Ossec

Subject: Use HTTPS instead of HTTP
Posted by phishphreek on Thu, 22 May 2008 19:46:05 GMT

View Forum Message <> Reply to Message
In this how to we'll go over how to make OSSIM run over HTTPS instead of HTTP.
Warning: Doing this will mess up the dashboard links to ntop and nagios. Be sure to read this
WHOLE THREAD before you proceed.
The links can be fixed by editing the /etc/ossim/framework/ossim.conf file and running the
/home/ossim/dist/reconfig.pl script.
This how to is tested in a freshly installed OSSIM vmware install using the 1.0.4 ISO installer.
Immediately following the install, apt-get update && apt-get dist-upgrade was run. A reboot to
get to the newly installed kernel was in order. The OSSIM update script was also run to get the
installer to the latest version 1.0.5p1
Create a certificate
openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout
/etc/apache2/apache.pem
Fill out all of the fields. When you get to the "your name" section, use the FQDN address of
your OSSIM server. (ossimserver.domain.com)
If you don't, you'll get certificate mismatch warnings.
Enable ssl support for apache

a2enmod ssl
Turn on SSL for the default site.

Edit /etc/apache2/sites-available/default with your favorite text editor.
NameVirtualHost *
<VirtualHost *>
ServerAdmin webmaster@localhost
SSLEngine On
SSLCertificateFile /etc/apache2/apache.pem
DocumentRoot /var/www/
<Directory />
Tell apache2 to use HTTPS instead HTTP

Edit /etc/apache2/ports.conf
Listen 443
Restart apache2
/etc/init.d/apache2 restart
Now every website that apache2 hosts will be using SSL.
Page 1 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

Subject: Re: Use HTTPS instead of HTTP
Posted by phishphreek on Fri, 23 May 2008 14:32:42 GMT
Change NTOP to use SSL
Note: This part isn't 100% yet. Have to figure out how to get the dashboard to redirect to the
new link without having to change every dashboard piece separately.
NTOP is running it's own web server. Let's tell it to run over SSL too.
I can't figure out where the NTOP admin password is so lets reset it.
ntop -A
Set a new password.
Copy the apache.pem certificate to the ntop config folder.

cp /etc/apache2/apache.pem /etc/ntop/ntop-cert.pem
Configure NTOP to use HTTPS

Open NTOP in your web browser.
http://ossim.ip:3000
Go to the admin tab and choose startup options.

Enter the admin for the userid and the password you just assigned to it.
Change the HTTP Server (-w) field from 3000 to 0.

Change the HTTPS Server (-W) field from 0 to 3000.
Scroll down and click Save Preferences.
Shutdown NTOP
Click on the admin tab and then click on shutdown.
This will stop NTOP. OSSIM is running a monitor for this service, so you can just simply wait
and OSSIM will restart it.
Change the OSSIM configuration to point to the new ssl site.

Edit /etc/ossim/framework/ossim.conf and change the ntop_link field from # to
https://serverip:3000
Run the reconfig.pl script

chmod 700 /home/ossim/dist/reconfig.pl
/home/ossim/dist/reconfig.pl
Now if you go into the ossim web based config utility, the link will be changed and grayed out.
Unfortunately, that still doesn't change the dashboard links... I'm still trying to find out how to
change those.

Subject: Installing the OSSEC Web Interface on OSSIM
Posted by gsporter on Fri, 30 May 2008 04:02:37 GMT
I found I can see the OSSEC output directly as a cross check by install the web ui
Start by following the general instructions here. I have provided the changes I had to make to
install on the OSSIM all-in-one from the installer:
http://www.ossec.net/wiki/index.php/OSSECWUI:Install
Changes:
Step 3
# mv ossec-wui-0.3 /var/www/htdocs/ossec-wui
to # mv ossec-wui-0.3 /var/www/ossec-wui
Step 5
# nano /etc/group
..
From:
ossec:x:1002:
To:
ossec:x:1002:www-data
Step 6
# chmod 770 tmp/

# chgrp www-data tmp/
# /etc/init.d/apache2 restart
You can access the interface thru
http://<your_host>/ossec-wui

Posted by henry01 on Fri, 06 Jun 2008 11:00:34 GMT
any luck on this?

Thanks

Posted by jimsmithkka on Fri, 06 Jun 2008 17:57:09 GMT
I followed these steps and my pages are now secure, but when i try to use the links in the
sidebar of the availability tab (Nagios) i get a page not found, the issue i know is that the links
are for http, not https.
My question is where is the file that has these links so i can update it or is there a config
change i can make in apache auto forward http requests to https for each page.
The system is a almost bare bones install from the install cd i got from AlienVault.
I am not to familiar with apache, i use lighttpd most of the time instead, so any help would be
gratefully accepted.

Posted by phishphreek on Fri, 06 Jun 2008 21:35:45 GMT
I haven't had an opportunity to mess with it too much more. I ended up changing the links via
Dashboard, edit and then editing the panels separately. This works OK for me as I am the only
user.
These dashboards are configured on a per user basis, so if you have multiple users, each user
will have to change their links.
The panel config files are located in /etc/framework/panel/configs
The main dashboard page is /etc/framework/panel/configs/admin_1
The dashboard page with the ntop data is /etc/framework/panel/configs/admin_5_1
Each time I try to manually edit those files to update the links, it get OSSIM throwing an error
complaining about bad data.
From looking at their reconfig script in /home/ossim/dist/reconfig.pl I found they are using a file
called edit_serialized_ips_panels_conf.php which they use to replace the ip address if you
change it and use the reconfig script.

