on ossim? is
openvas preferred over nessus. Please guide

I did post my query to the ossim forum as well as the ossim mailing
list too. Still have not got any answers from either of them.

https://www.alienvault.com/forum/index.php?t=msg&th=2309&start=0&S=41e00b6bf89e5ef4fa8dbe5077f8cd1f

Please suggest.

Thanks and Regards,

Kaushal

[Os-sim-devel] LDAP v2 vs v3

[Branson M. <br...@sa...>]

Hey all,

 I played with OSSIM at Shmoocon, and have installed it in my office and am starting to play with it. I found a small issue you might wanna resolve: the LDAP stuff won't bind to a v3 (OpenLDAP default or OpenDirectory ) server because the default ldap_bind uses v2.  This was simply solved thusly:

ro...@ja... # diff Session.inc Session.inc.orig 
285,288d284
< 
<       #-- handle LDAP v3 binds
<         ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
< 

 I'd recommend adding a config var in the user-auth stuff to allow for v3 binds.  Also .. while stunnel is a way to handle a TLS binding .. might be worth putting the code in to handle ldaps:// vs ldap://. I'd be willing to write that if you'd like it.  If there's someone that handles this area of the codebase.. please ping me and I can write the diffs up for you.  Thanks.

-b 

Branson Matheson
br...@sa...
Office: 757-320-4230 x6010
Cell: 757 560 2647

[Os-sim-devel] Dealing with syslog rotation

[Brian L. <br...@br...>]

I was looking at the ParserLog.py code for the agent, and it currently
has no way of telling when the log file is rotated. I found a chunk of
code that stats the file, and would reopen it, but I think it will
suffer from a race condition if the log file is closed and then a bunch
of log data is written to it again, before it stats it again to realize
the log file was closed and then rotated again. Not to mention that it
reads a block, but I am sure one could split on newlines. Has anyone
else looked at this problem?

Snippet from ParserLog.py that reads log file.
ParserLog.py


        while 1:

            # is plugin enabled?
            if not self._plugin.getboolean("config", "enable"):

                # wait until plugin is enabled
                while not self._plugin.getboolean("config", "enable"):
                    time.sleep(1)

                # plugin is now enabled, skip events generated on
                # 'disable' state, so move to the end of file
                fd.seek(0, 2)

            self._thresholding()

            where = fd.tell()
            line = fd.readline()

            if not line: # EOF reached
                time.sleep(1)
                fd.seek(where)
            else:

                # this could make a lot of noise...
                # logger.debug('Line read: %s' % (line))

                for rule in self.rules:
#                    logger.info("Trying rule: [%s]" % (rule.name))
                    rule.feed(line)
                    if rule.match():
                        logger.debug("Matched rule: [%s]" % (rule.name))
                        event = rule.generate_event()
                        if event is not None:
                            self.send_message(event)

                            # one rule matched, no need to check more
                            break

        fd.close()

Code, that could detect closing of syslog file. Reads chunks too. 

#!/usr/bin/python

import os
import time
import sys

def process_next_part(part):
	print part

lastsize=os.path.getsize('/var/log/syslog')
f=open('/var/log/syslog')

while 1:
    size=os.path.getsize('/var/log/syslog')
    if size>lastsize:
        f.seek(lastsize)
        part = f.read(size-lastsize)  # reads chunks, not lines!
        process_next_part(part)
	lastsize = size
    elif size==lastsize:
        time.sleep(0.2) # seconds to wait
    elif size<lastsize:
        print >>sys.stderr, "/var/log/syslog got truncated"
        f.close()
	f=open('/var/log/syslog')
	f.seek(0)
	part = f.read(size)  # reads chunks, not lines!
        lastsize=size


-- 
Brian Lavender
http://www.brie.com/brian/

[Os-sim-devel] GSoC 2008

[Dominique K. <dk...@os...>]

I'm happy to announce that ossim has been chosen to take part in the  
Google Summer of Code program this year:

http://code.google.com/soc/2008/ossim/about.html

This is an interesting opportunity for both long time users as well as  
new ones (specially students) to get acquainted with ossim and be able  
to contribute something to the project (aaah, and get paid for it ;-) ).

I haven't read the entire faq yet and will post updates and guidelines  
somewhere visible, but I know studend applications start on Monday  
March 24 2008 and mentors can allready apply under:

http://code.google.com/soc/mentor_step1.html

Anyway, please don't hesitate to contact me should you have questions  
regarding this, or event better, join us at #ossim on irc.freenode.org  
and we'll chat about this a bit more.

