From: <il...@ti...> - 2006-07-18 16:38:39

Hi, I'm Massimo, an Italian network management and security student. I'm currently doing a security internship in Pisa, Italy. For this internship I'm following the ossim development, and my tutor proposes that I build two sensors, a BSD-based sensor and a Linux-based sensor, to compare packet loss by libpcap.

In this scenario I use a Debian (or CentOS?) host with ossim-server and ossim-framework, MySQL, Apache etc., a FreeBSD sensor with FreeBSD and sniffing instruments, and a Linux clone sensor (Gentoo???).

I find all the instruments I need on FreeBSD, but I want to use the power of ports: I'm writing the ossim-agent port, but I need some ossim-patched instruments like snort, ntop, arpwatch, etc.

FreeBSD users tell me to ask these ports' maintainers to include the ossim patch, to let the sysadmin choose whether he wants them or not at build time (like this example: http://blog.innerewut.de/files/images/ar.png), but first I ask your opinion.

Bye.
From: Madhusudhan R. <mad...@gm...> - 2006-01-17 01:02:36

Hello,

When I tried running the OSSIM framework ...

  # ossim-framework -d

and attempting to access the framework [ http://yourhost/ossim/ ], I get the following error:

  Warning: main(classes/Session.inc): failed to open stream: No such file or directory in /usr/share/ossim/www/index.php on line 2
  Fatal error: main(): Failed opening required 'classes/Session.inc' (include_path='.:/usr/share/pear') in /usr/share/ossim/www/index.php on line 2

I found the same error posted in the discussion, but could not find the solution. Can you please help me with this?

Thank you
Madhu

--
SUCCESS IS NOT DEFINED BY OBTAINING EVERYTHING YOU WANT, BUT BY APPRECIATING EVERYTHING YOU HAVE
From: Madhusudhan R. <mad...@gm...> - 2006-01-05 21:44:56

Hello

I get the following error when I run Start OSSIM server:

  # ossim-server -d -c /etc/ossim/server/config.xml
  GNET-CRITICAL :file tcp.c :(gnet_tcp_socket_server _accept_assync):assertion 'socket' failed

Can you please help me with this error.

Thank you
Madhu

--
SUCCESS IS NOT DEFINED BY OBTAINING EVERYTHING YOU WANT, BUT BY APPRECIATING EVERYTHING YOU HAVE
From: Arn V. <arn...@xs...> - 2006-01-04 22:25:42

From: "Arn Vollebregt" <arn...@xs...>
> http://82.92.8.139/projects/OSSIM/ossim.autoinstall.pl

The md5 checksum for v0.9 is: fa714f5a7af7286d31db6ced34681d98

Arn Vollebregt
--
"Wisdom lies not in obtaining knowledge, but in using it in the right way" - kroesjnov
From: Arn V. <arn...@xs...> - 2006-01-04 22:09:24

I am currently writing an autoinstall script for OSSIM in Perl. Version 0.9 supports installing and configuring a server with a local sensor on Fedora Core 3. The next major release should support installation on other Linux distros as well (see TODO list), as long as there is an apt-get repository available with OSSIM in it.

The reason this is not version 1.0 is a minor problem with the 'create_basic_configuration' function, which means you have to manually add the detected sensor and a network to monitor. Other than that the installation and configuration runs okay, hence I classify this as a minor problem.

For those who wish to use/test this script, the latest version is available from http://82.92.8.139/projects/OSSIM/ossim.autoinstall.pl This is an open directory where you can also find all released versions.

Below I included parts of the header with some additional information.

################################################################################
# What does it do:
# A script to completely automate the installation and configuration of OSSIM
# (http://www.ossim.net) on a fresh install of Fedora Core 3. It installs a
# server with a local sensor running: snort, ntop (v3.2), p0f, arpwatch,
# nessus, tcptrack and pads. The next major release will also support other
# Linux versions.
#
# Features include:
# * Tracking finished functions in the file 'processed.functions'. On a second
#   run the successfully finished functions will not be run again.
# * Rollback of half finished functions on errors.
# * Saving errors to 'saved.errors', consisting of function, line number and
#   system() error code. Old errors are overwritten.
# * Backups of all altered files saved to '$filename.backup'.
#
# Things to keep in mind:
# 1) You need to manually start the ossim components after the installation.
#    The start command is provided after a successful installation.
# 2) The 'create_basic_configuration' function does not work yet, for now
#    add the detected sensor by hand, and add the network(s) manually ('policy'
#    tab in web interface). Without a sensor and a network most data will not
#    be logged! An alternative is to install, start OSSIM, enable this
#    function and run the script again. This works as far as I can tell.
# 3) This version of the script will set up a server with a local sensor.
# 4) This version of the script will most likely only work on Fedora Core 3 at
#    the moment. A future version will contain variables to system paths which
#    can be changed.
# 5) The following error is to be expected (see todo 'Future versions' item 1):
#    find: /usr/share/ntop/rrd//interface/eth0/hosts: No such file or directory
#    This error will keep appearing in the shell you used to start the agent
#    component.
#
# TODO:
# Next major version (required functionality)
# 1) Include system path variables for portability to other Linux versions.
# 2) Find out why the function 'create_basic_configuration' fails (either I am
#    doing something wrong, or this can only be done after first run?).
# 3) Locate apt repository with newer nessus version (used: 2.2.6, current: 3.0).
# 4) Include some sanity checks (required variables for selected functions,
#    internet connection, installed packages, etc).
# 5) Provide some default choices for installations (server only, sensor only,
#    etc).
#
# Future versions (optimizing code/functions/functionality)
# 1) Include the option to install NTOP 3.1 (check if sources need patching).
#    See http://sourceforge.net/mailarchive/message.php?msg_id=14231830
# 2) Tweak/secure the installed components (and OS?).
# 3) Configure snort/nessus to autoupdate rulesets.
# 4) Find out what (unprintable?) characters live at the end of the keys in the
#    associative array from prefsCache.db from ntop, so we can specify these
#    keys directly instead of using regex matching.
# 5) Find out why the /x option doesn't work as supposed to in the substitute
#    commands so that I can properly terminate those lines on 80 characters.
# 6) Pull more repeating code into their own functions.
# 7) Better error function/handling.
# 8) Include status bar, hopefully without including external modules (threads?)
# 9) Also support subnet masks in /xx form (and convert /xx to /xxx.xxx.xxx.xxx).
################################################################################

I am currently in the last month of a project, so chances are I have less time to maintain this script at the moment. I will however do my best to fix and update this script when required. Comments and/or ideas are always welcome.

Arn Vollebregt
--
"Wisdom lies not in obtaining knowledge, but in using it in the right way" - kroesjnov
From: Jon S. <jsc...@po...> - 2005-10-24 23:58:14

Hi all,

I sent a message to the development lists before but got no response, so I am trying the support lists as well. I want to use OSSIM on my network and I've got it installed, and I am wondering what the progress is on the OpenNMS integration. I am also wondering if OSSIM will be able to use all the hosts that OpenNMS finds and add them into OSSIM as hosts. That would be nice. Can someone please let me know what the status is for OpenNMS integration.

Thanks in advance,

Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004

Jon Scottorn wrote:
> Hi,
>
> I am interested in setting up an OSSIM server and I am wondering how
> close you guys are at integrating OpenNMS into OSSIM. I use OpenNMS for
> my network notifications and alerts for services and such and I really
> like the OSSIM framework.
>
> Thanks,
>
> Jon
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Os-sim-devel mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-devel
From: Jon S. <jsc...@po...> - 2005-10-21 17:44:54

Hi,

I am interested in setting up an OSSIM server and I am wondering how close you guys are at integrating OpenNMS into OSSIM. I use OpenNMS for my network notifications and alerts for services and such and I really like the OSSIM framework.

Thanks,

Jon
From: David G. <dg...@os...> - 2005-10-10 21:40:07

Hello,

At this moment, we're working to include OSSIM into Debian Unstable. You can see the ITP sent to the Debian bug tracking system here:

  284107 ITP: ossim -- security information manager
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=284107

Also, we're working on packages that ossim depends on. You can see some of them here:

Debian official packages:
  http://qa.debian.org/developer.php?login=...@te...

Packages being worked on (be careful):
  http://www.ossim.net/~dgil/debian/
  deb http://www.ossim.net/~dgil/ debian/

Please be patient, this will take some time. It's possible that the Ossim repository will be in a bad state in the next months. Sorry in advance.

Greetings,
David.
From: Michael B. <mic...@gm...> - 2005-10-06 19:40:54

On 10/7/05, Juanma <ju...@os...> wrote:
> Hi Michael
>
> The ossim rpms we do publish in the web have been created using the
> command rpmbuild, and using the spec provided in the web. Please tell me
> about the python modules installed in a different place than expected in
> the .spec file.

  #%{_libdir}/python2.3/site-packages/pyossim/
  %{_datadir}/ossim-agent/pyossim/
  #%{_libdir}/python2.3/site-packages/ossimframework/
  %{_datadir}/ossim-framework/ossimframework/

> About the 3rd party rpms, they have been created using the src.rpm of
> the packages and applying patches you can find in the contrib folder in
> our source. No other file is required. Anyway we do not have any
> disadvantage in publish in the web all the src.rpm, so everybody can
> easily compile their own rpm files.

For an example: the BASE spec file you refer to does pick up the source from whatever you currently have installed. arpwatch refers to a tarball that is no longer available from their website etc... It's things like that I would like to avoid when I am building the next version of SIM CD...

Also, could you please post your CVS commit messages in English so I, and the rest of the world, can more easily follow the development process? As I don't know Spanish I can't follow the CVS development very well - which means that there is at least one less contributor to the code.

Best regards
Michael Boman

--
IT Security Researcher & Developer
http://proxy.11a.nu | http://www.boseco.com
From: Juanma <ju...@os...> - 2005-10-06 19:25:34

Hi Michael

The ossim rpms we publish on the web have been created using the command rpmbuild, and using the spec provided on the web. Please tell me about the python modules installed in a different place than expected in the .spec file.

About the 3rd party rpms, they have been created using the src.rpm of the packages and applying patches you can find in the contrib folder in our source. No other file is required. Anyway we have no objection to publishing all the src.rpm on the web, so everybody can easily compile their own rpm files.

Best regards.
Juanma

On Fri, 07-10-2005 at 03:10 +0800, Michael Boman wrote:
> On 10/7/05, Juanma <ju...@os...> wrote:
> > Hi Michael, you can find the source of the rpms in the source of ossim,
> > the rpms of ossim are created using the os-sim.spec file which is
> > included in the source. No other file apart from the ones you can find
> > in the source is included in the os-sim rpms.
> >
> > You can get the tar.gz file from our project in sourceforge and the
> > latest version in cvs repository.
> >
> > Just for your information ossim is released with the BSD licence, as you
> > can see in the LICENSE file that you can also find within the source.
> >
> > Please feel free to write us if any other problem or help request with
> > the rpm files.
>
> I have managed to build the OSSIM RPMs with some modifications of the
> provided .spec files (interestingly enough, I have no idea how you
> managed to create the OSSIM RPMs with the included spec file as it
> places the python modules in a different place than expected by the
> .spec file).
>
> I am mainly interested in the 3rd party RPMs which you have modified
> to have features required by OSSIM, and many of those 3rd party
> software is released under the GPL license.
>
> Best regards
> Michael Boman
>
> --
> IT Security Researcher & Developer
> http://proxy.11a.nu | http://www.boseco.com
From: Michael B. <mic...@gm...> - 2005-10-06 19:11:00

On 10/7/05, Juanma <ju...@os...> wrote:
> Hi Michael, you can find the source of the rpms in the source of ossim,
> the rpms of ossim are created using the os-sim.spec file which is
> included in the source. No other file apart from the ones you can find
> in the source is included in the os-sim rpms.
>
> You can get the tar.gz file from our project in sourceforge and the
> latest version in cvs repository.
>
> Just for your information ossim is released with the BSD licence, as you
> can see in the LICENSE file that you can also find within the source.
>
> Please feel free to write us if any other problem or help request with
> the rpm files.

I have managed to build the OSSIM RPMs with some modifications of the provided .spec files (interestingly enough, I have no idea how you managed to create the OSSIM RPMs with the included spec file, as it places the python modules in a different place than expected by the .spec file).

I am mainly interested in the 3rd party RPMs which you have modified to have features required by OSSIM, and much of that 3rd party software is released under the GPL license.

Best regards
Michael Boman

--
IT Security Researcher & Developer
http://proxy.11a.nu | http://www.boseco.com
From: Juanma <ju...@os...> - 2005-10-06 18:01:58

Hi Michael, you can find the source of the rpms in the source of ossim; the rpms of ossim are created using the os-sim.spec file which is included in the source. No other file apart from the ones you can find in the source is included in the os-sim rpms.

You can get the tar.gz file from our project in sourceforge and the latest version in the cvs repository.

Just for your information, ossim is released with the BSD licence, as you can see in the LICENSE file that you can also find within the source.

Please feel free to write us about any other problem or help request with the rpm files.

Thanks
Juanma
Juanma at ossim dot net

On Fri, 07-10-2005 at 00:19 +0800, Michael Boman wrote:
> I hereby request the actual source code for the binary RPM
> packages that I have downloaded from
> http://www.ossim.net/download/fedora/RPMS.fc3/, in accordance with the
> GPL license version 2, Section 3:
>
> TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
> [...]
> 3. You may copy and distribute the Program (or a work based on it,
> under Section 2) in object code or executable form under the terms of
> Sections 1 and 2 above provided that you also do one of the following:
>
> a) Accompany it with the complete corresponding machine-readable
> source code, which must be distributed under the terms of Sections 1
> and 2 above on a medium customarily used for software interchange; or,
>
> b) Accompany it with a written offer, valid for at least three
> years, to give any third party, for a charge no more than your cost of
> physically performing source distribution, a complete machine-readable
> copy of the corresponding source code, to be distributed under the
> terms of Sections 1 and 2 above on a medium customarily used for
> software interchange; or,
>
> c) Accompany it with the information you received as to the offer
> to distribute corresponding source code. (This alternative is allowed
> only for noncommercial distribution and only if you received the
> program in object code or executable form with such an offer, in
> accord with Subsection b above.)
>
> Best regards
> Michael Boman
>
> --
> IT Security Researcher & Developer
> http://proxy.11a.nu | http://www.boseco.com
From: Michael B. <mic...@gm...> - 2005-10-06 16:19:16

I hereby request the actual source code for the binary RPM packages that I have downloaded from http://www.ossim.net/download/fedora/RPMS.fc3/, in accordance with the GPL license version 2, Section 3:

  TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  [...]
  3. You may copy and distribute the Program (or a work based on it,
  under Section 2) in object code or executable form under the terms of
  Sections 1 and 2 above provided that you also do one of the following:

  a) Accompany it with the complete corresponding machine-readable
  source code, which must be distributed under the terms of Sections 1
  and 2 above on a medium customarily used for software interchange; or,

  b) Accompany it with a written offer, valid for at least three
  years, to give any third party, for a charge no more than your cost of
  physically performing source distribution, a complete machine-readable
  copy of the corresponding source code, to be distributed under the
  terms of Sections 1 and 2 above on a medium customarily used for
  software interchange; or,

  c) Accompany it with the information you received as to the offer
  to distribute corresponding source code. (This alternative is allowed
  only for noncommercial distribution and only if you received the
  program in object code or executable form with such an offer, in
  accord with Subsection b above.)

Best regards
Michael Boman

--
IT Security Researcher & Developer
http://proxy.11a.nu | http://www.boseco.com
From: David G. <dg...@os...> - 2005-09-29 07:38:35

Hello Sebastian,

Yes, you are right, I'm building the packages in a testing environment. The reasons:

* Debian just adds security support for testing.
* I'm trying to upload ossim packages to the official debian repository (sid).

If you are interested in having sarge packages, please download the latest cvs version and use dpkg-buildpackage. I will compile backports for ossim, but not at this moment, sorry.

Greetings,
David.

On Wed, 28-09-2005 at 22:15 -0300, sebastian serrano wrote:
> Hi to all
> I'm running ossim in a debian sarge and apt-get upgrade is retaining
> ossim-server.
> Here is some output:
> $ apt-get upgrade
> The following packages have been kept back:
>   librrds-perl ossim-server rrdtool
> $ apt-get install ossim-server
> The following packages have unmet dependencies:
>   ossim-server: Depends: libc6 (>= 2.3.5-1) but 2.3.2.ds1-22 is to be installed
>                 Depends: libglib2.0-0 (>= 2.8.0) but 2.6.4-1 is to be installed
>                 Depends: libxml2 (>= 2.6.21) but 2.6.16-7 is to be installed
>                 Depends: libxslt1.1 (>= 1.1.14) but 1.1.12-8 is to be installed
>
> Is the Ossim repository now built against the testing repository? Is there
> another for sarge?
>
> Thanks in advance.
From: sebastian s. <seb...@gm...> - 2005-09-29 01:15:41

Hi to all

I'm running ossim in a debian sarge and apt-get upgrade is retaining ossim-server. Here is some output:

  $ apt-get upgrade
  The following packages have been kept back:
    librrds-perl ossim-server rrdtool
  $ apt-get install ossim-server
  The following packages have unmet dependencies:
    ossim-server: Depends: libc6 (>= 2.3.5-1) but 2.3.2.ds1-22 is to be installed
                  Depends: libglib2.0-0 (>= 2.8.0) but 2.6.4-1 is to be installed
                  Depends: libxml2 (>= 2.6.21) but 2.6.16-7 is to be installed
                  Depends: libxslt1.1 (>= 1.1.14) but 1.1.12-8 is to be installed

Is the Ossim repository now built against the testing repository? Is there another for sarge?

Thanks in advance.
From: W. <joe...@ei...> - 2005-09-26 14:04:10

Hi all,

I found something strange in tcptrack data processing. In a directive, I use a tcptrack rule like this:

  <rule type="monitor" name="More than 30 sec. persistence" reliability="+5"
        from="2:DST_IP" to="2:SRC_IP" port_from="2:DST_PORT" port_to="2:SRC_PORT"
        plugin_id="2006" plugin_sid="3" condition="ge" value="30" interval="60"
        time_out="70" absolute="true"/>

When this rule gets processed by the server, it sends the tcptrack processing request to the agent. Then the agent does some polling requests to the tcptrack software using its loopback... On the agent debug output you can see this type of info:

  (**) pyossim.Scheduler (2005-09-26 14:57:36): MonitorList : processing element (2/5)...
  (<-) pyossim.Monitor (2005-09-26 14:57:36): Processing watch-rule (id=2006 sid=3)
  (<-) pyossim.Monitor (2005-09-26 14:57:36): Timeout at 42 seconds
  (=>) pyossim.MonitorTcptrack (2005-09-26 14:57:36): 10.192.73.206:49989 10.192.73.169:9999
  (=>) pyossim.MonitorTcptrack (2005-09-26 14:57:36): 209 5 5
  (**) pyossim.Scheduler (2005-09-26 14:57:38): MonitorList : processing element (2/5)...
  (<-) pyossim.Monitor (2005-09-26 14:57:38): Processing watch-rule (id=2006 sid=3)
  (<-) pyossim.Monitor (2005-09-26 14:57:38): Timeout at 40 seconds
  (=>) pyossim.MonitorTcptrack (2005-09-26 14:57:38): 10.192.73.206:49989 10.192.73.169:9999
  (=>) pyossim.MonitorTcptrack (2005-09-26 14:57:38): 209 5 7
  (**) pyossim.Scheduler (2005-09-26 14:57:40): MonitorList : processing element (2/5)...
  (<-) pyossim.Monitor (2005-09-26 14:57:40): Processing watch-rule (id=2006 sid=3)
  (<-) pyossim.Monitor (2005-09-26 14:57:40): Timeout at 38 seconds
  (=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 10.192.73.206:49989 10.192.73.169:9999
  (=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 209 5 9

Here the agent sends queries to tcptrack:

  (=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 10.192.73.206:49989 10.192.73.169:9999

and gets information back like this:

  (=>) pyossim.MonitorTcptrack (2005-09-26 14:57:40): 209 5 9

My problem is coming from the tcptrack sid=3 rule (Session Duration). Indeed, this value looks like the third one (the first one increases when you send some data through the monitored tcp connection)... and the MonitorTcptrack.py comments look like this:

  # obtain tcptrack sid from array index
  # 1: Data Sent
  # 2: Data Recv
  # 3: Session Duration
  #

This third value is always increasing even if the tcp connection is closed (I'm checking tcp status with netstat -alp --inet)!! The only way to stop this value increasing is to send data through the tcp connection: the value gets reset to 0 and starts increasing again until you send some data again...

Then I looked at Monitor.py and everything (value checks) looks ok! So I maybe think that the problem comes from changes made in tcptrack...

With this strange behaviour and the rule described at the top of this mail, the rule is always matched if I don't send data through the monitored tcp connection (which resets the value)!!

I will be really happy to have some information about it, because this plugin is really useful to set up good correlation directives!!

Thanks for your help,
Joël.W
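The watch-rule evaluation described in this message, as an added example that is not code from the original post or from the OSSIM agent: it parses the quoted monitor rule, applies its condition to the counter column selected by plugin_sid, and adds the diagnostic the poster did by hand (a "session duration" that drops back to 0 when data flows is time since last data, not session duration). The polls are constructed from the values in the agent log above; column order and the condition names are assumptions.

```python
import xml.etree.ElementTree as ET

# The watch-rule quoted in the message above, in the directive's XML form.
RULE_XML = (
    '<rule type="monitor" name="More than 30 sec. persistence" reliability="+5" '
    'from="2:DST_IP" to="2:SRC_IP" port_from="2:DST_PORT" port_to="2:SRC_PORT" '
    'plugin_id="2006" plugin_sid="3" condition="ge" value="30" interval="60" '
    'time_out="70" absolute="true"/>'
)

# tcptrack sid -> column in the agent's reply "sent recv duration", following
# the MonitorTcptrack.py comment quoted above (1 Data Sent, 2 Data Recv,
# 3 Session Duration). Assumed column order.
TCPTRACK_COLUMNS = {1: 0, 2: 1, 3: 2}

# Condition keywords assumed for the rule's condition="..." attribute.
CONDITIONS = {
    "eq": lambda a, b: a == b,
    "ne": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
}


def parse_rule(xml_text):
    """Extract the fields the agent needs from a <rule type="monitor"> element."""
    el = ET.fromstring(xml_text)
    if el.get("type") != "monitor":
        raise ValueError("not a monitor rule")
    cond = el.get("condition")
    if cond not in CONDITIONS:
        raise ValueError("unknown condition %r" % cond)
    return {
        "plugin_id": int(el.get("plugin_id")),
        "plugin_sid": int(el.get("plugin_sid")),
        "condition": cond,
        "value": int(el.get("value")),
        "interval": int(el.get("interval")),
        "time_out": int(el.get("time_out")),
    }


def parse_tcptrack_reply(line):
    """Parse the 'sent recv duration' reply, e.g. '209 5 9', into three ints."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("expected 3 counters, got %r" % line)
    return tuple(int(p) for p in parts)


def rule_matches(rule, reply):
    """Apply the rule's condition to the counter selected by plugin_sid."""
    col = TCPTRACK_COLUMNS[rule["plugin_sid"]]
    return CONDITIONS[rule["condition"]](reply[col], rule["value"])


def first_match(rule, polls):
    """Index of the first poll satisfying the rule within time_out seconds.

    polls is a list of (elapsed_seconds, reply) pairs; returns None if the
    rule never matches before the time-out.
    """
    for i, (elapsed, reply) in enumerate(polls):
        if elapsed > rule["time_out"]:
            return None
        if rule_matches(rule, reply):
            return i
    return None


def looks_like_idle_time(replies):
    """The poster's diagnostic: if the third counter ever drops while a data
    counter grows, it measures time since last data, not session duration."""
    prev = None
    for sent, recv, dur in replies:
        if prev is not None:
            psent, precv, pdur = prev
            if dur < pdur and (sent > psent or recv > precv):
                return True
        prev = (sent, recv, dur)
    return False


# Constructed polls, 2 s apart as in the agent log: an idle connection whose
# third counter just keeps growing, and one where a data burst resets it.
NEVER_DATA = [(209, 5, 5 + 2 * i) for i in range(20)]
IDLE_THEN_DATA = [(209, 5, 5), (209, 5, 7), (209, 5, 9), (350, 5, 0), (350, 5, 2)]


def idle_polls():
    return [(2 * i, reply) for i, reply in enumerate(NEVER_DATA)]


if __name__ == "__main__":
    rule = parse_rule(RULE_XML)
    # On an idle connection the rule fires purely from elapsed time.
    print("idle connection matches at poll", first_match(rule, idle_polls()))
    print("third counter behaves as idle time:", looks_like_idle_time(IDLE_THEN_DATA))
```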
From: David G. <dg...@os...> - 2005-09-21 07:21:25

Mysql 4.1 does not complain about it, so I think you're using mysql 4.0. Anyway, now it is fixed, thanks!

On Wed, 21-09-2005 at 01:49 -0300, sebastian serrano wrote:
> Hi
> I'm running ossim on a debian box. From the last update at the
> alarm_console I get an error:
>
> You have an error in your SQL syntax. Check the manual that
> corresponds to your MySQL server version for the right syntax to use
> near '+0 AS timestamp, inet_ntoa(src_ip), inet_nto
>
> I got rid of it by changing a line in classes/Alarm.inc (at least I don't
> get the error and see some output), this is a diff output:
>
> --- Alarm.inc.orig 2005-09-21 04:18:07.000000000 +0000
> +++ Alarm.inc 2005-09-21 04:18:20.000000000 +0000
> @@ -228,7 +228,7 @@
>  /* number of alerts per page */
>  $nalerts = $sup - $inf;
>
> -    $query = "SELECT *, timestamp+0 AS timestamp,
> +    $query = "SELECT *, timestamp + 0 AS timestamp,
>      inet_ntoa(src_ip), inet_ntoa(dst_ip)
>      FROM alarm $where $order LIMIT $nalerts OFFSET $inf";
>
> Sorry for my poor English. Thanks in advance and continue with your great work.
>
> Sebastian Serrano
From: sebastian s. <seb...@gm...> - 2005-09-21 04:50:03

Hi

I'm running ossim on a debian box. From the last update at the alarm_console I get an error:

  You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '+0 AS timestamp, inet_ntoa(src_ip), inet_nto

I got rid of it by changing a line in classes/Alarm.inc (at least I don't get the error and see some output), this is a diff output:

--- Alarm.inc.orig 2005-09-21 04:18:07.000000000 +0000
+++ Alarm.inc 2005-09-21 04:18:20.000000000 +0000
@@ -228,7 +228,7 @@
 /* number of alerts per page */
 $nalerts = $sup - $inf;

-    $query = "SELECT *, timestamp+0 AS timestamp,
+    $query = "SELECT *, timestamp + 0 AS timestamp,
     inet_ntoa(src_ip), inet_ntoa(dst_ip)
     FROM alarm $where $order LIMIT $nalerts OFFSET $inf";

Sorry for my poor English. Thanks in advance and continue with your great work.

Sebastian Serrano
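Review bot: the removed and added lines differ only in whitespace around the `+` (`timestamp+0` versus `timestamp + 0`), so the hunk works around a parser difference between MySQL versions rather than changing the query; the commit message should say which server version needed the spaced form so the change is not "cleaned up" later. The more important point in this hunk is that `$where`, `$order`, `$nalerts` and `$inf` are interpolated straight into the SQL string: the page-size values should be cast before the query is built (e.g. `$nalerts = (int)($sup - $inf);` and `$inf = (int)$inf;`), and `$where`/`$order` must only ever be assembled from fixed fragments and whitelisted column names, never from raw request parameters.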
From: W. <joe...@ei...> - 2005-08-30 09:25:04

Hi,

I have a little request about how to write HIDS rules on OSSIM. I used Prelude before with prelude-lml... HIDS here doesn't mean checking file integrity but finding patterns in specific log files (as you do with Snare and Syslog).

I saw that you were using python software to listen to log files and catch specific information (patterns). The problem is that rules are hard coded in Python files or are directly located on ossim-server. A good thing would be to add hids configuration files on agents and let people do their own rules. The agent would then be able to send the rule titles (sid) and plugin title (id) to the server. Like this, it would appear in CONFIGURATION => PLUGIN on the framework and the server would be able to use them in correlation directives...

When I was using Prelude, I did rules (based on regex) to get specific information about the Dansguardian Proxy (modified to act as a reverse-proxy). Here is an example of a rule...

  #####################################################################
  # To get when a requested URL is blocked (coming from the
  # Bannedregexpurllist file of the dansguardian configuration)
  #####################################################################
  #LOG example:
  #2004.10.27 15:42:51 - 10.192.72.83 http://10.192.72.95/iissamples/ *DENIED* Banned Regular Expression URL: .*/iissamples/ GET 0
  regex=([\d+\.]+) http://(.*)\s\*DENIED\*\sBanned Regular Expression URL:(.*)\s(GET|POST).*; \
  class.name=Dansguardian Reverse-proxy: DENIED request to Web server; \
  impact.severity=high; \
  impact.completion=failed; \
  impact.type=other; \
  impact.description=Url: $2 requested by $1 had dangerous content defined by this regular expression: $3; \
  #note: required for correct operation
  source.node.address; \
  source.node.address.address=$1; \
  source.node.address.category=ipv4-addr; \
  source.service.port=80; \
  source.service.protocol=http; \
  target.node.address; \
  target.node.address.category=unknown; \
  target.node.address.address=$2; \
  target.service.port=80; \
  target.service.protocol=http;

Let me know what you think about this! I would be pleased to help you (even to help you write a bit of code)...

Read you soon...
Joël Winteregg
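The agent-side rule file this message asks for, as an added example that is not code from the original post, from Prelude or from OSSIM: a small Python loader for rule text in the prelude-lml style quoted above (comment lines, backslash continuations, ';'-separated key=value fields, $N back-references into the regex groups), run over constructed Dansguardian log lines. The rule text is rebuilt from the message; treating ';' as the field separator and bare keys as marker fields is an assumption about the format.

```python
import re

# Constructed from the rule quoted in the message above.
DANSGUARDIAN_RULE = r"""
# To get when a requested URL is blocked (coming from the
# Bannedregexpurllist file of the dansguardian configuration)
regex=([\d+\.]+) http://(.*)\s\*DENIED\*\sBanned Regular Expression URL:(.*)\s(GET|POST).*; \
class.name=Dansguardian Reverse-proxy: DENIED request to Web server; \
impact.severity=high; \
impact.completion=failed; \
impact.type=other; \
impact.description=Url: $2 requested by $1 had dangerous content defined by this regular expression: $3; \
source.node.address; \
source.node.address.address=$1; \
source.node.address.category=ipv4-addr; \
source.service.port=80; \
source.service.protocol=http; \
target.node.address; \
target.node.address.category=unknown; \
target.node.address.address=$2; \
target.service.port=80; \
target.service.protocol=http;
"""

# Constructed log lines: the one quoted in the message plus an allowed request.
SAMPLE_LOG = [
    "2004.10.27 15:42:51 - 10.192.72.83 http://10.192.72.95/iissamples/ "
    "*DENIED* Banned Regular Expression URL: .*/iissamples/ GET 0",
    "2004.10.27 15:43:02 - 10.192.72.84 http://10.192.72.95/index.html GET 200",
]


def parse_rule(text):
    """Return (compiled regex, [(field, template)]) from rule text.

    Comment lines are dropped, trailing backslashes joined, and the result
    split on ';'. Keys without '=' (e.g. 'source.node.address') are marker
    fields stored with value None. Assumes the regex itself contains no ';'.
    """
    pieces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pieces.append(line.rstrip("\\").strip())
    regex, fields = None, []
    for part in " ".join(pieces).split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if key == "regex":
            regex = re.compile(value)
        else:
            fields.append((key, value if sep else None))
    if regex is None:
        raise ValueError("rule has no regex= entry")
    return regex, fields


def apply_rule(rule, log_line):
    """Match one log line; return the event dict with $N expanded, or None."""
    regex, fields = rule
    m = regex.search(log_line)
    if m is None:
        return None
    groups = m.groups()

    def expand(template):
        def repl(ref):
            idx = int(ref.group(1))
            if not 1 <= idx <= len(groups):
                raise ValueError("rule uses $%d but regex has %d groups" % (idx, len(groups)))
            return groups[idx - 1] or ""
        return re.sub(r"\$(\d+)", repl, template)

    return {key: (None if tpl is None else expand(tpl)) for key, tpl in fields}


def scan(lines, rule_text=DANSGUARDIAN_RULE):
    """Run one rule over a list of log lines and collect the events it produces."""
    rule = parse_rule(rule_text)
    events = (apply_rule(rule, line) for line in lines)
    return [ev for ev in events if ev is not None]


if __name__ == "__main__":
    for event in scan(SAMPLE_LOG):
        for key, value in event.items():
            print(key if value is None else "%s=%s" % (key, value))
```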
From: sebastian s. <seb...@gm...> - 2005-08-27 18:48:29

Hello

I don't quite understand what the problem is, but at first c_sec_level and a_sec_level also showed as zero for me; I found an error in the user:pass for the framework's db. If the same thing is happening to you, you should see a database connection error in /var/log/ossim/frameworkd_error.log

Regards
Sebastian Serrano
iWinds, Buenos Aires, Argentina

From: Nicolas Macia <nmacia@ce...>
global score problem
2005-03-23 16:04

Hello, I wanted to know whether it was only me that the global score shown in the riskmeter in the Control Panel -> Metrics.

I was looking and found that the file /usr/share/ossim/www/control_panel/global_score.php determines the security level on line 188 with the following calculation:

  $sec_level = ($rs_global->fields["c_sec_level"] + $rs_global->fields["a_sec_level"]) / 2;

Currently my c_sec_level and a_sec_level levels are at zero, which is more than good!!!

regards
nico
----------------------------------------------------------------
Ce.S.P.I. - UNLP
From: W. <joe...@ei...> - 2005-08-17 10:46:16
|
Hi, I'm looking at the Holt-Winters algorithm with RRD (HWPREDICT). I noticed in rrd_plugin.pl that you never fetch the alpha and beta values from the framework config table, configured in CONFIGURATION -> RRD CONFIG... Quite strange!! So it means those values are never used by the algorithm...

Holt-Winters RRDtool function call:
RRA:HWPREDICT:<array length>:<alpha>:<beta>:<period>

Your HWPREDICT call looks like this:
my $result = `$rrd_bin fetch $file HWPREDICT -s $stime -e $etime | grep $etime`;

We can see you never use alpha, beta and period (only a data range "-s" and "-e")!! You should also put a period configuration in CONFIGURATION -> RRD CONFIG because when I did an Excel sheet to check the parameters' effect with Holt-Winters, I found that the period (m param) was really important for prediction!!

When the www.fullsecurity DNS entry is set, you will be able to download this Excel and OpenOffice file here: http://www.fullsecurity.ch/security/sims/download/download.jsp

Information about RRDtool can be found here: http://cricket.sourceforge.net/aberrant/rrd_hw.htm#_Toc491746735

Let me know what you think!! Thanks a lot and read you soon...

Joël Winteregg |
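An added example (not OSSIM or RRDtool code) of the additive Holt-Winters forecast that HWPREDICT implements, showing where alpha, beta and the seasonal period enter and how a wrong period ruins the prediction; gamma, the seasonal smoothing constant that RRDtool keeps in its SEASONAL RRA, is passed here as a plain parameter and the input series is constructed:

```python
"""Additive Holt-Winters forecasting, the model behind RRDtool's HWPREDICT.
Added example (not OSSIM or RRDtool code). alpha/beta/period follow the
RRA:HWPREDICT:<rows>:<alpha>:<beta>:<period> naming; gamma is the seasonal
smoothing constant that RRDtool configures in the SEASONAL RRA."""


def holt_winters(series, period, alpha, beta, gamma):
    """Return (one-step-ahead forecasts, forecast for the next sample).

    level   a_t = alpha*(y_t - c_{t-m}) + (1-alpha)*(a_{t-1} + b_{t-1})
    trend   b_t = beta*(a_t - a_{t-1})  + (1-beta)*b_{t-1}
    season  c_t = gamma*(y_t - a_t)     + (1-gamma)*c_{t-m}
    forecast for t+1 = a_t + b_t + c_{t+1-m}
    """
    m = period
    if len(series) < 2 * m:
        raise ValueError("need at least two full periods of data")
    # Initialise from the first period: level = its mean, no trend,
    # seasonal index = each sample's deviation from that mean.
    level = sum(series[:m]) / m
    trend = 0.0
    seasonal = [y - level for y in series[:m]]   # c_{t-m} is kept at t % m
    forecasts = [None] * m                        # nothing to predict yet
    for t in range(m, len(series)):
        y = series[t]
        forecasts.append(level + trend + seasonal[t % m])
        prev_level = level
        level = alpha * (y - seasonal[t % m]) + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
        seasonal[t % m] = gamma * (y - level) + (1 - gamma) * seasonal[t % m]
    return forecasts, level + trend + seasonal[len(series) % m]


def mean_abs_error(series, forecasts):
    """Average |observed - forecast| over the samples that had a forecast."""
    pairs = [(y, f) for y, f in zip(series, forecasts) if f is not None]
    return sum(abs(y - f) for y, f in pairs) / len(pairs)


# Constructed traffic-like series: a clean 4-sample cycle repeated 50 times.
SERIES = [1.0, 2.0, 3.0, 4.0] * 50

if __name__ == "__main__":
    for m in (4, 3):   # the true period versus a wrong one
        f, nxt = holt_winters(SERIES, m, alpha=0.1, beta=0.01, gamma=0.1)
        print(f"period={m}: MAE={mean_abs_error(SERIES, f):.3f} next={nxt:.3f}")
```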
From: Nicolas M. <nm...@ce...> - 2005-03-23 19:04:03
|
Hello, I wanted to know whether it was only me: the global score shown in the riskmeter in the control panel -> Metrics.

I had a look and found that the file /usr/share/ossim/www/control_panel/global_score.php determines the security level on line 188 with the following calculation:

$sec_level = ($rs_global->fields["c_sec_level"] + $rs_global->fields["a_sec_level"]) / 2;

Currently my c_sec_level and a_sec_level levels are at zero, which is more than good!!!

regards
nico
----------------------------------------------------------------
Ce.S.P.I. - UNLP |
From: fab <fa...@gn...> - 2005-03-04 16:35:34
|
Sorry, but I don't have dbg symbols... I did nothing in particular and when I wanted to restart ossim (I use the latest debian package) I got a segfault as soon as a program connects to it (I tried with netcat too):

(gdb) r -D -c /etc/ossim/server/config.xml
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1212226592 (LWP 12410)]
0xb7def06d in gnet_inetaddr_noport_equal () from /usr/lib/libgnet-2.0.so.0
(gdb) bt
#0  0xb7def06d in gnet_inetaddr_noport_equal () from /usr/lib/libgnet-2.0.so.0
#1  0x08062bc6 in ?? ()
#2  0x00000000 in ?? ()
#3  0x08436690 in ?? ()
#4  0xbffff6b8 in ?? ()
#5  0x080b3ae0 in ?? ()
#6  0x08436690 in ?? ()
#7  0x082c0ce0 in ?? ()
#8  0xbffff6b8 in ?? ()
#9  0x0806345b in ?? ()
#10 0x080b3ae0 in ?? ()
#11 0x08436690 in ?? ()
#12 0x00000000 in ?? ()
#13 0xb7e00600 in ?? () from /usr/lib/libgnet-2.0.so.0
#14 0x08436690 in ?? ()
#15 0x083ef428 in ?? ()
#16 0xbffff6f8 in ?? ()
#17 0x0807c062 in ?? ()
#18 0x080b3ae0 in ?? ()
#19 0x08436690 in ?? ()
#20 0x00000103 in ?? ()
#21 0xb7df0b0a in gnet_tcp_socket_ref () from /usr/lib/libgnet-2.0.so.0

and at this address:

0xb7def06d <gnet_inetaddr_noport_equal+32>: movzwl 0x8(%edx),%eax
0xb7def071 <gnet_inetaddr_noport_equal+36>: cmp 0x8(%ecx),%ax
0xb7def075 <gnet_inetaddr_noport_equal+40>: je 0xb7def086 <gnet_inetaddr_noport_equal+57>
0xb7def077 <gnet_inetaddr_noport_equal+42>: xor %eax,%eax
0xb7def079 <gnet_inetaddr_noport_equal+44>: mov 0xfffffff4(%ebp),%ebx
0xb7def07c <gnet_inetaddr_noport_equal+47>: mov 0xfffffff8(%ebp),%esi
0xb7def07f <gnet_inetaddr_noport_equal+50>: mov 0xfffffffc(%ebp),%edi
0xb7def082 <gnet_inetaddr_noport_equal+53>: mov %ebp,%esp
0xb7def084 <gnet_inetaddr_noport_equal+55>: pop %ebp
0xb7def085 <gnet_inetaddr_noport_equal+56>: ret
0xb7def086 <gnet_inetaddr_noport_equal+57>: cmp $0x2,%ax
0xb7def08a <gnet_inetaddr_noport_equal+61>: je 0xb7def155 <gnet_inetaddr_noport_equal+264>
0xb7def090 <gnet_inetaddr_noport_equal+67>: cmp $0xa,%ax
0xb7def094 <gnet_inetaddr_noport_equal+71>: je 0xb7def0d4 <gnet_inetaddr_noport_equal+135>
0xb7def096 <gnet_inetaddr_noport_equal+73>: lea 0xffffd0e1(%ebx),%eax

I hope this helps... |
From: Jan-Oliver W. <ja...@in...> - 2005-02-21 15:45:02
|
On Fri, Feb 18, 2005 at 12:57:23PM +0100, David Gil wrote:
> On Thu, 17-02-2005 at 15:31 +0100, Jan-Oliver Wagner wrote:
> > > > - while doing "apt-get install ossim-mysql" I am asked:
> > > >
> > > > | Create the database structure now, using the following commands:
> > > > | cd /usr/share/doc/ossim-mysql/contrib/
> > > > | zcat create_mysql.sql.gz ossim_*.sql.gz | mysql ossim -p
> > > > | zcat create_snort_tbls_mysql.sql.gz \
> > > > | create_acid_tbls_mysql.sql.gz | mysql snort -p
> > > > | Use -u and -h mysql options if you need to specify a non-default user
> > > > | and host.
> > > > | After you created the database structure, press 'ok' to continue.
> > > >
> > > > Unfortunately, /usr/share/doc/ossim-mysql/contrib/ does not exist!
> > > > (nor does /usr/share/doc/ossim-mysql).
> > >
> > > Mmmm, it seems that /usr/share/doc/ossim-mysql is created after
> > > debconf executes... I need to change the debconf template.
> >
> > the problem is still there.
>
> What do you suggest me to put in the debconf template? Change after for
> before? ;)

well, it seems to work when you execute it after the deb config routine.
So why not add it to it?

Best

Jan

--
Jan-Oliver Wagner http://intevation.de/~jan/
Intevation GmbH http://intevation.de/ |
From: David G. <dg...@ip...> - 2005-02-18 11:57:27
|
On Thu, 17-02-2005 at 15:31 +0100, Jan-Oliver Wagner wrote:
> Hi David,
>
> [ I am sending this to the devel list now since I
> do not want to bother you alone with my reports ]
>
> only today I found the time to give OSSIM a new try.
>
> [14:05] I am starting with a fresh and clean Debian Sarge as of today.
>
> On Tue, Feb 01, 2005 at 05:31:38PM +0100, David Gil wrote:
> > On Wed, 26-01-2005 at 12:49 +0100, Jan-Oliver Wagner wrote:
> > > On Tue, Jan 25, 2005 at 03:30:24PM +0100, David Gil wrote:
> > > > Please, don't use that manual, it's deprecated. Please use this
> > > > (http://www.ossim.net/docs/INSTALL.Debian.quick.txt) instead.
> > >
> > > hm. Would be good to take the other stuff offline then.
> >
> > Yes, we pretend to update the doc, but in the meantime may be better to
> > notice that...
> >
> > > > With this manual I hope you can install OSSIM in less than 1 hour.
> > >
> > > OK, lets see [12:00] ... ;-)
> > >
> > > - here also is missing "apt-get update"
> >
> > I think it's obvious..
>
> Well, people not used to use Debian stumble across this. I observed
> this multiple times.

Ok, I've just added an "apt-get update" to the manual.

> I am leaving out the Performance section.
>
> > > - while doing "apt-get install ossim-mysql" I am asked:
> > >
> > > | Create the database structure now, using the following commands:
> > > | cd /usr/share/doc/ossim-mysql/contrib/
> > > | zcat create_mysql.sql.gz ossim_*.sql.gz | mysql ossim -p
> > > | zcat create_snort_tbls_mysql.sql.gz \
> > > | create_acid_tbls_mysql.sql.gz | mysql snort -p
> > > | Use -u and -h mysql options if you need to specify a non-default user
> > > | and host.
> > > | After you created the database structure, press 'ok' to continue.
> > >
> > > Unfortunately, /usr/share/doc/ossim-mysql/contrib/ does not exist!
> > > (nor does /usr/share/doc/ossim-mysql).
> >
> > Mmmm, it seems that /usr/share/doc/ossim-mysql is created after
> > debconf executes... I need to change the debconf template.
>
> the problem is still there.

What do you suggest me to put in the debconf template? Change after for before? ;)

> > Type:
> > dpkg -L ossim-mysql
>
> polynoe:~# dpkg -L ossim-mysql
> /.
> /usr
> /usr/share
> /usr/share/doc
> /usr/share/doc/ossim-mysql
> /usr/share/doc/ossim-mysql/contrib
> /usr/share/doc/ossim-mysql/contrib/create_mysql.sql.gz
> /usr/share/doc/ossim-mysql/contrib/create_pgsql.sql.gz
> /usr/share/doc/ossim-mysql/contrib/ossim_config.sql.gz
> /usr/share/doc/ossim-mysql/contrib/ossim_data.sql.gz
> /usr/share/doc/ossim-mysql/contrib/realsecure.sql.gz
> /usr/share/doc/ossim-mysql/contrib/snort_nessus.sql.gz
> /usr/share/doc/ossim-mysql/contrib/create_snort_tbls_mysql.sql.gz
> /usr/share/doc/ossim-mysql/contrib/096-to-097.sql.gz
> /usr/share/doc/ossim-mysql/contrib/097-to-098.sql.gz
> /usr/share/doc/ossim-mysql/contrib/create_acid_tbls_mysql.sql.gz
> /usr/share/doc/ossim-mysql/changelog.gz
> /usr/share/doc/ossim-mysql/INSTALL.gz
> /usr/share/doc/ossim-mysql/copyright
> /usr/share/doc/ossim-mysql/changelog.Debian.gz
>
>
> I do not understand the item
> "Edit /etc/mysql/my.cnf and modify the "bind-address" entry if you want
> MySQL will listen on port TCP-3306 after restart."
> so I did not change the file.

You need to modify this attribute if you want other hosts to be able to connect to your mysql server (only 127.0.0.1 by default).

>
> apt-get install ossim-server
> There is still the wrong text in one dialog
> which says "enter database"
> but actually a username must be entered.

I read: Please enter the name of the database *user* you want to use. Am I wrong?

> apt-get install ossim-agent
> prompting 127.0.0.1 and simply saying not to use it
> is a bit vague.
> Better make proposals or explain the situation in
> more detail.

Ok, I've just changed it to: What's your OSSIM Agent ip? (Don't use 127.0.0.1 if you want to monitor this sensor from the framework)

> apt-get install ossim-framework
> There is a dialog saying:
>
> NOTE: Manual configuration required
> You will need to go to http://localhost/acidlab first to force the
> database
> modifications for ACIDlab. It is also advised that you run this
> either over HTTPS or
> with some form of access control on the webserver. We do not
> attempt to install using
> either technique.
>
> Your installation description should say whether this is important
> for ossim or not.

Acid stuff, not OSSIM stuff. I pretend that the manual was as short as possible..

> However, the command
> lynx http://localhost/acidlab
> does not work anyway. There seems to be no server listening at
> this point of time.
>
> oops, and again a dialog asks for database but should for a
> username.

database *user*? like ossim configuration? are you sure?

> the guide says
> "- Edit the phpgacl configuration by hand at
> /etc/ossim/framework/ossim.conf.
> Debconf management is incoming.."
>
> but to my opinion the file is configured correctly already.

Cause you have default settings (localhost, root, ossim, etc). If you have to change the database password..

>
> > > OK, again I will start ignoring ... :-(
> > >
> > > - while doing "apt-get install ossim-framework":
> > >
> > > |...
> > > | Creating config file /etc/apache/modules.conf with new version
> > > |
> > > | Setting up ossim-framework (0.9.7+cvs20050125-1) ...
> > > | Package `apache' is not installed and no info is available.
> > > | Use dpkg --info (= dpkg-deb --info) to examine archive files,
> > > | and dpkg --contents (= dpkg-deb --contents) to list their contents.
> > > |
> > > | Setting up fontconfig (2.2.3-4) ...
> > > |...
> >
> > It's fixed in 0.9.8rc1.
>
> confirmed. :)

> > > sounds strange, but I will ignore.
> > >
> > > time is [12:22]
> > >
> > > - "Go to http://yourhost/phpgacl/setup.php to insert the tables in the
> > > database."
> > >
> > > well:
> > > telnet localhost 80
> > > Trying 127.0.0.1...
> > > telnet: Unable to connect to remote host: Connection refused
> > >
> > > oh, it is https ...
> > >
> >
> > > - doing the "lets get started" (I guess thats what I should do?):
> >
> > Once phpgacl is configured, go to http://yourhost/ossim/. You do not
> > need to enter to phpgacl admin page..
>
> OK.
> Time is now 14:38. Have to stop for some minutes.
> 15:02 - proceeding.
>
> I entered http://yourhost/ossim/
> and first was asked to do something about phpGACL.
> I did so and it seemed to be success.
> However, the resulting web page says
> "*IMPORTANT*
>
> Please make sure you create the <phpGACL root>/admin/templates_c
> directory, and give it write permissions for the user your web server
> runs as."

phpgacl debian package does the job for you

> But that is already OK, so the hint is superfluous.

Yes, you are right..

> > > Warning: file(../CREDITS): failed to open stream: No such file or
> > > directory in /usr/share/phpgacl/admin/about.php on line 73
> > >
> > > Warning: implode(): Bad arguments. in
> > > /usr/share/phpgacl/admin/about.php on line 73
> > > phpGACL
> >
> >
> > New phpgacl improvements have been introduced today, can you test with
> > the new phpgacl-3.3.4 package?
>
> confirmed to not appear any more.

Perfect.

> [15:15] Great, I have now a management interface in my browser running.
> Some error messages here and there, but I will look into this later.
>
> > Sorry my poor english.
>
> Your english is very good. Thanks for your answers.

I do what I can hehehe

> Best
>
> Jan

Thank you very much for your report. Reports like this are very useful for us :)

David. |