I haven't yet had the free time to modify this script to have it grab the ntop_link field from
/etc/framework/ossim.conf if it has been modified and store it in some variable. Then have the
script go through and change it in the *_1 and *_5_1 files.
jimsmithkka: I think you're running into a little different issue. My nagios is actually running on a
separate server. I changed my links to point to the server and all worked fine for me... I'll have
to look into it in vmware and see why yours won't work.

Posted by phishphreek on Fri, 06 Jun 2008 21:53:13 GMT
jimsmithkka: You can do it in one of two places. Either in the web configuration --> main -->
nagios link
Change from /nagios2/ to https://serverip/nagios2/
Or, edit /etc/ossim/framework/ossim.conf and change the link to nagios.
#nagios_link
nagios_link=https://serverip/nagios2/
Then run /home/ossim/dist/reconfig.pl

It will update to the correct link.
Sorry about that!

Posted by jimsmithkka on Mon, 09 Jun 2008 13:30:11 GMT
It all works now, Thanks
Figured it would be help others as well so i posted the question here.
Once Again thanks
Subject: NagiosQL Walktrough

Posted by umarzuki on Mon, 09 Jun 2008 14:48:25 GMT

Note: This was done on installer version 1.0.4, so as they say, YMMV.
After you got OSSIM up and running, install php-pear then execute
pear install HTML_Template_IT
After that download the latest NagiosQL from

http://www.nagiosql.org/index.php/component/content/article/ 44 then extract in your /var/www
cd into the extracted directory
Create mysql database

mysql -uroot -p < nagiosQL_v2_db_mysql.sql
if asked for password, find it somewhere in /etc/ossim/ossim_setup.conf
put these into Apache2 config file: httpd.conf

<Directory /srv/www/htdocs/nagiosQL>
<FilesMatch \.(?i:ini)$>
Order allow,deny
Deny from all
</FilesMatch>
</Directory>
then edit setting.ini and change value in it accordingly

root = /nagiosql-2.0.2/
physical = /var/www/nagiosql-2.0.2/
config = "/etc/nagios2/"
confighosts = "/etc/nagios2/conf.d/"
configservices = "/etc/nagios2/conf.d/"
binary = "/usr/sbin/nagios2"
cmdfile = "/var/lib/nagios2/rw/nagios.cmd"
pidfile = "/var/run/nagios2/nagios2.pid"
lang = lang_en
then try browsing to: server_IP/nagiosql-directory/testQL.php
if you got permission read/write error, chmod -R 777 it
if you got error about folder missing o something like that, make one by referring to setting.ini
Don't forget to import config files: Tools > Data Import
Corrections are most welcome :)
Subject: Re: NagiosQL Walktrough

Posted by eflinton on Mon, 09 Jun 2008 18:27:28 GMT
can't find nagios.cmd on a freshly installed system v1.0.4 and upgraded through
ossim-update.pl.
any ideas?
thanks.

Posted by jvblanco on Mon, 09 Jun 2008 20:56:41 GMT
Check at /etc/nagios2/nagios.cfg if you have external commands enabled.
BTW, this is a very interesting Nagios addon. I'm going to give it a try.
Juan.

Posted by umarzuki on Tue, 10 Jun 2008 00:02:12 GMT
it's a pipe file, to make it
mknod nagios.cmd p
but it'll give error anyway thru testQL.php. Actually, a pipe file will only be there when nagios
run.

Posted by eflinton on Tue, 10 Jun 2008 14:44:45 GMT
Thanks had the external command value set on the prod. unit and saw the file but hadn't move
the configs to the test unit.
Its there after adjusting the value -- thanks jvblanco!

Posted by umarzuki on Tue, 10 Jun 2008 23:57:42 GMT
wow you guys got it up and running? Nice, since i never setup manual nagios before, stuck
when creating host (the pull downs don't have value)
rouven from ngiosql said something about timeperiods.cfg which is isn't available at fist so
probably i'll have to create it.

Posted by eflinton on Wed, 11 Jun 2008 00:29:47 GMT
haven't gotten the prod_configs into nagiosql yet but things are working out will post any
information that may be of value. i didn't know this was available so trying it out.
in regards to nagios -- i keep the host file simple, than group with hostgroup. I have several
*.cfg depending on the system type and required checks. not sure if default ossim is setup like
that as I have just been moving prod_configs over.

Posted by umarzuki on Wed, 18 Jun 2008 06:32:56 GMT
actually, i had to import the config files :)

Posted by eflinton on Wed, 18 Jun 2008 14:42:28 GMT
If starting from scratch there were a lot of dependencies between hosts, contacts, services. I
would agree import your configs.
Subject: Re: Installing the OSSEC Web Interface on OSSIM

Posted by umarzuki on Wed, 25 Jun 2008 08:31:22 GMT
this tutorial works..i can confirm that. But no fancy graphs... 8)

Posted by redbarron on Fri, 27 Jun 2008 01:55:10 GMT
So, from the last few posts it sounds like I should NOT attempt this if I haven't set up nagios at
all yet? Or is it just the couple extra steps as mentioned?
If it's going to make configuring nagios harder for a nagios noob, I'll just stick with straight
nagios until I feel like I've got that under my belt.
Thanks,
Joe

Quote:If it's going to make configuring nagios harder for a nagios noobyeah, absolutely. Most
of 'em are.
Subject: OSSIM: Configuration steps

Posted by ajcborges on Mon, 14 Jul 2008 19:21:28 GMT
HI,
I have been wokning on Security Information around 8yrs. I know several SIM products,
including Sentinel from Novell. I am currently putting together a monitoring project with Open
Source Products and OSSIM caught my attention. I know Linux (debian, among others),
Windows, Unix, etc. OSSIM has many virtues which I do not know where to start.
If anyone knows or has done a guide to perform a basic configuration of OSSIM, it will be
widely appreciated.
Already download the ISO. And I installed it without any problems ... I think I am ok. :!:
I would learn to configure it. I think it is a solution with a high market potential. 8)
TIA.
Subject: Re: OSSIM: Configuration steps