Greetings,

Dominique

Re: [Os-sim-devel] OSSEC Integration questions

[Dominique K. <dk...@os...>]

Found the problem, it was due to a recent change in the Agent's code  
that's not yet supported on the server, regarding multi-line logs.

We didn't notice this before releasing the latest installer / updater  
but fixed this yesterday.

Please copy the attached file over /usr/share/ossim-agent/ossim_agent/  
and restart the agent, from there on ossec should work again.

Greetings and sorry for the late reply,

Dominique

PS: Just finished http://www.ossim.net/bugs/ for these sort of issues,  
will announce it tomorrow on forums and ossim.net news :-)

Re: [Os-sim-devel] [Os-sim-support] #OSSIM jumpstart - IRC

[Dominique K. <dk...@os...>]

Good idea, been neglecting that too long, I'll be joining now on a  
more regular basis :-)

Greetings,

Dominique

Am 31.01.2008 um 13:39 schrieb Stephan Buys:

> Hi all,
>
> I wanted to do a shout out to the mailing lists and encourage other
> OSSIM users (and perhaps even the gents at ossim.com) to join the
> #OSSIM channel on irc.freenode.net
>
> Perhaps it would be a good place to share knowledge and get an active
> community going?
>
> Kind regards,
> Stephan Buys
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Os-sim-support mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-support

Re: [Os-sim-devel] OSSEC Integration questions

[Alberto R. L. <al...@os...>]

Hello Stephan,

Please, could you post here or send to me the (almost) complete server.log 
file? I'll try to reproduce the problem but I would need the exact event as 
it arrives to server.

Thanks!
Alberto.


El Jueves, 28 de Febrero de 2008 07:34, Stephan Buys escribió:
> Hello,
>
> I have added an agent to OSSEC on a brand net OSSIM-1.0.4 installer
> image.
> The agent shows online and available (it is a Windows 2000 machine).
>
> When I look at /var/ossec/logs/alert/alerts.log I get:
>
> ** Alert 1204179624.57051: - windows,authentication_success,
> 2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
> Rule: 18107 (level 3) -> 'Windows Logon Success.'
> Src IP: (none)
> User: Administrator
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator:
> TESTWIN2000: TESTWIN2000: Successful Logon:           User Name:
> Administrator        Domain:TESTWIN2000      Logon ID:
> (0x0,0x2EB97)           Logon Type: 2          Logon Process:
> User32            Authentication Package: Negotiate       Workstation
> Name: TESTWIN2000
>
> So all seems good.
>
> I then enabled the ossec plugin on the agent by adding the ossec.cfg
> line into config.cfg and restarting the agent.
>
> Now when I look at the /var/log/ossim/agent.log I get:
>
> 2008 Feb 27 11:46:42 (Win2000test) 172.16.95.40->WinEvtLog
> Rule: 18119 (level 3) -> First time this user logged in this system.
> Src IP: (none)
> User: Administrator
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator:
> TESTWIN2000: T
> ESTWIN2000: Successful Logon:           User Name:
> Administrator        Domain:
>          TESTWIN2000     Logon ID:       (0x0,0xEBC3)            Logon
> Type: 2
>          Logon Process: User32           Authentication Package:
> Negotiate
> Workstation Name: TESTWIN2000"
> 2008-02-27 11:46:43,746 Conn [ERROR]: Error receiving data from
> server: (104, 'C
> onnection reset by peer')
> 2008-02-27 11:46:53,138 Output [INFO]: plugin-process-unknown
> plugin_id="1503"
> 2008-02-27 11:46:53,140 Conn [ERROR]: (32, 'Broken pipe')
> 2008-02-27 11:46:53,140 Conn [INFO]: Closing server connection..
>
> And on the server.log:
>
> 2008-02-27 22:04:12 OSSIM-Message: Session Sensor : REMOVED
> 2008-02-27 22:04:12 OSSIM-Message:               Removed IP:
> 172.16.95.21
> 2008-02-27 22:04:12 OSSIM-Message: Session Removed
>
> I suspect that there is an issue with the agent passing the message to
> the server but so far I have not been able to fix it.
>
> Any ideas?
>
> Kind regards,
> Stephan Buys
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Os-sim-devel mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-devel

[Os-sim-devel] OSSEC Integration questions

[Stephan B. <mai...@st...>]

Hello,

I have added an agent to OSSEC on a brand net OSSIM-1.0.4 installer  
image.
The agent shows online and available (it is a Windows 2000 machine).

