Hello everyone,

I’m working on upgrading my OSSEC + SNORT + prelude_manager\prewikka setup 
and ran into a bit of a challenge. Snort has decided to drop prelude 
support <http://seclists.org/snort/2012/q2/312> as of version 2.9.3 (hit the 
link for details).
On the other hand, OSSEC offers the following output options as I understand:

   1. Multi-line output towards <install path>/logs/alerts/alerts.log
   2. DB output using <ossec_source>/src/os_dbd/<mysql\postgresql>.schema
   3. Prelude output
   4. Email alerting

With prelude’s package no longer supported by snort, I either need to find a 
new GUI that supports both or run one GUI per IDS\HiDS. My objective is to 
find a GUI that displays info as compact and categorized as possible so 
that all it takes is one look to know if everything is good or not 
(like snorby’s dashboard).

I’ve searched the web for a week or so and found the following alternatives:

- BASE, which hasn’t been updated since 2009 (http://base.secureideas.net/)
  - Supports Snort AND OSSEC (using ossec2mysql)
- Snort Report, AnaLogi, OSSEC WUI, or similar…
  - Only seems to support either OSSEC or Snort
- Log analyzers such as syslog-ng, ELSA, logstash, etc.
  - Although they output useful stats, it’s not quite what I’m looking for.
- Snorby
  - Supports Snort and Sagan with the usage of Unified2 output \ Barnyard2
  - Can partially support OSSEC with the usage of ossec2mysql since it 
    uses snort’s DB schema.
- OSSIM \ securityOnion
  - Full blown OS with everything packed together
    - You seem restricted to specific versions of OSSEC, snort, etc. 
      Upgrading manually isn’t recommended.


Searching OSSEC’s Google group for Snorby or unified2 didn’t yield many 
results, which seems to indicate interest is low right now or I've something 
...

So, my questions are:

1. Would adding support for Unified2 output be considered in the near 
   future in OSSEC’s roadmap?

2. Is there a chance ossec2mysql could be updated to support Snort's DB 
   schema (snorby)? (My programming skills are null at best, but it seems 
   only minimal updates are needed, basically redirecting the DB INSERTs from 
   acid_events to iphdr.)

3. What is everyone else using as an Open Source security monitoring 
   GUI for snort >= 2.9.3 & OSSEC?

As usual, thanks in advance for the continuous support the OSSEC community 
gives; all types of comments are welcome ^_^

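Added example, not code from the post above or from OSSEC itself: option 1 in the post is OSSEC's multi-line alerts.log, and the poster's goal is a display that is "compact and categorized" enough to judge at one look. The parser below reads that multi-line record layout (header, origin line, `Rule:` line, optional `Src IP:`/`User:` lines, then the raw log) and condenses the alerts into the per-level, per-group and per-agent counts a dashboard would show. The `SAMPLE_LOG` excerpt is constructed for the example, not a real capture; the function names `parse_alerts` and `summarize` are this example's own.

```python
"""Parse OSSEC's multi-line alerts.log and condense it into a one-look summary.

Added example (not from the mailing-list post or from OSSEC). The record layout
follows OSSEC's alerts.log format; SAMPLE_LOG is a constructed excerpt.
"""
import re
from collections import Counter

# Header line of an alert block. The optional "mail" token marks alerts that
# also triggered an e-mail; groups are comma separated with a trailing comma.
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<id>\d+\.\d+):(?: (?P<mail>mail))?\s+- (?P<groups>.*?),?$"
)
# Origin line: date, then either "(agent) ip" or a local hostname, then "->location".
ORIGIN_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Constructed sample in alerts.log layout (not a real capture).
SAMPLE_LOG = """\
** Alert 1341920000.12345: mail  - syslog,sshd,authentication_failed,
2012 Jul 10 10:13:20 (web01) 192.168.1.20->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Jul 10 10:13:19 web01 sshd[1234]: Failed password for root from 10.0.0.5 port 51234 ssh2

** Alert 1341920100.12400: - ossec,syscheck,
2012 Jul 10 10:15:00 ossec-server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1341920200.12500: - syslog,sshd,authentication_failed,
2012 Jul 10 10:16:40 (web01) 192.168.1.20->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: admin
Jul 10 10:16:39 web01 sshd[1240]: Failed password for admin from 10.0.0.5 port 51300 ssh2
"""


def parse_alerts(text):
    """Split alerts.log text on blank lines and return one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0]) if lines else None
        origin = ORIGIN_RE.match(lines[1]) if len(lines) > 1 else None
        rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
        if not (header and origin and rule):
            continue  # skip a malformed or partially written block instead of crashing
        src_ip = user = None
        log_lines = []
        for line in lines[3:]:
            if line.startswith("Src IP: "):
                src_ip = line[len("Src IP: "):]
            elif line.startswith("User: "):
                user = line[len("User: "):]
            else:
                log_lines.append(line)
        alerts.append({
            "id": header.group("id"),
            "epoch": int(header.group("id").split(".")[0]),  # first part is a UNIX timestamp
            "mailed": header.group("mail") is not None,
            "groups": header.group("groups").split(","),
            "date": origin.group("date"),
            "agent": origin.group("agent") or origin.group("host"),
            "ip": origin.group("ip"),
            "location": origin.group("location"),
            "rule": int(rule.group("rule")),
            "level": int(rule.group("level")),
            "description": rule.group("desc"),
            "src_ip": src_ip,
            "user": user,
            "log": log_lines,
        })
    return alerts


def summarize(alerts, min_level=0):
    """Condense alerts at or above min_level into the counts a dashboard shows."""
    wanted = [a for a in alerts if a["level"] >= min_level]
    return {
        "total": len(wanted),
        "max_level": max((a["level"] for a in wanted), default=0),
        "by_level": dict(Counter(a["level"] for a in wanted)),
        "by_group": dict(Counter(g for a in wanted for g in a["groups"])),
        "by_agent": dict(Counter(a["agent"] for a in wanted)),
        "top_src_ips": Counter(a["src_ip"] for a in wanted if a["src_ip"]).most_common(5),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The `min_level` filter is what turns the full feed into a status light: summarising only alerts at level 7 and above gives the "is anything wrong" view, while the unfiltered counts by group and agent give the categorized breakdown. Pointing `parse_alerts` at the real file is a matter of `parse_alerts(open(path).read())`.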