From: Umarzuki M. <uma...@gm...> - 2009-11-19 12:04:42

Last time I had to have at least 2 GiB RAM.

2009/11/19 Gabriele Gabriele <d_g...@ho...>
> Hi to all, this is my first time in this mailing list,
> I'd like to install ossim on a linux server in my network, but I don't know
> the minimum hardware requirement.
> Can somebody help me?

--
Regards,
Umarzuki Mochlis
http://gameornot.net
From: Gabriele G. <d_g...@ho...> - 2009-11-19 11:57:09

Hi to all, this is my first time in this mailing list. I'd like to install ossim on a linux server in my network, but I don't know the minimum hardware requirement. Can somebody help me?
From: Kaushal S. <kau...@gm...> - 2009-11-11 15:32:16

Hi,

Is there a way to configure snort in ossim? Which option/tab do I need to see snort configs on the frontend in the OSSIM Interface?

Thanks,
Kaushal
From: Kaushal S. <kau...@gm...> - 2009-11-06 17:40:40

Hi Ritter,

I have installed OSSIM on a host and am able to access the web interface. I have gone through all the docs section too but could not proceed from there. The issue is I am stuck in configuring it; is there a step by step guide to configure ossim? Please suggest/guide.

Thanks and Regards,
Kaushal
From: David W. <dw...@ad...> - 2009-10-14 23:44:17

Dear OSSIM developers,

When I open Events --> Vulnerabilities --> Threats Database, I get this:

    Not Found
    The requested URL /ossim/vulnmeter/threats-db.php was not found on this server.
    ________________________________
    Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0 Server at MY_IP Port 80

This is page: http://MY_IP/ossim/vulnmeter/threats-db.php?hmenu=Vulnerabilities&smenu=VulnThreats

Regards,
-David Wilson
From: David W. <dw...@ad...> - 2009-10-14 23:15:22

Dear OSSIM Developers,

When setting up a security apparatus it is considered good practice to reduce the vulnerability "cross-section" of the device. Many less skilled admins will take your disk and slap it on a machine, thinking that they have made their networks more secure (bear in mind that strictly following the install directions will result in a non-functional device (see my previous posts about this)). Most of them will not stop to consider that a security appliance could actually open their network up to attack. So as a distributor of a custom Debian disk, you have a special responsibility to the end user (or in this case "end admin") to provide a pre-hardened configuration.

With this in mind, please see this list of listening ports:

    ossimids:~# netstat -anp | grep LISTEN | grep -v LISTENING
    tcp        0      0 0.0.0.0:40001     0.0.0.0:*   LISTEN   4228/ossim-server
    tcp        0      0 0.0.0.0:514       0.0.0.0:*   LISTEN   2883/rsyslogd
    tcp        0      0 127.0.0.1:40003   0.0.0.0:*   LISTEN   3707/python
    tcp        0      0 0.0.0.0:3306      0.0.0.0:*   LISTEN   3040/mysqld
    tcp        0      0 0.0.0.0:43        0.0.0.0:*   LISTEN   3206/inetd
    tcp        0      0 0.0.0.0:9390      0.0.0.0:*   LISTEN   3604/openvasd: wait
    tcp        0      0 0.0.0.0:4949      0.0.0.0:*   LISTEN   4075/munin-node
    tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN   2958/sshd
    tcp        0      0 127.0.0.1:25      0.0.0.0:*   LISTEN   3811/master
    tcp        0      0 0.0.0.0:2265      0.0.0.0:*   LISTEN   3615/osirisd
    tcp        0      0 0.0.0.0:2266      0.0.0.0:*   LISTEN   3618/osirismd
    tcp6       0      0 :::514            :::*        LISTEN   2883/rsyslogd
    tcp6       0      0 127.0.0.1:8005    :::*        LISTEN   3869/java
    tcp6       0      0 :::8009           :::*        LISTEN   3869/java
    tcp6       0      0 :::8080           :::*        LISTEN   3869/java
    tcp6       0      0 :::80             :::*        LISTEN   4012/apache2
    tcp6       0      0 :::22             :::*        LISTEN   2958/sshd
    tcp6       0      0 :::3000           :::*        LISTEN   4287/ntop

Virtually every one of these services has in the past been used to (a) take over the entire machine or (b) provide an attacker with whatever information is available via that service. The exceptions to the rule are the services that you wrote yourselves. How much do you wish to gamble that no exploit will ever be found for your own software?

Let's look at a few of these concerns:

1) ipv6 - Most older firewalls will not filter ipv6 (mine doesn't). There is no reason for this machine to listen for ipv6 packets, ever. If I had ipv6 on my network it should be detected by the install script. There is not now and will never be an ipv6 internet <http://cr.yp.to/djbdns/ipv6mess.html>.

2) Openvasd - this is a service that launches exploits against remote machines. It listens on a port because in theory one could use the openvas client to connect to it and see graphs and charts on your desktop machine. I wanted a web interface to look at vulnerabilities, not a gtk/qt client. It is a gaping security hole to permit remote programs to connect to my security device and attack remote machines.

3) Tomcat -- there are more than 79 tomcat vulnerabilities http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tomcat outstanding today. It took me about 5 seconds to find one that worked: http://MY_IP:8080/manager/html This link is live and using the default password listed on the web site permits you to run arbitrary tomcat webapps. This exploit is live and in the wild right now.

I'm talking to the coworkers and they are telling me I'm all wet about this, but I insist that the kind of people that will install OSSIM are not talented admins and will not check under the hood to make sure that everything is secure.

What services should be listening? 22 and 443. Nothing else. These measures do not guarantee a secure machine, but not having them guarantees a rooted machine.

Regards,
-Dave
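A defender-side check for the kind of listing in the post above, as an added example that is not part of the original message or of OSSIM: it parses `netstat -anp` LISTEN lines and flags every socket bound to a non-loopback address whose port is outside an allow-list (22 and 443, the post's proposal, is an assumption you would adjust per site), reporting IPv6 wildcard binds separately since an IPv4-only firewall never sees them. The sample input is constructed from the listing quoted in the post.

```python
import re
from dataclasses import dataclass

# Ports the appliance may expose beyond loopback.
# Assumption: the post's position, SSH (22) and HTTPS (443) only.
ALLOWED_PORTS = frozenset({22, 443})

# Constructed sample: the `netstat -anp | grep LISTEN` output quoted in the post.
SAMPLE_NETSTAT = """\
tcp   0 0 0.0.0.0:40001   0.0.0.0:* LISTEN 4228/ossim-server
tcp   0 0 0.0.0.0:514     0.0.0.0:* LISTEN 2883/rsyslogd
tcp   0 0 127.0.0.1:40003 0.0.0.0:* LISTEN 3707/python
tcp   0 0 0.0.0.0:3306    0.0.0.0:* LISTEN 3040/mysqld
tcp   0 0 0.0.0.0:43      0.0.0.0:* LISTEN 3206/inetd
tcp   0 0 0.0.0.0:9390    0.0.0.0:* LISTEN 3604/openvasd: wait
tcp   0 0 0.0.0.0:4949    0.0.0.0:* LISTEN 4075/munin-node
tcp   0 0 0.0.0.0:22      0.0.0.0:* LISTEN 2958/sshd
tcp   0 0 127.0.0.1:25    0.0.0.0:* LISTEN 3811/master
tcp   0 0 0.0.0.0:2265    0.0.0.0:* LISTEN 3615/osirisd
tcp   0 0 0.0.0.0:2266    0.0.0.0:* LISTEN 3618/osirismd
tcp6  0 0 :::514          :::*      LISTEN 2883/rsyslogd
tcp6  0 0 127.0.0.1:8005  :::*      LISTEN 3869/java
tcp6  0 0 :::8009         :::*      LISTEN 3869/java
tcp6  0 0 :::8080         :::*      LISTEN 3869/java
tcp6  0 0 :::80           :::*      LISTEN 4012/apache2
tcp6  0 0 :::22           :::*      LISTEN 2958/sshd
tcp6  0 0 :::3000         :::*      LISTEN 4287/ntop
"""

# Columns: proto, recv-q, send-q, local address, foreign address, state, pid/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<prog>.+?)\s*$"
)

LOOPBACK = frozenset({"127.0.0.1", "::1", "::ffff:127.0.0.1"})


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "tcp6"
    address: str    # bind address; "0.0.0.0" / "::" mean every interface
    port: int
    program: str    # "pid/name" as printed by netstat -p

    @property
    def loopback_only(self) -> bool:
        return self.address in LOOPBACK

    @property
    def ipv6(self) -> bool:
        return self.proto == "tcp6"


def parse_netstat(text: str) -> list:
    """Parse the LISTEN lines of `netstat -anp`; other lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rpartition keeps IPv6 addresses intact: ":::8080" -> ("::", "8080")
        addr, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(m.group("proto"), addr, int(port), m.group("prog")))
    return listeners


def audit(listeners, allowed_ports=ALLOWED_PORTS):
    """Return (listener, reason) for every socket reachable from the network
    whose port is not on the allow-list. Loopback-only sockets are accepted.
    IPv6 wildcard binds get their own reason: IPv4-only firewall rules do
    not cover them, which is the post's first concern."""
    findings = []
    for l in listeners:
        if l.loopback_only or l.port in allowed_ports:
            continue
        if l.ipv6:
            reason = "bound to all IPv6 addresses; not covered by IPv4-only firewall rules"
        else:
            reason = "bound to all IPv4 addresses"
        findings.append((l, reason))
    return findings


def exposed_ports(text, allowed_ports=ALLOWED_PORTS):
    """Sorted list of distinct flagged ports for a netstat dump."""
    return sorted({l.port for l, _ in audit(parse_netstat(text), allowed_ports)})


if __name__ == "__main__":
    for l, reason in audit(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{l.proto:<5} {l.address}:{l.port:<6} {l.program:<22} {reason}")
```

Run it against a live `netstat -anp` dump from the appliance to get the same report; the allow-list is the only thing to change per deployment.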
From: Juan M. L. <ju...@os...> - 2009-10-14 21:52:27

You should use the 64 bits on a bigmem box; replacing the 32 bit kernel won't replace all the binaries, which will still be 32 bit, so with those specs you should always use the 64 bit, not the 32 one.

On Wed, Oct 14, 2009 at 11:48 PM, David Wilson <dw...@ad...> wrote:
> I am about to try the 64 bit version, but I have tried the 32 bit
> version, and updated it with apt. That process will not replace the single
> proc kernel with a multiproc kernel.
>
> Why should I use a 32 bit version on a bigmem box?
>
> Regards,
> -Dave
From: David W. <dw...@ad...> - 2009-10-14 21:48:48

I am about to try the 64 bit version, but I have tried the 32 bit version, and updated it with apt. That process will not replace the single proc kernel with a multiproc kernel.

Why should I use a 32 bit version on a bigmem box?

Regards,
-Dave

________________________________
From: jua...@gm... [mailto:jua...@gm...] On Behalf Of Juan Manuel Lorenzo
Sent: Wednesday, October 14, 2009 2:26 PM
To: David Wilson
Cc: os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

Hi David

Which installer are you using? 32 bits? 64 bits? With that processor and amount of memory you should be using the 32 bits one. After installing make sure you update your box with apt-get update; apt-get dist-upgrade
From: Juan M. L. <ju...@os...> - 2009-10-14 21:25:47

Hi David

Which installer are you using? 32 bits? 64 bits? With that processor and amount of memory you should be using the 32 bits one. After installing make sure you update your box with apt-get update; apt-get dist-upgrade

On Wed, Oct 14, 2009 at 11:17 PM, David Wilson <dw...@ad...> wrote:
> Dear OSSIM Developers,
>
> We have installed OSSIM on a machine with 8 cores in 2 sockets, with 16GB
> ram and although the problem is greatly alleviated, it is still going on. I
> think I have tracked down the issue to the kernel that is installed by
> default on a new Debian machine. This kernel:
>
> vmlinuz-2.6.26-2-486
>
> is not SMP capable and will not recognize large amounts of ram.
>
> I have replaced the kernel with:
> vmlinuz-2.6.26-2-686-bigmem
> which looks to be resolving the ossim-server issue.
>
> I am seeing numerous other problems with the box, but those will be
> addressed in separate posts.
>
> Regards,
> -Dave
From: David W. <dw...@ad...> - 2009-10-14 21:18:02

Dear OSSIM Developers,

We have installed OSSIM on a machine with 8 cores in 2 sockets, with 16GB ram and although the problem is greatly alleviated, it is still going on. I think I have tracked down the issue to the kernel that is installed by default on a new Debian machine. This kernel:

    vmlinuz-2.6.26-2-486

is not SMP capable and will not recognize large amounts of ram. I have replaced the kernel with:

    vmlinuz-2.6.26-2-686-bigmem

which looks to be resolving the ossim-server issue.

I am seeing numerous other problems with the box, but those will be addressed in separate posts.

Regards,
-Dave

________________________________
From: David Wilson
Sent: Thursday, October 08, 2009 3:38 PM
To: 'Juan Manuel Lorenzo'
Cc: fo...@al...; os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

Thank you for figuring out what the problem was. I will replace the box ASAP. It is wonderful to have a responsive mailing list with knowledgeable people to help out. This is a terrific piece of software and the developers are terrific.

Perhaps this should be an FAQ? There is no hardware requirement listed on the download page, the FAQ, or the install guide.

Regards,
-Dave

________________________________
From: jua...@gm... [mailto:jua...@gm...] On Behalf Of Juan Manuel Lorenzo
Sent: Thursday, October 08, 2009 1:48 PM
To: David Wilson
Cc: fo...@al...; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

The problem in your case may be more related to hardware than to configuration; the server may take 10 minutes to start on systems with a slow processor or just a little RAM memory. Notice that for an all-in-one profile you will need at least 2gb of RAM memory. Check that your system is not using swap memory.

Also take a look at monit: monit is checking that the ossim server is running every 300 seconds; if monit cannot open port 40001 on localhost it will start the ossim server again. That's why your server never starts: because it takes so long to open the port, maybe because of the hardware you are running, and then it starts the server again. So you could stop monit or modify the monit config so it waits more time before doing all the checks. But just as a recommendation to anyone, 1gb is never going to be enough for an all-in-one profile. Mysql, Snort, Apache, Ntop,... you will be running lots of programs in the same box, so I would say use at least 2gb in your all-in-one profile.

And in the ossim_setup.conf file you only have to define in the interfaces file those interfaces that are going to be sniffing all the traffic, so you should only write there eth1, not eth0; if you write both you will be running a lot of programs on the interface eth0 when those programs are never going to see any traffic on that interface.

And just another thing: the interface with the port mirroring should never have an ip address.

Juanma

On Thu, Oct 8, 2009 at 8:12 PM, David Wilson <dw...@ad...> wrote:

This is what I have learned so far:

With a fresh install and the following ossim_setup.conf:

    idsmanager:~# cat /etc/ossim/ossim_setup.conf
    interface=eth0
    language=en
    profile=all-in-one
    version=2.1

    [database]
    acl_db=ossim_acl
    db_ip=
    db_port=3306
    event_db=snort
    ocs_db=ocsweb
    ossim_db=ossim
    osvdb_db=osvdb
    pass=PASSWORD_REDACTED
    type=mysql
    user=root

    [expert]
    profile=server

    [sensor]
    detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
    interfaces=eth0
    ip=
    monitors=nmap-monitor, ntop-monitor, ossim-monitor
    name=ossim
    priority=5

    [server]
    server_ip=
    server_plugins=osiris, pam_unix, ssh, snare, sudo
    server_port=40001

*) The server will eventually start listening on port 40001 after about 10 minutes.

*) If I attempt to blacklist ipv6 in the modprobe.d the server will never listen.

*) If I change the sensor interface to eth1 the server will never listen.

*) If I change the sensor interface and subsequently change it back I can get the server to listen with a reboot, but ossim-reconfig doesn't seem to do the job.

So my questions are: (a) how can I disable ipv6? And (b) how do I get ossim-server to listen on port 40001?

I have two nics, with one management interface and one "sniffer" interface attached to a SPAN port on a switch. The sniffer interface doesn't have an IP. Does OSSIM require me to put an IP on that interface so that ossim-server will listen? Can ossim sniff on one interface and serve web pages on another? How do I set this up?

Many Thanks,
-Dave
From: David W. <dw...@ad...> - 2009-10-08 22:38:48
Thank you for figuring out what the problem was. I will replace the box ASAP. It is wonderful to have a responsive mailing list with knowledgeable people to help out. This is a terrific piece of software and the developers are terrific.

Perhaps this should be an FAQ? There is no hardware requirement listed on the download page, the FAQ, or the install guide.

Regards,
-Dave

________________________________
From: jua...@gm... [mailto:jua...@gm...] On Behalf Of Juan Manuel Lorenzo
Sent: Thursday, October 08, 2009 1:48 PM
To: David Wilson
Cc: fo...@al...; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

The problem in your case may be more related to hardware than to configuration. The server may take 10 minutes to start in systems with a slow processor or just a little RAM memory; notice that for an all-in-one profile you will need at least 2 GB of RAM memory. Check that your system is not using swap memory.

Also take a look at monit. monit is checking that the ossim server is running every 300 seconds; if monit cannot open port 40001 on localhost it will start the ossim server again. That's why your server never starts: it takes so long to open the port, maybe because of the hardware you are running, and then monit starts the server again. So you could stop monit or modify the monit config so it waits more time before doing all the checks.

But just as a recommendation to anyone, 1 GB is never going to be enough for an all-in-one profile. MySQL, Snort, Apache, Ntop, ... you will be running lots of programs in the same box, so I would say use at least 2 GB in your all-in-one profile.

And in the ossim_setup.conf file you only have to define in the interfaces file those interfaces that are going to be sniffing all the traffic, so you should only write eth1 there, not eth0. If you write both you will be running a lot of programs on the interface eth0 when those programs are never going to see any traffic on that interface.

And just another thing: the interface with the port mirroring should never have an IP address.

Juanma

On Thu, Oct 8, 2009 at 8:12 PM, David Wilson <dw...@ad...> wrote:

This is what I have learned so far:

With a fresh install and the following ossim_setup.conf :

idsmanager:~# cat /etc/ossim/ossim_setup.conf
interface=eth0
language=en
profile=all-in-one
version=2.1

[database]
acl_db=ossim_acl
db_ip=
db_port=3306
event_db=snort
ocs_db=ocsweb
ossim_db=ossim
osvdb_db=osvdb
pass=PASSWORD_REDACTED
type=mysql
user=root

[expert]
profile=server

[sensor]
detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
interfaces=eth0
ip=
monitors=nmap-monitor, ntop-monitor, ossim-monitor
name=ossim
priority=5

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

*) The server will eventually start listening on port 40001 after about 10 minutes.

*) If I attempt to blacklist ipv6 in the modprobe.d the server will never listen.

*) If I change the sensor interface to eth1 the server will never listen.

*) If I change the sensor interface and subsequently change it back I can get the server to listen with a reboot, but ossim-reconfig doesn't seem to do the job.

So my questions are: (a) how can I disable ipv6? And (b) how do I get ossim-server to listen on port 40001?

I have two NICs, with one management interface and one "sniffer" interface attached to a SPAN port on a switch. The sniffer interface doesn't have an IP. Does OSSIM require me to put an IP on that interface so that ossim-server will listen? Can OSSIM sniff on one interface and serve web pages on another? How do I set this up?

Many Thanks,
-Dave
From: Juan M. L. <ju...@os...> - 2009-10-08 20:48:24
The problem in your case may be more related to hardware than to configuration. The server may take 10 minutes to start in systems with a slow processor or just a little RAM memory; notice that for an all-in-one profile you will need at least 2 GB of RAM memory. Check that your system is not using swap memory.

Also take a look at monit. monit is checking that the ossim server is running every 300 seconds; if monit cannot open port 40001 on localhost it will start the ossim server again. That's why your server never starts: it takes so long to open the port, maybe because of the hardware you are running, and then monit starts the server again. So you could stop monit or modify the monit config so it waits more time before doing all the checks.

But just as a recommendation to anyone, 1 GB is never going to be enough for an all-in-one profile. MySQL, Snort, Apache, Ntop, ... you will be running lots of programs in the same box, so I would say use at least 2 GB in your all-in-one profile.

And in the ossim_setup.conf file you only have to define in the interfaces file those interfaces that are going to be sniffing all the traffic, so you should only write eth1 there, not eth0. If you write both you will be running a lot of programs on the interface eth0 when those programs are never going to see any traffic on that interface.

And just another thing: the interface with the port mirroring should never have an IP address.

Juanma

On Thu, Oct 8, 2009 at 8:12 PM, David Wilson <dw...@ad...> wrote:

> This is what I have learned so far:
>
> With a fresh install and the following ossim_setup.conf :
> idsmanager:~# cat /etc/ossim/ossim_setup.conf
> interface=eth0
> language=en
> profile=all-in-one
> version=2.1
>
> [database]
> acl_db=ossim_acl
> db_ip=
> db_port=3306
> event_db=snort
> ocs_db=ocsweb
> ossim_db=ossim
> osvdb_db=osvdb
> pass=PASSWORD_REDACTED
> type=mysql
> user=root
>
> [expert]
> profile=server
>
> [sensor]
> detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
> interfaces=eth0
> ip=
> monitors=nmap-monitor, ntop-monitor, ossim-monitor
> name=ossim
> priority=5
>
> [server]
> server_ip=
> server_plugins=osiris, pam_unix, ssh, snare, sudo
> server_port=40001
>
> *) The server will eventually start listening on port 40001 after about 10 minutes.
>
> *) If I attempt to blacklist ipv6 in the modprobe.d the server will never listen.
>
> *) If I change the sensor interface to eth1 the server will never listen.
>
> *) If I change the sensor interface and subsequently change it back I can get the server to listen with a reboot, but ossim-reconfig doesn't seem to do the job.
>
> So my questions are: (a) how can I disable ipv6? And (b) how do I get ossim-server to listen on port 40001?
>
> I have two NICs, with one management interface and one "sniffer" interface attached to a SPAN port on a switch. The sniffer interface doesn't have an IP. Does OSSIM require me to put an IP on that interface so that ossim-server will listen? Can OSSIM sniff on one interface and serve web pages on another? How do I set this up?
>
> Many Thanks,
> -Dave
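The restart loop Juanma describes (a checker that probes port 40001 every 300 seconds and restarts ossim-server whenever the port is closed, while the server itself needs longer than that to bind) can be reproduced in miniature without OSSIM or monit at all. The Python simulation below is an added example written for this page, not code from the thread, from OSSIM or from monit: SlowService is a constructed stand-in for a server that binds its port only after a start-up delay, run_watchdog plays the checker's role, and the grace parameter is the equivalent of making the check wait longer before it gives up. Ports are ephemeral and chosen at run time; the timings are constructed to show the failure mode quickly.

```python
import socket
import threading
import time


def port_is_open(host, port, timeout=0.5):
    """True if a TCP connect to host:port succeeds within timeout seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def wait_for_port(host, port, grace_seconds, poll_interval=0.1):
    """Poll until the port opens or grace_seconds elapse (grace 0: a single probe)."""
    deadline = time.monotonic() + grace_seconds
    while time.monotonic() < deadline:
        if port_is_open(host, port):
            return True
        time.sleep(poll_interval)
    return port_is_open(host, port)


def free_port():
    """Ask the kernel for an unused localhost port (demo only; tiny reuse race)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


class SlowService:
    """Constructed stand-in for ossim-server: it binds its port only after
    startup_delay seconds, like a server that is slow to initialise."""

    def __init__(self, port, startup_delay):
        self.port, self.startup_delay = port, startup_delay
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def start(self):
        self._thread.start()

    def _run(self):
        if self._stop.wait(self.startup_delay):   # killed before binding
            return
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("127.0.0.1", self.port))
            s.listen(5)
            s.settimeout(0.1)                      # wake up regularly to see _stop
            while not self._stop.is_set():
                try:
                    conn, _ = s.accept()
                    conn.close()
                except socket.timeout:
                    pass

    def stop(self):
        self._stop.set()
        self._thread.join()


def run_watchdog(startup_delay, check_interval, cycles, grace=0.0):
    """Play the checker against a SlowService for `cycles` checks and return the
    number of restarts performed. grace=0 is a single probe per check, which is
    what makes a slow server loop forever; a grace period lets the probe wait."""
    port = free_port()
    svc = SlowService(port, startup_delay)
    svc.start()
    restarts = 0
    try:
        for _ in range(cycles):
            time.sleep(check_interval)
            if not wait_for_port("127.0.0.1", port, grace):
                svc.stop()                         # "restart": kill it ...
                svc = SlowService(port, startup_delay)
                svc.start()                        # ... and start it again
                restarts += 1
    finally:
        svc.stop()
    return restarts


if __name__ == "__main__":
    # Server needs 0.6 s to bind; a check every 0.2 s restarts it every time.
    print("interval 0.2 s, no grace :", run_watchdog(0.6, 0.2, 3), "restarts")
    # Same server, checked every 1.0 s: it comes up and stays up.
    print("interval 1.0 s           :", run_watchdog(0.6, 1.0, 3), "restarts")
    # Short interval, but each probe waits up to 1 s for the port: also stable.
    print("interval 0.2 s, 1 s grace:", run_watchdog(0.6, 0.2, 3, grace=1.0), "restarts")
```

The first run never sees the port open and restarts the service on every check; the other two end with zero restarts. The second fix (a grace period inside the probe) is the safer one in practice, because a long check interval also delays detection of a genuinely dead server.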
From: Christopher <c....@gm...> - 2009-10-08 18:37:39
Well, I can't answer your questions specifically, but this may provide some insight...

I'm not sure why changing the sensor interface stops the server portion from listening on 40001, but I know that in distributed environments, the sensor portion is set up so that it can be on a separate physical box, so it does need at least one interface with an IP address assigned to it to be able to communicate with the server. When using the all-in-one profile, this gets a little confusing. On my test system I have the same setup as you (one management and one sniffer interface with no IP address) and while I never got it configured exactly as I'd like, I just specified BOTH interfaces (comma separated) of my system in the sensor interface part of ossim_setup.conf. Not an elegant solution at all, but it works.

I think a lot of these types of configuration problems are specific to the all-in-one profile that the alienvault installer uses.

Hope that helps.

On Thu, Oct 8, 2009 at 1:12 PM, David Wilson <dw...@ad...> wrote:

> This is what I have learned so far:
>
> With a fresh install and the following ossim_setup.conf :
> idsmanager:~# cat /etc/ossim/ossim_setup.conf
> interface=eth0
> language=en
> profile=all-in-one
> version=2.1
>
> [database]
> acl_db=ossim_acl
> db_ip=
> db_port=3306
> event_db=snort
> ocs_db=ocsweb
> ossim_db=ossim
> osvdb_db=osvdb
> pass=PASSWORD_REDACTED
> type=mysql
> user=root
>
> [expert]
> profile=server
>
> [sensor]
> detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
> interfaces=eth0
> ip=
> monitors=nmap-monitor, ntop-monitor, ossim-monitor
> name=ossim
> priority=5
>
> [server]
> server_ip=
> server_plugins=osiris, pam_unix, ssh, snare, sudo
> server_port=40001
>
> *) The server will eventually start listening on port 40001 after about 10 minutes.
>
> *) If I attempt to blacklist ipv6 in the modprobe.d the server will never listen.
>
> *) If I change the sensor interface to eth1 the server will never listen.
>
> *) If I change the sensor interface and subsequently change it back I can get the server to listen with a reboot, but ossim-reconfig doesn't seem to do the job.
>
> So my questions are: (a) how can I disable ipv6? And (b) how do I get ossim-server to listen on port 40001?
>
> I have two NICs, with one management interface and one "sniffer" interface attached to a SPAN port on a switch. The sniffer interface doesn't have an IP. Does OSSIM require me to put an IP on that interface so that ossim-server will listen? Can OSSIM sniff on one interface and serve web pages on another? How do I set this up?
>
> Many Thanks,
> -Dave
From: David W. <dw...@ad...> - 2009-10-08 18:12:42
This is what I have learned so far:

With a fresh install and the following ossim_setup.conf :

idsmanager:~# cat /etc/ossim/ossim_setup.conf
interface=eth0
language=en
profile=all-in-one
version=2.1

[database]
acl_db=ossim_acl
db_ip=
db_port=3306
event_db=snort
ocs_db=ocsweb
ossim_db=ossim
osvdb_db=osvdb
pass=PASSWORD_REDACTED
type=mysql
user=root

[expert]
profile=server

[sensor]
detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
interfaces=eth0
ip=
monitors=nmap-monitor, ntop-monitor, ossim-monitor
name=ossim
priority=5

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

*) The server will eventually start listening on port 40001 after about 10 minutes.

*) If I attempt to blacklist ipv6 in the modprobe.d the server will never listen.

*) If I change the sensor interface to eth1 the server will never listen.

*) If I change the sensor interface and subsequently change it back I can get the server to listen with a reboot, but ossim-reconfig doesn't seem to do the job.

So my questions are: (a) how can I disable ipv6? And (b) how do I get ossim-server to listen on port 40001?

I have two NICs, with one management interface and one "sniffer" interface attached to a SPAN port on a switch. The sniffer interface doesn't have an IP. Does OSSIM require me to put an IP on that interface so that ossim-server will listen? Can OSSIM sniff on one interface and serve web pages on another? How do I set this up?

Many Thanks,
-Dave
From: David W. <dw...@ad...> - 2009-10-07 22:41:13
So I'm doing some more troubleshooting on the box. I decided to reinstall and follow the directions to the letter. I have tried lots of debugging steps so I thought the machine might not be set up right. The instructions state:

<QUOTE>
1. Update system. Keep it up-to-date.

Keeping your system up-to-date is an important step. If you enable 'Update Notifications' (suggested), you'll get notified through the interface whenever important changes happen. The system will connect once a day to AlienVault servers and download update notifications.

After this you should log into your system using ssh (you defined your root password during installation) and execute:

apt-get update
# Important: the upgrade procedure might ask questions
# Have a look at them, they usually introduce important
# new changes to configuration files.
# If in doubt hit "I" or "Y"
apt-get dist-upgrade
</QUOTE>

If you do this it will wipe out your mysql password. This will effectively destroy your ossim box. Reinstalling requires a 200 mile round trip drive for me. You guys should be thankful that I am willing to stick with this thing. How many hundreds or perhaps thousands of people have tried to follow your directions, discovered that the box doesn't work and tossed your disk in the trash?

Just to prove to you that this is a bug in your software or docs; this is my whole history file:

idsmanager:~# history
1 netstat -anp | grep 4000
2 apt-get update
3 apt-get dist-upgrade
4 ossim-reconfig -v
5 netstat -anp | grep LISTEN
6 history

This is what happens if you follow the directions:

idsmanager:~# ossim-reconfig -v
Sensor ip blank, using main ip
Server ip blank, using main ip
#########################################
####### Reconfiguring System ############
#########################################
(please run with '-v' for verbose output)
-----------------------------------------
Disabling highmem my.cnf
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
DBI connect('dbname=ossim;host=localhost;port=3306','root',...) failed: Access denied for user 'root'@'localhost' (using password: NO) at /usr/lib/perl5/ossim_conf.pm line 38
Checking DB Connection succeeded, moving on
Setting networks to "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
Starting MySQL process
Inserting 10.0.4.55 and ossim into sensor and host tables
Ignore errors start ----------------------------
Ignore errors end ----------------------------
Updating snare config
Updating OCS server ip
Ignore errors start ----------------------------
mv: `10.0.4.55.exe' and `10.0.4.55.exe' are the same file
Ignore errors end ----------------------------
Updating Ossim-agent windows installer server ip
Ignore errors start ----------------------------
ossim-install.exe: adjusting offsets for a preamble of 67072 bytes
updating: etc/ossim/agent/config.cfg (deflated 45%)
Ignore errors end ----------------------------
Ignore errors start ----------------------------
Stopping OSSIM Agent: ossim-agent.
Ignore errors end ----------------------------
Updating agent config
Updating ntop link
Updating plugin configuration
Updating executive panels config
20 strings replaced in /etc/ossim/framework/panel/configs/
Updating executive panels interfaces config
6 strings replaced in /etc/ossim/framework/panel/configs/
Updating executive panels Jasperserver config
Jasper data for panels: j_password= j_username=
11 strings replaced in /etc/ossim/framework/panel/configs/admin_10_1
11 strings replaced in /etc/ossim/framework/panel/configs/admin_10_1
0 strings replaced in /etc/ossim/framework/panel/configs/admin_10_1
11 strings replaced in /etc/ossim/framework/panel/configs/admin_10_1
update-rc.d: warning: /etc/init.d/ossim-server missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
update-rc.d: warning: /etc/init.d/ossim-framework missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
update-rc.d: warning: /etc/init.d/tomcat missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
update-rc.d: /etc/init.d/nessusd: file does not exist
Updating snort config with: 10.0.0.0\/8,172.16.0.0\/12,192.168.0.0\/16.
Updating ntop
Updating snortunified
Setting linklayer to ethernet
Updating pads
Updating p0f
Updating arpwatch
Ignore errors start ----------------------------
Stopping web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.4.55 for ServerName
[Wed Oct 07 15:19:49 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting .
Stopping OpenVAS daemon: openvasd.
Stopping nagios3 monitoring daemon: nagios3 .
Using CATALINA_BASE: /var/tomcat
Using CATALINA_HOME: /var/tomcat
Using CATALINA_TMPDIR: /var/tomcat/temp
Using JRE_HOME: /usr
Ignore errors end ----------------------------
Ignore errors start ----------------------------
Starting OSSIM Server: ossim-server.
Starting OSSIM Framework: ossim-framework.
Starting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.4.55 for ServerName
[Wed Oct 07 15:19:56 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
.
Starting OpenVAS daemon: openvasd.
Starting nagios3 monitoring daemon: nagios3.
Using CATALINA_BASE: /var/tomcat
Using CATALINA_HOME: /var/tomcat
Using CATALINA_TMPDIR: /var/tomcat/temp
Using JRE_HOME: /usr
Ignore errors end ----------------------------
arpwatch: no process killed
p0f: no process killed
pads: no process killed
Stopping Network Intrusion Detection System : snortNo running snort instance found (warning).
Stopping network top daemon: ntop
Ignore errors start ----------------------------
Stopping OSSIM Agent: ossim-agent failed!
Starting OSSIM Agent: ossim-agent2009-10-07 15:20:49,109 Agent [INFO]: Forking into background.. .
Ignore errors end ----------------------------
Adjusting monit startup
Stopping daemon monitor: monit.
Starting daemon monitor: monit.
Using database password defined at config file.
Ignore errors start ----------------------------
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Ignore errors end ----------------------------
Ignore errors start ----------------------------
Wed Oct 7 15:20:50 2009 NOTE: Interface merge enabled by default
Wed Oct 7 15:20:50 2009 Initializing gdbm databases
Wed Oct 7 15:20:50 2009 Admin user password has been set
Ignore errors end ----------------------------
Changing Jasper Server password (this might fail if no jasperserver is present)
Using CATALINA_BASE: /var/tomcat
Using CATALINA_HOME: /var/tomcat
Using CATALINA_TMPDIR: /var/tomcat/temp
Using JRE_HOME: /usr
Oct 7, 2009 3:20:53 PM org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop:
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
at java.net.Socket.connect(Socket.java:519)
at java.net.Socket.connect(Socket.java:469)
at java.net.Socket.<init>(Socket.java:366)
at java.net.Socket.<init>(Socket.java:180)
at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:421)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:337)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:415)
Restarting Tomcat
Using CATALINA_BASE: /var/tomcat
Using CATALINA_HOME: /var/tomcat
Using CATALINA_TMPDIR: /var/tomcat/temp
Using JRE_HOME: /usr
All in one profile at 10.0.4.55
You have new mail in /var/mail/root
idsmanager:~#

I'm going to reinstall again.
From: David W. <dw...@ad...> - 2009-09-30 21:05:32
________________________________
From: David Wilson
Sent: Wednesday, September 30, 2009 11:56 AM
To: 'Juan Manuel Lorenzo'
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

interface=eth0
language=en
profile=all-in-one
version=2.1

[database]
acl_db=ossim_acl
db_ip=
db_port=3306
event_db=snort
ocs_db=ocsweb
ossim_db=ossim
osvdb_db=osvdb
pass=PASSWORD_REDACTED
type=mysql
user=root

[expert]
profile=server

[sensor]
detectors=apache,arpwatch,iptables,nagios,osiris,p0f,pads,pam_unix,rrd,snare,snortunified,ssh,sudo
interfaces=eth1
ip=
monitors=nessus-monitor,nmap-monitor,ntop-monitor,opennms-monitor,ossim-monitor,ping-monitor,session-monitor,tcptrack-monitor
name=ossim
networks=10.0.0.0/8
priority=5

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

________________________________
From: Juan Manuel Lorenzo [mailto:jml...@al...]
Sent: Wednesday, September 30, 2009 11:18 AM
To: David Wilson
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

post your ossim_setup.conf file please

On Sep 30, 2009, at 8:04 PM, David Wilson wrote:

I have a new error message:

2009-09-30 10:56:45 (null)-Critical: gda_connection_is_open: assertion `GDA_IS_CONNECTION (cnc)' failed
2009-09-30 10:58:30 OSSIM-Message: Starting OSSIM Server engine. Version: 2.1.4-2

I think I am making progress.
-Dave

________________________________
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Wednesday, September 30, 2009 10:55 AM
To: Juan Manuel Lorenzo; David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

Nice catch Juanma....

David- that line should read

datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=ossim;HOST=localhost"/>

DATABASE should be "ossim", not "idsmanager".

________________________________
From: Juan Manuel Lorenzo [mailto:jua...@gm...]
Sent: Wednesday, September 30, 2009 12:53 PM
To: David Wilson
Cc: Ritter, Nicholas; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

idsmanager as db??

On Sep 30, 2009, at 7:07 PM, David Wilson wrote:

<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
From: David W. <dw...@ad...> - 2009-09-30 18:04:42
I have a new error message:

2009-09-30 10:56:45 (null)-Critical: gda_connection_is_open: assertion `GDA_IS_CONNECTION (cnc)' failed
2009-09-30 10:58:30 OSSIM-Message: Starting OSSIM Server engine. Version: 2.1.4-2

I think I am making progress.
-Dave

________________________________
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Wednesday, September 30, 2009 10:55 AM
To: Juan Manuel Lorenzo; David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

Nice catch Juanma....

David- that line should read

datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=ossim;HOST=localhost"/>

DATABASE should be "ossim", not "idsmanager".

________________________________
From: Juan Manuel Lorenzo [mailto:jua...@gm...]
Sent: Wednesday, September 30, 2009 12:53 PM
To: David Wilson
Cc: Ritter, Nicholas; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

idsmanager as db??

On Sep 30, 2009, at 7:07 PM, David Wilson wrote:

<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
From: David W. <dw...@ad...> - 2009-09-30 18:02:39
Ok. So after DATABASE=ossim , ossim-reconfig -v , I see :

idsmanager:/etc/ossim# netstat -anp | grep 4000
tcp 0 0 127.0.0.1:40003 0.0.0.0:* LISTEN 14016/python

-dave

________________________________
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Wednesday, September 30, 2009 10:55 AM
To: Juan Manuel Lorenzo; David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

Nice catch Juanma....

David- that line should read

datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=ossim;HOST=localhost"/>

DATABASE should be "ossim", not "idsmanager".

________________________________
From: Juan Manuel Lorenzo [mailto:jua...@gm...]
Sent: Wednesday, September 30, 2009 12:53 PM
To: David Wilson
Cc: Ritter, Nicholas; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

idsmanager as db??

On Sep 30, 2009, at 7:07 PM, David Wilson wrote:

<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
From: David W. <dw...@ad...> - 2009-09-30 17:55:52
What is supposed to be in there?

-Dave

________________________________
From: Juan Manuel Lorenzo [mailto:jua...@gm...]
Sent: Wednesday, September 30, 2009 10:53 AM
To: David Wilson
Cc: Ritter, Nicholas; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

idsmanager as db??

On Sep 30, 2009, at 7:07 PM, David Wilson wrote:

<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
From: David W. <dw...@ad...> - 2009-09-30 17:55:15
idsmanager:/etc/ossim# tail -5 /etc/ossim/ossim_setup.conf

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

________________________________
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Wednesday, September 30, 2009 10:53 AM
To: David Wilson; os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

Oops...I meant /etc/ossim/ossim_setup.conf

________________________________
From: David Wilson [mailto:dw...@ad...]
Sent: Wednesday, September 30, 2009 12:08 PM
To: Ritter, Nicholas; os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

That file doesn't exist:

idsmanager:~# ls -la /etc/ossim/ossim.conf
ls: cannot access /etc/ossim/ossim.conf: No such file or directory
idsmanager:~#

I have /etc/ossim/server/config.xml like so:

<?xml version='1.0' encoding='UTF-8' ?>
<config>
<log filename="/var/log/ossim/server.log"/>
<framework name="idsmanager" ip="127.0.0.1" port="40003"/>
<datasources>
<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
<datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=snort;HOST=localhost"/>
<datasource name="osvdbDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=osvdb;HOST=localhost"/>
<!-- if you need a server without DB, uncomment this and comment the other lines -->
<!-- Important: rserver_name must be defined below under "rservers" as well -->
<!--
<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
<datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=snort;HOST=localhost"/>
-->
<!-- NOTE: in a server without DB, you can't do cross correlation, so you don't need OSVDB DB -->
</datasources>
<directive filename="/etc/ossim/server/directives.xml"/>
<scheduler interval="15"/>
<server port="40001" name="idsmanager" ip="127.0.0.1"/>
<!-- Replication Servers -->
<!-- if you need a server without DB, you'll need a primary server from where to load data -->
<!--
<rservers>
<rserver name="serverUP" ip="192.168.2.174" port="40001" primary="true"/>
</rservers>
-->
</config>

Is that what you meant?

Regards,
-Dave

-----Original Message-----
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Wednesday, September 30, 2009 10:01 AM
To: David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

In /etc/ossim/ossim.conf do you see something like:

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

And in /etc/ossim/server/config.xml:

<?xml version='1.0' encoding='UTF-8' ?>
<config>
<log filename="/var/log/ossim/server.log"/>
<framework name="ossim" ip="127.0.0.1" port="40003"/>
<datasources>
<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=ossim;HOST=localhost"/>
<datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=snort;HOST=localhost"/>
<datasource name="osvdbDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=osvdb;HOST=localhost"/>
<!-- if you need a server without DB, uncomment this and comment the other lines -->
<!-- Important: rserver_name must be defined below under "rservers" as well -->
<!--
<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=<censored>;DATABASE=ossim;HOST=localhost"/>
<datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=<censored>;DATABASE=snort;HOST=localhost"/>
-->
<!-- NOTE: in a server without DB, you can't do cross correlation, so you don't need OSVDB DB -->
</datasources>
<directive filename="/etc/ossim/server/directives.xml"/>
<scheduler interval="15"/>
<server port="40001" name="ossim" ip="0.0.0.0"/>
<!-- Replication Servers -->
<!-- if you need a server without DB, you'll need a primary server from where to load data -->
<!--
<rservers>
<rserver name="serverUP" ip="192.168.2.174" port="40001" primary="true"/>
</rservers>
-->
</config>
From: Ritter, N. <Nic...@am...> - 2009-09-30 17:55:09
Nice catch Juanma....

David- that line should read

datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=ossim;HOST=localhost"/>

DATABASE should be "ossim", not "idsmanager".

________________________________
From: Juan Manuel Lorenzo [mailto:jua...@gm...]
Sent: Wednesday, September 30, 2009 12:53 PM
To: David Wilson
Cc: Ritter, Nicholas; os-...@li...
Subject: Re: [Os-sim-support] OSSIM-server not listening on port 40001

idsmanager as db??

On Sep 30, 2009, at 7:07 PM, David Wilson wrote:

<datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
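The mismatch Juanma and Nicholas spotted (DATABASE=idsmanager in the ossimDS DSN while ossim_setup.conf says ossim_db=ossim) is exactly the kind of drift a small consistency check catches before anyone spends an afternoon on netstat. The script below is an added example written for this page, not code from the thread or from OSSIM: it parses an ossim_setup.conf and a server config.xml and reports every datasource whose DSN disagrees with the [database] section, plus a server-port mismatch. The embedded sample files are constructed after the ones quoted in the thread, with PASSWORD_REDACTED as a placeholder; the mapping of datasource names to ossim_setup.conf keys (ossimDS to ossim_db, snortDS to event_db, osvdbDS to osvdb_db) is an assumption drawn from the names on this page, not from OSSIM documentation.

```python
import configparser
import xml.etree.ElementTree as ET

# Assumed mapping (from the names in this thread, not from OSSIM docs):
# which ossim_setup.conf [database] key each datasource's DATABASE= must match.
DATASOURCE_KEYS = {"ossimDS": "ossim_db", "snortDS": "event_db", "osvdbDS": "osvdb_db"}


def parse_setup_conf(text):
    """ossim_setup.conf starts with key=value lines before any [section];
    configparser needs a header, so a synthetic [global] is prepended."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp


def parse_dsn(dsn):
    """'PORT=3306;USER=root;PASSWORD=x;DATABASE=ossim;HOST=localhost' -> dict."""
    out = {}
    for part in dsn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def check_server_config(setup_text, config_xml_text):
    """Return a list of findings (empty when config.xml agrees with ossim_setup.conf)."""
    setup = parse_setup_conf(setup_text)
    root = ET.fromstring(config_xml_text)
    db = setup["database"]
    findings = []
    for ds in root.iter("datasource"):
        name = ds.get("name", "?")
        dsn = parse_dsn(ds.get("dsn", ""))
        key = DATASOURCE_KEYS.get(name)
        expected_db = db.get(key) if key else None
        if expected_db is None:
            findings.append(f"{name}: no matching key in ossim_setup.conf [database]")
            continue
        if dsn.get("DATABASE") != expected_db:
            findings.append(f"{name}: DATABASE={dsn.get('DATABASE')!r} but "
                            f"ossim_setup.conf says {key}={expected_db!r}")
        if dsn.get("USER") != db.get("user"):
            findings.append(f"{name}: USER={dsn.get('USER')!r} differs from user={db.get('user')!r}")
        if not dsn.get("PASSWORD"):
            findings.append(f"{name}: empty PASSWORD (server would connect with no password)")
        elif dsn.get("PASSWORD") != db.get("pass"):
            findings.append(f"{name}: PASSWORD differs from pass= in ossim_setup.conf")
        if dsn.get("PORT") != db.get("db_port"):
            findings.append(f"{name}: PORT={dsn.get('PORT')!r} differs from db_port={db.get('db_port')!r}")
    server = root.find("server")
    want_port = setup["server"].get("server_port")
    if server is None:
        findings.append("config.xml has no <server> element")
    elif server.get("port") != want_port:
        findings.append(f"<server port={server.get('port')!r}> but server_port={want_port!r}")
    return findings


# Constructed sample input, after the files quoted in this thread.
# PASSWORD_REDACTED is a placeholder, not a real credential.
SETUP_CONF = """\
interface=eth0
profile=all-in-one
version=2.1

[database]
db_ip=
db_port=3306
event_db=snort
ossim_db=ossim
osvdb_db=osvdb
pass=PASSWORD_REDACTED
type=mysql
user=root

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001
"""


def sample_config_xml(ossim_database):
    """config.xml as quoted in the thread, with the ossimDS DATABASE= value pluggable."""
    dsn = "PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE={};HOST=localhost"
    return f"""<config>
  <log filename="/var/log/ossim/server.log"/>
  <framework name="idsmanager" ip="127.0.0.1" port="40003"/>
  <datasources>
    <datasource name="ossimDS" provider="MySQL" dsn="{dsn.format(ossim_database)}"/>
    <datasource name="snortDS" provider="MySQL" dsn="{dsn.format('snort')}"/>
    <datasource name="osvdbDS" provider="MySQL" dsn="{dsn.format('osvdb')}"/>
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001" name="idsmanager" ip="127.0.0.1"/>
</config>"""


if __name__ == "__main__":
    for database in ("idsmanager", "ossim"):
        print(f"DATABASE={database}:", check_server_config(SETUP_CONF, sample_config_xml(database)) or "OK")
```

Run against the broken config the only finding is the ossimDS database name; with DATABASE=ossim the list is empty. Pointing the two parsers at the real /etc/ossim/ossim_setup.conf and /etc/ossim/server/config.xml instead of the embedded samples turns this into a quick post-ossim-reconfig sanity check; the empty-PASSWORD finding is there because the reconfig log later in this thread shows what "using password: NO" looks like when the password goes missing.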
From: Ritter, N. <Nic...@am...> - 2009-09-30 17:52:54
Oops...I meant /etc/ossim/ossim_setup.conf

________________________________
From: David Wilson [mailto:dw...@ad...]
Sent: Wednesday, September 30, 2009 12:08 PM
To: Ritter, Nicholas; os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

That file doesn't exist:

idsmanager:~# ls -la /etc/ossim/ossim.conf
ls: cannot access /etc/ossim/ossim.conf: No such file or directory
idsmanager:~#

I have /etc/ossim/server/config.xml like so:

<?xml version='1.0' encoding='UTF-8' ?>
<config>
  <log filename="/var/log/ossim/server.log"/>
  <framework name="idsmanager" ip="127.0.0.1" port="40003"/>
  <datasources>
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=snort;HOST=localhost"/>
    <datasource name="osvdbDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=osvdb;HOST=localhost"/>
    <!-- if you need a server without DB, uncomment this and comment the other lines -->
    <!-- Important: rserver_name must be defined below under "rservers" as well -->
    <!--
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=snort;HOST=localhost"/>
    -->
    <!-- NOTE: in a server without DB, you can't do cross correlation, so you don't need OSVDB DB -->
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001" name="idsmanager" ip="127.0.0.1"/>
  <!-- Replication Servers -->
  <!-- if you need a server without DB, you'll need a primary server from where to load data -->
  <!--
  <rservers>
    <rserver name="serverUP" ip="192.168.2.174" port="40001" primary="true"/>
  </rservers>
  -->
</config>

Is that what you meant?

Regards,
-Dave

-----Original Message-----
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Wednesday, September 30, 2009 10:01 AM
To: David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

In /etc/ossim/ossim.conf do you see something like:

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

And in /etc/ossim/server/config.xml:

<?xml version='1.0' encoding='UTF-8' ?>
<config>
  <log filename="/var/log/ossim/server.log"/>
  <framework name="ossim" ip="127.0.0.1" port="40003"/>
  <datasources>
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=ossim;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=snort;HOST=localhost"/>
    <datasource name="osvdbDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=osvdb;HOST=localhost"/>
    <!-- if you need a server without DB, uncomment this and comment the other lines -->
    <!-- Important: rserver_name must be defined below under "rservers" as well -->
    <!--
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=<censored>;DATABASE=ossim;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=<censored>;DATABASE=snort;HOST=localhost"/>
    -->
    <!-- NOTE: in a server without DB, you can't do cross correlation, so you don't need OSVDB DB -->
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001" name="ossim" ip="0.0.0.0"/>
  <!-- Replication Servers -->
  <!-- if you need a server without DB, you'll need a primary server from where to load data -->
  <!--
  <rservers>
    <rserver name="serverUP" ip="192.168.2.174" port="40001" primary="true"/>
  </rservers>
  -->
</config>
From: David W. <dw...@ad...> - 2009-09-30 17:08:00
That file doesn't exist:

idsmanager:~# ls -la /etc/ossim/ossim.conf
ls: cannot access /etc/ossim/ossim.conf: No such file or directory
idsmanager:~#

I have /etc/ossim/server/config.xml like so:

<?xml version='1.0' encoding='UTF-8' ?>
<config>
  <log filename="/var/log/ossim/server.log"/>
  <framework name="idsmanager" ip="127.0.0.1" port="40003"/>
  <datasources>
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=snort;HOST=localhost"/>
    <datasource name="osvdbDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=osvdb;HOST=localhost"/>
    <!-- if you need a server without DB, uncomment this and comment the other lines -->
    <!-- Important: rserver_name must be defined below under "rservers" as well -->
    <!--
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=snort;HOST=localhost"/>
    -->
    <!-- NOTE: in a server without DB, you can't do cross correlation, so you don't need OSVDB DB -->
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001" name="idsmanager" ip="127.0.0.1"/>
  <!-- Replication Servers -->
  <!-- if you need a server without DB, you'll need a primary server from where to load data -->
  <!--
  <rservers>
    <rserver name="serverUP" ip="192.168.2.174" port="40001" primary="true"/>
  </rservers>
  -->
</config>

Is that what you meant?

Regards,
-Dave

-----Original Message-----
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Wednesday, September 30, 2009 10:01 AM
To: David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

In /etc/ossim/ossim.conf do you see something like:

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

And in /etc/ossim/server/config.xml:

<?xml version='1.0' encoding='UTF-8' ?>
<config>
  <log filename="/var/log/ossim/server.log"/>
  <framework name="ossim" ip="127.0.0.1" port="40003"/>
  <datasources>
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=ossim;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=snort;HOST=localhost"/>
    <datasource name="osvdbDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=osvdb;HOST=localhost"/>
    <!-- if you need a server without DB, uncomment this and comment the other lines -->
    <!-- Important: rserver_name must be defined below under "rservers" as well -->
    <!--
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=<censored>;DATABASE=ossim;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=<censored>;DATABASE=snort;HOST=localhost"/>
    -->
    <!-- NOTE: in a server without DB, you can't do cross correlation, so you don't need OSVDB DB -->
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001" name="ossim" ip="0.0.0.0"/>
  <!-- Replication Servers -->
  <!-- if you need a server without DB, you'll need a primary server from where to load data -->
  <!--
  <rservers>
    <rserver name="serverUP" ip="192.168.2.174" port="40001" primary="true"/>
  </rservers>
  -->
</config>
From: Ritter, N. <Nic...@am...> - 2009-09-30 17:00:52
In /etc/ossim/ossim.conf do you see something like:

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

And in /etc/ossim/server/config.xml:

<?xml version='1.0' encoding='UTF-8' ?>
<config>
  <log filename="/var/log/ossim/server.log"/>
  <framework name="ossim" ip="127.0.0.1" port="40003"/>
  <datasources>
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=ossim;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=snort;HOST=localhost"/>
    <datasource name="osvdbDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=mgGaeLiefZL;DATABASE=osvdb;HOST=localhost"/>
    <!-- if you need a server without DB, uncomment this and comment the other lines -->
    <!-- Important: rserver_name must be defined below under "rservers" as well -->
    <!--
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=<censored>;DATABASE=ossim;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=<censored>;DATABASE=snort;HOST=localhost"/>
    -->
    <!-- NOTE: in a server without DB, you can't do cross correlation, so you don't need OSVDB DB -->
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001" name="ossim" ip="0.0.0.0"/>
  <!-- Replication Servers -->
  <!-- if you need a server without DB, you'll need a primary server from where to load data -->
  <!--
  <rservers>
    <rserver name="serverUP" ip="192.168.2.174" port="40001" primary="true"/>
  </rservers>
  -->
</config>

-----Original Message-----
From: David Wilson [mailto:dw...@ad...]
Sent: Wednesday, September 30, 2009 11:46 AM
To: Ritter, Nicholas
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

Just for completeness :

idsmanager:~# netstat -anp | grep 4000
tcp        0      0 127.0.0.1:40003         0.0.0.0:*               LISTEN      32705/python

-Dave

-----Original Message-----
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Tuesday, September 29, 2009 6:35 PM
To: David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

I'm sorry...got busy with some tasks at work.....

If you installed with the ISO, things should just work. So if there is an issue where the box is not listening on port 40001....I would first run ossim-setup, select modify profile, then select all-in-one setup. This will cause the ossim install to set itself up the way it should. The other thing to check either before or after this step is the hostname setting in ossim.conf file (make sure it is set to "localhost".)

You should not need the source because compiling it on the same system whose libraries the binaries you are currently using would yield the same binaries....unless you modified some system libraries.

After the install from the OSSIM iso, did you do any of the following:

1) apt-get update
2) apt-get dist-upgrade
   a.) if you did this step, did you say "N" to the prompts for modifying config files?
3) install or otherwise compile and install any programs other than ossim?

I think you said this already, but you did a "netstat -an"?

Nick
From: David W. <dw...@ad...> - 2009-09-30 16:45:45
Just for completeness :

idsmanager:~# netstat -anp | grep 4000
tcp        0      0 127.0.0.1:40003         0.0.0.0:*               LISTEN      32705/python

-Dave

-----Original Message-----
From: Ritter, Nicholas [mailto:Nic...@am...]
Sent: Tuesday, September 29, 2009 6:35 PM
To: David Wilson
Cc: os-...@li...
Subject: RE: [Os-sim-support] OSSIM-server not listening on port 40001

I'm sorry...got busy with some tasks at work.....

If you installed with the ISO, things should just work. So if there is an issue where the box is not listening on port 40001....I would first run ossim-setup, select modify profile, then select all-in-one setup. This will cause the ossim install to set itself up the way it should. The other thing to check either before or after this step is the hostname setting in ossim.conf file (make sure it is set to "localhost".)

You should not need the source because compiling it on the same system whose libraries the binaries you are currently using would yield the same binaries....unless you modified some system libraries.

After the install from the OSSIM iso, did you do any of the following:

1) apt-get update
2) apt-get dist-upgrade
   a.) if you did this step, did you say "N" to the prompts for modifying config files?
3) install or otherwise compile and install any programs other than ossim?

I think you said this already, but you did a "netstat -an"?

Nick
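The checks this thread walks through by hand (compare each datasource's DATABASE in /etc/ossim/server/config.xml against the expected name, look at the <server> ip/port binding, and confirm with netstat whether anything is actually listening on 40001) can be scripted. The following is an added example written for this archive page, not OSSIM's own code; it assumes the config.xml layout quoted above and plain `netstat -anp` output. The sample config and netstat line are constructed to mirror David's posts, with the password redacted, and the expected database names (ossim, snort, osvdb) are taken from Nick's reference config.

```python
"""Sanity checks for an OSSIM server that is not listening on port 40001.

Added example for this mailing-list thread, not OSSIM's own code. Assumes the
/etc/ossim/server/config.xml layout quoted in the thread and `netstat -anp`
output. Sample inputs below are constructed from the thread (password redacted).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: David's config.xml as quoted in the thread (password redacted).
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8' ?>
<config>
  <log filename="/var/log/ossim/server.log"/>
  <framework name="idsmanager" ip="127.0.0.1" port="40003"/>
  <datasources>
    <datasource name="ossimDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=idsmanager;HOST=localhost"/>
    <datasource name="snortDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=snort;HOST=localhost"/>
    <datasource name="osvdbDS" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=PASSWORD_REDACTED;DATABASE=osvdb;HOST=localhost"/>
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001" name="idsmanager" ip="127.0.0.1"/>
</config>
"""

# Constructed sample: the netstat line David posted (only the framework on 40003 is up).
SAMPLE_NETSTAT = "tcp        0      0 127.0.0.1:40003         0.0.0.0:*               LISTEN      32705/python\n"

# Database each datasource should point at, taken from Nick's reference config.
EXPECTED_DATABASES = {"ossimDS": "ossim", "snortDS": "snort", "osvdbDS": "osvdb"}


def parse_dsn(dsn):
    """Split a 'KEY=VALUE;KEY=VALUE' dsn string into a dict with upper-cased keys."""
    pairs = (item.split("=", 1) for item in dsn.split(";") if "=" in item)
    return {key.strip().upper(): value.strip() for key, value in pairs}


def check_config(xml_text):
    """Return a list of findings for an OSSIM server config.xml (empty list = nothing found)."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))  # bytes, so the XML declaration is honoured

    for ds in root.iter("datasource"):
        name = ds.get("name")
        dsn = parse_dsn(ds.get("dsn", ""))
        expected = EXPECTED_DATABASES.get(name)
        actual = dsn.get("DATABASE")
        if expected and actual != expected:
            findings.append(f"{name}: DATABASE is '{actual}', expected '{expected}'")
        if dsn.get("USER") == "root":
            findings.append(f"{name}: connects to MySQL as root; a dedicated account is safer")

    server = root.find("server")
    if server is None:
        findings.append("no <server> element: the server has nothing to listen on")
    else:
        if server.get("port") != "40001":
            findings.append(f"server port is {server.get('port')}, sensors expect 40001")
        if server.get("ip") == "127.0.0.1":
            findings.append("server ip is 127.0.0.1: only sensors on this host can connect "
                            "(the reference config binds 0.0.0.0)")
    return findings


# One `netstat -anp` row in LISTEN state: proto, recv-q, send-q, local addr:port, foreign, state, pid/prog
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def listening_sockets(netstat_text):
    """Map listening TCP port -> (bind address, pid/program) from `netstat -anp` output."""
    sockets = {}
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            sockets[int(match.group(2))] = (match.group(1), match.group(3))
    return sockets


def check_listener(netstat_text, port=40001):
    """Describe whether anything is listening on the OSSIM server port."""
    sockets = listening_sockets(netstat_text)
    if port not in sockets:
        return f"nothing is listening on {port}; check that ossim-server started and its config"
    addr, proc = sockets[port]
    return f"{proc} is listening on {addr}:{port}"


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("config:", finding)
    print("netstat:", check_listener(SAMPLE_NETSTAT))
```

Run against the constructed sample it reports the same mismatch Juanma spotted (ossimDS pointing at the database "idsmanager" instead of "ossim") plus the 127.0.0.1 binding, and from the netstat line it confirms that only the framework on 40003 is up. On a real box, replace the two SAMPLE_ constants with the contents of config.xml and the output of `netstat -anp`.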