When I look at /var/ossec/logs/alert/alerts.log I get:

** Alert 1204179624.57051: - windows,authentication_success,
2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator:  
TESTWIN2000: TESTWIN2000: Successful Logon:           User Name:  
Administrator        Domain:TESTWIN2000      Logon ID:        
(0x0,0x2EB97)           Logon Type: 2          Logon Process:  
User32            Authentication Package: Negotiate       Workstation  
Name: TESTWIN2000

So all seems good.

I then enabled the ossec plugin on the agent by adding the ossec.cfg  
line into config.cfg and restarting the agent.

Now when I look at the /var/log/ossim/agent.log I get:

2008 Feb 27 11:46:42 (Win2000test) 172.16.95.40->WinEvtLog
Rule: 18119 (level 3) -> First time this user logged in this system.
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator:  
TESTWIN2000: T
ESTWIN2000: Successful Logon:           User Name:  
Administrator        Domain:
         TESTWIN2000     Logon ID:       (0x0,0xEBC3)            Logon  
Type: 2
         Logon Process: User32           Authentication Package:  
Negotiate
Workstation Name: TESTWIN2000"
2008-02-27 11:46:43,746 Conn [ERROR]: Error receiving data from  
server: (104, 'C
onnection reset by peer')
2008-02-27 11:46:53,138 Output [INFO]: plugin-process-unknown  
plugin_id="1503"
2008-02-27 11:46:53,140 Conn [ERROR]: (32, 'Broken pipe')
2008-02-27 11:46:53,140 Conn [INFO]: Closing server connection..

And on the server.log:

2008-02-27 22:04:12 OSSIM-Message: Session Sensor : REMOVED
2008-02-27 22:04:12 OSSIM-Message:               Removed IP:  
172.16.95.21
2008-02-27 22:04:12 OSSIM-Message: Session Removed

I suspect that there is an issue with the agent passing the message to  
the server but so far I have not been able to fix it.

Any ideas?

Kind regards,
Stephan Buys

[Os-sim-devel] #OSSIM jumpstart - IRC

[Stephan B. <mai...@st...>]

Hi all,

I wanted to do a shout out to the mailing lists and encourage other  
OSSIM users (and perhaps even the gents at ossim.com) to join the  
#OSSIM channel on irc.freenode.net

Perhaps it would be a good place to share knowledge and get an active  
community going?

Kind regards,
Stephan Buys

Re: [Os-sim-devel] Ossim-server debug error

[Alberto R. L. <al...@os...>]

Hello,

The ossim-server that is included in the ISO hasn't got the fix to solve th=
at,=20
its not the last one available. In the next ossim iso release we will updat=
e=20
it. And you're right, the buffer was a bit small to handle certain events.

You can download it from CVS, and simply substitute the /usr/bin/ossim-serv=
er=20
binary.

Anyway, in the meantime, for those of you that has problems with CVS, I've =
put=20
an  ossim-server binary  that fixes that issue (and others) in:=20
http://www.ossim.net/ar/ossim-server.bz2

Regards,
Alberto.


