From: tyler <ty...@sc...> - 2004-04-17 18:04:47

I have two questions. My first question/issue concerns the agent and apache. I am running on Fedora and have configured the agent to watch my apache install. It never sees that apache is up and running; even if I have the agent start it, it will restart it next time around?? So I have had to set start=no but would like to have the agent watch it!! Another thing with apache is that it is constantly giving this message: "apache: Code 200 - OK". Well, I don't really care when a page is successfully pulled from my webserver, that is what it is there for. Or should I care? How do I disable this?

My second question is about running an agent on another machine other than the server. I want to have an agent monitor my production web server and run snort watching that server. I have set it up and installed ssh keys for communication. I think I have it set up right b/c the agent says it is connected to the server and I see the "apache: Code 200 - OK" messages in ACID. But now I also get a ton of spade alerts between my two servers. How do I turn this off? How do I setup the snort sensor? Do I have the sensor log to the DB on my ossim server, or does it log it locally and the agent takes care of transferring it to the server??

Thanks,
Tyler
From: tyler <ty...@sc...> - 2004-04-17 00:31:32

You will need to edit the directives.xml and change the first line to:

<?xml version='1.0' encoding='UTF-8' ?>

Since you are running a vanilla fedora install you will need to add the php-mysql and php-domxml RPMs. This can be done with:

yum install php-mysql
yum install php-domxml

Let us know if you have any other issues!

Tyler

----- Original Message -----
> I have a clean install of Fedora Core 1 with all of the latest updates.
> I installed Python 2.3 (because that part was left out of the Fedora
> installation guide) and installed all dependency RPMs that the guide
> stated. I followed the guide without any problems until it came time to
> run 'ossim'. When I did, I got this:
>
> [root@chupacabra server]# ossim
> xmlEncodeEntitiesReentrant : input not UTF-8
> Segmentation fault
>
> "The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential, proprietary, and/or
> privileged material. Any review, retransmission, dissemination or other
> use of, or taking of any action in reliance upon, this information by
> persons or entities other than the intended recipient is prohibited.
> If you received this in error, please contact the sender and delete
> the material from all computers."
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Os-sim-support mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-support
From: Josh S. <jsc...@De...> - 2004-04-16 22:50:27

I have a clean install of Fedora Core 1 with all of the latest updates. I installed Python 2.3 (because that part was left out of the Fedora installation guide) and installed all dependency RPMs that the guide stated. I followed the guide without any problems until it came time to run 'ossim'. When I did, I got this:

[root@chupacabra server]# ossim
xmlEncodeEntitiesReentrant : input not UTF-8
Segmentation fault
From: DK <dk...@os...> - 2004-04-16 10:04:58

Hi Tyler,

the nessus script (do_scan.pl) also updates the host_plugin_sid table that is being read once the server is restarted. After that, snort - nessus correlation should work for the given IP, supposing an event arrives for which we have previously determined a snort-nessus relationship (table plugin_reference). At this time, we have identified approx. 600 snort - nessus equivalences.

The port data isn't used yet. Once we get the server to connect to the agents too (not only agent initiated connections, in order to cope with nat and not have to pierce firewalls) that port will be the one where the agent is listening. "Sensor" would be any host running the ossim agent no matter how many plugins it has to watch/parse/monitor.

Regarding your domxml error, install the php-domxml package and everything should work fine.

Thanks for the input and greetings,

Dominique

On 16.04.2004 at 00:04, tyler wrote:
> I am glad to hear that you got it working.
>
> I think this product could be VERY cool, but it almost appears that it
> is trying to go in too many directions at once. Or maybe I misunderstood
> what it is supposed to do.
>
> The main thing that I really want out of it is to correlate Nessus data
> with Snort. I want to only see alerts that my computers are vuln (or
> possibly) vuln to. I followed the info in the README.nessus,
> (/usr/share/doc/os-sim-0.9.3/) but all that did for me that I could tell
> was run a nessus scan and put the nessus html w/ graphs output under the
> vulnerabilities tab. I must be missing something.
>
> I did see places to have ossim run a scan of the network and add the hosts
> to the DB, but I had to add a sensor?? So I tried this, it asks for a
> port? What port? What sensor am I adding? A nessus sensor, snort, what?
>
> I also get an error when trying to view the directives. It says:
>
> Fatal error: Call to undefined function: domxml_open_file() in
> /var/www/ossim/directives/index.php on line 179
>
> I have got no clue on that one?
>
> I would really like this project to succeed! I would really like to help
> out too, but I have to get my mind wrapped around it all first.
>
> keep me updated on what you find/figure out!
>
> If there are any developers on the list that could post anything that
> might help Oscar and I out it would be GREATLY appreciated.
>
> Tyler
>
> ----- Original Message -----
>> Tyler,
>>
>> You were right! I didn't have php-mysql installed, now I can see the web
>> interface!
>>
>> Now I also wonder, what next?
>>
>> Were you able to add your servers? How about nessus correlation?
>>
>> I'll let you know of any advances on my side...
>>
>> Thanks for your help,
>>
>> -oscar
>>
>> Oscar Castaneda V.
>> SISAP/Consul
>>
>> -----Original Message-----
>> From: tyler [mailto:ty...@sc...]
>> Sent: Thursday, April 15, 2004 9:49 AM
>> To: Oscar Castañeda V.
>> Cc: ty...@sc...; os-...@li...
>> Subject: Re: [Os-sim-support] directives.xml
>>
>> I am not 100% on this BUT.. Did you install the php-mysql RPM? By default
>> Fedora does not install this package even if you tell it to install MySQL
>> during the install. Just do yum install php-mysql and that should take
>> care of it.
>>
>> I noticed the Directives.xml error when I tried to start ossim from the
>> command line.
>>
>> Let me know if that helps you out. If not let me know and we will see
>> what else we can try!
>>
>> Tyler
>>
>> ----- Original Message -----
>>> Tyler,
>>>
>>> I also installed according to the fedora core 1 instructions on the ossim
>>> website. I had to download some additional rpm's (eg. Python 2.3, some
>>> libraries like curl) however I can't seem to get ossim to work.
>>>
>>> Once I logon to the web interface I get several php errors:
>>>
>>> On the Control Panel tab I get
>>>
>>> Fatal error: Call to undefined function: mysql_escape_string() in
>>> /var/www/ossim/control_panel/global_score.php on line 73
>>>
>>> Also
>>>
>>> Fatal error: Call to undefined function: mysql_pconnect() in
>>> /var/www/adodb-411/drivers/adodb-mysql.inc.php on line 335
>>>
>>> Do you think this could be related to the directives.xml file you
>>> mentioned needed some changes for ossim to work?
>>>
>>> -oscar
>>>
>>> Oscar Castaneda V.
>>> SISAP/Consul
From: tyler <ty...@sc...> - 2004-04-15 22:04:47

I am glad to hear that you got it working.

I think this product could be VERY cool, but it almost appears that it is trying to go in too many directions at once. Or maybe I misunderstood what it is supposed to do.

The main thing that I really want out of it is to correlate Nessus data with Snort. I want to only see alerts that my computers are vuln (or possibly) vuln to. I followed the info in the README.nessus (/usr/share/doc/os-sim-0.9.3/) but all that did for me that I could tell was run a nessus scan and put the nessus html w/ graphs output under the vulnerabilities tab. I must be missing something.

I did see places to have ossim run a scan of the network and add the hosts to the DB, but I had to add a sensor?? So I tried this, it asks for a port? What port? What sensor am I adding? A nessus sensor, snort, what?

I also get an error when trying to view the directives. It says:

Fatal error: Call to undefined function: domxml_open_file() in /var/www/ossim/directives/index.php on line 179

I have got no clue on that one?

I would really like this project to succeed! I would really like to help out too, but I have to get my mind wrapped around it all first.

keep me updated on what you find/figure out!

If there are any developers on the list that could post anything that might help Oscar and I out it would be GREATLY appreciated.

Tyler

----- Original Message -----
> Tyler,
>
> You were right! I didn't have php-mysql installed, now I can see the web
> interface!
>
> Now I also wonder, what next?
>
> Were you able to add your servers? How about nessus correlation?
>
> I'll let you know of any advances on my side...
>
> Thanks for your help,
>
> -oscar
>
> Oscar Castaneda V.
> SISAP/Consul
>
> -----Original Message-----
> From: tyler [mailto:ty...@sc...]
> Sent: Thursday, April 15, 2004 9:49 AM
> To: Oscar Castañeda V.
> Cc: ty...@sc...; os-...@li...
> Subject: Re: [Os-sim-support] directives.xml
>
> I am not 100% on this BUT.. Did you install the php-mysql RPM? By default
> Fedora does not install this package even if you tell it to install MySQL
> during the install. Just do yum install php-mysql and that should take
> care of it.
>
> I noticed the Directives.xml error when I tried to start ossim from the
> command line.
>
> Let me know if that helps you out. If not let me know and we will see
> what else we can try!
>
> Tyler
>
> ----- Original Message -----
>> Tyler,
>>
>> I also installed according to the fedora core 1 instructions on the
>> ossim website. I had to download some additional rpms (eg. Python 2.3, some
>> libraries like curl) however I can't seem to get ossim to work.
>>
>> Once I logon to the web interface I get several php errors:
>>
>> On the Control Panel tab I get
>>
>> Fatal error: Call to undefined function: mysql_escape_string() in
>> /var/www/ossim/control_panel/global_score.php on line 73
>>
>> Also
>>
>> Fatal error: Call to undefined function: mysql_pconnect() in
>> /var/www/adodb-411/drivers/adodb-mysql.inc.php on line 335
>>
>> Do you think this could be related to the directives.xml file you
>> mentioned needed some changes for ossim to work?
>>
>> -oscar
>>
>> Oscar Castaneda V.
>>
>> SISAP/Consul
From: <oca...@si...> - 2004-04-15 20:58:38

Tyler,

You were right! I didn't have php-mysql installed, now I can see the web interface!

Now I also wonder, what next?

Were you able to add your servers? How about nessus correlation?

I'll let you know of any advances on my side...

Thanks for your help,

-oscar

Oscar Castaneda V.
SISAP/Consul

-----Original Message-----
From: tyler [mailto:ty...@sc...]
Sent: Thursday, April 15, 2004 9:49 AM
To: Oscar Castañeda V.
Cc: ty...@sc...; os-...@li...
Subject: Re: [Os-sim-support] directives.xml

I am not 100% on this BUT.. Did you install the php-mysql RPM? By default Fedora does not install this package even if you tell it to install MySQL during the install. Just do yum install php-mysql and that should take care of it.

I noticed the Directives.xml error when I tried to start ossim from the command line.

Let me know if that helps you out. If not let me know and we will see what else we can try!

Tyler

----- Original Message -----
> Tyler,
>
> I also installed according to the fedora core 1 instructions on the ossim
> website. I had to download some additional rpm's (eg. Python 2.3, some
> libraries like curl) however I can't seem to get ossim to work.
>
> Once I logon to the web interface I get several php errors:
>
> On the Control Panel tab I get
>
> Fatal error: Call to undefined function: mysql_escape_string() in
> /var/www/ossim/control_panel/global_score.php on line 73
>
> Also
>
> Fatal error: Call to undefined function: mysql_pconnect() in
> /var/www/adodb-411/drivers/adodb-mysql.inc.php on line 335
>
> Do you think this could be related to the directives.xml file you
> mentioned needed some changes for ossim to work?
>
> -oscar
>
> Oscar Castaneda V.
>
> SISAP/Consul
From: tyler <ty...@sc...> - 2004-04-15 15:48:48

I am not 100% on this BUT.. Did you install the php-mysql RPM? By default Fedora does not install this package even if you tell it to install MySQL during the install. Just do yum install php-mysql and that should take care of it.

I noticed the Directives.xml error when I tried to start ossim from the command line.

Let me know if that helps you out. If not let me know and we will see what else we can try!

Tyler

----- Original Message -----
> Tyler,
>
> I also installed according to the fedora core 1 instructions on the ossim
> website. I had to download some additional rpms (eg. Python 2.3, some
> libraries like curl) however I can't seem to get ossim to work.
>
> Once I logon to the web interface I get several php errors:
>
> On the Control Panel tab I get
>
> Fatal error: Call to undefined function: mysql_escape_string() in
> /var/www/ossim/control_panel/global_score.php on line 73
>
> Also
>
> Fatal error: Call to undefined function: mysql_pconnect() in
> /var/www/adodb-411/drivers/adodb-mysql.inc.php on line 335
>
> Do you think this could be related to the directives.xml file you
> mentioned needed some changes for ossim to work?
>
> -oscar
>
> Oscar Castaneda V.
>
> SISAP/Consul
From: <oca...@si...> - 2004-04-15 15:11:50

Tyler,

I also installed according to the fedora core 1 instructions on the ossim website. I had to download some additional rpm's (eg. Python 2.3, some libraries like curl) however I can't seem to get ossim to work.

Once I logon to the web interface I get several php errors:

On the Control Panel tab I get

Fatal error: Call to undefined function: mysql_escape_string() in /var/www/ossim/control_panel/global_score.php on line 73

Also

Fatal error: Call to undefined function: mysql_pconnect() in /var/www/adodb-411/drivers/adodb-mysql.inc.php on line 335

Do you think this could be related to the directives.xml file you mentioned needed some changes for ossim to work?

-oscar

Oscar Castaneda V.
SISAP/Consul
From: DK <dk...@os...> - 2004-04-15 10:07:03

Hi Tyler,

Almost everything is collected by the agent and sent by the server. A good start would be having the agent correctly parse the logfiles generated by what you want to collect. Then configure sensors, hosts, networks, policies and a couple more things within the web UI (sorry for the poor documentation). Don't hesitate to ask if there's something you want to know regarding setup.

For nessus-snort correlation to work, first you have to set up snort correctly. Have a look at README.nessus, included within the src.tgz. The update_nessus_plugins.pl script updates the ossim DB using your currently loaded nessus plugins. (For this script to work, nessus has to be run manually once so the client accepts the server's certificate). After that, insert a couple of hosts from within Configuration->Host Scan and run do_nessus.pl. Use it with care, the script hasn't been tested much. That script should populate the host_plugin_sid table (ossim DB).

If you examine the plugin_reference table you can see the nessus id's that correspond to the different snort id's; those are only an example, if you know of more please report them to us ;-)

And yes, the encoding was missing within directives.xml...

Greetings,
DK

On 14.04.2004 at 16:17, tyler wrote:
> OK I have setup ossim according to the fedora guide and now everything
> appears to be running fine. But what do I do next? I have seen there is
> a place to config servers, so I need to add my snort, ossim, nessus
> servers there?
>
> What I really want to do is correlate snort data with nessus info, can I
> do this? What all do I have to setup to accomplish this?
>
> Also I had to change directives.xml (/etc/ossim/server/) from <?xml
> version="1.0"?> to <?xml version='1.0' encoding='UTF-8' ?> for ossim to
> start up. Is this a common issue or do I have something screwed up?
>
> Thanks,
> Tyler
From: tyler <ty...@sc...> - 2004-04-14 14:17:39

OK I have setup ossim according to the fedora guide and now everything appears to be running fine. But what do I do next? I have seen there is a place to config servers, so I need to add my snort, ossim, nessus servers there?

What I really want to do is correlate snort data with nessus info, can I do this? What all do I have to setup to accomplish this?

Also I had to change directives.xml (/etc/ossim/server/) from <?xml version="1.0"?> to <?xml version='1.0' encoding='UTF-8' ?> for ossim to start up. Is this a common issue or do I have something screwed up?

Thanks,
Tyler
From: Troy R. <roc...@hr...> - 2004-04-13 22:06:14

Hmm, that's not it I don't think. I removed the password and also removed it from the file and get the same error message. I think someone else posted recently and had a different error message when they had the password wrong . . .

On Tue, 13 Apr 2004, Fabio Ospitia Trujillo wrote:
> Hi
>
> If your DB does not have a password please delete the PASSWORD=xxxxxxxx; label
> from the file.
>
> FOT.
>
> On Thu, 01 Apr 2004 at 01:27, Troy Rockwood wrote:
> > Thanks for the note about the php-domxml rpm, after installing that, I can
> > look at the directives. I am still not getting alerts into OSSIM though
> > and noticed this new problem.
> >
> > I went through the installation instructions again and changed the
> > /etc/ossim/server/config.xml to this:
> >
> > <?xml version='1.0' encoding='UTF-8' ?>
> >
> > <config>
> >   <log filename="/tmp/ossim.log"/>
> >   <sensor name="server" ip="1.2.3.4" interface="eth0"/>
> >   <datasources>
> >     <datasource name="ossimDB" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=xxxxxxxx;DATABASE=ossim;HOST=localhost"/>
> >     <datasource name="snortDB" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=xxxxxxxx;DATABASE=snort;HOST=localhost"/>
> >   </datasources>
> >   <directive filename="/etc/ossim/server/directives.xml"/>
> >   <scheduler interval="15"/>
> >   <server port="40001"/>
> > </config>
> >
> > and when I try to start ossim, I get the following error message:
> >
> > (process:13827): GLib-GObject-CRITICAL **: file gobject.c: line 1337 (g_object_unref): assertion `G_IS_OBJECT (object)' failed
> >
> > as well as this in the /tmp/ossim.log file:
> >
> > file sim-container.c: line 380 (sim_container_db_get_recovery): assertion `database != NULL' failed
> >
> > repeated over and over again.
> >
> > the mysql database looks like this:
> > mysql> show databases;
> > +---------------+
> > | Database      |
> > +---------------+
> > | mysql         |
> > | ossim         |
> > | snort         |
> > | snort_archive |
> > | test          |
> > +---------------+
> > 5 rows in set (0.02 sec)
> >
> > mysql> use ossim;
> > Reading table information for completion of table and column names
> > You can turn off this feature to get a quicker startup with -A
> >
> > Database changed
> > mysql> show tables;
> > +---------------------------+
> > | Tables_in_ossim           |
> > +---------------------------+
> > | alert                     |
> > | backlog                   |
> > | category                  |
> > | classification            |
> > | conf                      |
> > | control_panel_host        |
> > | control_panel_net         |
> > | host                      |
> > | host_mac                  |
> > | host_netbios              |
> > | host_os                   |
> > | host_plugin_sid           |
> > | host_qualification        |
> > | host_scan                 |
> > | host_sensor_reference     |
> > | host_services             |
> > | host_vulnerability        |
> > | net                       |
> > | net_host_reference        |
> > | net_qualification         |
> > | net_sensor_reference      |
> > | net_vulnerability         |
> > | plugin                    |
> > | plugin_reference          |
> > | plugin_sid                |
> > | policy                    |
> > | policy_host_reference     |
> > | policy_net_reference      |
> > | policy_port_reference     |
> > | policy_sensor_reference   |
> > | policy_sig_reference      |
> > | policy_time               |
> > | port                      |
> > | port_group                |
> > | port_group_reference      |
> > | protocol                  |
> > | rrd_anomalies             |
> > | rrd_anomalies_global      |
> > | rrd_conf                  |
> > | rrd_conf_global           |
> > | scan                      |
> > | sensor                    |
> > | signature                 |
> > | signature_group           |
> > | signature_group_reference |
> > +---------------------------+
> > 45 rows in set (0.00 sec)
> >
> > mysql> use snort;
> > Reading table information for completion of table and column names
> > You can turn off this feature to get a quicker startup with -A
> >
> > Database changed
> > mysql> show tables;
> > +------------------+
> > | Tables_in_snort  |
> > +------------------+
> > | acid_ag          |
> > | acid_ag_alert    |
> > | acid_event       |
> > | acid_ip_cache    |
> > | data             |
> > | detail           |
> > | encoding         |
> > | event            |
> > | icmphdr          |
> > | iphdr            |
> > | opt              |
> > | ossim_event      |
> > | reference        |
> > | reference_system |
> > | schema           |
> > | sensor           |
> > | sig_class        |
> > | sig_reference    |
> > | signature        |
> > | tcphdr           |
> > | udphdr           |
> > +------------------+
> > 21 rows in set (0.01 sec)
> >
> > Any help would be appreciated!
> >
> > Troy Rockwood  | Security is mostly a superstition.
> > Research Staff | It does not exist in nature . . .
> > HRL Labs       | Life is either a daring adventure
> >                | or nothing. -- Helen Keller
From: <oca...@si...> - 2004-04-13 15:41:53

Fabio,

That did work, now I realize why config.xml must be edited for each environment. Now I get no problems when firing up ossim, but I do have a few troubles on the web interface.

On the Control Panel tab I get

Fatal error: Call to undefined function: mysql_escape_string() in /var/www/ossim/control_panel/global_score.php on line 73

Also

Fatal error: Call to undefined function: mysql_pconnect() in /var/www/adodb-411/drivers/adodb-mysql.inc.php on line 335

I get these error messages on all tabs on the web interface. What could be wrong?

Thanks again for your help,

-oscar

-----Original Message-----
From: Fabio Ospitia Trujillo [mailto:fo...@ip...]
Sent: Tuesday, April 13, 2004 3:20 AM
To: Oscar Castañeda V.
Cc: os-...@li...
Subject: Re: [Os-sim-support] mysql error

Hi

This error is produced by MySQL. If your DB does not have a password please delete the PASSWORD=xxxxx label from the datasource element in the config.xml file.

FOT

On Mon, 12 Apr 2004 at 23:52, Oscar Castañeda V. wrote:
> I recently finished installing ossim 0.9.3
>
> I installed it on a fedora core 1 system, following the steps in
> http://www.ossim.net/docs/INSTALL.fc1
>
> When I start ossim I get the following mysql errors:
>
> [root@localhost root]# ossim
> CONNECTION ERROR
> NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost
>
> (process:10062): GNet-CRITICAL **: file tcp.c: line 999 (gnet_tcp_socket_server_accept): assertion `socket != NULL' failed
> CONNECTION ERROR
> NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost
> CONNECTION ERROR
> NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost
> CONNECTION ERROR
> NAME: snortDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=snort;HOST=localhost
> CONNECTION ERROR
> NAME: snortDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=snort;HOST=localhost
>
> Any ideas?
>
> Thanks for your help,
>
> -oscar
>
> Oscar Castaneda V.
> SISAP/Consul

--
Fabio Ospitia Trujillo
IP Soluciones S.A.
web: www.ipsoluciones.com
Tel: +34 91 748 63 63
Fax: +34 91 748 63 37
C/ Ulises, 108
28043 Madrid
España

WARNING: THIS E-MAIL CONTAINS PRIVATE AND STRICTLY CONFIDENTIAL INFORMATION. If you are not the intended recipient of this message you are not authorised to read, retain or distribute it.
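Two configuration mistakes run through this thread: an XML declaration without an encoding (the directives.xml fix), and a datasource DSN in the server's config.xml that does not match the MySQL account (Fabio's advice to drop the PASSWORD= label when the account has none, and Troy's quoted config.xml). The Python below is an added example for checking a config.xml before starting the server; it is not OSSIM's own code and assumes only the layout quoted in the thread (a <config> root with <datasources>/<datasource dsn="..."> and a <server port="..."/> element) and a DSN written as semicolon-separated KEY=VALUE pairs. The two sample documents and all function names are constructed for the example.

```python
"""Sanity-check an OSSIM-style server config.xml before starting the server.

Added example for this thread, not OSSIM's own code. Assumes only the
config.xml layout quoted in the thread and a 'KEY=VALUE;KEY=VALUE' DSN.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout quoted in the thread; the password
# value is a placeholder, as it is in the thread.
GOOD_CONFIG = """<?xml version='1.0' encoding='UTF-8' ?>
<config>
  <log filename="/tmp/ossim.log"/>
  <sensor name="server" ip="1.2.3.4" interface="eth0"/>
  <datasources>
    <datasource name="ossimDB" provider="MySQL"
      dsn="PORT=3306;USER=ossim;PASSWORD=placeholder;DATABASE=ossim;HOST=localhost"/>
    <datasource name="snortDB" provider="MySQL"
      dsn="PORT=3306;USER=ossim;PASSWORD=placeholder;DATABASE=snort;HOST=localhost"/>
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001"/>
</config>
"""

# Constructed sample reproducing the two mistakes discussed in the thread:
# no encoding in the XML declaration, and an empty PASSWORD= field left in
# the DSN instead of removing the label for a password-less account.
BAD_CONFIG = """<?xml version="1.0"?>
<config>
  <datasources>
    <datasource name="ossimDB" provider="MySQL"
      dsn="PORT=3306;USER=root;PASSWORD=;DATABASE=ossim;HOST=localhost"/>
  </datasources>
  <server port="40001"/>
</config>
"""


def parse_dsn(dsn):
    """Split 'KEY=VALUE;KEY=VALUE' into a dict; keys upper-cased, empty fields skipped."""
    fields = {}
    for field in dsn.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError("malformed DSN field: %r" % field)
        key, _, value = field.partition("=")
        fields[key.strip().upper()] = value.strip()
    return fields


def has_encoding_declaration(text):
    """True when the XML declaration names an encoding (the directives.xml fix)."""
    first_line = text.lstrip().split("\n", 1)[0]
    return first_line.startswith("<?xml") and "encoding=" in first_line


def server_port(text):
    """Port the server listens on; the agent's <server> element must point at it."""
    root = ET.fromstring(text.encode("utf-8"))
    return int(root.find("server").get("port"))


def check_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not has_encoding_declaration(text):
        findings.append("xml: declaration has no encoding= attribute")
    root = ET.fromstring(text.encode("utf-8"))
    for ds in root.iter("datasource"):
        name = ds.get("name", "?")
        fields = parse_dsn(ds.get("dsn", ""))
        for required in ("USER", "DATABASE", "HOST"):
            if required not in fields:
                findings.append("%s: DSN is missing %s" % (name, required))
        if fields.get("PASSWORD") == "":
            findings.append("%s: empty PASSWORD= field; remove the label "
                            "if the account has no password" % name)
        if fields.get("USER") == "root":
            findings.append("%s: connects as MySQL root; a dedicated "
                            "least-privilege account is preferable" % name)
        if not fields.get("PORT", "3306").isdigit():
            findings.append("%s: PORT is not numeric" % name)
    if not 0 < server_port(text) < 65536:
        findings.append("server: port out of range")
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(doc) or ["ok"])
```

Run against the two constructed documents, the first produces no findings and the second reports the missing encoding, the empty PASSWORD= field and the root account. The root-account finding is a least-privilege point rather than a startup blocker: the server only needs rights on the ossim and snort databases, so a dedicated MySQL user limits what a compromised server process or a leaked config.xml can reach.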
From: Fabio O. T. <fo...@os...> - 2004-04-13 09:41:57

On Mon, 05 Apr 2004 at 22:27, jo...@al... wrote:
> Hello -
>
> I've managed to set up OSSIM and get to the interface, although I have
> a few "design" questions.
>
> 1/ My infrastructure is a set of snort sensors w/ an OSSIM server (not
> running snort). All of these sensors log to a mysql db on the OSSIM
> server. I have that configured in snort's output plugins, but from
> what I've seen I need to run the OSSIM agent on each sensor as well.
> Assuming that these are only running snort, do I just enable that
> plugin within the agent? Also - since all of the alerts are going to
> the snort db on the OSSIM server, what purpose does the agent serve -
> basically, what does it do?

Yes, you have to configure one agent per snort; you can do this by commenting out the other plugins in the agent config.xml. The agent sends alerts to the server to calculate and correlate them.

> 2/ I see on the site that OSSIM integrates w/ Snortcenter as well -
> how is this interface established?
>
> 3/ Has anyone had experience w/ a tool like winsyslog to redirect
> event logs to syslog and then correlate them w/ OSSIM? What kind of
> correlation is built in for Windows events?
>
> 4/ This is a more technical question, but do I run the agent on the
> OSSIM server as well as the sensors? If so, can anyone figure out why
> it won't start? I get:
> (!!) Agent: Error connecting to server (X.X.X.X, 40001) ... (111,
> 'Connection refused')

Yes, you can run the agent on the server. You have to configure the "server" element in the agent's config.xml; it must be an IP.

> Thanks a lot!
> B
From: Fabio O. T. <fo...@os...> - 2004-04-13 09:27:34
|
Hi,

If your DB does not have a password, please delete the PASSWORD=xxxxxxxx; label from the file.

FOT.

On Thu, 01 Apr 2004 at 01:27, Troy Rockwood wrote:
> Thanks for the note about the php-domxml rpm, after installing that, I can
> look at the directives. I am still not getting alerts into OSSIM though
> and noticed this new problem.
>
> I went through the installation instructions again and changed the
> /etc/ossim/server/config.xml to this:
>
> <?xml version='1.0' encoding='UTF-8' ?>
>
> <config>
>     <log filename="/tmp/ossim.log"/>
>     <sensor name="server" ip="1.2.3.4" interface="eth0"/>
>     <datasources>
>         <datasource name="ossimDB" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=xxxxxxxx;DATABASE=ossim;HOST=localhost"/>
>         <datasource name="snortDB" provider="MySQL" dsn="PORT=3306;USER=root;PASSWORD=xxxxxxxx;DATABASE=snort;HOST=localhost"/>
>     </datasources>
>     <directive filename="/etc/ossim/server/directives.xml"/>
>     <scheduler interval="15"/>
>     <server port="40001"/>
> </config>
>
> and when I try to start ossim, I get the following error message:
>
> (process:13827): GLib-GObject-CRITICAL **: file gobject.c: line 1337 (g_object_unref): assertion `G_IS_OBJECT (object)' failed
>
> as well as this in the /tmp/ossim.log file:
>
> file sim-container.c: line 380 (sim_container_db_get_recovery): assertion `database != NULL' failed
>
> repeated over and over again.
>
> the mysql database looks like this:
> mysql> show databases;
> +---------------+
> | Database      |
> +---------------+
> | mysql         |
> | ossim         |
> | snort         |
> | snort_archive |
> | test          |
> +---------------+
> 5 rows in set (0.02 sec)
>
> mysql> use ossim;
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
>
> Database changed
> mysql> show tables;
> +---------------------------+
> | Tables_in_ossim           |
> +---------------------------+
> | alert                     |
> | backlog                   |
> | category                  |
> | classification            |
> | conf                      |
> | control_panel_host        |
> | control_panel_net         |
> | host                      |
> | host_mac                  |
> | host_netbios              |
> | host_os                   |
> | host_plugin_sid           |
> | host_qualification        |
> | host_scan                 |
> | host_sensor_reference     |
> | host_services             |
> | host_vulnerability        |
> | net                       |
> | net_host_reference        |
> | net_qualification         |
> | net_sensor_reference      |
> | net_vulnerability         |
> | plugin                    |
> | plugin_reference          |
> | plugin_sid                |
> | policy                    |
> | policy_host_reference     |
> | policy_net_reference      |
> | policy_port_reference     |
> | policy_sensor_reference   |
> | policy_sig_reference      |
> | policy_time               |
> | port                      |
> | port_group                |
> | port_group_reference      |
> | protocol                  |
> | rrd_anomalies             |
> | rrd_anomalies_global      |
> | rrd_conf                  |
> | rrd_conf_global           |
> | scan                      |
> | sensor                    |
> | signature                 |
> | signature_group           |
> | signature_group_reference |
> +---------------------------+
> 45 rows in set (0.00 sec)
>
> mysql> use snort;
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
>
> Database changed
> mysql> show tables;
> +------------------+
> | Tables_in_snort  |
> +------------------+
> | acid_ag          |
> | acid_ag_alert    |
> | acid_event       |
> | acid_ip_cache    |
> | data             |
> | detail           |
> | encoding         |
> | event            |
> | icmphdr          |
> | iphdr            |
> | opt              |
> | ossim_event      |
> | reference        |
> | reference_system |
> | schema           |
> | sensor           |
> | sig_class        |
> | sig_reference    |
> | signature        |
> | tcphdr           |
> | udphdr           |
> +------------------+
> 21 rows in set (0.01 sec)
>
> Any help would be appreciated!
>
> Troy Rockwood  | Security is mostly a superstition.
> Research Staff | It does not exist in nature . . .
> HRL Labs       | Life is either a daring adventure
>                | or nothing. -- Helen Keller
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Os-sim-support mailing list
> Os-...@li...
> https://lists.sourceforge.net/lists/listinfo/os-sim-support |
From: Fabio O. T. <fo...@os...> - 2004-04-13 09:24:57
|
Hi,

We are working on documentation to build OSSIM from the sources. Thanks for your patience.

FOT.

On Fri, 02 Apr 2004 at 21:24, Dan Fiorito wrote:
> I would like to install ossim to get familiar with how it works. Hard to
> find any information on anything other than Redhat and Debian. Any way to
> roll your own? |
From: Fabio O. T. <fo...@ip...> - 2004-04-13 09:21:10
|
Hi,

This error is produced by MySQL. If your DB does not have a password, please delete the PASSWORD=xxxxx label from the datasource element in the config.xml file.

FOT

On Mon, 12 Apr 2004 at 23:52, Oscar Castañeda V. wrote:
> I recently finished installing ossim 0.9.3
>
> I installed it on a fedora core 1 system, following the steps in
> http://www.ossim.net/docs/INSTALL.fc1
>
> When I start ossim I get the following mysql errors:
>
> [root@localhost root]# ossim
> CONNECTION ERROR
> NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost
>
> (process:10062): GNet-CRITICAL **: file tcp.c: line 999 (gnet_tcp_socket_server_accept): assertion `socket != NULL' failed
> CONNECTION ERROR
> NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost
> CONNECTION ERROR
> NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost
> CONNECTION ERROR
> NAME: snortDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=snort;HOST=localhost
> CONNECTION ERROR
> NAME: snortDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=snort;HOST=localhost
>
> Any ideas?
>
> Thanks for your help,
>
> -oscar
>
> Oscar Castaneda V.
> SISAP/Consul

--
Fabio Ospitia Trujillo
IP Soluciones S.A.
web: www.ipsoluciones.com
Tel: +34 91 748 63 63
Fax: +34 91 748 63 37
C/ Ulises, 108
28043 Madrid
Spain

WARNING
THIS E-MAIL CONTAINS PRIVATE AND STRICTLY CONFIDENTIAL INFORMATION. If you are not the intended recipient of this message you are not authorized to read, retain or distribute it. |
From: Fabio O. T. <fo...@ip...> - 2004-04-13 09:16:03
|
Hi,

At the moment we do not have Slackware documentation, but soon we will have documentation to build OSSIM from the sources.

FOT.

On Wed, 07 Apr 2004 at 06:15, Jesse Hurford wrote:
> G'day,
>
> I'm trying to follow the installation guide for Debian to install
> OSSIM on a slackware box yet there are a fair few things in there that
> relate only to debian.
> Are there any docs/FAQs that anyone can point me to that will help
> me install on a slackware box? As I have gone through the docs/lists
> on sourceforge and can't find anything that helps.
> Any help at all is very much appreciated.
>
> Regards,
>
> Jesse Hurford

--
Fabio Ospitia Trujillo
IP Soluciones S.A. |
From: <oca...@si...> - 2004-04-12 21:52:18
|
I recently finished installing ossim 0.9.3

I installed it on a fedora core 1 system, following the steps in
http://www.ossim.net/docs/INSTALL.fc1

When I start ossim I get the following mysql errors:

[root@localhost root]# ossim
CONNECTION ERROR
NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost

(process:10062): GNet-CRITICAL **: file tcp.c: line 999 (gnet_tcp_socket_server_accept): assertion `socket != NULL' failed
CONNECTION ERROR
NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost
CONNECTION ERROR
NAME: ossimDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=ossim;HOST=localhost
CONNECTION ERROR
NAME: snortDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=snort;HOST=localhost
CONNECTION ERROR
NAME: snortDS PROVIDER: MySQL DSN: PORT=3306;USER=root;PASSWORD=passwd;DATABASE=snort;HOST=localhost

Any ideas?

Thanks for your help,

-oscar

Oscar Castaneda V.
SISAP/Consul |
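Both DSN problems in this thread (the config.xml Troy posted above and Oscar's CONNECTION ERROR output) come down to the contents of the dsn attribute of each datasource element. What follows is an added example, not OSSIM code and not from anyone in the thread: a Python checker that parses datasource elements from a config.xml laid out like Troy's, applies Fabio's fix of dropping an empty PASSWORD field, and flags placeholder passwords, invalid ports and use of the MySQL root account. The sample config, the placeholder list and the root warning are my assumptions (the root warning is a general least-privilege recommendation, not something the thread discusses); the element and attribute names follow Troy's snippet.

```python
"""Added example (not OSSIM code): lint the datasource DSNs in an OSSIM
server config.xml before starting the server.

Assumptions not taken from the thread: the config layout follows the
snippet Troy posted (<datasources><datasource name=.. provider=.. dsn=../>),
and a DSN is a ';'-separated list of KEY=VALUE fields.
"""
import xml.etree.ElementTree as ET

# Constructed sample config modelled on the one quoted in the thread; the
# second datasource deliberately carries an empty PASSWORD field.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8' ?>
<config>
  <log filename="/tmp/ossim.log"/>
  <sensor name="server" ip="1.2.3.4" interface="eth0"/>
  <datasources>
    <datasource name="ossimDB" provider="MySQL"
      dsn="PORT=3306;USER=root;PASSWORD=xxxxxxxx;DATABASE=ossim;HOST=localhost"/>
    <datasource name="snortDB" provider="MySQL"
      dsn="PORT=3306;USER=root;PASSWORD=;DATABASE=snort;HOST=localhost"/>
  </datasources>
  <directive filename="/etc/ossim/server/directives.xml"/>
  <scheduler interval="15"/>
  <server port="40001"/>
</config>
"""

# Assumed list of values that mean "nobody replaced the template password".
PLACEHOLDERS = {"xxxxxxxx", "xxxxx", "passwd", "password", "changeme"}


def parse_dsn(dsn):
    """Split 'K=V;K=V' into a dict; only the first '=' of a field separates key and value."""
    fields = {}
    for part in dsn.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DSN field: %r" % (part,))
        fields[key.strip().upper()] = value.strip()
    return fields


def build_dsn(fields):
    """Reassemble a DSN, keeping the field order of the original."""
    return ";".join("%s=%s" % (k, v) for k, v in fields.items())


def normalize_dsn(dsn):
    """Apply the fix Fabio gives in the thread: when the DB has no password,
    remove the PASSWORD field entirely instead of leaving it empty."""
    fields = parse_dsn(dsn)
    if "PASSWORD" in fields and fields["PASSWORD"] == "":
        del fields["PASSWORD"]
    return build_dsn(fields)


def lint_dsn(name, dsn):
    """Return a list of human-readable warnings for one datasource."""
    fields = parse_dsn(dsn)
    warnings = []
    for required in ("USER", "DATABASE", "HOST"):
        if required not in fields:
            warnings.append("%s: missing %s" % (name, required))
    if fields.get("PASSWORD", "").lower() in PLACEHOLDERS:
        warnings.append("%s: PASSWORD looks like a placeholder" % name)
    if fields.get("USER") == "root":
        # Assumed best practice, not from the thread: a dedicated account
        # with rights on the ossim/snort databases only is preferable.
        warnings.append("%s: connects as MySQL root; use a least-privilege account" % name)
    port = fields.get("PORT", "3306")
    if not port.isdigit() or not 0 < int(port) < 65536:
        warnings.append("%s: PORT %r is not a valid TCP port" % (name, port))
    return warnings


def check_config(xml_text):
    """Parse config.xml and return {datasource name: {dsn, warnings}}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    report = {}
    for ds in root.iter("datasource"):
        name = ds.get("name", "?")
        dsn = ds.get("dsn", "")
        report[name] = {"dsn": normalize_dsn(dsn), "warnings": lint_dsn(name, dsn)}
    return report


if __name__ == "__main__":
    for name, entry in check_config(SAMPLE_CONFIG).items():
        print(name, "->", entry["dsn"])
        for warning in entry["warnings"]:
            print("  !", warning)
```

Note that the file this reads holds database credentials in clear text, so whatever account the server runs as should be the only one able to read /etc/ossim/server/config.xml.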
From: <oca...@si...> - 2004-04-12 17:54:41
|
confirm 651705 |
From: Jesse H. <jes...@kb...> - 2004-04-07 04:22:38
|
G'day,

I'm trying to follow the installation guide for Debian to install OSSIM on a slackware box yet there are a fair few things in there that relate only to debian.
Are there any docs/FAQs that anyone can point me to that will help me install on a slackware box? As I have gone through the docs/lists on sourceforge and can't find anything that helps.
Any help at all is very much appreciated.

Regards,

Jesse Hurford |
From: David G. <dg...@ip...> - 2004-04-06 18:59:19
|
Sorry, sorry, you are right! I was thinking about the perl scripts (mac.pl and os.pl). Thank you, I think these .php files work fine with MySQL 4.0; I haven't tested them with MySQL 3.X. I'll correct it as soon as I can. Thank you for the bug report.

On Tue, 06-04-2004 at 18:35, Jordi Figueras wrote:
> I'm running 0.9.3!
>
> but on my console: "Control Panel" -> "Anomalies" -> "Mac Changes [get list]" there is a link to this script:
>
> /var/www/ossim/control_panel/mac.php
>
> something I'm doing wrong :-(
>
> I've 3 machines with agent only, but one machine with agent, server and framework; I execute this on it:
>
> /usr/bin/ossim
> /usr/bin/agent
> /usr/share/ossim/scripts/control_panel.pl
>
> and on crontab:
>
> 0-59/5 * * * * /usr/share/ossim/mrtg/launch-mrtg
>
> Is it not fine?
>
> > -----Original Message-----
> > From: David Gil [mailto:dg...@ip...]
> > Sent: Tuesday, 06 April 2004 18:11
> > To: Jordi Figueras
> > CC: os-...@li...
> > Subject: Re: [Os-sim-support] MySQL OFFSET changes
> >
> > Hello,
> >
> > Those scripts are deprecated, please ignore them. What
> > version of ossim do you have? If your ossim install still
> > uses those scripts please upgrade to the latest version 0.9.3.
> >
> > Os and Mac changes are now managed directly from the agent, there
> > is no need for these external scripts.
> >
> > Greetings
> >
> > David.
> >
> > On Tue, 06-04-2004 at 17:43, Jordi Figueras wrote:
> > > With my MySQL version (3.23) I've needed to make these changes on
> > >
> > > /var/www/ossim/control_panel/os.php
> > > /var/www/ossim/control_panel/mac.php
> > >
> > > at line 21
> > >
> > > $args = "ORDER by $order LIMIT $count OFFSET $offset ";
> > >
> > > change to
> > >
> > > $args = "ORDER by $order LIMIT $offset,$count ";
> > >
> > > Is it correct? |
From: Jordi F. <jfi...@se...> - 2004-04-06 16:35:44
|
I'm running 0.9.3!

but on my console: "Control Panel" -> "Anomalies" -> "Mac Changes [get list]" there is a link to this script:

/var/www/ossim/control_panel/mac.php

something I'm doing wrong :-(

I've 3 machines with agent only, but one machine with agent, server and framework; I execute this on it:

/usr/bin/ossim
/usr/bin/agent
/usr/share/ossim/scripts/control_panel.pl

and on crontab:

0-59/5 * * * * /usr/share/ossim/mrtg/launch-mrtg

Is it not fine?

> -----Original Message-----
> From: David Gil [mailto:dg...@ip...]
> Sent: Tuesday, 06 April 2004 18:11
> To: Jordi Figueras
> CC: os-...@li...
> Subject: Re: [Os-sim-support] MySQL OFFSET changes
>
> Hello,
>
> Those scripts are deprecated, please ignore them. What
> version of ossim do you have? If your ossim install still
> uses those scripts please upgrade to the latest version 0.9.3.
>
> Os and Mac changes are now managed directly from the agent, there
> is no need for these external scripts.
>
> Greetings
>
> David.
>
> On Tue, 06-04-2004 at 17:43, Jordi Figueras wrote:
> > With my MySQL version (3.23) I've needed to make these changes on
> >
> > /var/www/ossim/control_panel/os.php
> > /var/www/ossim/control_panel/mac.php
> >
> > at line 21
> >
> > $args = "ORDER by $order LIMIT $count OFFSET $offset ";
> >
> > change to
> >
> > $args = "ORDER by $order LIMIT $offset,$count ";
> >
> > Is it correct? |
From: David G. <dg...@ip...> - 2004-04-06 16:11:02
|
Hello,

Those scripts are deprecated, please ignore them. What version of ossim do you have? If your ossim install still uses those scripts please upgrade to the latest version 0.9.3.

Os and Mac changes are now managed directly from the agent, there is no need for these external scripts.

Greetings

David.

On Tue, 06-04-2004 at 17:43, Jordi Figueras wrote:
> With my MySQL version (3.23) I've needed to make these changes on
>
> /var/www/ossim/control_panel/os.php
> /var/www/ossim/control_panel/mac.php
>
> at line 21
>
> $args = "ORDER by $order LIMIT $count OFFSET $offset ";
>
> change to
>
> $args = "ORDER by $order LIMIT $offset,$count ";
>
> Is it correct? |
From: Jordi F. <jfi...@se...> - 2004-04-06 15:44:17
|
With my MySQL version (3.23) I've needed to make these changes on

/var/www/ossim/control_panel/os.php
/var/www/ossim/control_panel/mac.php

at line 21

$args = "ORDER by $order LIMIT $count OFFSET $offset ";

change to

$args = "ORDER by $order LIMIT $offset,$count ";

Is it correct? |
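Jordi's change and David's reply above are about the two spellings of the same LIMIT clause. As an added example (Python rather than OSSIM's PHP, and not code from anyone in the thread), here is a function that produces the clause in the form Jordi switched to, together with the checks a practitioner adds whenever variables are interpolated into SQL: a whitelist for the sort column and integer coercion for offset and count. The column names and the sample rows are assumptions made for illustration; the thread does not show where os.php and mac.php get their values from.

```python
"""Added example (not OSSIM code): build the ORDER BY / LIMIT clause that
os.php and mac.php need in the 'LIMIT offset,count' form, which MySQL 3.23
accepts, whereas 'LIMIT count OFFSET offset' only works on the newer MySQL
David tested with. Column names and sample rows are assumptions.
"""

# Assumed sort columns for the anomaly lists; not taken from the thread.
ALLOWED_ORDER = ("date", "ip", "mac", "os")


def paging_clause(order, offset, count, desc=False, allowed=ALLOWED_ORDER):
    """Return 'ORDER BY <col>[ DESC] LIMIT <offset>,<count>'.

    The column is checked against a whitelist and offset/count are forced
    to integers before interpolation, so a value that arrives as a string
    cannot change the shape of the query.
    """
    if order not in allowed:
        raise ValueError("unknown sort column %r" % (order,))
    offset = int(offset)   # raises ValueError on anything that is not an integer
    count = int(count)
    if offset < 0 or count <= 0:
        raise ValueError("offset must be >= 0 and count must be > 0")
    direction = " DESC" if desc else ""
    # 'LIMIT offset,count' is understood by MySQL 3.23 and by every later version.
    return "ORDER BY %s%s LIMIT %d,%d" % (order, direction, offset, count)


def paginate(rows, order, offset, count, desc=False):
    """Pure-Python model of what the clause does, so a page boundary can be
    checked offline against what the SQL would return."""
    clause = paging_clause(order, offset, count, desc)  # validates the inputs first
    ordered = sorted(rows, key=lambda r: r[order], reverse=desc)
    return clause, ordered[offset:offset + count]


# Constructed sample rows standing in for the host_mac table (not real data).
SAMPLE_ROWS = [
    {"ip": "10.0.0.%d" % i, "mac": "00:11:22:33:44:%02x" % i, "date": 1000 + i}
    for i in (5, 3, 1, 4, 2)
]

if __name__ == "__main__":
    clause, page = paginate(SAMPLE_ROWS, "date", 1, 2)
    print(clause)
    for row in page:
        print(row)
```

Whichever LIMIT spelling a given MySQL version wants, the validation step is the part worth keeping: with $order whitelisted and $offset/$count coerced to integers it no longer matters where those three values came from.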
From: <jo...@al...> - 2004-04-05 20:32:29
|
Hello -

I've managed to set up OSSIM and get to the interface, although I have a few "design" questions.

1/ My infrastructure is a set of snort sensors w/ an OSSIM server (not running snort). All of these sensors log to a mysql db on the OSSIM server. I have that configured in snort's output plugins, but from what I've seen I need to run the OSSIM agent on each sensor as well. Assuming that these are only running snort, do I just enable that plugin within the agent? Also - since all of the alerts are going to the snort db on the OSSIM server, what purpose does the agent serve - basically, what does it do?

2/ I see on the site that OSSIM integrates w/ Snortcenter as well - how is this interface established?

3/ Has anyone had experience w/ a tool like winsyslog to redirect event logs to syslog and then correlate them w/ OSSIM? What kind of correlation is built in for Windows events?

4/ This is a more technical question, but do I run the agent on the OSSIM server as well as the sensors? If so, can anyone figure out why it won't start? I get:
(!!) Agent: Error connecting to server (X.X.X.X, 40001) ... (111, 'Connection refused')

Thanks a lot!
B |