Posted by kristian_paul on Mon, 14 Jul 2008 20:50:00 GMT
i may help
http://www.ossim.com/blog/dk/ossim/tutorials/tut3_intro.html

Posted by guihen01 on Fri, 18 Jul 2008 01:50:21 GMT
use tutorial on ossim web site

Posted by kristian_paul on Fri, 18 Jul 2008 14:16:19 GMT
did you get running snort and ossim for windows? are you're collecting data to your master
server?
couse i never did it :cry: , so far ;)
any way, if you can help i apreciate

Posted by gsporter on Sun, 27 Jul 2008 03:29:35 GMT
Once you have gone through DK's inital setup try reading:
Wiki
http://www.ossim.net/dokuwiki/doku.php
General Description
http://www.ossim.net/dokuwiki/doku.php?id=documentation:gene ral_description
Users Manual
http://www.ossim.net/dokuwiki/doku.php?id=user_manual:introd uction

It helped me to understand the structure and "work flow" of OSSIM
GP
Subject: OSSEC Quick Start Guide

Posted by Ahriakin on Sun, 07 Sep 2008 00:34:03 GMT
Hi Folks,
This is not a detailed tutorial on OSSEC just a getting started guide. I highly recommend
Syngress "OSSEC - Host Based Intrusion Detection Guide"
http://www.amazon.com/OSSEC-Host-Based-Intrusion-Detection-G
uide/dp/159749240X/ref=pd_bbs_sr_1?ie=UTF8&s=books&q id=1220745267&sr=8-1 if you
intend to seriously use this excellent tool.
I'm still a Linux beginner myself and from the other posts I see here I'm not the only one so I'm
going to try and make these instructions as verbose as possible command-wise so that even
beginners can perform them.
I'll try and follow this up with some tips that I've found useful in later posts. If anyone has any
comments or improvements let me know (like I said I am no expert, or a script-god like
PhishPhreak ;), this is just an attempt to help others at my level so any comments are
welcome)
Anyway :
****
Upgrade the master server:
As of posting OSSIM includes OSSEC 1.4 and 1.6 has just become available. Thankfully
upgrading is a very simple process.
1. Download the latest source from www.ossec.net to your TMP folder

- cd /tmp
- wget http://www.ossec.net/files/ossec-hids-1.6.tar.gz (for later versions simply open a
browser and go to the OSSEC.net download page and right-click the link to the file you want,
then copy-link-location and paste it after "wget "
2. Extract the file
- tar -zxvf ossec-hids-1.6.tar.gz
3. Enter the newly extracted folder
- cd ossec-hids-1.6
4. Run the install script
- ./install.sh

--- It will detect the existing install and ask if you want to upgrade: YES
--- It will ask if you want to upgrade the rules: YES
5. Add OSSEC to the agent plugin list
- nano /etc/ossim/agent/config.cfg
--- under the [plugins] section add the following line
ossec=/etc/ossim/agent/plugins/ossec.cfg
6. Restart the OSSIM agent
- /etc/init.d/ossim-agent restart
That's it the OSSEC server is now on the latest version and OSSIM is monitoring it. This
upgrade will keep any existing client details, historical data etc. and is backward compatible
with older clients so you won't break anything by doing it.
**
Adding clients to the OSSEC server

All important files for OSSEC are located in /var/ossec, the control utilities are in /var/ossec/bin
1. Add a new client:
- cd /var/ossec/bin
- ./manage_agents
--- Choose A to add an agent, enter the client IP and ID you'd like to use (accepting the
defaults is fine, ID's are how OSSEC keeps track of clients internally so it doesn't have to
match anything else it just has to be unique)
Personally I prefer to pre-configure all of my clients here at once so I add each and every host
that will have OSSEC agents installed now. I'm going to presume you do the same and don't
have RSS injuries when you're done :). So from this point on I will act as if you have added
every agent to the master server.
2. Restart the OSSEC server to make the changes (in this case new agents) active.
- ./ossec-control stop
- ./ossec-control start
****
Installing the OSSEC agent on Windows Hosts

Get the latest agent from www.ossec.net
1. Run the installer executable and accept all defaults.
2. When presented with the 'OSSEC Agent Manager' enter the IP of your OSSIM/OSSEC
Master Server.
3. Enter the Client/Server authentication key
- SSH to your Master Server and run the manage_agent utility
- /var/ossim/bin/manage_agents
--- choose 'E' to extract a client key

--- Enter the ID for this client (if you are not sure of the ID then first choose 'L' to list the agents
and record the ID number).
--- Copy the entire text below the line "Agent key Information for "ID" is:" and paste it into the
Authentication Key line on the client's OSSEC Manage Agent window, then hit Save -
IMPORTANT when you hit save it will show a small popup window with this client's IP, name
and ID, make sure they are all correct as this is the data it has extracted from the key you just
pasted in and it is what the server is expecting to see, if they do not match then the client will
not authenticate to the server and it won't work. If they do match just hit Okay, if not go back
and check how the agent was setup on the server and that you pasted the extracted key
properly.
4. Start the OSSEC service
- From the client OSSEC Manage Agent utility click Manage / Start OSSEC and then refresh,
make sure it says it is running.
* An alternative of course is to extract all keys and IDs into a text file that you can access from
each client but if you do make sure it is absolutely secure, and ideally secure delete it when
done.
**
Installing on Linux Hosts