El Mi=E9rcoles, 30 de Enero de 2008 19:33, Jon Uriona escribi=F3:
> Hi all,
>
>  From time to time, snortunified events reset the socket between server
> and sensor... Seems that the event sent is bigger than it should (more
> than the reserved buffer??)...
>
> Here is the debug log:
>
> ******
> 2008-01-30 19:19:33 OSSIM-Debug: sim_session_read: Buffer: snort-event
> sensor=3D"172.22.17.60" interface=3D"eth1"
> gzipdata=3D"789cd556db6edb3810fd15c3ef0d28cef0a205fc2d812c525963b3b12bab2=
df2f
>77bce507612d71b14dda7adab581ccee5cc19ced0cbeba9eeb6a52e755c8ef3765386056be=
f5
>cfee2ba2fe2365dff07fefbb8dd9c5f8ef3f2f87428bb6dd7f597f5d9d6d7edb97ec7f2b21=
a9
>f87f3f9301dc661391c5f765b77d938cd87e37c585e775bd96e36a761fcab2e8f8b61399cb=
69
>bc3e9f17b9d775bb5d73fcbfc5c611d6cb51ccfe608af26edd4b7158178ed53b6d5719ace7=
52
>134c9cdcdb23cefb6b1bd9fe6e372c4ca16e3f9dbdfdc91d8dbfa3c8fb04bfec1fb07e91f7=
27
>358cef4d62ba4fa10e383079ccd3242fd848c9048e8029c53529a24bb8b46fd8a7d1f33684=
dc
>4472172864a08d16bccabe115b4cfabe9f43c3c9d1bc14df0e3f0528e3f404656d78c1a7cd=
f6
>b5e3d7f9b9f4ecb6c2435afa7e5852af2b61e8fa55a9dd6b531e9aecbd3f0fa7c1cc0e77fb=
7c
>81f2df2cf162ea6ba1fcaa06e98465ffdeae1ba1f9c4e4102caeca7d8c5118f44942769ecf=
c9
>45cf23140d2c7c957c80592ec9de6a0f8c0463a5fc5b9e206a5a5c4000d95c13bd814784b3=
1c
>073c22afaf1a3149e4acad1c71ed1204dee56230ec9217efac9d27dd88125562334885d893=
6d
>6d5bfc48c95c47d4ad88bb02e31324fee7c6a1d638d8aace103360148915d1c7fdd061a13a=
20
>6b0
> 8937e8d4a49f59d30afa1338373d3ff8c90fe436b00a919ef818bb39293e4ea88328fc87b=
87
>d340df81bf04d240148ee5496ace00df998c6b5b6b795f4456959634aa1b16fd161639a42e=
4e
>687b995a0a9675d4ca7c0626476c9b5b8881a2dbb023ed532ef640f4de0856e35994fbd60f=
f7
>73e923066324601f088442f9d00a620a8f83b793122f1937fe46798531a88d7aaa4c6f9683=
88
>3550159935dd81a13cc99565a801f76d01dc9ad287b02f5cbe6bf58fe6ab501dbcc584b10e=
d3
>578a0a32e6521190ee59941459c5676a504ec1b4be8d2d8de7cd5aa81bb2a3a060f2d76211=
f1
>5112fdef7962f6b2c0de3e727e45e2d51f76075c704a5077806b7d219139c0be4001d69bc5=
5c
>c87c2f315d96fe1ea6f8a7b445ccf0cb4bac601ea545a2e7165d2664c270594e3dbb091034=
30
>ad6e1c5b483cd00300d7bac911d4849ec30c6be48d773cdd34664164b2400bf0343d468738=
db
>106dbef21373cdae91e0f2a8ccb4e2d4b6f78ba569b0beef77ac4aa37795cb36b1938e00cd=
67
>bf0a0b848756a5e50d56b3d0326317d256913019ec113fb14b3a743e6cc21589f46ceb214b=
96
>60ce1744a5c49583baa757cb599c5988a1cad7e121561dea2e324069a111370f48a6dec748=
a5
>b816f385205e74c90ab2a0061f0773a6295748fdba3070f28382ca9c1ccaa0e765ea780ae6=
e9
>3d df8e844ad02ac4358
> 2008-01-30 19:19:33 OSSIM-Message: Received error. Inconsistent data
> entry, closing socket. Received:2048 Buffer lenght: 2047: 0: Success
> 2008-01-30 19:19:33 OSSIM-Message: Session Sensor : REMOVED
> 2008-01-30 19:19:33 OSSIM-Message:               Removed IP: 172.22.17.60
> 2008-01-30 19:19:33 OSSIM-Message: Session Removed
> ******
>
> Thanx,
>
> Jon
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Os-sim-devel mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-devel

[Os-sim-devel] Ossim-server debug error

[Jon U. <jur...@ya...>]

Hi all,

 From time to time, snortunified events reset the socket between server=20
and sensor... Seems that the event sent is bigger than it should (more=20
than the reserved buffer??)...

