Not to take anything away from OSSIM, but unless you're willing to run their VM, it is next to impossible to install.
Too bad too, it looked nice. On Thu, 2008-06-26 at 19:55 -0500, Christopher wrote: > Not to rain on anyone's parade, but have you ever looked at OSSIM? It > can read from Snort, OSSEC, and lots of other tools, its got a > database, a nice correlation engine and a pretty web UI... > > Just sayin'... > > cb > > On Thu, Jun 26, 2008 at 2:47 PM, Justin Klein Keane > <[EMAIL PROTECTED]> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello, > > > Sorry, I thought I sent this e-mail earlier but I think it > went into > the big internet /dev/null in the sky. We're currently > working on a > PHP/MySQL based reporting web interface for OSSEC. Unlike the > traditional WUI (which parses logs to present via web > interface) we wanted a web based query and reporting engine. > Unfortunately the WUI wasn't able to do things like show all > the logs > for X host during Y time or show all the alerts for X host on > Y rule. > > We ran into several problems with the MySQL integration until > version > 1.5. You have to follow the instructions at > http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput. > Additionally we found that there was no way to correlate the > alerts with > the logs that triggered them via the database. In order to do > this we > altered the MySQL database by using: > > ALTER TABLE data ADD COLUMN tstamp timestamp DEFAULT now(); > > you can then use the data.tsamp column to map data to alerts > like so: > > SELECT d.*, a.* FROM data d, alert a > WHERE a.time = unix_timestamp(d.tstamp) > > Since the data is dropped into the database at the same time > the > timestamps on the data entries will match timestamps on the > alert entries. > > Our project is a traditional MVC PHP/MySQL application but > still in the > early stages (the object model is complete but we don't have a > display > layer worked out yet). We fully intend to share the completed > project > under GPL and hopefully build in some hook for historic NMAP > scans of > hosts and potentially down the road integrate with Snort > alerts. If > anyone would like to help please let me know. I'm also happy > to share > the code we have now if anyone is interested. Hope this > helps. > > > Justin C. Klein Keane > > Sr. Information Security Specialist > Information Security and Unix Systems > University of Pennsylvania > School of Arts and Sciences > 3600 Market St. > Room 527 > Philadelphia, PA 19104 > 215.898.0236(p) > 215.573.3166(f) > > Dimitri Yioulos wrote: > > > > Agreed. > > > > On Wednesday 25 June 2008 4:05 pm, Herb Steck wrote: > >> MySQL. > >> > >> But there is already a web interface, so why not work off > of that and make > >> it better? > >> > >> -----Original Message----- > >> From: [email protected] > [mailto:[EMAIL PROTECTED] On > >> Behalf Of Adriel Desautels > >> Sent: Wednesday, June 25, 2008 3:00 PM > >> To: [email protected] > >> Subject: [ossec-list] Re: OSSEC Web Interface > >> > >> I don't see why not. I'm not much of a developer myself, so > I'd most > >> probably need some help heading this off. First I need to > understand how > >> OSSEC interfaces with what database. Anyone know? > >> > >> Regards, > >> Adriel T. Desautels > >> Chief Technology Officer > >> Netragard, LLC. > >> Office : 617-934-0269 > >> Mobile : 617-633-3821 > >> http://www.linkedin.com/pub/1/118/a45 > >> > >> Join the Netragard, LLC. Linked In Group: > >> http://www.linkedin.com/e/gis/48683/0B98E1705142 > >> > >> > --------------------------------------------------------------- > >> Netragard, LLC - http://www.netragard.com - "We make IT > Safe" > >> Penetration Testing, Vulnerability Assessments, Website > Security > >> > >> Netragard Whitepaper Downloads: > >> ------------------------------- > >> Choosing the right provider : http://tinyurl.com/2ahk3j > Three Things you > >> must know : http://tinyurl.com/26pjsn > >> > >> Derek J. Morris wrote: > >>> That would be great, are you going to make it open to the > ossec > >>> community? > >>> > >>> -Derek > >>> > >>>> Greetings, > >>>> I am interested in possibly creating a new OSSEC web > interface. What > >>>> > >>>> sort of back-end database does OSSEC use today? I thought > it was > >>>> mysql, but I think I'm wrong. > >>>> > >>>> Regards, > >>>> Adriel T. Desautels > >>>> Chief Technology Officer > >>>> Netragard, LLC. > >>>> Office : 617-934-0269 > >>>> Mobile : 617-633-3821 > >>>> http://www.linkedin.com/pub/1/118/a45 > >>>> > >>>> Join the Netragard, LLC. Linked In Group: > >>>> http://www.linkedin.com/e/gis/48683/0B98E1705142 > >>>> > >>>> > --------------------------------------------------------------- > >>>> Netragard, LLC - http://www.netragard.com - "We make IT > Safe" > >>>> Penetration Testing, Vulnerability Assessments, Website > Security > >>>> > >>>> Netragard Whitepaper Downloads: > >>>> ------------------------------- > >>>> Choosing the right provider : http://tinyurl.com/2ahk3j > Three Things > >>>> you must know : http://tinyurl.com/26pjsn > >>> - Derek > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > > iD8DBQFIY/JjR4a3EW2yjlQRAuvoAJ0bVDG7oZGL/uGhQ007TZtnxj5grwCfZKyn > swm7gBs53KfyTJPGYBuyQ6M= > =prmB > -----END PGP SIGNATURE----- > -- Sean Brown Senior Systems Engineer Eagle Press 252-451-1825 x232 [EMAIL PROTECTED]
