From: Kaushal S. <kau...@gm...> - 2010-04-26 23:10:06

On Mon, Apr 26, 2010 at 3:12 PM, Tony Carter <tc...@xt...> wrote:
> http://www.ossim.net/wiki/doku.php?id=user_manual:policy
>
> HTH,
> Tony

Thanks Tony. Is it ok to ask if I have questions?

Thanks and Regards
Kaushal
From: Kaushal S. <kau...@gm...> - 2010-04-26 20:39:14

Hi,

Can someone point me to the exact URL in the forums to understand policies in ossim?

Thanks and Regards,
Kaushal
From: Kaushal S. <kau...@gm...> - 2010-04-23 18:46:51

Hi,

Is there a step by step guide to configure openvas on ossim? Is openvas preferred over nessus? Please guide.

I did post my query to the ossim forum as well as the ossim mailing list too. Still have not got any answers from either of them.
https://www.alienvault.com/forum/index.php?t=msg&th=2309&start=0&S=41e00b6bf89e5ef4fa8dbe5077f8cd1f

Please suggest.

Thanks and Regards,
Kaushal
From: Branson M. <br...@sa...> - 2010-02-24 15:42:10

Hey all,

I played with OSSIM at Shmoocon, and have installed it in my office and am starting to play with it. I found a small issue you might wanna resolve: the LDAP stuff won't bind to a v3 (OpenLDAP default or OpenDirectory) server because the default ldap_bind uses v2. This was simply solved thusly:

ro...@ja... # diff Session.inc Session.inc.orig 285,288d284 < < #-- handle LDAP v3 binds < ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3); <

I'd recommend adding a config var in the user-auth stuff to allow for v3 binds. Also .. while stunnel is a way to handle a TLS binding .. might be worth putting the code in to handle ldaps:// vs ldap://. I'd be willing to write that if you'd like it. If there's someone that handles this area of the codebase.. please ping me and I can write the diffs up for you.

Thanks.

-b

Branson Matheson
br...@sa...
Office: 757-320-4230 x6010
Cell: 757 560 2647
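Review bot: the arguments to diff are reversed (`diff Session.inc Session.inc.orig`), so the `<` lines under `285,288d284` are the lines being added to Session.inc, not removed; `diff -u Session.inc.orig Session.inc` would give a hunk that applies with patch as written. Two points on the added `ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);` call: it has to run on the same handle before `ldap_bind()` or it has no effect on the bind, and it only changes the protocol version, so the bind credentials still cross the wire in cleartext on `ldap://`. The ldaps:// handling proposed in the message (or an `ldap_start_tls()` call before the bind) is what closes that, and it belongs behind the same config var so a missing TLS setup fails the bind instead of silently falling back to plaintext.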
From: Brian L. <br...@br...> - 2008-05-03 00:54:24

I was looking at the ParserLog.py code for the agent, and it currently has no way of telling when the log file is rotated. I found a chunk of code that stats the file, and would reopen it, but I think it will suffer from a race condition if the log file is closed and then a bunch of log data is written to it again, before it stats it again to realize the log file was closed and then rotated again. Not to mention that it reads a block, but I am sure one could split on newlines. Has anyone else looked at this problem?

Snippet from ParserLog.py that reads log file.

ParserLog.py

    while 1:
        # is plugin enabled?
        if not self._plugin.getboolean("config", "enable"):
            # wait until plugin is enabled
            while not self._plugin.getboolean("config", "enable"):
                time.sleep(1)
            # plugin is now enabled, skip events generated on
            # 'disable' state, so move to the end of file
            fd.seek(0, 2)
        self._thresholding()
        where = fd.tell()
        line = fd.readline()
        if not line:
            # EOF reached
            time.sleep(1)
            fd.seek(where)
        else:
            # this could make a lot of noise...
            # logger.debug('Line read: %s' % (line))
            for rule in self.rules:
                # logger.info("Trying rule: [%s]" % (rule.name))
                rule.feed(line)
                if rule.match():
                    logger.debug("Matched rule: [%s]" % (rule.name))
                    event = rule.generate_event()
                    if event is not None:
                        self.send_message(event)
                    # one rule matched, no need to check more
                    break
    fd.close()

Code, that could detect closing of syslog file. Reads chunks too.

    #!/usr/bin/python
    import os
    import time
    import sys

    def process_next_part(part):
        print part

    lastsize = os.path.getsize('/var/log/syslog')
    f = open('/var/log/syslog')
    while 1:
        size = os.path.getsize('/var/log/syslog')
        if size > lastsize:
            f.seek(lastsize)
            part = f.read(size - lastsize)  # reads chunks, not lines!
            process_next_part(part)
            lastsize = size
        elif size == lastsize:
            time.sleep(0.2)  # seconds to wait
        elif size < lastsize:
            print >>sys.stderr, "/var/log/syslog got truncated"
            f.close()
            f = open('/var/log/syslog')
            f.seek(0)
            part = f.read(size)  # reads chunks, not lines!
            process_next_part(part)  # hand the re-read chunk to the processor as well
            lastsize = size

--
Brian Lavender
http://www.brie.com/brian/
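Added example, not the agent's ParserLog.py nor Brian's script: a line-oriented follower that detects rename rotation by inode and copytruncate by size, buffers partial lines until their newline arrives, and runs against a constructed log in a temporary directory; the LogFollower class and the demo() scenario are my own assumptions. It deliberately reproduces the truncate-and-regrow race Brian describes so the failure mode is visible in the output.

```python
import os
import tempfile


class LogFollower:
    """Follow a log file line by line across rename rotation (the inode behind
    the path changes) and copytruncate (the same inode shrinks below our
    offset).  Partial lines are buffered until their newline arrives."""

    def __init__(self, path):
        self.path = path
        self.fd = None
        self.ino = None
        self.pos = 0
        self.buf = b""
        self._open()

    def _open(self):
        try:
            fd = open(self.path, "rb")
        except FileNotFoundError:
            return  # not there yet; poll() keeps retrying
        self.fd, self.ino = fd, os.fstat(fd.fileno()).st_ino
        self.pos = 0

    def _drain(self):
        """Read everything past the current offset; return the completed lines."""
        data = self.fd.read()
        self.pos = self.fd.tell()
        if not data:
            return []
        self.buf += data
        *complete, self.buf = self.buf.split(b"\n")
        return [line.decode("utf-8", "replace") for line in complete]

    def poll(self):
        """Return the complete lines that arrived since the last call."""
        if self.fd is None:
            self._open()
            if self.fd is None:
                return []
        lines = self._drain()
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return lines  # renamed away, nothing new at the path yet: keep the old inode
        if st.st_ino != self.ino:
            # Rotated: last look at the old inode, flush its unterminated tail
            # (nothing will ever complete it), then pick up the new file at 0.
            lines += self._drain()
            if self.buf:
                lines.append(self.buf.decode("utf-8", "replace"))
                self.buf = b""
            self.fd.close()
            self.fd = None
            return lines + self.poll()
        if st.st_size < self.pos:
            # Truncated in place: bytes before our offset and any held partial
            # line are gone.  This is the race from the thread: if the file is
            # truncated and regrows past self.pos between two polls, a size
            # check cannot see it and the next read starts mid-line.
            self.buf = b""
            self.fd.seek(0)
            self.pos = 0
            lines += self._drain()
        return lines


def demo():
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "syslog")

        def append(p, text):
            with open(p, "ab") as f:
                f.write(text.encode())

        open(path, "wb").close()
        follower = LogFollower(path)
        append(path, "a\nb\n")
        out["lines"] = follower.poll()       # ['a', 'b']
        append(path, "half")
        out["partial"] = follower.poll()     # [] until the newline shows up
        append(path, " line\n")
        out["completed"] = follower.poll()   # ['half line']
        # rename rotation; the writer gets one more line into the old inode
        os.rename(path, path + ".1")
        append(path + ".1", "late\n")
        append(path, "new1\nnew2\n")
        out["rotated"] = follower.poll()     # ['late', 'new1', 'new2']
        # copytruncate: same inode, replaced by something shorter
        with open(path, "wb") as f:
            f.write(b"t\n")
        out["truncated"] = follower.poll()   # ['t']
        # the race: truncated and regrown past the old offset before we look
        with open(path, "wb") as f:
            f.write(b"regrown-past-offset\n")
        out["race"] = follower.poll()        # ['grown-past-offset'], mangled
    return out
```

The last step shows why a size check alone is not enough for copytruncate: the follower has no way to see that the first two bytes of the new content were skipped, which is the argument for rename-style rotation on files an agent tails.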
From: Dominique K. <dk...@os...> - 2008-03-18 08:36:58

I'm happy to announce that ossim has been chosen to take part in the Google Summer of Code program this year:
http://code.google.com/soc/2008/ossim/about.html

This is an interesting opportunity for both long time users as well as new ones (especially students) to get acquainted with ossim and be able to contribute something to the project (aaah, and get paid for it ;-) ).

I haven't read the entire faq yet and will post updates and guidelines somewhere visible, but I know student applications start on Monday March 24 2008 and mentors can already apply under:
http://code.google.com/soc/mentor_step1.html

Anyway, please don't hesitate to contact me should you have questions regarding this, or even better, join us at #ossim on irc.freenode.org and we'll chat about this a bit more.

Greetings,

Dominique
From: Dominique K. <dk...@os...> - 2008-03-05 21:36:40

Found the problem, it was due to a recent change in the Agent's code that's not yet supported on the server, regarding multi-line logs. We didn't notice this before releasing the latest installer / updater but fixed this yesterday.

Please copy the attached file over /usr/share/ossim-agent/ossim_agent/ and restart the agent, from there on ossec should work again.

Greetings and sorry for the late reply,

Dominique

PS: Just finished http://www.ossim.net/bugs/ for this sort of issue, will announce it tomorrow on forums and ossim.net news :-)
From: Dominique K. <dk...@os...> - 2008-03-04 14:45:39

Good idea, been neglecting that too long, I'll be joining now on a more regular basis :-)

Greetings,

Dominique

On 31.01.2008 at 13:39, Stephan Buys wrote:
> Hi all,
>
> I wanted to do a shout out to the mailing lists and encourage other OSSIM users (and perhaps even the gents at ossim.com) to join the #OSSIM channel on irc.freenode.net
>
> Perhaps it would be a good place to share knowledge and get an active community going?
>
> Kind regards,
> Stephan Buys
From: Alberto R. L. <al...@os...> - 2008-02-28 09:36:49

Hello Stephan,

Please, could you post here or send to me the (almost) complete server.log file? I'll try to reproduce the problem but I would need the exact event as it arrives to the server.

Thanks!

Alberto.

On Thursday, 28 February 2008 07:34, Stephan Buys wrote:
> Hello,
>
> I have added an agent to OSSEC on a brand new OSSIM-1.0.4 installer image.
> The agent shows online and available (it is a Windows 2000 machine).
>
> When I look at /var/ossec/logs/alert/alerts.log I get:
>
> ** Alert 1204179624.57051: - windows,authentication_success,
> 2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
> Rule: 18107 (level 3) -> 'Windows Logon Success.'
> Src IP: (none)
> User: Administrator
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain:TESTWIN2000 Logon ID: (0x0,0x2EB97) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000
>
> So all seems good.
>
> I then enabled the ossec plugin on the agent by adding the ossec.cfg line into config.cfg and restarting the agent.
>
> Now when I look at the /var/log/ossim/agent.log I get:
>
> 2008 Feb 27 11:46:42 (Win2000test) 172.16.95.40->WinEvtLog
> Rule: 18119 (level 3) -> First time this user logged in this system.
> Src IP: (none)
> User: Administrator
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain: TESTWIN2000 Logon ID: (0x0,0xEBC3) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000"
> 2008-02-27 11:46:43,746 Conn [ERROR]: Error receiving data from server: (104, 'Connection reset by peer')
> 2008-02-27 11:46:53,138 Output [INFO]: plugin-process-unknown plugin_id="1503"
> 2008-02-27 11:46:53,140 Conn [ERROR]: (32, 'Broken pipe')
> 2008-02-27 11:46:53,140 Conn [INFO]: Closing server connection..
>
> And on the server.log:
>
> 2008-02-27 22:04:12 OSSIM-Message: Session Sensor : REMOVED
> 2008-02-27 22:04:12 OSSIM-Message: Removed IP: 172.16.95.21
> 2008-02-27 22:04:12 OSSIM-Message: Session Removed
>
> I suspect that there is an issue with the agent passing the message to the server but so far I have not been able to fix it.
>
> Any ideas?
>
> Kind regards,
> Stephan Buys
From: Stephan B. <mai...@st...> - 2008-02-28 06:35:22

Hello,

I have added an agent to OSSEC on a brand new OSSIM-1.0.4 installer image. The agent shows online and available (it is a Windows 2000 machine).

When I look at /var/ossec/logs/alert/alerts.log I get:

** Alert 1204179624.57051: - windows,authentication_success,
2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain:TESTWIN2000 Logon ID: (0x0,0x2EB97) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000

So all seems good.

I then enabled the ossec plugin on the agent by adding the ossec.cfg line into config.cfg and restarting the agent.

Now when I look at the /var/log/ossim/agent.log I get:

2008 Feb 27 11:46:42 (Win2000test) 172.16.95.40->WinEvtLog
Rule: 18119 (level 3) -> First time this user logged in this system.
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain: TESTWIN2000 Logon ID: (0x0,0xEBC3) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000"
2008-02-27 11:46:43,746 Conn [ERROR]: Error receiving data from server: (104, 'Connection reset by peer')
2008-02-27 11:46:53,138 Output [INFO]: plugin-process-unknown plugin_id="1503"
2008-02-27 11:46:53,140 Conn [ERROR]: (32, 'Broken pipe')
2008-02-27 11:46:53,140 Conn [INFO]: Closing server connection..

And on the server.log:

2008-02-27 22:04:12 OSSIM-Message: Session Sensor : REMOVED
2008-02-27 22:04:12 OSSIM-Message: Removed IP: 172.16.95.21
2008-02-27 22:04:12 OSSIM-Message: Session Removed

I suspect that there is an issue with the agent passing the message to the server but so far I have not been able to fix it.

Any ideas?

Kind regards,
Stephan Buys
From: Stephan B. <mai...@st...> - 2008-01-31 12:39:04

Hi all,

I wanted to do a shout out to the mailing lists and encourage other OSSIM users (and perhaps even the gents at ossim.com) to join the #OSSIM channel on irc.freenode.net

Perhaps it would be a good place to share knowledge and get an active community going?

Kind regards,
Stephan Buys
From: Alberto R. L. <al...@os...> - 2008-01-31 09:37:25

Hello,

The ossim-server that is included in the ISO hasn't got the fix to solve that, it's not the last one available. In the next ossim iso release we will update it. And you're right, the buffer was a bit small to handle certain events.

You can download it from CVS, and simply substitute the /usr/bin/ossim-server binary.

Anyway, in the meantime, for those of you that have problems with CVS, I've put an ossim-server binary that fixes that issue (and others) in:
http://www.ossim.net/ar/ossim-server.bz2

Regards,

Alberto.

On Wednesday, 30 January 2008 19:33, Jon Uriona wrote:
> Hi all,
>
> From time to time, snortunified events reset the socket between server and sensor... Seems that the event sent is bigger than it should (more than the reserved buffer??)...
>
> Here is the debug log:
>
> ******
> 2008-01-30 19:19:33 OSSIM-Debug: sim_session_read: Buffer: snort-event sensor="172.22.17.60" interface="eth1" gzipdata="[hex gzip payload omitted]"
> 2008-01-30 19:19:33 OSSIM-Message: Received error. Inconsistent data entry, closing socket. Received:2048 Buffer lenght: 2047: 0: Success
> 2008-01-30 19:19:33 OSSIM-Message: Session Sensor : REMOVED
> 2008-01-30 19:19:33 OSSIM-Message: Removed IP: 172.22.17.60
> 2008-01-30 19:19:33 OSSIM-Message: Session Removed
> ******
>
> Thanx,
>
> Jon
From: Jon U. <jur...@ya...> - 2008-01-30 21:37:20

Hi all,

From time to time, snortunified events reset the socket between server and sensor... Seems that the event sent is bigger than it should (more than the reserved buffer??)...

Here is the debug log:

******
2008-01-30 19:19:33 OSSIM-Debug: sim_session_read: Buffer: snort-event sensor="172.22.17.60" interface="eth1" gzipdata="[hex gzip payload omitted]"
2008-01-30 19:19:33 OSSIM-Message: Received error. Inconsistent data entry, closing socket. Received:2048 Buffer lenght: 2047: 0: Success
2008-01-30 19:19:33 OSSIM-Message: Session Sensor : REMOVED
2008-01-30 19:19:33 OSSIM-Message: Removed IP: 172.22.17.60
2008-01-30 19:19:33 OSSIM-Message: Session Removed
******

Thanx,

Jon
From: Stephan B. <mai...@st...> - 2008-01-25 05:57:25

Hello,

Just wanted to bring it to the developers' attention that the DEBIAN_SNORT_HOME_NET variable in /etc/snort/snort.debian.conf does not get set properly, resulting in some Snort rules not firing. In my case the network I was testing on was 172.16.x.x/24 but the variable was set to 192.168.0.0/16.

Kind regards,
Stephan Buys
From: Daniel C. <dc...@os...> - 2007-11-20 23:03:12

Hi Dominique,

First, I have to say that I am very happy to see OSSEC+OSSIM together and your plug in seems to be working quite well. Rest inline...

On 11/19/07, Dominique Karg <dk...@os...> wrote:
>
> - ossim needs to know 'what' has generated 'which' events. We call the event generators the "plugins", while individual events are the "plugin_sid"s. It was quite easy to extract the sids from the rule files but I'm not so sure about the generators. And I haven't found them either in the log output.

The way we track who generated the alert is based on the location where it came from. It can be "/var/log/messages" for a local log message or "agent_name->/var/log/http/error_log" for a message from one agent or even "1.2.3.4" for a log received remotely via syslog... I don't know if that's what you are looking for, but it is at the header of the alert:

** Alert 1194921832.980: - syslog,errors,
2007 Nov 12 22:43:52 copacabana->/var/log/messages
Rule: 1006 (level 5) -> 'Syslogd restarted.'
..

> - Is there any way ossec determines the "priority" or importance of an attack ? the "level" parameter maybe ?

Yes, level is how we determine the severity of the alert. It is user-defined from 0 to 255, but on our official rules we only use from 0 to 15 (0 is lowest and 15 highest).

> - Is everything being logged into /var/ossec/logs/alerts/alerts.log by default ? or is some information thrown into other files and not into that one ?

Everything is logged at /var/ossec/logs/alerts/Year/Month/ossec-alerts-day.log
For today's log it would be: /var/ossec/logs/alerts/2007/Nov/ossec-alerts-12.log
The file alerts.log is just a link to the latest alert file (for easy tailing/catting). Also, we have a ossec.log file for ossec's info/error messages and the active-response.log for the active response stuff... However, I think you only need to care about the alerts one.

> - Could the sensor's ip address be logged instead only the name ? (I guess not always, syslog restrictions)

It depends from where you are getting the log from... If you are reading from a local log file, it will use whatever is in the log (generally the hostname from syslog). However, if you are using the server/agent architecture, the ip address will be in the alerts header (agent name, ip address and location):

** Alert 1195551157.1622: mail - windows,time_changed,
2007 Nov 20 05:32:37 (winhome) 192.168.2.190->WinEvtLog
Rule: 18140 (level 7) -> 'System time changed.'

> - Could we add a md5sum to the original log files, for compliance and regulatory stuff ?

We do that already (chained md5 + sha1 of the logs): http://www.ossec.net/dcid/?p=74

> And:
>
> - Would it be possible to incorporate a source patch for an 'ossim' output module into 1.5 so the missing information could be made present ?

For sure :)

> I'll continue to work on this tomorrow, getting some specific graphs done for ossec. Soon I'll release another version of the installer CD we recently started providing at http://www.ossim.com/home.php?id=download (announcement can be found at http://www.ossim.net) which will include an already pre-configured ossec and windows agents configured to connect easily with the server.

That's great. I added you already to my MSN/Gtalk so we can talk in real time if necessary...

> Any type of help (comments, code, documentation) is welcome, I think making ossec and ossim talk together is something from which both projects can benefit greatly :-)

Yes, I agree 100%. Hopefully I was able to answer your initial questions...

> Greetings,
>
> Dominique
>

Thanks,

Daniel
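A parser for the alert header layout Daniel lays out in this reply (timestamp and groups, then the origin line carrying either a hostname or an agent name plus IP, then the rule id and level), answering the "generator", "priority" and "sensor ip" questions from Dominique's message. This is an added example, not code from OSSEC or OSSIM: SAMPLE_ALERTS is constructed from the alerts quoted in the thread (the syslog payload line in the first one is made up), and the record keys and the to_ossim_event() mapping are my assumptions, not OSSIM's real plugin schema.

```python
import re

# Constructed sample: the three alert headers quoted in this thread, each
# followed by the kind of extra lines OSSEC emits; the syslog payload line
# under the first alert is made up for the example.
SAMPLE_ALERTS = """\
** Alert 1194921832.980: - syslog,errors,
2007 Nov 12 22:43:52 copacabana->/var/log/messages
Rule: 1006 (level 5) -> 'Syslogd restarted.'
Nov 12 22:43:52 copacabana syslogd: restart

** Alert 1195551157.1622: mail - windows,time_changed,
2007 Nov 20 05:32:37 (winhome) 192.168.2.190->WinEvtLog
Rule: 18140 (level 7) -> 'System time changed.'

** Alert 1204179624.57051: - windows,authentication_success,
2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000
"""

# "** Alert <unix time>.<seq>: [flags] - group1,group2,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?: (?P<flags>\S+))? - (?P<groups>.*?),?$")
# "<date> (<agent>) <ip>-><location>" in agent/server mode, "<host>-><location>" otherwise
ORIGIN_RE = re.compile(
    r"^(?P<when>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:\((?P<agent>[^)]*)\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})|(?P<host>\S+?))->(?P<location>.+)$"
)
# "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<sid>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
KEYED = ("Src IP", "Dst IP", "User")


def parse_alert(lines):
    """Turn one alert block (header, origin, rule, then optional lines) into a dict."""
    lines = [l for l in lines if l.strip()]
    if len(lines) < 3:
        raise ValueError("alert block too short")
    h, o, r = HEADER_RE.match(lines[0]), ORIGIN_RE.match(lines[1]), RULE_RE.match(lines[2])
    if not (h and o and r):
        raise ValueError("unrecognised alert header: %r" % lines[:3])
    rec = {
        "timestamp": float(h["ts"]),
        "flags": h["flags"] or "",
        "groups": h["groups"].split(","),
        "when": o["when"],
        "agent": o["agent"],        # only set in agent/server mode
        "ip": o["ip"],              # likewise
        "host": o["host"],          # set for locally read logs
        "location": o["location"],  # the "who generated it" field Daniel describes
        "rule": int(r["sid"]),
        "level": int(r["level"]),
        "description": r["desc"],
        "fields": {},
        "log": [],
    }
    for line in lines[3:]:
        key, sep, val = line.partition(": ")
        if sep and key in KEYED:
            rec["fields"][key] = None if val == "(none)" else val
        else:
            rec["log"].append(line)  # the raw log line(s) that fired the rule
    return rec


def iter_alerts(text):
    """Split an alerts.log stream on '** Alert' lines and parse each block."""
    block = []
    for line in text.splitlines():
        if line.startswith("** Alert ") and block:
            yield parse_alert(block)
            block = []
        if block or line.strip():
            block.append(line)
    if block:
        yield parse_alert(block)


def to_ossim_event(rec):
    """Hypothetical mapping onto the fields asked about in the thread; the key
    names are assumptions, not OSSIM's plugin schema."""
    return {
        "plugin_sid": rec["rule"],   # one OSSEC rule id = one event identifier
        "priority": rec["level"],    # 0..15 in the official rule set
        "sensor": rec["ip"] or rec["agent"] or rec["host"],
        "generator": rec["location"],
        "src_ip": rec["fields"].get("Src IP"),
        "user": rec["fields"].get("User"),
    }
```

Note that the sensor IP is only present in the header when the alert came through the agent/server path; for a locally read log the parser falls back to the hostname, which is exactly the limitation Daniel points out.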
From: Dominique K. <dk...@os...> - 2007-11-19 19:16:15

Hello Everybody,

sorry for the crosspost but I thought the subject could be interesting on both lists.

Some months ago Daniel (from ossec project lead) and me (ossim project lead) exchanged a couple of mails about both systems, but we didn't get any further in conversations due to, well, guess mainly lack of time.

Now I've got some more time and started poking around with ossec and I must say I'm very pleased. Everything looks solid and well designed and it was very easy for me to extract all the needed information in order to start working on a plugin.

The results so far can be seen here: http://www.ossim.com/dk/ossec/. I've got a working plugin for each main input file and some identifiers to work with them.

My next issues/steps/comments are as follows:

- ossim needs to know 'what' has generated 'which' events. We call the event generators the "plugins", while individual events are the "plugin_sid"s. It was quite easy to extract the sids from the rule files but I'm not so sure about the generators. And I haven't found them either in the log output.
- Is there any way ossec determines the "priority" or importance of an attack? the "level" parameter maybe?
- Is everything being logged into /var/ossec/logs/alerts/alerts.log by default? or is some information thrown into other files and not into that one?
- Could the sensor's ip address be logged instead only the name? (I guess not always, syslog restrictions)
- Could we add a md5sum to the original log files, for compliance and regulatory stuff?

And:

- Would it be possible to incorporate a source patch for an 'ossim' output module into 1.5 so the missing information could be made present?

I'll continue to work on this tomorrow, getting some specific graphs done for ossec. Soon I'll release another version of the installer CD we recently started providing at http://www.ossim.com/home.php?id=download (announcement can be found at http://www.ossim.net) which will include an already pre-configured ossec and windows agents configured to connect easily with the server.

Any type of help (comments, code, documentation) is welcome, I think making ossec and ossim talk together is something from which both projects can benefit greatly :-)

Greetings,

Dominique
From: Dominique K. <dk...@os...> - 2007-08-17 15:21:51

Hey there,

what exactly do you want to do?

I couldn't see any files on your project in order to check what you could mean, do you want to integrate OpenFWTK as a plugin in order to feed the resulting events to the collection, correlation, reporting, etc... functionalities?

What exactly is OpenFWTK going to do?

If what you want is getting the output of your logs into ossim, then it's quite easy, I shall give you some guidelines and references.

Greetings,

Dominique

On 17.08.2007 at 15:56, ArkanoiD wrote:
> Hi,
>
> I am project admin of OpenFWTK, application proxy firewall (http://sourceforge.net/projects/openfwtk/)
>
> Our development team was very excited by OSSIM features and look and we'd like to integrate our reporting and monitoring system (which is quite embryonic atm) with it. Could you please give us some guidelines and suggestions?
From: ArkanoiD <ar...@el...> - 2007-08-17 14:36:53

..it's our legacy silly reporting tool: http://openfwtk.cvs.sourceforge.net/openfwtk/fwtk/reports/
From: ArkanoiD <ar...@el...> - 2007-08-17 14:22:54

We haven't released yet. All code is just in CVS, you may checkout or browse. Not all man pages are ready, but there are some and some README's.

Do you remember TIS fwtk? It's just like that, application proxy suite for numerous protocols, but with new API, content inspection and stuff.

Yes, we'd like to feed logs for reporting, collection and correlation. Maybe using logs is not realtime enough, so we may deploy some event API if you have one.

On Fri, Aug 17, 2007 at 04:06:22PM +0200, Dominique Karg wrote:
> Hey there,
>
> what exactly do you want to do ?
>
> I couldn't see any files on your project in order to check what you could mean, do you want to integrate OpenFWTK as a plugin in order to feed the resulting events to the collection, correlation, reporting, etc... functionalities ?
>
> What exactly is OpenFWTK going to do ?
>
> If what you want is getting the output of your logs into ossim, then it's quite easy, I shall give you some guidelines and references.
>
> Greetings,
>
> Dominique
>
> On 17.08.2007 at 15:56, ArkanoiD wrote:
> >Hi,
> >
> >I am project admin of OpenFWTK, application proxy firewall (http://sourceforge.net/projects/openfwtk/)
> >
> >Our development team was very excited by OSSIM features and look and we'd like to integrate our reporting and monitoring system (which is quite embryonic atm) with it. Could you please give us some guidelines and suggestions?
From: ArkanoiD <ar...@el...> - 2007-08-17 13:56:29

Hi,

I am project admin of OpenFWTK, application proxy firewall (http://sourceforge.net/projects/openfwtk/)

Our development team was very excited by OSSIM features and look and we'd like to integrate our reporting and monitoring system (which is quite embryonic atm) with it. Could you please give us some guidelines and suggestions?
From: Dominique K. <dk...@os...> - 2007-04-01 20:33:00

Hi Austin,

have done it years ago (solaris 7 iirc) and yes it worked, but it was a real pain to setup. Got most of the deps from sunfreeware.

If you're going to setup some sort of linux or similar tho it might be easier. No architecture problems that we're aware of.

Greetings,

Dominique

On 01.04.2007 at 20:56, Austin G. Smith wrote:
> Have you tested OSSIM on a sparc platform? I haven't installed any OS on the machine yet and would like to know if you have done any testing on this arch yet.
>
> Please let me know.
>
> Thanks!
>
> Austin G. Smith, A+, MCP
> Digital Son, I.T. Services
> www.digitalson.com
> 678.213.0550 x:101 Office
> 678.213.0535 Fax
> Need reliable hosting?
> www.digitalsonhosting.com
From: Austin G. S. <Au...@di...> - 2007-04-01 18:57:00

Have you tested OSSIM on a sparc platform? I haven't installed any OS on the machine yet and would like to know if you have done any testing on this arch yet.

Please let me know.

Thanks!

Austin G. Smith, A+, MCP
Digital Son, I.T. Services
www.digitalson.com <http://www.digitalson.com/>
678.213.0550 x:101 Office
678.213.0535 Fax

Need reliable hosting?
www.digitalsonhosting.com <http://www.digitalsonhosting.com/>
From: sanjoy <san...@gm...> - 2007-01-12 10:25:14

could somebody tell me how to use snare with ossim.. how do I configure ossim to pull logs from snare

regards
Sanjoy
From: <il...@ti...> - 2006-07-21 10:21:33

any answers?
From: <il...@ti...> - 2006-07-18 16:39:13

Hi, I'm Massimo, an Italian network management and security student. Actually I'm doing a security stage in Pisa, Italy. For this stage I'm following the ossim development and my tutor proposes me to build two sensors, a bsd-based sensor and a linux-based sensor, to compare packet loss by libpcap.

In this scenario I use a debian (or centos?) host with ossim-server and ossim-framework, mysql, apache etc., a freebsd sensor with freebsd and sniffing instruments, a linux clone sensor (gentoo???).

I find all instruments I need on freebsd but I want to use the power of ports: I'm writing the ossim-agent port but I need some ossim patched instruments like snort, ntop, arpwatch, etc. Freebsd users tell me to ask these ports maintainers to include the ossim patch to let the sysadmin choose if he wants them or not at build time (like this example http://blog.innerewut.de/files/images/ar.png) but first I ask your opinion.

Bye.