Here is the debug log:

******
2008-01-30 19:19:33 OSSIM-Debug: sim_session_read: Buffer: snort-event=20
sensor=3D"172.22.17.60" interface=3D"eth1"=20
gzipdata=3D"789cd556db6edb3810fd15c3ef0d28cef0a205fc2d812c525963b3b12bab2=
df2f77bce507612d71b14dda7adab581ccee5cc19ced0cbeba9eeb6a52e755c8ef3765386=
056bef5cfee2ba2fe2365dff07fefbb8dd9c5f8ef3f2f87428bb6dd7f597f5d9d6d7edb97=
ec7f2b21a9f87f3f9301dc661391c5f765b77d938cd87e37c585e775bd96e36a761fcab2e=
8f8b61399cb69bc3e9f17b9d775bb5d73fcbfc5c611d6cb51ccfe608af26edd4b7158178e=
d53b6d5719ace752134c9cdcdb23cefb6b1bd9fe6e372c4ca16e3f9dbdfdc91d8dbfa3c8f=
b04bfec1fb07e91f727358cef4d62ba4fa10e383079ccd3242fd848c9048e8029c53529a2=
4bb8b46fd8a7d1f33684dc4472172864a08d16bccabe115b4cfabe9f43c3c9d1bc14df0e3=
f0528e3f404656d78c1a7cdf6b5e3d7f9b9f4ecb6c2435afa7e5852af2b61e8fa55a9dd6b=
531e9aecbd3f0fa7c1cc0e77fb7c81f2df2cf162ea6ba1fcaa06e98465ffdeae1ba1f9c4e=
4102caeca7d8c5118f44942769ecfc945cf23140d2c7c957c80592ec9de6a0f8c0463a5fc=
5b9e206a5a5c4000d95c13bd814784b31c073c22afaf1a3149e4acad1c71ed1204dee5623=
0ec9217efac9d27dd88125562334885d8936d6d5bfc48c95c47d4ad88bb02e31324fee7c6=
a1d638d8aace103360148915d1c7fdd061a13a206b08937e8d4a49f59d30afa1338373d3f=
f8c90fe436b00a919ef818bb39293e4ea88328fc87b87d340df81bf04d240148ee5496ace=
00df998c6b5b6b795f4456959634aa1b16fd161639a42e4e687b995a0a9675d4ca7c06264=
76c9b5b8881a2dbb023ed532ef640f4de0856e35994fbd60ff773e923066324601f088442=
f9d00a620a8f83b793122f1937fe46798531a88d7aaa4c6f9683883550159935dd81a13cc=
99565a801f76d01dc9ad287b02f5cbe6bf58fe6ab501dbcc584b10ed3578a0a32e6521190=
ee59941459c5676a504ec1b4be8d2d8de7cd5aa81bb2a3a060f2d76211f15112fdef7962f=
6b2c0de3e727e45e2d51f76075c704a5077806b7d219139c0be4001d69bc55cc87c2f315d=
96fe1ea6f8a7b445ccf0cb4bac601ea545a2e7165d2664c270594e3dbb09103430ad6e1c5=
b483cd00300d7bac911d4849ec30c6be48d773cdd34664164b2400bf0343d468738db106d=
bef21373cdae91e0f2a8ccb4e2d4b6f78ba569b0beef77ac4aa37795cb36b1938e00cd67b=
f0a0b848756a5e50d56b3d0326317d256913019ec113fb14b3a743e6cc21589f46ceb214b=
9660ce1744a5c49583baa757cb599c5988a1cad7e121561dea2e324069a111370f48a6dec=
748a5b816f385205e74c90ab2a0061f0773a6295748fdba3070f28382ca9c1ccaa0e765ea=
780ae6e93ddf8e844ad02ac4358
2008-01-30 19:19:33 OSSIM-Message: Received error. Inconsistent data=20
entry, closing socket. Received:2048 Buffer lenght: 2047: 0: Success
2008-01-30 19:19:33 OSSIM-Message: Session Sensor : REMOVED
2008-01-30 19:19:33 OSSIM-Message:               Removed IP: 172.22.17.60=

2008-01-30 19:19:33 OSSIM-Message: Session Removed
******

Thanx,

Jon

[Os-sim-devel] OSSIM Installer Snort Configuration bug

[Stephan B. <mai...@st...>]

Hello,

Just wanted to bring it to the developers attention that the  
DEBIAN_SNORT_HOME_NET variable in /etc/snort/snort.debian.conf does  
not get set properly resulting in some Snort rules not firing. In my  
case the network I was testing on was 172.16.x.x/24 but the variable  
was set to 192.168.0.0/16.

Kind regards,
Stephan Buys

Re: [Os-sim-devel] [ossec-dev] OSSEC and OSSIM integration.

[Daniel C. <dc...@os...>]

Hi Dominique,

First, I have to say that I am very happy to see OSSEC+OSSIM together and
your plug in seems to be working quite well. Rest inline...