1. Download the agent software to the TMP folder:
- cd /tmp
- wget http://www.ossec.net/files/ossec-hids-1.6.tar.gz (it uses the same package for all 3 types
of Linux installs so you could just copy the file you used on the server)
2. Extract the package
- tar -zxvf ossec-hids-1.6.tar.gz
3. Install it
- cd ossec-hids-1.6
- ./install.sh
--- When prompted for the installation type choose "agent"
--- When prompted for the OSSEC server IP use the OSSIM/OSSEC Master server
--- Accept all other defaults.
4. Configure the agent authentication from the client
- /var/ossec/bin/manage_agent
--- choose 'I' to import the key
--- follow the steps described in the Windows agent install to copy the client's key from the
Master Server and paste it into the Import Key prompt.
5. Restart the agent
- /var/ossec/bin/ossec-control stop
- /var/ossec/bin/ossec-control start
**
Replacing the full OSSEC server on OSSIM-Child servers with agent only reporting to your
master server, and also upgrading

Follow the steps above for the Linux agent installation but at the start OSSEC will detect the
existing installation:
--- When prompted to upgrade say 'No'
--- When prompted to delete the folder say 'Yes'
Otherwise it is identical to a normal Linux Agent install. (and remember to restart with
"/var/ossec/bin/ossec-control stop+start" when done.
****
Testing the connection between client and server
Firstly you can install OSSEC's own Web interface alongside OSSIM's. There is a guide on
how to do this here https://www.ossim.net/forum/index.php?t=msg&th=62&st
art=0&S=d92e33f115348ff90f531433414935e0 . The only thing I'd add is I had issues with
some of the other functions like NTop and Snort graphs until I changed the permissions on
/TMP to anyone full control (chmod 777 /tmp) which is not the most secure but it solved my
issues. Most of the UI's functions are intact except some searches and graphs.
Anyway to directly test the client connection: From the Master Server:
1. List active all clients
- /var/ossec/bin/agent_control -l
--- Look for the clients you have connected and make sure they are Active
2. Get more detail from the client
- /var/ossec/bin/agent_control -i (ID of client)
--- This will tell you the last scan times, client version etc.
If your client is shown as active you should be good to go....
Subject: Re: OSSEC Quick Start Guide

Posted by DK on Wed, 10 Sep 2008 19:03:38 GMT
Cheers on the nice update guide, will be releasing an update with OSSEC 1.6 pretty soon.
Blame Daniel for not getting it into 1.0.6 :) (Just kidding, OSSEC is awesome.)

Posted by Ahriakin on Wed, 10 Sep 2008 19:42:15 GMT

No problem, I ask enough questions here and obviously use OSSIM enough that I'm glad to be
able to give even a little back. Thanks for all your great work.
Subject: ossim for newbies

Posted by ashar on Sat, 20 Sep 2008 09:59:00 GMT
Hi,
I have started to document configuration of the various parts, for newbies. I aim to get people
started quickly - there is a huge amount to figure out.
Let me know if there are any mistakes, and what I should do next.
http://sites.google.com/site/ossimnewbie/Home

Posted by gsporter on Sat, 20 Sep 2008 23:48:01 GMT
I also have to give you kudos’s. Sometimes training and documentation doesn't seem
that exciting
But it can mean the success or failure of a project!
Subject: Re: ossim for newbies

Posted by gsporter on Sat, 20 Sep 2008 23:48:46 GMT
I have to give you kudos’s. Sometimes training and documentation doesn't seem that
exciting
But it can mean the success or failure of a project!

Posted by DK on Fri, 03 Oct 2008 20:54:48 GMT
Cheers on this, please keep up the awesome work.

I'd suggest opening an own thread for this (please give me a shout should you want special
rights) and updating it frequently, including dates :p
Subject: Documentation Overhaul

Posted by gsporter on Sat, 04 Oct 2008 19:01:14 GMT
If you did not see this in DK's blog PLEASE read before posting questons!!!
http://www.alienvault.com/blog/dk
Documentation Overhaul
Thu, 02 Oct 2008
"Just a quick note to throw some attention at the major changes we are making to the OSSIM
documentation section.
We're sort-of hiding deprecated or non-important documentation, reorganizing existing one and
releasing new stuff such as configuration instructions forthird party devices. "
Configuration
http://www.ossim.net/dokuwiki/doku.php?id=documentation:conf iguration

Posted by gsporter on Wed, 08 Oct 2008 23:57:57 GMT
Quick question. Which versions did you use nagiosql-2.0.2.tar.gz /installer 1.04/6?
Thanks
GP
Subject: Osiris - Quick Guide

