From: Dominique K. <dk...@os...> - 2007-11-19 19:16:15
Hello Everybody,

sorry for the crosspost, but I thought the subject could be interesting on both lists.

Some months ago Daniel (ossec project lead) and I (ossim project lead) exchanged a couple of mails about both systems, but we didn't get any further in the conversation due to, well, I guess mainly lack of time.

Now I've got some more time and have started poking around with ossec, and I must say I'm very pleased. Everything looks solid and well designed, and it was very easy for me to extract all the information needed in order to start working on a plugin. The results so far can be seen here: http://www.ossim.com/dk/ossec/. I've got a working plugin for each main input file and some identifiers to work with them.

My next issues/steps/comments are as follows:

- ossim needs to know 'what' has generated 'which' events. We call the event generators the "plugins", while individual events are the "plugin_sid"s. It was quite easy to extract the sids from the rule files, but I'm not so sure about the generators. And I haven't found them in the log output either.
- Is there any way ossec determines the "priority" or importance of an attack? The "level" parameter maybe?
- Is everything being logged into /var/ossec/logs/alerts/alerts.log by default? Or is some information thrown into other files and not into that one?
- Could the sensor's ip address be logged instead of only the name? (I guess not always, syslog restrictions.)
- Could we add an md5sum to the original log files, for compliance and regulatory stuff?

And:

- Would it be possible to incorporate a source patch for an 'ossim' output module into 1.5 so the missing information could be made present?

I'll continue to work on this tomorrow, getting some specific graphs done for ossec.

Soon I'll release another version of the installer CD we recently started providing at http://www.ossim.com/home.php?id=download (announcement can be found at http://www.ossim.net), which will include an already pre-configured ossec and windows agents configured to connect easily with the server.

Any type of help (comments, code, documentation) is welcome. I think making ossec and ossim talk together is something from which both projects can benefit greatly :-)

Greetings,

Dominique
From: Daniel C. <dc...@os...> - 2007-11-20 23:03:12
Hi Dominique,

First, I have to say that I am very happy to see OSSEC+OSSIM together, and your plug-in seems to be working quite well. Rest inline...

On 11/19/07, Dominique Karg <dk...@os...> wrote:
>
> - ossim needs to know 'what' has generated 'which' events. We call the
> event generators the "plugins", while individual events are the
> "plugin_sid"s. It was quite easy to extract the sids from the rule
> files but I'm not so sure about the generators. And I haven't found
> them either in the log output.

The way we track who generated the alert is based on the location where it came from. It can be "/var/log/messages" for a local log message, "agent_name->/var/log/http/error_log" for a message from one agent, or even "1.2.3.4" for a log received remotely via syslog... I don't know if that's what you are looking for, but it is in the header of the alert:

** Alert 1194921832.980: - syslog,errors,
2007 Nov 12 22:43:52 copacabana->/var/log/messages
Rule: 1006 (level 5) -> 'Syslogd restarted.'
..

> - Is there any way ossec determines the "priority" or importance of an
> attack ? the "level" parameter maybe ?

Yes, level is how we determine the severity of the alert. It is user-defined from 0 to 255, but in our official rules we only use 0 to 15 (0 is lowest and 15 highest).

> - Is everything being logged into /var/ossec/logs/alerts/alerts.log by
> default ? or is some information thrown into other files and not into
> that one ?

Everything is logged at /var/ossec/logs/alerts/Year/Month/ossec-alerts-day.log

For today's log it would be:

/var/ossec/logs/alerts/2007/Nov/ossec-alerts-12.log

The file alerts.log is just a link to the latest alert file (for easy tailing/catting). Also, we have an ossec.log file for ossec's info/error messages and the active-response.log for the active response stuff... However, I think you only need to care about the alerts one.

> - Could the sensor's ip address be logged instead only the name ? (I
> guess not always, syslog restrictions)

It depends on where you are getting the log from... If you are reading from a local log file, it will use whatever is in the log (generally the hostname from syslog). However, if you are using the server/agent architecture, the ip address will be in the alert header (agent name, ip address and location):

** Alert 1195551157.1622: mail - windows,time_changed,
2007 Nov 20 05:32:37 (winhome) 192.168.2.190->WinEvtLog
Rule: 18140 (level 7) -> 'System time changed.'

> - Could we add a md5sum to the original log files, for compliance and
> regulatory stuff ?

We do that already (chained md5 + sha1 of the logs):
http://www.ossec.net/dcid/?p=74

> And:
>
> - Would it be possible to incorporate a source patch for an 'ossim'
> output module into 1.5 so the missing information could be made
> present ?

For sure :)

> I'll continue to work on this tomorrow, getting some specific graphs
> done for ossec. Soon I'll release another version of the installer CD
> we recently started providing at http://www.ossim.com/home.php?id=download
> (announcement can be found at http://www.ossim.net) which will
> include an already pre-configured ossec and windows agents configured
> to connect easily with the server.

That's great. I already added you to my MSN/Gtalk so we can talk in real time if necessary...

> Any type of help (comments, code, documentation) is welcome, I think
> making ossec and ossim talk together is something from which both
> projects can benefit greatly :-)

Yes, I agree 100%. Hopefully I was able to answer your initial questions...

> Greetings,
>
> Dominique
>

Thanks,

Daniel
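As an added example (not code from OSSEC or OSSIM, and not part of the original thread), here is a small Python parser for the alert headers Daniel quotes above. It pulls out exactly the fields Dominique asked about: the location (the OSSIM "generator"), the agent name and ip when the server/agent architecture supplies them, and the rule id and level. The header layout, the three location forms and the 0..255 level range follow the reply; the third sample alert (bare ip location for remote syslog), its rule id and description, and all raw log lines under the headers are constructed for the example and are labelled as such in the code.

```python
"""Parse OSSEC alert log entries into the fields an OSSIM plugin needs.

Added example, not code from either project.  Assumes the layout quoted in
the thread: a "** Alert" header, a timestamp + location line, a "Rule:" line,
then the raw log line(s); alert blocks are separated by a blank line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+): (?P<mail>mail )?- (?P<groups>.*?),?$")
STAMP_RE = re.compile(r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
AGENT_LOC_RE = re.compile(r"^\((?P<agent>[^)]+)\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})->(?P<source>.+)$")
HOST_LOC_RE = re.compile(r"^(?P<host>\S+)->(?P<source>.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Alert:
    alert_id: str          # "<epoch>.<seq>" as printed in the header
    mailed: bool           # "mail" flag between the id and the groups
    groups: List[str]      # rule groups, e.g. ["syslog", "errors"]
    timestamp: str
    name: Optional[str]    # agent or host name, if the location has one
    ip: Optional[str]      # agent/sensor ip, if the location has one
    source: str            # file or channel the event came from (OSSIM generator)
    rule_id: int           # OSSIM plugin_sid candidate
    level: int             # 0..255; official rules use 0..15
    description: str
    log: List[str]         # raw log lines under the header


def split_location(location: str) -> Tuple[Optional[str], Optional[str], str]:
    """Return (name, ip, source) for the three location forms in the thread."""
    m = AGENT_LOC_RE.match(location)
    if m:                                   # "(winhome) 192.168.2.190->WinEvtLog"
        return m["agent"], m["ip"], m["source"]
    m = HOST_LOC_RE.match(location)
    if m:                                   # "copacabana->/var/log/messages"
        return m["host"], None, m["source"]
    if IPV4_RE.match(location):             # bare "1.2.3.4" from remote syslog
        return None, location, location
    return None, None, location             # anything else: source only


def _parse_block(lines: List[str]) -> Alert:
    if len(lines) < 3:
        raise ValueError("alert block too short: %r" % lines)
    h, s, r = HEADER_RE.match(lines[0]), STAMP_RE.match(lines[1]), RULE_RE.match(lines[2])
    if not (h and s and r):
        raise ValueError("malformed alert header: %r" % lines[:3])
    level = int(r["level"])
    if not 0 <= level <= 255:               # range stated in the reply
        raise ValueError("level out of range: %d" % level)
    name, ip, source = split_location(s["location"])
    return Alert(alert_id="%s.%s" % (h["epoch"], h["seq"]),
                 mailed=h["mail"] is not None,
                 groups=[g for g in h["groups"].split(",") if g],
                 timestamp=s["ts"], name=name, ip=ip, source=source,
                 rule_id=int(r["rule"]), level=level, description=r["desc"],
                 log=lines[3:])


def parse_alerts(text: str) -> List[Alert]:
    """Split the alert file on blank lines and parse each block."""
    alerts, block = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last block
        if line.strip():
            block.append(line)
        elif block:
            alerts.append(_parse_block(block))
            block = []
    return alerts


def group_by_generator(alerts: List[Alert]) -> Dict[str, Dict[int, int]]:
    """Count alerts per (generator, rule id): OSSIM's plugin and plugin_sid."""
    counts: Dict[str, Dict[int, int]] = {}
    for a in alerts:
        per_source = counts.setdefault(a.source, {})
        per_source[a.rule_id] = per_source.get(a.rule_id, 0) + 1
    return counts


# Constructed sample: the two headers quoted in the thread, plus a third
# (assumed) header whose location is a bare ip, as described for remote
# syslog.  The raw log lines and the third rule id/description are made up.
SAMPLE_ALERTS = """\
** Alert 1194921832.980: - syslog,errors,
2007 Nov 12 22:43:52 copacabana->/var/log/messages
Rule: 1006 (level 5) -> 'Syslogd restarted.'
Nov 12 22:43:52 copacabana syslogd 1.4.1: restart.

** Alert 1195551157.1622: mail - windows,time_changed,
2007 Nov 20 05:32:37 (winhome) 192.168.2.190->WinEvtLog
Rule: 18140 (level 7) -> 'System time changed.'
WinEvtLog: System: INFORMATION(1): W32Time: N/A: N/A: WINHOME: time changed.

** Alert 1195551200.1623: - syslog,
2007 Nov 20 05:33:20 1.2.3.4
Rule: 100001 (level 3) -> 'Constructed example rule.'
Nov 20 05:33:19 gw example[42]: constructed sample log line
"""
```

Run `parse_alerts(SAMPLE_ALERTS)` and `group_by_generator(...)` on the sample to see the mapping: the generator for a local file is the path after `->`, for an agent it is the file or channel after the ip, and the agent name and ip only exist in the server/agent form, which matches Daniel's point that a locally read syslog file yields whatever hostname syslog wrote.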