On 11/19/07, Dominique Karg <dk...@os...> wrote:
>
> - ossim needs to know 'what' has generated 'which' events. We call the
> event generators the "plugins", while individual events are the
> "plugin_sid"s. It was quite easy to extract the sids from the rule
> files but I'm not so sure about the generators. And I haven't found
> them either in the log output.

The way we track who generated the alert is based on the location where it
came from. It can be "/var/log/messages" for a local log message or
"agent_name->/var/log/http/error_log" for a message from one agent or
even
"1.2.3.4" for a log received remotely via syslog... I don't know if
that's what you
are looking for, but it is at the header of the alert:

** Alert 1194921832.980: - syslog,errors,
2007 Nov 12 22:43:52 copacabana->/var/log/messages
Rule: 1006 (level 5) -> 'Syslogd restarted.'
..




> - Is there any way ossec determines the "priority" or importance of an
> attack ? the "level" parameter maybe ?

Yes, level is how we determine the severity of the alert. It is
user-defined from 0 to 255, but on our official rules we only use from
0 to 15 (0 is lowest and 15 highest).



> - Is everything being logged into /var/ossec/logs/alerts/alerts.log by
> default ? or is some information thrown into other files and not into
> that one ?

Everything is logged at /var/ossec/logs/alerts/Year/Month/ossec-alerts-day.log
For today's log it would be:

/var/ossec/logs/alerts/2007/Nov/ossec-alerts-12.log

The file alerts.log is just a link to the latest alert file (for easy
tailing/catting).

Also, we have a ossec.log file for ossec's info/error messages and the
active-response.log for the active response stuff... However, I think
you only need
to care about the alerts one.


> - Could the sensor's ip address be logged instead only the name ? (I
> guess not always, syslog restrictions)

It depends from where you are getting the log from... If you are reading from
a local log file, it will use whatever is in the log (generally the
hostname from
syslog). However, if you are using the server/agent architecture, the ip address
will be in the alerts header (agent name, ip address and location):

** Alert 1195551157.1622: mail  - windows,time_changed,
2007 Nov 20 05:32:37 (winhome) 192.168.2.190->WinEvtLog
Rule: 18140 (level 7) -> 'System time changed.'



> - Could we add a md5sum to the original log files, for compliance and
> regulatory stuff ?

We do that already (chained md5 + sha1 of the logs):
http://www.ossec.net/dcid/?p=74



> And:
>
> - Would it be possible to incorporate a source patch for an 'ossim'
> output module into 1.5 so the missing information could be made
> present ?

For sure :)



> I'll continue to work on this tomorrow, getting some specific graphs
> done for ossec. Soon I'll release another version of the installer CD
> we recently started providing at http://www.ossim.com/home.php?id=download
>   (announcement can be found at http://www.ossim.net) which will
> include an already pre-configured ossec and windows agents configured
> to connect easily with the server.


That's great. I added you already to my MSN/Gtalk so we can talk in real time
if necessary...



> Any type of help (comments, code, documentation) is welcome, I think
> making ossec and ossim talk together is something from which both
> projects can benefit greatly :-)

Yes, I agree 100%.  Hopefully I was able to answer your initial questions...


> Greetings,
>
> Dominique
>


Thanks,


Daniel

[Os-sim-devel] OSSEC and OSSIM integration.

[Dominique K. <dk...@os...>]

Hello Everybody,

sorry for the crosspost but I thought the subject could be interesting  
on both lists.

Some months ago Daniel (from ossec project lead) and me (ossim project  
lead) exchanged a couple of mails about both systems, but we didn't  
get any further in conversations due to, well, guess mainly lack of  
time.

Now I've got some more time and started poking around with ossec and I  
must say I'm very pleased. Everything looks solid and well designed  
and it was very easy for me to extract all the needed information in  
order to start working on a plugin.

The results so far can be seen here: http://www.ossim.com/dk/ossec/.

I've got a working plugin for each main input file and some  
identifiers to work with them.

My next issues/steps/comments are as follows:

- ossim needs to know 'what' has generated 'which' events. We call the  
event generators the "plugins", while individual events are the  
"plugin_sid"s. It was quite easy to extract the sids from the rule  
files but I'm not so sure about the generators. And I haven't found  
them either in the log output.
- Is there any way ossec determines the "priority" or importance of an  
attack ? the "level" parameter maybe ?
- Is everything being logged into /var/ossec/logs/alerts/alerts.log by  
default ? or is some information thrown into other files and not into  
that one ?
- Could the sensor's ip address be logged instead only the name ? (I  
guess not always, syslog restrictions)
- Could we add a md5sum to the original log files, for compliance and  
regulatory stuff ?