Posted by Ahriakin on Sun, 12 Oct 2008 01:54:15 GMT
Hi folks,

Just like the OSSEC guide this is just to get you going, if you want to delve into Osiris properly
I highly recommend "Host Integrity Monitoring using Osiris and Samhain" by Brian Wotring (
http://www.amazon.com/Integrity-Monitoring-Using-Osiris-Samh
ain/dp/1597490180/ref=sr_1_1?ie=UTF8&s=books&qid=122 3771961&sr=8-1).
Firstly why would you want to use Osiris when you use OSSEC? OSSEC is more fully featured
in that it performs system file, registry, service, user, rootkit checks, parses Syslog etc. with
some event correlation whereas Osiris is mainly a file integrity (change) monitor with some
extra modules for detecting changes in services, ports and users. If you had to choose
between the 2 then OSSEC is a better bet for intensive monitoring (it also works brilliantly
within allowing you to use it to filter Syslog and other events from it's own engine before
placing them in the Database which can save you a lot of CPU cycles if your OSSEC server is
a child OSSIM server), but that's just it it is intensive whereas Osiris is more easily tuned and
less resource intensive. \
By default OSSEC agents run their system checks every 6 hours (you can change this but I'll
place that note in the OSSEC thread). If you increase the frequency you run the risk of
degrading host performance but at the same time I think you need more granularity in the logs,
at least for the more important files. What I like to do is running Osiris every 2 hours to bridge
the gaps between the more intensive OSSEC scans. I may change this in the future but for
now I think it works well.
I'm also planning on setting up a second scan weekly that does not purge the databases so I
have a 7 day snapshot of the files for my records but I'm getting a but beyond the scope of this
guide, just trying to make it clear why I still use Osiris in conjunction with OSSEC.
Anyway on to the installation/config:
****************************************************
Osiris agents work differently to OSSEC. With OSSEC you created keys on the server and
imported them to the agents, from then on the agents run on their own schedule with their own
configs and report the results back to the server based on the <frequency>xxxxx</frequency>
value in ossec.conf. Osiris agents work differently in that they are essentially like remote
sockets to which the Server will push the scan config and request scans when needed, i.e. the
agent will do nothing on it's own, it always waits for instructions from the Master server. You do
not need to manually create and import authentication keys it uses certificates, when you
install an agent it will listen for and trust the first master server that contacts it, after that it will
only accept communications from that server as it saves it's certificate. You still have to create
clients on the Master Server
Server Configuration - Configs
Before configuring within Osiris itself you will want to view and perhaps modify the configs it
will use on the agents. Since Osiris keeps all of it's config data within flat files you can edit
them with nano, though many can be configured within Osiris CLI itself I prefer to do it

manually outside.
The host config files are located in /var/lib/osirismd/configs/ . In the following example I will
read and modify the Server 2003 config to change the file hash method to SHA1 and add the
optional module for reading port changes, add scanning of C:\Windows (Osiris defaults to
using c:\winnt as the Windows folder, adding a folder that does not exist (i.e. having both Winnt
and Windows) will not cause any issues as it will just skip the one that isn't there) and include
.bat and .scr files in the scan filetypes, finally I will add an exclusion to ignore my Symantec AV
definition folder aswell as the OCS Inventory Agent folder (as they change a lot and yield
log-noise false positives).
enter the config folder

1. cd /var/lib/osirismd/configs/
run 'ls' to read the directory and then 'nano' your config file
2. nano default.windowsserver2003
change the hash method to SHA1
3. Change 'Hash md5' to 'Hash sha1'
add the port module
4. Under <system> add 'Include mod_ports'
add .bat and .scr to the filetypes to scan
5. Under <Directory c:\WINNT> add 'Include suffix("bat")' and 'Include suffix("scr")'
Add the same scanning options for c:\windows
6. Highlight the entire <Directory c:\winnt> section (including </Directory>, press CTRL+C,
move the cursor to below that Directory section and right-click to paste (most terminal
emulators follow that convention, if yours doesn't then find how to paste). Edit the new
<Directory c:\winnt> line to read <Directory c:\windows>
Exclude the Symantec definition and OCS folders
7. Under <Directory C:\Program Files> add :
NoEntry OCS Inventory Agent
NoEntry Common Files\Symantec Shared\VirusDefs
NoEntry Common Files\Symantec Shared\SymcData
NoEntry Symantec\Symantec Endpoint Protection Manager\Inetpub\content
NoEntry SAV\I2_LDVP.VDB
NoEntry Symantec AntiVirus\I2_LDVP.VDB
Save and exit
8. Press CTRL+X, Y to save changes and accept the same filename.
OPTIONAL: Use the same config for your Windows 2000 Servers
9. Rename the existing Server 2000 config mv default.windows2000 default.windows2000.old.
Copy your modified 2003 config to replace it cp default.windowsserver2003
default.windows2000
When you look at the config files you'll see they are very intuitive so adding files,
including/excluding folders etc. is quite easy. Just remember that if you modify a config and
want to manually scan an existing client you need to push the config first, if you manually start
a scan it does not send the new config (however the scheduled scans always push the current
config first so they are covered).

**********
Installing the Linux agent

1. apt-get install osiris
That's it :) - if you are doing this on an existing server like an OSSIM child server remove it first
(apt-get remove osiris).
**********
Installing the Windows Agent

1. Get the executable from OSSIM / TOOLS / DOWNLOADS and run it. When presented with
the installation options only leave the Osiris agent ticked and continue until complete.
**********
Adding clients to the Master Server

1. From the server CLI just run the command osiris (Its in the path so you don't need to specify
any folders), User/Pass = admin (make sure to change the password when inside)
2. Press ? for help. Again you will see the layout is very intuitive.
3. Edit basic server parameters:
edit-mhost (mainly here if you plan on using email alerts outside of OSSIM add your default
address, you can override this on each client if you wish but it can save sometime just to do it
here, add your SMTP host and if you wish modify the Authorized management hosts (I advise
you to just leave it on the default of 127.0.0.1 so it can only be edited when logged into the
server directly).
4. Edit admin users:
edit-users Add a new user or change the admin password - WARNING it does not prompt you
to verify your password changes so make sure you get it right :), it's a good idea to add a
backdoor account for this reason.
5. Add new clients - I'm going with the OSSIM recommended setup, only changing the email
options and scheduling.
new-host
- Name (only significant to Osiris, but it's a good idea to match it to the hostname or functional
name you use in all of OSSIM's other tools (I like to use (location)-(type)-(hostname) e.g. A
server called SuperServer in Orlando would be orl-SRVR-SuperServer). The name is similar to
IDs in OSSEC, it is how you identify the client through the console for all operations.
- Hostname/IP (yes you can use the DNS FQDN here if you wish)
- Description (up to you)
- agent-port (do not change)
- enable log files for this host? (Since we are logging to OSSIM no need, and they take up
space)
- Keep archives of scan databases? (Definitely no as it will keep databases even if no changes
are detected...what's the point unless you want a nice warm fuzzy feeling that nothing has
changed?)
- auto accept changes? (Yes, let it set the new baselines when changes are detected)

