Not to rain on anyone's parade, but have you ever looked at OSSIM? It can read from Snort, OSSEC, and lots of other tools, it's got a database, a nice correlation engine and a pretty web UI...
Just sayin'...

cb

On Thu, Jun 26, 2008 at 2:47 PM, Justin Klein Keane <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> Sorry, I thought I sent this e-mail earlier but I think it went into
> the big internet /dev/null in the sky. We're currently working on a
> PHP/MySQL based reporting web interface for OSSEC. Unlike the
> traditional WUI (which parses logs to present via web interface) we
> wanted a web based query and reporting engine. Unfortunately the WUI
> wasn't able to do things like show all the logs for X host during Y
> time or show all the alerts for X host on Y rule.
>
> We ran into several problems with the MySQL integration until version
> 1.5. You have to follow the instructions at
> http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput.
> Additionally we found that there was no way to correlate the alerts
> with the logs that triggered them via the database. In order to do
> this we altered the MySQL database by using:
>
> ALTER TABLE data ADD COLUMN tstamp timestamp DEFAULT now();
>
> You can then use the data.tstamp column to map data to alerts like so:
>
> SELECT d.*, a.* FROM data d, alert a
> WHERE a.time = unix_timestamp(d.tstamp)
>
> Since the data is dropped into the database at the same time, the
> timestamps on the data entries will match timestamps on the alert
> entries.
>
> Our project is a traditional MVC PHP/MySQL application but still in
> the early stages (the object model is complete but we don't have a
> display layer worked out yet). We fully intend to share the completed
> project under GPL and hopefully build in some hook for historic NMAP
> scans of hosts and potentially down the road integrate with Snort
> alerts. If anyone would like to help please let me know. I'm also
> happy to share the code we have now if anyone is interested. Hope this
> helps.
>
> Justin C. Klein Keane
>
> Sr. Information Security Specialist
> Information Security and Unix Systems
> University of Pennsylvania
> School of Arts and Sciences
> 3600 Market St.
> Room 527
> Philadelphia, PA 19104
> 215.898.0236(p)
> 215.573.3166(f)
>
> Dimitri Yioulos wrote:
> > Agreed.
> >
> > On Wednesday 25 June 2008 4:05 pm, Herb Steck wrote:
> >> MySQL.
> >>
> >> But there is already a web interface, so why not work off of that and
> >> make it better?
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[EMAIL PROTECTED]] On
> >> Behalf Of Adriel Desautels
> >> Sent: Wednesday, June 25, 2008 3:00 PM
> >> To: [email protected]
> >> Subject: [ossec-list] Re: OSSEC Web Interface
> >>
> >> I don't see why not. I'm not much of a developer myself, so I'd most
> >> probably need some help heading this off. First I need to understand
> >> how OSSEC interfaces with what database. Anyone know?
> >>
> >> Regards,
> >> Adriel T. Desautels
> >> Chief Technology Officer
> >> Netragard, LLC.
> >> Office : 617-934-0269
> >> Mobile : 617-633-3821
> >> http://www.linkedin.com/pub/1/118/a45
> >>
> >> Join the Netragard, LLC. Linked In Group:
> >> http://www.linkedin.com/e/gis/48683/0B98E1705142
> >>
> >> ---------------------------------------------------------------
> >> Netragard, LLC - http://www.netragard.com - "We make IT Safe"
> >> Penetration Testing, Vulnerability Assessments, Website Security
> >>
> >> Netragard Whitepaper Downloads:
> >> -------------------------------
> >> Choosing the right provider : http://tinyurl.com/2ahk3j
> >> Three Things you must know : http://tinyurl.com/26pjsn
> >>
> >> Derek J. Morris wrote:
> >>> That would be great, are you going to make it open to the ossec
> >>> community?
> >>>
> >>> -Derek
> >>>
> >>>> Greetings,
> >>>> I am interested in possibly creating a new OSSEC web interface. What
> >>>> sort of back-end database does OSSEC use today? I thought it was
> >>>> mysql, but I think I'm wrong.
> >>>>
> >>>> Regards,
> >>>> Adriel T. Desautels
> >>>> Chief Technology Officer
> >>>> Netragard, LLC.
> >>> - Derek
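The timestamp join from Justin's message, as an added illustration that is not part of the thread: a SQLite stand-in for the `alert` and `data` tables runs the join and then checks for alerts that a time-only join pairs with more than one log row, which happens whenever two log lines are inserted within the same second. Column names `rule_id` and `full_log` are assumptions rather than OSSEC's schema, and MySQL's `unix_timestamp()` is written as SQLite's `strftime('%s', ...)`.

```python
import sqlite3

# Constructed SQLite stand-in for the two OSSEC MySQL tables discussed in the
# mail: `alert` (unix-time column `time`) and `data` (log text) with the added
# `tstamp` column. Column names `rule_id` and `full_log` are assumptions, not
# OSSEC's schema. Sample rows are constructed; 2008-06-26 14:47:00 UTC is
# unix time 1214491620.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE alert (id INTEGER PRIMARY KEY, rule_id INTEGER, time INTEGER);
        CREATE TABLE data  (id INTEGER PRIMARY KEY, full_log TEXT, tstamp TEXT);
    """)
    con.executemany("INSERT INTO alert VALUES (?, ?, ?)",
                    [(1, 5716, 1214491620), (2, 5716, 1214491621)])
    con.executemany("INSERT INTO data VALUES (?, ?, ?)", [
        (1, "sshd: Failed password for root", "2008-06-26 14:47:00"),
        (2, "cron: (root) CMD (run-parts)", "2008-06-26 14:47:00"),  # same second
        (3, "sshd: Failed password for admin", "2008-06-26 14:47:01"),
    ])
    return con

def correlate(con):
    """The join from the mail, with MySQL unix_timestamp() written as SQLite
    strftime('%s', ...): pair each alert with every log row stored in the
    same second."""
    return con.execute("""
        SELECT a.id, d.id, d.full_log FROM data d, alert a
        WHERE a.time = CAST(strftime('%s', d.tstamp) AS INTEGER)
        ORDER BY a.id, d.id
    """).fetchall()

def ambiguous_alerts(con):
    """Alerts that the time-only join maps to more than one log row: these are
    the cases a reporting UI would show with unrelated log lines attached."""
    return con.execute("""
        SELECT a.id, COUNT(*) FROM alert a JOIN data d
          ON a.time = CAST(strftime('%s', d.tstamp) AS INTEGER)
        GROUP BY a.id HAVING COUNT(*) > 1 ORDER BY a.id
    """).fetchall()

if __name__ == "__main__":
    con = build_db()
    for alert_id, data_id, log in correlate(con):
        print(f"alert {alert_id} <- data {data_id}: {log}")
    print("ambiguous:", ambiguous_alerts(con))
```

With the sample rows, alert 1 is paired with both the sshd line and the unrelated cron line, so a second-granularity match is a useful first cut but needs a tighter key before it can be trusted in a report.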