And:

- Would it be possible to incorporate a source patch for an 'ossim'  
output module into 1.5 so the missing information could be made  
present ?

I'll continue to work on this tomorrow, getting some specific graphs  
done for ossec. Soon I'll release another version of the installer CD  
we recently started providing at http://www.ossim.com/home.php?id=download 
  (announcement can be found at http://www.ossim.net) which will  
include an already pre-configured ossec and windows agents configured  
to connect easily with the server.

Any type of help (comments, code, documentation) is welcome, I think  
making ossec and ossim talk together is something from which both  
projects can benefit greatly :-)

Greetings,

Dominique

Re: [Os-sim-devel] Integration

[Dominique K. <dk...@os...>]

Hey there,

what exactly do you want to do ?

I couldn't see any files on your project in order to check what you  
could mean, do you want to integrate OpenFWTK as a plugin in order to  
feed the resulting events to the collection, correlation, reporting,  
etc... functionalities ?

What exactly is OpenFWTK going to do ?

If what you want is getting the output of your logs into ossim, then  
it's quite easy, I shall give you some guidelines and references.

Greetings,

Dominique

Am 17.08.2007 um 15:56 schrieb ArkanoiD:

> Hi,
>
> I am project admin of OpenFWTK, application proxy firewall
> (http://sourceforge.net/projects/openfwtk/)
>
> Our development team was very excited by OSSIM features and look and
> we'd like to integrate out reporting and monitoring system (which is
> quite ebbryonic atm) with it. Could you please give us some guidelines
> and suggestions?
>
>
> ---------------------------------------------------------------------- 
> ---
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a  
> browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> Os-sim-devel mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-devel

Re: [Os-sim-devel] Integration

[ArkanoiD <ar...@el...>]

..it's our legacy silly reporting tool:

http://openfwtk.cvs.sourceforge.net/openfwtk/fwtk/reports/

Re: [Os-sim-devel] Integration

[ArkanoiD <ar...@el...>]

We haven't released yet. All code is just in CVS, you may checkout or browse.
Not all man pages are ready, but there are some and some README's.

Do you remember TIS fwtk? It's just like that, application proxy suite for
numerous protocols, but with new API, content
inspection and stuff. Yes, we'd like to feed logs for reporting, collection
and corellation. Maybe using logs is not realtime enough, so we may deploy
some event API if you have one.

On Fri, Aug 17, 2007 at 04:06:22PM +0200, Dominique Karg wrote:
> Hey there,
> 
> what exactly do you want to do ?
> 
> I couldn't see any files on your project in order to check what you  
> could mean, do you want to integrate OpenFWTK as a plugin in order to  
> feed the resulting events to the collection, correlation, reporting,  
> etc... functionalities ?
> 
> What exactly is OpenFWTK going to do ?
> 
> If what you want is getting the output of your logs into ossim, then  
> it's quite easy, I shall give you some guidelines and references.
> 
> Greetings,
> 
> Dominique
> 
> Am 17.08.2007 um 15:56 schrieb ArkanoiD:
> 
> >Hi,
> >
> >I am project admin of OpenFWTK, application proxy firewall
> >(http://sourceforge.net/projects/openfwtk/)
> >
> >Our development team was very excited by OSSIM features and look and
> >we'd like to integrate out reporting and monitoring system (which is
> >quite ebbryonic atm) with it. Could you please give us some guidelines
> >and suggestions?
> >
> >
> >---------------------------------------------------------------------- 
> >---
> >This SF.net email is sponsored by: Splunk Inc.
> >Still grepping through log files to find problems?  Stop.
> >Now Search log events and configuration files using AJAX and a  
> >browser.
> >Download your FREE copy of Splunk now >>  http://get.splunk.com/
> >_______________________________________________
> >Os-sim-devel mailing list
> >Os-...@li...
> >https://lists.sourceforge.net/lists/listinfo/os-sim-devel
> 
> 
> email protected and scanned by AdvascanTM - keeping email useful - 
> www.advascan.com 
> 

[Os-sim-devel] Integration

[ArkanoiD <ar...@el...>]

Hi,

I am project admin of OpenFWTK, application proxy firewall
(http://sourceforge.net/projects/openfwtk/)

Our development team was very excited by OSSIM features and look and
we'd like to integrate out reporting and monitoring system (which is
quite ebbryonic atm) with it. Could you please give us some guidelines
and suggestions?