- purge databases? (Again since we are logging to OSSIM leave this as Yes, if disabled each
scan of each host is kept on the server and they can pretty soon eat up your storage space -
this is not your only option for keeping historical data outside of OSSIM though, see the email
section below)
- enable email notifications for this host? (Here's where I deviate from the OSSIM
recommendations as I want historical data available to my colleagues without having them
access OSSIM/Osiris directly). I set it to Yes but it's your call.
-- send notification on scheduled scan failures? (Yes, I want to know if it didn't run).
- send scan notification, even when no changes detected? (No, again I think this is pointless
unless it is required by your security policy).
- send notification when agent has lost session key? (I set it to Yes, Clients use the same
session key with the Server until their Osirisd service is restarted. It will happen naturally when
the client is rebooted, but if the client lost it's session key and it wasn't rebooted then someone
restarted the service and that is a wee bit suspicious to me and you may need the event later
for correlation).
- notification email? (here you can override the default email address you entered when you
used 'edit-most' earlier to set some basic server parameters, leaving it blank just uses that
default address)
- configure scan scheduling information? (yes)
- enter the start date and time
- enter the scan frequency (enter the time between scans in minutes. The default is 4 hours, I
prefer 2 - I am using Osiris to fill the gaps between the OSSEC scans (6 hours). If you are
entering a lot of hosts at once I recommend varying your scan frequency a little, e.g. 1st = 120,
next = 121, next = 119 etc. This way over time the scans will move apart and you randomize
the scan times a bit to reduce the load on your Master Server)
- enable this host (Yes).
The server will contact the client and provided it is a clean install of Osiris it will show you the
OS type and ask if you want to use the default config (since we edited that config earlier we
can accept it). And finally initialize and begin scanning the host.
********
Getting OSSIM to read the Osiris events - Credit to Crislato for clarifying this for me
1. Edit the agent configuration on the Master Server
nano /etc/ossim/agent/plugins/osiris.cfg
Under the [translation] section add all of the clients you added previously with the same Names
and IP addresses you used within Osiris.
2. Restart the OSSIM agent
/etc/init.d/ossim-agent restart
************************************************
I mentioned setting up email alerts earlier and the reason I do is my default address is a
mailbox that my colleagues also have access to. They can quickly read the email alerts for the
servers they need details on for the time period in question right from their email clients rather

than me having to show them how to navigate OSSIM (and restoring archived data for older
events). I find it pretty handy. Also I advise setting up a Plugin group called HIMS, adding only
Osiris, and adding it as an Event filter so you can quickly just view Osiris events from within
OSSIM.
Anyway I hope this helps.

Posted by gmicalzoma on Mon, 03 Nov 2008 22:25:22 GMT
Thanks gsporter, it works like a charm, cheers!!!!
Subject: Installing Webmin

Posted by kristian_paul on Thu, 06 Nov 2008 14:57:21 GMT
Installing Webmin
Webmin is a great tool for manage a gnu/linux system using a web framework
(remember don't leave the powerful console)
1. Edit the /etc/apt/sources.list file on your system and add the line :
deb http://download.webmin.com/download/repository sarge contrib
2. You should also fetch and install a GPG key with which the repository is signed :
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
3. You will now be able to install:
apt-get update
apt-get install webmin
Adding Webmin to OSSIM Framework
1. edit:
/usr/share/ossim/www/top.php

add:
if (Session::menu_perms("MenuConfiguration", "ConfigurationSystem"))
$menu["Configuration"][] = array(
"name" => gettext("System"),
"id" => "System",
"url" => "https://ossimip:10000"
);
2. edit:
/usr/share/ossim/include/ossim_acl.inc
add:
"ConfigurationMaps" => array

(
"name" => "Configuration -> System",
"default_perm" => true
),
Go user=> reload ACl
Done, know you can access webmin at Configuration => System

Posted by umarzuki on Mon, 17 Nov 2008 23:25:10 GMT
that was 1.0.4

Posted by umarzuki on Mon, 17 Nov 2008 23:34:20 GMT
ashar wrote on Sat, 20 September 2008 03:59Hi,
I have started to document configuration of the various parts, for newbies. I aim to get people
started quickly - there is a huge amount to figure out.
Let me know if there are any mistakes, and what I should do next.

http://sites.google.com/site/ossimnewbie/Home
How about one that I'm trying to figure out here
https://www.ossim.net/forum/index.php?t=msg&goto=1522&am
p;S=82542d405b07209204333f984f11d169#msg_1522 and the right way for sending sms and
e-mail alert (my last attempt on 1.0.4 didn't work) or would it be possible for a (annoying)
pop-up message?
Subject: Re: Installing Webmin

Posted by kurtsecure on Tue, 18 Nov 2008 17:40:11 GMT
This is excellent although a couple of typos:
apt-get install
should be
apt-get install webmin
/usr/share/ossim/include/ossim.acl.inc
should be
/usr/share/ossim/include/ossim_acl.inc
Thanks
Kurt

Posted by dropadrop on Wed, 19 Nov 2008 12:53:50 GMT
Thanks, nice instructions. There is a typo on your interfaces page concerning eth1 though:
Quote:
down ifconfig down
for eth2 it's correct.
Subject: Bare metal back up and restore

