Christopher,
        I've used it just recently, actually, and can't complain about it. That 
said, it is much more than what I need (I think). I didn't know that it 
was OSSEC compatible though; I'll have to take a look again.

        My only problem with something like OSSIM is that Snort's MySQL 
reporting features are horrible. In every install of Snort that used 
MySQL I've run into issues with the database and duplicate entries or 
keys. That causes me to miss events, which is a serious issue. Do you 
know of a way around that issue?

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Christopher wrote:
> Not to rain on anyone's parade, but have you ever looked at OSSIM?  It 
> can read from Snort, OSSEC, and lots of other tools, its got a database, 
> a nice correlation engine and a pretty web UI...
> 
> Just sayin'...
> 
> cb
> 
> On Thu, Jun 26, 2008 at 2:47 PM, Justin Klein Keane <[EMAIL PROTECTED]> wrote:
> 
> 
> Hello,
> 
>  Sorry, I thought I sent this e-mail earlier but I think it went into
> the big internet /dev/null in the sky.  We're currently working on a
> PHP/MySQL based reporting web interface for OSSEC.  Unlike the
> traditional WUI (which parses logs to present via web
> interface) we wanted a web based query and reporting engine.
> Unfortunately the WUI wasn't able to do things like show all the logs
> for X host during Y time or show all the alerts for X host on Y rule.
> 
> We ran into several problems with the MySQL integration until version
> 1.5.  You have to follow the instructions at
> http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput.
> Additionally we found that there was no way to correlate the alerts with
> the logs that triggered them via the database.  In order to do this we
> altered the MySQL database by using:
> 
> ALTER TABLE data ADD COLUMN tstamp timestamp DEFAULT now();
> 
> you can then use the data.tstamp column to map data to alerts like so:
> 
> SELECT d.*, a.* FROM data d, alert a
> WHERE a.time = unix_timestamp(d.tstamp)
> 
> Since the data is dropped into the database at the same time the
> timestamps on the data entries will match timestamps on the alert
> entries.
> 
> Our project is a traditional MVC PHP/MySQL application but still in the
> early stages (the object model is complete but we don't have a display
> layer worked out yet).  We fully intend to share the completed project
> under GPL and hopefully build in some hook for historic NMAP scans of
> hosts and potentially down the road integrate with Snort alerts.  If
> anyone would like to help please let me know.  I'm also happy to share
> the code we have now if anyone is interested.  Hope this helps.
> 
> Justin C. Klein Keane
> 
> Sr. Information Security Specialist
> Information Security and Unix Systems
> University of Pennsylvania
> School of Arts and Sciences
> 3600 Market St.
> Room 527
> Philadelphia, PA 19104
> 215.898.0236(p)
> 215.573.3166(f)
> 
> Dimitri Yioulos wrote:
>  > Agreed.
> 
>  > On Wednesday 25 June 2008 4:05 pm, Herb Steck wrote:
>  >> MySQL.
>  >>
>  >> But there is already a web interface, so why not work off of that
>  >> and make it better?
>  >>
>  >> -----Original Message-----
>  >> From: [email protected] [mailto:[email protected]] On
>  >> Behalf Of Adriel Desautels
>  >> Sent: Wednesday, June 25, 2008 3:00 PM
>  >> To: [email protected]
>  >> Subject: [ossec-list] Re: OSSEC Web Interface
>  >>
>  >> I don't see why not. I'm not much of a developer myself, so I'd most
>  >> probably need some help heading this off. First I need to understand how
>  >> OSSEC interfaces with what database. Anyone know?
>  >>
>  >> Regards,
>  >>      Adriel T. Desautels
>  >>      Chief Technology Officer
>  >>      Netragard, LLC.
>  >>      Office : 617-934-0269
>  >>      Mobile : 617-633-3821
>  >>      http://www.linkedin.com/pub/1/118/a45
>  >>
>  >> Derek J. Morris wrote:
>  >>> That would be great, are you going to make it open to the ossec
>  >>> community?
>  >>>
>  >>> -Derek
>  >>>
>  >>>> Greetings,
>  >>>>    I am interested in possibly creating a new OSSEC web interface. What
>  >>>> sort of back-end database does OSSEC use today? I thought it was
>  >>>> mysql, but I think I'm wrong.
>  >>>>
>  >>>> Regards,
>  >>>>    Adriel T. Desautels
>  >>>>    Chief Technology Officer
>  >>>>    Netragard, LLC.
>  >>>>    Office : 617-934-0269
>  >>>>    Mobile : 617-633-3821
>  >>>>    http://www.linkedin.com/pub/1/118/a45
>  >>>>
>  >>> - Derek
> 
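The timestamp correlation Justin describes above, as an added example that is not code from this thread or from the OSSEC project: it builds simplified stand-in `alert` and `data` tables in SQLite (the column set is an assumption, not the real OSSEC schema), runs the equivalent of his join, and surfaces the one caveat worth knowing before a reporting interface relies on it: a second-resolution equality join becomes many-to-many whenever several alerts and several log lines land in the same second, so each alert gets paired with every log line from that second. `strftime('%s', ...)` stands in for MySQL's `unix_timestamp()`; the sample rows are constructed.

```python
import sqlite3

# Constructed, simplified stand-ins for OSSEC's 'alert' and 'data' tables.
# Assumption: only the columns needed for the timestamp join are modelled;
# 'data.tstamp' is the column added by the ALTER TABLE in the post.
SCHEMA = """
CREATE TABLE alert (
    id      INTEGER PRIMARY KEY,
    time    INTEGER NOT NULL,   -- unix timestamp, like OSSEC's alert.time
    rule_id INTEGER NOT NULL,
    level   INTEGER NOT NULL
);
CREATE TABLE data (
    id      INTEGER PRIMARY KEY,
    log     TEXT NOT NULL,
    tstamp  TEXT NOT NULL       -- 'YYYY-MM-DD HH:MM:SS', treated as UTC here
);
"""

# Constructed sample rows. Alerts 1 and 2 share a second, as do log lines 1 and 2.
ALERTS = [
    (1, 1214508420, 5710, 5),   # 2008-06-26 19:27:00 UTC
    (2, 1214508420, 5716, 10),  # same second as alert 1
    (3, 1214508445, 2502, 10),  # 2008-06-26 19:27:25 UTC
]
LOGS = [
    (1, "sshd[1001]: Invalid user admin from 10.0.0.5", "2008-06-26 19:27:00"),
    (2, "sshd[1002]: Failed password for invalid user admin from 10.0.0.5", "2008-06-26 19:27:00"),
    (3, "PAM: Authentication failure for root", "2008-06-26 19:27:25"),
    (4, "sshd[1003]: Accepted publickey for deploy from 10.0.0.9", "2008-06-26 19:28:10"),  # no alert
]

# SQLite has no unix_timestamp(); strftime('%s', text) parses the text as UTC
# and returns the epoch seconds as a string, hence the CAST.
EPOCH = "CAST(strftime('%s', d.tstamp) AS INTEGER)"


def build_db():
    """Create an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO alert VALUES (?, ?, ?, ?)", ALERTS)
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", LOGS)
    return conn


def correlate(conn):
    """The post's join: pair every alert with log lines from the same second.
    Returns (alert_id, rule_id, data_id, log) tuples."""
    sql = f"""
    SELECT a.id, a.rule_id, d.id, d.log
    FROM data d JOIN alert a ON a.time = {EPOCH}
    ORDER BY a.id, d.id
    """
    return conn.execute(sql).fetchall()


def ambiguous_seconds(conn):
    """Seconds where the equality join is many-to-many: more than one alert AND
    more than one log line share the second, so the pairing is not one-to-one.
    Returns (epoch_second, alert_count, log_count) tuples."""
    sql = f"""
    SELECT a.time, COUNT(DISTINCT a.id), COUNT(DISTINCT d.id)
    FROM alert a JOIN data d ON a.time = {EPOCH}
    GROUP BY a.time
    HAVING COUNT(DISTINCT a.id) > 1 AND COUNT(DISTINCT d.id) > 1
    """
    return conn.execute(sql).fetchall()


def unmatched_logs(conn):
    """Log lines stored in 'data' that no alert shares a second with."""
    sql = f"""
    SELECT d.id, d.log
    FROM data d LEFT JOIN alert a ON a.time = {EPOCH}
    WHERE a.id IS NULL
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in correlate(db):
        print("alert %d (rule %d) <-> data %d: %s" % row)
    print("ambiguous seconds:", ambiguous_seconds(db))
    print("logs without an alert:", unmatched_logs(db))
```

The join reproduces what the post promises for isolated events (alert 3 maps to exactly one log line), but the burst in the first second yields four pairs for two alerts. A reporting layer that counts join rows as alerts would over-report there, which is why the ambiguity check is worth running alongside the join before trusting the numbers.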