I truncated my db as you did and it works ok
On 9/21/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:
Hey Meir,
my logs are equal to the logs you posted here on the list before...
---------------- LOG ----------------------------
** Alert 1158838515.0:
2006 Sep 21 08:35:15 smart09->/var/log/secure
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su: pam_unix(su:session): session opened for user root by (uid=501)
** Alert 1158844531.229:
2006 Sep 21 10:15:31 smart09->/var/log/secure
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su: pam_unix(su:session): session opened for user root by (uid=501)
---------------- LOG ----------------------------
I was looking at the base db and, consulting the signature table, I saw the signatures are registered there, but the BASE interface doesn't show this information ...
Here is a little bit of the table:
-------------- TABLE ------------------
+--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+
| sig_id | sig_name | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
+--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+
| 1 | 'Unknown problem somewhere in the system.' | 1 | 7 | 0 | 102 | NULL |
| 2 | 'SSHD authentication failed.' | 1 | 5 | 0 | 1516 | NULL |
| 3 | 'Attempt to access an non-existent file.' | 1 | 5 | 0 | 3012 | NULL |
| 4 | 'Web server 400 error code.' | 1 | 5 | 0 | 3101 | NULL |
| 5 | 'Integrity checksum of file '/etc/httpd/conf/httpd.conf' has changed.' | 1 | 8 | 0 | 13 | NULL |
| 6 | 'Multiple attempts to access non-existent files (web scan) from same source.' | 1 | 10 | 0 | 3014 | NULL |
| 7 | 'User authentication failure.' | 1 | 5 | 0 | 401 | NULL |
| 8 | 'User sucessfully changed UID to root' | 1 | 3 | 0 | 1103 | NULL |
| 9 | 'Integrity checksum of file '/etc/alsa/pcm/dsnoop.conf' has changed.' | 1 | 8 | 0 | 13 | NULL |
| 10 | 'Integrity checksum of file '/etc/alsa/pcm/dmix.conf' has changed.' | 1 | 8 | 0 | 13 | NULL |
+--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+
-------------- TABLE ------------------
Here is the BASE interface:
ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto > #0-(1-1) 1 2006-07-31 10:41:33 0.0.0.0 10.0.0.9 IP
Is it possible that OSSIM has broken something more? Which version of BASE are you using?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
The only thing I can suggest is that you look at the alerts log in the wiki. If your alert log format is not there, append it and I can check more.
On 9/21/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:
Hey Meir,
I had installed OSSIM and it changed some things in my BASE, so I
downloaded the BASE source and installed it in another place.
I did these steps to install ossec-ui:
* mysqladmin create base -p
* mysql base -p < snort_tables.sql
* mysql base -p < ossec2base.sql
* mysql base -p < trunc_ossecbase.sql
* configure my new base to access the base db
* cat /opt/ossec/rules/*.xml | ossec2basetxt.pl -e -o /var/www/html/ossecbase/signatures/
* cat /opt/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log | ossec2mysql.pl --interface manualfeed
After this I access the URL http://127.0.0.1/ossecbase/ but the problem
with signatures continues, look:
ID          Signature   Timestamp             Source Address   Dest. Address   Layer 4 Proto
#0-(1-1)    1           2006-07-31 10:41:33   0.0.0.0          10.0.0.9        IP
I don't know what I can do anymore ... do you have any suggestion?
But the good side is that the "problem" with dest. address and source
address appears to be ok.
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
>
>
> On 9/19/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:
>
>
> Hey Meir
>
> Do you have any suggestion of what I can do to correct my problem with
> signatures?
>
> After these fixes to ossec-ui, how do we have to import the signatures?
> With ossec2base_sigs.pl or ossec2basetxt.pl?
> In my case I used ossec2basetxt.pl ...
>
>
> ossec2base_sigs.pl is legacy.
> I will remove it from cvs.
> It doesn't hurt but it is not needed.
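One check that follows from what Leonardo describes (signature rows present, names blank in the interface), added here as an example and not code from the thread, from ossec-ui or from BASE: BASE fills the Signature column by joining event.signature to signature.sig_id in the Snort schema that snort_tables.sql creates, so an event whose stored value has no matching sig_id shows an empty name even when the table is populated. The script builds both tables in SQLite with constructed rows (the signature rows are copied from the table quoted above; the event rows, and the use of sqlite3 in place of the real MySQL database, are assumptions) and lists the events that fail that join, flagging those whose value is really a sig_sid, i.e. the OSSEC rule id.

```python
import sqlite3

# Constructed sample data (not from the thread's database): a subset of the
# signature table quoted above, plus an assumed event table with the Snort
# schema columns that BASE joins on (event.signature -> signature.sig_id).
SIGNATURES = [
    (1, "Unknown problem somewhere in the system.", 1, 7, 0, 102, None),
    (2, "SSHD authentication failed.", 1, 5, 0, 1516, None),
    (7, "User authentication failure.", 1, 5, 0, 401, None),
    (8, "User sucessfully changed UID to root", 1, 3, 0, 1103, None),
]
# (sid, cid, signature, timestamp). Events 1 and 2 reference valid sig_id
# values; event 3 stores the OSSEC rule id 1103 (the sig_sid) instead of
# sig_id 8; event 4 references an id that exists nowhere in the table.
EVENTS = [
    (1, 1, 8, "2006-09-21 08:35:15"),
    (1, 2, 7, "2006-09-21 08:36:02"),
    (1, 3, 1103, "2006-09-21 10:15:31"),
    (1, 4, 9999, "2006-09-21 10:20:00"),
]


def build_db():
    """Create an in-memory SQLite database holding the two sample tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
            sig_class_id INTEGER, sig_priority INTEGER, sig_rev INTEGER,
            sig_sid INTEGER, sig_gid INTEGER);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
            timestamp TEXT, PRIMARY KEY (sid, cid));
    """)
    con.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", SIGNATURES)
    con.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    return con


def orphaned_events(con):
    """Events whose signature value matches no sig_id (BASE shows them with an
    empty Signature column).  The last two columns are non-NULL when the value
    instead matches a sig_sid, i.e. the feeder wrote the rule id, not the key."""
    return con.execute("""
        SELECT e.sid, e.cid, e.signature, r.sig_id, r.sig_name
        FROM event e
        LEFT JOIN signature s ON s.sig_id = e.signature
        LEFT JOIN signature r ON r.sig_sid = e.signature
        WHERE s.sig_id IS NULL
        ORDER BY e.sid, e.cid
    """).fetchall()
```

The same SELECT can be run unchanged against the MySQL base database to see which of the 27807 events fail the join.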