Re: [Os-sim-devel] installation on SPARC

[Dominique K. <dk...@os...>]

Hi Austin,

have done it years ago (solaris 7 iirc) and yes it worked, but it was =20=

a real pain to setup. Got most of the deps from sunfreeware.

If you're going to setup some sort of linux or similar tho it might =20
be easier. No architecture problems that we're aware of.

Greetings,

Dominique

Am 01.04.2007 um 20:56 schrieb Austin G. Smith:

> Have you tested OSSIM on a sparc platform?  I haven=92t installed any =20=

> OS on the machine yet and would like to know if you have done any =20
> testing on this arch yet.
>
>
>
> Please let me know.
>
> Thanks!
>
>
>
> Austin G. Smith, A+, MCP
>
> Digital Son, I.T. Services
>
> www.digitalson.com
>
> 678.213.0550 x:101 Office
>
> 678.213.0535 Fax
>
> Need reliable hosting?
>
> www.digitalsonhosting.com
>
>
>
>
>
>
>
> ----------------------------------------------------------------------=20=

> ---
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to =20
> share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?=20
> page=3Djoin.php&p=3Dsourceforge&CID=3DDEVDEV____________________________=
____=20
> _______________
> Os-sim-devel mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-devel

[Os-sim-devel] installation on SPARC

[Austin G. S. <Au...@di...>]

Have you tested OSSIM on a sparc platform?  I haven't installed any OS
on the machine yet and would like to know if you have done any testing
on this arch yet.

=20

Please let me know.

Thanks!

=20

Austin G. Smith, A+, MCP

Digital Son, I.T. Services

www.digitalson.com <http://www.digitalson.com/>=20

678.213.0550 x:101 Office

678.213.0535 Fax

=09
=09
Need reliable hosting?

www.digitalsonhosting.com <http://www.digitalsonhosting.com/> =20

=20

=20

=20

[Os-sim-devel] snare +ossim

[sanjoy <san...@gm...>]

could somebody tell me how to use snare with ossim.. how do i configure ossim to
pull logs from snare

regards 
Sanjoy

Re: [Os-sim-devel] ossim ports for freebsd

[<il...@ti...>]

any answers?








Tiscali ADSL 4 Mega Flat=20

Naviga senza limiti a 19,95 Euro al mese con 4 Megabps di velocit=C3=A0. At=
tiva subito: hai 2 MESI di canone adsl GRATIS!

In pi=C3=B9, se sei raggiunto dalla rete Tiscali, telefoni senza pagare il =
canone Telecom.=20

Scopri subito come risparmiare!=20

http://abbonati.tiscali.it/prodotti/adsl/tc/4flat/

[Os-sim-devel] ossim ports for freebsd

[<il...@ti...>]

Hi,
I'm Massimo, an italian network managing and security student.

Actually I'm make a security stage in Pisa, Italy.
For this stage I'm following the ossim development and my tutor=20
proposes me to build two sensor, a bsd-based sensor and a linux-based=20
sensor, for compare packet loss by libpcap.
In this scenario I use a debian (or centos?) host with ossim-server=20
and ossim-framework, mysql, apache etc., a freebsd sensor with freebsd=20
and sniffing instruments, a linux clone sensor (gentoo???).

I find all instruments I need on freebsd but i want use the power of=20
ports: i'm writing the ossim-agent port but I need some  ossim patched=20
instruments like snort, ntop, arpwatch ,etc.
Freebsd users tell me me to ask at these ports mantainers to include=20
ossim patch for let the sysadmin to choose if he wants them or not at=20
build time (like this example http://blog.innerewut.de/files/images/ar.
png) but first i ask your opinion.=20

Bye.=20








Tiscali ADSL 4 Mega Flat=20

Naviga senza limiti a 19,95 Euro al mese con 4 Megabps di velocit=C3=A0. At=
tiva subito: hai 2 MESI di canone adsl GRATIS!

In pi=C3=B9, se sei raggiunto dalla rete Tiscali, telefoni senza pagare il =
canone Telecom.=20

Scopri subito come risparmiare!=20

http://abbonati.tiscali.it/prodotti/adsl/tc/4flat/