Posted by here2serve on Fri, 21 Nov 2008 20:30:48 GMT

We wanted a fool proof back up and restore. That would not require any real thought or skill.
Restoring from scratch with this method took less than 25 minutes.
Backup script
#!/bin/bash
#Proccesses to shut down before backup,apache2,arpwatch,cron,munin-node
#mysql,mysql-ndb,mysql-ndb-mgm,nagios2,nessusd,ntop,openvpn, osirisd
#osirismd,ossec,ossim-agent,ossim-framework,ossim-server,pad s,snmpd,snmptrapfmt
#snort,ssh,webmin
/etc/init.d/arpwatch stop
/etc/init.d/ntop stop
/etc/init.d/munin-node stop
/etc/init.d/apache2 stop
/etc/init.d/nagios2 stop
/etc/init.d/openvpn stop
/etc/init.d/osirisd stop
/etc/init.d/osirismd stop
/etc/init.d/ossec stop
/etc/init.d/ossim-agent stop
/etc/init.d/ossim-framework stop
/etc/init.d/ossim-server stop
/etc/init.d/pads stop
/etc/init.d/snmpd stop
/etc/init.d/snmptrapfmt stop
/etc/init.d/snort stop
/etc/init.d/ssh stop
/etc/init.d/webmin stop
/etc/init.d/cron stop
/etc/init.d/mysql stop
/etc/init.d/mysql-ndb stop
/etc/init.d/mysql-ndb-mgm stop
tar cvpzf /mnt/backup/backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/mnt
--exclude=/sys /
reboot -n
Restore Script
!#/bin/bash
#restore Script
cp /media/cdrom0/*.tgz /backup.tgz
tar xvpfz /backup.tgz -C /

reboot -n
Directions for the Tech
OSSIM Restore
In case of a system failure you will need the OSSIM cd and the most recent full back up and
restore script. The full system back up and script can be found on (what ever location)
1. Unplug the NIC, Boot from the OSSIM cd

2. Enter what ever values you like at any prompt. Except under partitioning accept the defaults.
3. After the install is complete put in the backup cd with the restore script.
4. Log in at the prompt as root with whatever password you set during the install.
5. type " mount /dev/hda "
6. type "/media/cdrom0/./restore.sh "
7. After it is finished restoring it will reboot. Remove the cd, plug in the NIC, log in and test out
your restored system. All user accounts,original passwords, data and programs should be
available.
I don't know if you really need to kill all the services in the back up script but it works. The Idea
came from a forum somewhere. Just don't know which one.
Subject: Re: Bare metal back up and restore

Posted by kristian_paul on Fri, 21 Nov 2008 20:42:17 GMT
need to add monit process or you'll get all ossim process stuff running again
Subject: Important configuration files

Posted by umarzuki on Sat, 22 Nov 2008 14:53:01 GMT
This is sort of a quick info page for ossim users. The main reason I posted it here so I can
check on it back later. I'm a very forgetful person ;) You all can add up and correct me if I'm
wrong. Highly appreciate it.
/home/ossim/dist/ossim-update.pl is to update your OSSIM to current version.

/etc/ossim/ossim_setup.conf is where you can configure information on various things such as
mysql's user root password, sensor, main NIC and such.
/home/ossim/dist/reconfig.pl is to update informations on interfaces and related configurations

that you had done manually.

Posted by here2serve on Tue, 25 Nov 2008 09:49:11 GMT
I tested it 3 times and it worked like a champ. I kind of thought I was killing more stuff than
needed.

Posted by redbarron on Mon, 01 Dec 2008 15:45:44 GMT
So, if I upgrade my OSSEC via this guide, what happens when 1.07 (presumably) comes out
with 1.6 and I run ossim-update.pl on my 1.06 box. Do I need to be concerned with breakage?
Thanks!
DK wrote on Wed, 10 September 2008 15:03Cheers on the nice update guide, will be
releasing an update with OSSEC 1.6 pretty soon.
Subject: Install Oinkmaster and update snort rules

Posted by umarzuki on Wed, 03 Dec 2008 13:13:14 GMT
This is some sort of a walktrough in hope anyone can benefit from my past experience
Install oinkmaster packageaptitude install oinkmaster

Register at snort's site to get access and download the rules from http://www.snort.org/
Get the oinkcode

Edit oinkmaster.confvi /etc/oinkmaster.conf commentQuote:url =
http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gzand place under itQuote:url =
http://www.snort.org/pub-bin/oinkmaster.cgi/your-oinkcode/sn ortrules-snapshot-2.7.tar.gz
To make list of what rules have been disabled/usr/share/oinkmaster/makesidex.pl
/etc/snort/rules/ >autodisable.conf
As normal user, update rules withoinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf
-o /etc/snort/rules/
Run create_sidmap.pl (Generates the priority and reliability level for every snort rule)perl
/usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
Restart ossim-server/etc/init.d/ossim-server restart
*The last two steps were pointed out by juanma

Credits to http://internetsecurityguru.com/ and ossim forum members.
Note: Later the next day, I got mysql error about not be able to access certain socket (I forgot
to copy the error message) but I don't know if this related to oinkmaster. A quick reconfig
withperl /home/ossim/dist/reconfig.plwould fix that. At least visually :)
Moderator note: I've modified the post so it points to the correct scripts, thank you. Juanma
Subject: Re: Install Oinkmaster and update snort rules

Posted by juanma on Fri, 05 Dec 2008 03:56:10 GMT
Hi umarzuki
Thanks a lot for writing this tutorial. Just two notes, every time you add new snort rules in
ossim you have to run:
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
and restart the ossim-server.
This is going to insert into the database the priority and reliability information for all the new
rules into the database.Without this info the server is not going to store any event coming from
the new snort rules.
Also as a note, you do not have to run reconfig.pl after downloading new rules. It would be nice
if you could update your tutorial, if you can not do that just let me know and I'll edit your post.
Thank you
Juanma

***Note: I've edited my post, I was talking about create_sidmap.pl, but the command I was
running was reconfig.pl

Posted by here2serve on Sat, 06 Dec 2008 14:23:39 GMT
I was having some trouble with rrd_threshold. I took your suggestion to add monit to the
processes that need to be stopped during backup. rrd is back up again. I'll continue monitoring
to see if this fixed my rrd problem or not. Looks good for now.
Thanks- Would love to know why it came back but it's just good to have it working again. The
box I am using started off with the 1.04 installer and has all it's up dates. I may be able to free
up another box to run up with the 1.06.
After adding monit to to script I tried to restore from backup. Mysqld fails to start. Had to go
back to dec 6 backup/Troubleshoot Mysqld.

