very good ... now the ips are ok ... perfect ...
but, in the signature column only a number appears, not the text ... is it a
problem in the db?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
I just tested. I will release a new file in 5 mins
On 9/14/06, *Meir Michanie* <[EMAIL PROTECTED]> wrote:
I apologize that I did all my last testing on ossec2mysqld and
not ossec2mysql. I just fixed the declaration of the variable.
Please download again from riunx and let me know if it is ok. I
will do QA in a few hours.
TIA
On 9/14/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:
I got the ossec-ui-latest.tar.bz2
<http://www.riunx.com/public/ossec-ui-latest.tar.bz2> at
www.riunx.com and did this:
* mysql base -p < ossec2base.sql
* mysql base -p < snort_tables.sql
* mysql base -p < trunc_ossecbase.sql
* cp ossec2mysqld.pl ossec2mysql.pl ossec2basetxt.pl /usr/local/bin/
* cat rules/*.xml | ossec2basetxt.pl -e -o /usr/share/base-php4/signatures/
* echo 'TRUNCATE TABLE `signature` ;' | mysql base -p
* echo 'TRUNCATE TABLE `sensor` ;' | mysql base -p
* echo 'TRUNCATE TABLE `acid_event` ;' | mysql base -p
* echo 'TRUNCATE TABLE `events` ;' | mysql base -p
* echo 'TRUNCATE TABLE `event` ;' | mysql base -p
* echo 'TRUNCATE TABLE `data` ;' | mysql base -p
* cat /opt/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log | ossec2mysql.pl --interface manualfeed
when I try to import the logs (last command) I got the
following error:
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 206.
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 207.
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 208.
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 246.
Global symbol "$alerthostip" requires explicit package name at /usr/local/bin/ossec2mysql.pl line 279.
Execution of /usr/local/bin/ossec2mysql.pl aborted due to compilation errors.
Did I forget to do something?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
> yes, I removed ossec2base from cvs and now it is a link to
ossec2mysql
>
>
> On 9/14/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:
>
>
> Are ossec2mysql and ossec2base/ossec-ui the same?
>
> --
> ________________________________________
> Leonardo Goldim - Auditoria Intranetworks
> [EMAIL PROTECTED]
>
> Intranetworks
> Rua Marquês do Pombal 1710/805
> Porto Alegre - RS - 90540-000
> +55 51 3325-5700
> +55 51 8415-8604
>
>
>
> Meir Michanie wrote:
> > Leonardo, get the latest ossec2mysql from cvs or from
> > www.riunx.com
> >
> > Vitor:
> > it seems that your alert logs show that the log was generated
> > by the agent.
> > We have to work to make ossec-hids report dstip by parsing the
> > event and reporting it to the log, so I do not have to make it up.
> >
> > On 9/14/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:
> >
> >
> > sorry, but I don't understand your answer ...
> > as it is today, the dstip is the agent ip?
> > in my base, the dstip and the srcip are the same, is that
> > right?
> >
> > --
> > ________________________________________
> > Leonardo Goldim - Auditoria Intranetworks
> > [EMAIL PROTECTED]
> >
> > Intranetworks
> > Rua Marquês do Pombal 1710/805
> > Porto Alegre - RS - 90540-000
> > +55 51 3325-5700
> > +55 51 8415-8604
> >
> >
> >
> > Meir Michanie wrote:
> > >
> > >
> > > On 9/14/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > my idea to use the real ip instead of 0.0.0.0 is to
> > > organize the alerts at base ...
> > > for example, I have a server that monitors many agents ...
> > > using base to analyse the alerts, I can't order by host,
> > > the alerts are mixed ...
> > >
> > >
> > > Why not? The agent is the dst ip. Sort by dstip.
> > >
> > >
> > > if I use the dstip as the real ip, I can go to dest ip
> > > addrs -> select an ip and I get all the alerts from that
> > > host; is it possible to make the comparison that you
> > > explain using the srcip as 0.0.0.0 or the real ip ...
> > >
> > > The dst ip is the one who has logged the event
> > > and src ip is either a known network real IP or null if
> > > unknown or not network related.
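The field semantics settled at the end of this thread (dst ip is the agent that logged the event, src ip is a real network address or null when the alert carries none, and a per-host view should sort by dstip) as an added worked example. This is editor-added Python, not code from the thread or from ossec2mysql; the alert-log layout in SAMPLE_ALERTS is constructed to resemble OSSEC 1.x alerts.log output and is an assumption, as are the function names.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of an OSSEC alerts.log (assumed layout, not
# text from the thread). Each alert starts with "** Alert", then a line with the
# timestamp and logging location: "(agent) ip->file" for an agent, "host->file"
# for a log read on the server itself. "Src IP:" is present only when the
# decoder extracted a network address from the event.
SAMPLE_ALERTS = """\
** Alert 1158249600.1234: - syslog,sshd,authentication_failed,
2006 Sep 14 10:00:00 (agent01) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Sep 14 10:00:00 agent01 sshd[4321]: Failed password for root from 10.0.0.5 port 51022 ssh2

** Alert 1158249660.1300: - ossec,
2006 Sep 14 10:01:00 ossec-server->ossec-logcollector
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'agent02->192.168.1.11'.

** Alert 1158249720.1401: - syslog,sshd,authentication_failed,
2006 Sep 14 10:02:00 (agent02) 192.168.1.11->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.7
User: admin
Sep 14 10:02:00 agent02 sshd[777]: Failed password for admin from 10.0.0.7 port 40000 ssh2

** Alert 1158249780.1500: - syslog,pam,
2006 Sep 14 10:03:00 (agent01) 192.168.1.10->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
User: backup
Sep 14 10:03:00 agent01 cron[900]: pam_unix(cron:session): session opened for user backup by (uid=0)
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): - (?P<groups>.*)$")
LOCATION_RE = re.compile(
    r"^(?P<time>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    # agent-reported log: "(agent) ip->file"; server-local log: "host->file"
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})|(?P<host>\S+?))"
    r"->(?P<file>.+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<srcip>\S+)$")


def parse_alerts(text):
    """Split an alerts.log into alert blocks and extract what a BASE feed needs.

    dstip is the address of the agent that logged the event (None for logs
    read on the server itself, where the header carries no address; the
    thread discusses 0.0.0.0 as a placeholder for that case). srcip is the
    decoded network address, or None when the event has none.
    """
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "id": m.group("id"),
                "groups": m.group("groups").rstrip(",").split(","),
                "agent": None, "dstip": None, "srcip": None,
            }
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = LOCATION_RE.match(line)
        if m:
            current["time"] = m.group("time")
            current["agent"] = m.group("agent") or m.group("host")
            current["dstip"] = m.group("ip")  # None when no address in header
            current["location"] = m.group("file")
            continue
        m = RULE_RE.match(line)
        if m:
            current["rule"] = int(m.group("rule"))
            current["level"] = int(m.group("level"))
            current["description"] = m.group("desc")
            continue
        m = SRCIP_RE.match(line)
        if m:
            current["srcip"] = m.group("srcip")
    return alerts


def alerts_by_host(alerts):
    """Group rule ids by dstip, i.e. the 'sort by dstip' per-agent view.

    Alerts without an address end up under the key None instead of being
    mixed into a real host's bucket.
    """
    grouped = defaultdict(list)
    for a in sorted(alerts, key=lambda a: (a["dstip"] or "", a["id"])):
        grouped[a["dstip"]].append(a["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for host, rules in alerts_by_host(parse_alerts(SAMPLE_ALERTS)).items():
        print(host, rules)
```

Running the block groups the two agent01 alerts under 192.168.1.10, the agent02 alert under 192.168.1.11, and the server-side "agent started" alert under None; the srcip of each alert stays independent of its dstip, which is the distinction Leonardo was asking about.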