Thanks for doing this, guys. It was in need of some attention.

Michael D. Wood
www.itsecuritypros.org

On Feb 6, 2013, at 7:04 PM, Jb Cheng <[email protected]> wrote:

> Thanks to Ryan Schulze's contribution, also Darius Jahandarie, ddpbsd, and 
> Vic Hargrave.
> 
> I started integrating several WUI patches into a BitBucket repository: 
> https://bitbucket.org/jbcheng/ossec-wui/.
> 
> (1) Updated logo, removed PayPal button, wider display format, easier-to-read 
> events output. 
> (2) Updated broken rule ID link, fixed "Src IP:" error, and added "User:" if 
> available. 
> (3) Fixed integrity check file regexes to allow period in agent names, and 
> 'any' for IP address. 
> (4) Fixed fseek() error.
> 
> It is still a work in progress. You are welcome to download the TIP from 
> BitBucket and try it. 
> 
> On Saturday, February 2, 2013 3:01:00 PM UTC-8, Ryan Schulze wrote:
> Hi Vilius,
> 
> If you are using the OSSEC Web UI 0.3 download from ossec.net you may want to 
> have a look at some of the patches here on the list. 
> e.g. http://osdir.com/ml/ossec-list/2012-06/msg00161.html
> 
> The log format changed with version OSSEC 2.6 and broke some of the 
> functionality of the Web UI. I don't use it any more, so I can't say if the 
> changes still work with 2.7, but as long as the log formatting is the same, 
> it should.
> 
> On 2/2/2013 1:23 PM, Vilius Benetis wrote:
>> Hey,
>> 
>> I am trying to understand where exactly ossec-wui parses srcip, as I often 
>> get bad parsing, for example:
>> 
>> 2013 Feb 02 10:48:42 Rule Id: 2901 level: 3
>> Location: ubuntu->/var/log/dpkg.log 
>> Src IP: 02 10:48:41 install libapr1 <none> 1.4.6-1
>> New dpkg (Debian Package) requested to install.
>> ** Alert 1359830922.3553: - syslog,dpkg,
>> 2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
>> Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
>> 2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3
>> 
>> 2013 Feb 02 10:48:32 Rule Id: 5501 level: 3
>> Location: ubuntu->/var/log/auth.log 
>> Src IP: 0:48:32 ubuntu sudo: pam_unix(sudo:session): session opened for user 
>> root by user(uid=1000)
>> Login session opened.
>> ** Alert 1359830922.3117: - syslog,dpkg,
>> 2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
>> Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
>> 2013-02-02 10:48:41 install libcap2 <none> 1:2.22-1ubuntu3
>> 
>> this comes from local agent, but equally strange results sometimes come from 
>> remotes as well.
>> 
>> I believe that sometimes the IP address cannot be extracted, but then most 
>> probably this field should be empty, right?
>> 
>> My programming/debugging skills are very rusty, but if it is not too tricky, 
>> I could try to adjust the regexp not to produce such results, which mess up 
>> statistics and filtering.
>> 
>> -- 
>> /Vilius
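Added example, not code from ossec-wui or from anyone in this thread: a small Python parser for alerts.log blocks in the format quoted above that takes Src IP only from a dedicated, whole-line "Src IP:" field (validated as an address) and otherwise leaves it empty, which is what Vilius says the field should be. The sshd alert with its rule number, address and user is constructed sample data.

```python
import ipaddress
import re

# Constructed sample in OSSEC alerts.log format. The dpkg block mirrors the
# entries quoted in the thread; the sshd block (rule, IP, user) is made up.
SAMPLE_ALERTS = """\
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3

** Alert 1359830999.4001: - syslog,sshd,authentication_failed,
2013 Feb 02 10:49:59 ubuntu->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: bob
Feb  2 10:49:58 ubuntu sshd[2211]: Failed password for bob from 192.0.2.10 port 5022 ssh2
"""

# Fields match whole lines only, so a date fragment in a raw event line can never be taken for an IP.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?:mail )?- (?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")
USER_RE = re.compile(r"^User: (?P<user>\S+)$")

def parse_alert(block):
    """Parse one blank-line-delimited alerts.log block; None if malformed."""
    lines = block.splitlines()
    head = HEADER_RE.match(lines[0]) if lines else None
    if not head:
        return None
    alert = {"id": head["id"], "groups": head["groups"].strip(",").split(","),
             "rule": None, "level": None, "src_ip": None, "user": None, "log": []}
    for line in lines[1:]:
        if m := RULE_RE.match(line):
            alert["rule"], alert["level"] = m["rule"], int(m["level"])
        elif m := SRCIP_RE.match(line):
            try:  # keep the field empty unless the value is a real address
                alert["src_ip"] = str(ipaddress.ip_address(m["ip"]))
            except ValueError:
                alert["src_ip"] = None
        elif m := USER_RE.match(line):
            alert["user"] = m["user"]
        else:
            alert["log"].append(line)  # location and raw event text, never mined for an IP
    return alert

def parse_alerts(text):
    """Split an alerts.log dump on blank lines and parse each block."""
    return [a for a in map(parse_alert, re.split(r"\n\s*\n", text.strip())) if a]
```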