-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello,
Sorry, I thought I sent this e-mail earlier but I think it went into the big internet /dev/null in the sky. We're currently working on a PHP/MySQL based reporting web interface for OSSEC. Unlike the traditional WUI (which parses logs to present via web interface) we wanted a web based query and reporting engine. Unfortunately the WUI wasn't able to do things like show all the logs for X host during Y time or show all the alerts for X host on Y rule. We ran into several problems with the MySQL integration until version 1.5. You have to follow the instructions at http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput. Additionally we found that there was no way to correlate the alerts with the logs that triggered them via the database. In order to do this we altered the MySQL database by using: ALTER TABLE data ADD COLUMN tstamp timestamp DEFAULT now(); you can then use the data.tsamp column to map data to alerts like so: SELECT d.*, a.* FROM data d, alert a WHERE a.time = unix_timestamp(d.tstamp) Since the data is dropped into the database at the same time the timestamps on the data entries will match timestamps on the alert entries. Our project is a traditional MVC PHP/MySQL application but still in the early stages (the object model is complete but we don't have a display layer worked out yet). We fully intend to share the completed project under GPL and hopefully build in some hook for historic NMAP scans of hosts and potentially down the road integrate with Snort alerts. If anyone would like to help please let me know. I'm also happy to share the code we have now if anyone is interested. Hope this helps. Justin C. Klein Keane Sr. Information Security Specialist Information Security and Unix Systems University of Pennsylvania School of Arts and Sciences 3600 Market St. Room 527 Philadelphia, PA 19104 215.898.0236(p) 215.573.3166(f) Dimitri Yioulos wrote: > Agreed. > > On Wednesday 25 June 2008 4:05 pm, Herb Steck wrote: >> MySQL. >> >> But there is already a web interface, so why not work off of that and make >> it better? >> >> -----Original Message----- >> From: [email protected] [mailto:[EMAIL PROTECTED] On >> Behalf Of Adriel Desautels >> Sent: Wednesday, June 25, 2008 3:00 PM >> To: [email protected] >> Subject: [ossec-list] Re: OSSEC Web Interface >> >> I don't see why not. I'm not much of a developer myself, so I'd most >> probably need some help heading this off. First I need to understand how >> OSSEC interfaces with what database. Anyone know? >> >> Regards, >> Adriel T. Desautels >> Chief Technology Officer >> Netragard, LLC. >> Office : 617-934-0269 >> Mobile : 617-633-3821 >> http://www.linkedin.com/pub/1/118/a45 >> >> Join the Netragard, LLC. Linked In Group: >> http://www.linkedin.com/e/gis/48683/0B98E1705142 >> >> --------------------------------------------------------------- >> Netragard, LLC - http://www.netragard.com - "We make IT Safe" >> Penetration Testing, Vulnerability Assessments, Website Security >> >> Netragard Whitepaper Downloads: >> ------------------------------- >> Choosing the right provider : http://tinyurl.com/2ahk3j Three Things you >> must know : http://tinyurl.com/26pjsn >> >> Derek J. Morris wrote: >>> That would be great, are you going to make it open to the ossec >>> community? >>> >>> -Derek >>> >>>> Greetings, >>>> I am interested in possibly creating a new OSSEC web interface. What >>>> >>>> sort of back-end database does OSSEC use today? I thought it was >>>> mysql, but I think I'm wrong. >>>> >>>> Regards, >>>> Adriel T. Desautels >>>> Chief Technology Officer >>>> Netragard, LLC. >>>> Office : 617-934-0269 >>>> Mobile : 617-633-3821 >>>> http://www.linkedin.com/pub/1/118/a45 >>>> >>>> Join the Netragard, LLC. Linked In Group: >>>> http://www.linkedin.com/e/gis/48683/0B98E1705142 >>>> >>>> --------------------------------------------------------------- >>>> Netragard, LLC - http://www.netragard.com - "We make IT Safe" >>>> Penetration Testing, Vulnerability Assessments, Website Security >>>> >>>> Netragard Whitepaper Downloads: >>>> ------------------------------- >>>> Choosing the right provider : http://tinyurl.com/2ahk3j Three Things >>>> you must know : http://tinyurl.com/26pjsn >>> - Derek > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIY/JjR4a3EW2yjlQRAuvoAJ0bVDG7oZGL/uGhQ007TZtnxj5grwCfZKyn swm7gBs53KfyTJPGYBuyQ6M= =prmB -----END PGP SIGNATURE-----
