On Thu, Jan 24, 2013 at 9:12 AM, JPZ <[email protected]> wrote:
> Hello everyone,
>
> I'm working on upgrading my OSSEC + SNORT + prelude_manager\prewikka setup
> and ran into a bit of a challenge. Snort has decided to drop prelude support
> as of version 2.9.3 (hit the link for details). On the other hand OSSEC
> offers the following output options as I understand:
>

I'm pretty sure that functionality is still part of barnyard2. Using by2 for storing the alerts in something like this has been the only sane choice for a while now.

> 1. Multi line output towards <install path>/logs/alerts/alerts.log
> 2. DB output using <ossec_source>/src/os_dbd/<mysql\postgresql>.schema
> 3. Prelude output
> 4. Email alerting
>
> With prelude's package no longer supported by snort I either need to find a
> new GUI that supports both or run one GUI per IDS\HiDS. My objective is to
> find a GUI that displays info as compacted and categorized as possible so
> that all it takes is one look to know if everything is good, or not (like
> snorby's dashboard).
>
> I've searched the web for a week or so and found the following alternatives:
>
> · BASE, which hasn't been updated since 2009 (http://base.secureideas.net/)
>   o Supports Snort AND OSSEC (using ossec2mysql)
> · Snort Report, AnaLogi, OSSEC WUI, or similar...
>   o Only seems to support either OSSEC or Snort
> · Log analyzers such as syslog-ng, ELSA, logstash, etc.
>   o Although they output useful stats, it's not quite what I'm looking for.
> · Snorby
>   o Supports Snort and Sagan with the usage of Unified2 output \ Barnyard2
>   o Can partially support OSSEC with the usage of ossec2mysql since it uses
>     snort's DB schema.
> · OSSIM \ securityOnion
>   o Full blown OS with everything packed together
>     § You seem restricted to specific versions of OSSEC, snort, etc. Upgrading
>       manually isn't recommended.
>
> Searching OSSEC's google group for Snorby or unified2 didn't yield many
> results, which seems to indicate interest is low right now or I've something
> ...
>
> So, my questions are:
>
> 1. Would adding support for Unified2 output be considered in the near
> future in OSSEC's roadmap?

I think it would be neat, I look forward to the diffs!

> 2. Is there a chance ossec2mysql could be updated to support Snort's DB
> schema (snorby)? (my programming skills are null at best but it seems
> only minimal updates are needed, basically redirect the DB INSERTs from
> acid_events to iphrd.)

Again, send diffs!

> 3. What is everyone else using as an Open Source security monitoring
> GUI for snort =>2.9.3 & OSSEC ?

Prelude, elsa, logstash, splunk, arcsight, etc. should all work just fine.

> As usual, thanks in advance for the continuous support the OSSEC community
> gives, all types of comments are welcome ^_^
>
> --

--
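As an added example (not from this thread, and not OSSEC's or ossec2mysql's own code), here is a small Python parser for the multi-line alerts.log format listed as output option 1, plus the per-rule severity summary a "one look" dashboard would show. The two sample alerts are constructed, and the record field names are my own choice.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
# Constructed sample of OSSEC's multi-line alerts.log output (two alerts; not a real capture).
SAMPLE_ALERTS = """\
** Alert 1358923200.12345: mail  - syslog,sshd,authentication_failed,
2013 Jan 23 08:00:00 (webhost) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.50
Jan 23 08:00:00 webhost sshd[1234]: Failed password for root from 192.168.1.50 port 3333 ssh2

** Alert 1358923260.12400: - syscheck,
2013 Jan 23 08:01:00 webhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""
# An alert block starts with a "** Alert" header line and ends at the next blank line.
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<flags>[^-]*)-\s*(?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_RE = re.compile(r"^Src IP: (\S+)$")
@dataclass
class Alert:
    alert_id: str           # "<epoch>.<sequence>" as printed in the header
    groups: list            # rule groups from the header, e.g. ["syslog", "sshd", ...]
    rule_id: int = 0
    level: int = 0
    description: str = ""
    src_ip: str = ""        # empty when the alert carries no "Src IP:" line (e.g. syscheck)
    body: list = field(default_factory=list)  # remaining lines: location, matched log line, details

def parse_alerts(text):
    """Split alerts.log text into one Alert record per '** Alert' block."""
    alerts, current = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = Alert(f"{m['ts']}.{m['seq']}", [g for g in m["groups"].split(",") if g])
            alerts.append(current)
        elif current is None or not line.strip():
            continue  # text before the first header, or the blank separator between alerts
        elif m := RULE_RE.match(line):
            current.rule_id, current.level, current.description = int(m["rule"]), int(m["level"]), m["desc"]
        elif m := SRC_RE.match(line):
            current.src_ip = m[1]
        else:
            current.body.append(line)
    return alerts

def summarize(alerts, min_level=0):  # alert count per rule id at or above min_level
    return dict(Counter(a.rule_id for a in alerts if a.level >= min_level))
```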