Posted by here2serve on Sat, 06 Dec 2008 14:43:54 GMT
Spoke to soon rrd is down. Back to the rrd forum.
Subject: OSSIM@VMWARE
Posted by udom on Mon, 08 Dec 2008 10:16:29 GMT
Hi,
in version 1.0.6 of ossim-installer = debian 2.6.18 at vmware esx 2.5.1 and 2.5.4 and probably
some more versions) the clock is not synchronized. I solved the problem by using
vmware-tools but the configuration of the vmware-tools is not working without doing some
changes. Here is the full list of the necessary commands:
apt-get install autoconf automake make psmisc gcc
apt-get install linux-headers-`uname -r` build-essential

tar -xzvf VMwareTools-######.tar.gz
cd vmware-tools-distrib
./vmware-install.pl
#all default-values are ok, but do not configure at the end of the install-script!
cd /usr/src/linux-headers-`uname -r`/include/linux
cat utsrelease.h >> version.h
vmware-tools-config.pl
# all default-values are ok
reboot and the clock ist synchronized
Subject: SNORT - Fast Sensor Up to date

Posted by sapling on Wed, 10 Dec 2008 20:09:53 GMT
First of all I would like to say that although I like OSSIM and its abilities I do not like the agent. I
seem to have nothing but issues trying to get the agent to properly give OSSIM servers data
from agents. The other problem I have is that by default the OSSIM installer for a server is way
to slow and not easy to customize for my needs. Not the speed of which it installs but its ability
to handle data and create alerts.
This is why I decided that I would build a snort sensor that was capable of handling a large flow
of data. My snort sensor is capable of handling all of the rules turned on if I so desired and
capture full packets from a our bandwidth which is 3xT1's. I am not logging in unified format
and send the data directly into mysql. On top of all of this I am running it on a Pentium 4 Single
Core 2.4Ghz desktop machine with 1.5Gb's of RAM without any dropped packets. I have a
single 80Gb 7200RPM IDE drive.
So with that in mind let me begin my tutorial...

Insert a minimal installer disk for debian.
Install debian with no additional packages selected. So in other words when it asks if you want
Server files, Desktop files, etc... unselect all the options so that it installs only the minimal

packages.
Next for my purpose of I decided to give my system 4Gb's of Swap space and formatted the
system using ext 2 file system.
The reason I decided on ext 2 was for the speed of the reading and writing.
Once my system has rebooted and I have my new command line server I get to work.
First I edit the sources from etch to testing distribution because I want the newest packages.
#nano /etc/apt/sources.list
Change everywhere it says etch to testing...
#apt-get update
#apt-get upgrade
#apt-get dist-upgrade
#apt-get upgrade
reboot
Double check to make sure your system is fully up to date and there are no newer versions out
there.
Install some required files onto the system for the packages I will be installing.
#apt-get install gcc g++ make flex gawk automake bison byacc \ libc6 libc6-dev build-essential
libtool autoconf mysql-common \ libmysqlclient15-dev libnet1 libnet1-dev libpcre3 libpcre3-dev
\ ssh
Now that we have the required packages for snort it's time to install a special version of
libpcap. This version of libpcap has mmap enabled. This means that instead of snort waiting
for libpcap to move or copy the packets into user land memory it enables snort to pull directly
from memory where the packets are first written. So lets go ahead and download it.
#wget http://public.lanl.gov/cpw/libpcap-0.9.8.20081022.tar.gz
#mv libpcap-0.9.8.20081022.tar.gz /usr/src
#cd /usr/src
#tar xvzf libpcap-0.9.8.20081022.tar.gz
#cd libpcap-0.9.8.20081022
#bash bootstrap answer with a lowercase y
I like to use c flags for optimization when I install libpcap and snort so feel free to ignore this if
you dont want to use my c flats
#CFLAGS=-O3 ./configure --enable-shared
make
make install
Copy the following files to the following directories
#cp ./libs/libpcap-0.9.8.so /lib/libpcap.so
#cp ./libs/libpcap-0.9.8.so /lib/libpcap-0.9.8.so
#cp pcap.h /usr/include
#cp pcap-bpf.h /usr/include
Now you will need to download and install snort I am using the latest stable version at this time
2.8.3.1....

#cd /usr/src
#wget http://www.snort.org/dl/snort-2.8.3.1.tar.gz
#tar -xvzf snort-2.8.3.1.tar.gz
#cd snort-2.8.3.1
#CFLAGS=-O3 ./configure --with-mysql --enable-dynamicplugin
#make
#make install
#mkdir /etc/snort
#mkdir /etc/snort/rules
#mkdir /var/log/snort
#addgroup snort
#useradd -g snort snort
#chown snort:snort /var/log/snort
#cp etc/*.conf* /etc/snort/
#cp etc/*.map /etc/snort/
I use oinkmaster for my rules because its easier when using the emerging threat rules as they
change sometimes daily and it updates your sids for you.
#apt-get install oinkmaster

Edit oinkmaster to the latest free ruleset and enter your oinkcode assuming your registered at
snort.org
add in the following url to get the emerging threat rules
http://www.emergingthreats.net/rules/emerging.rules.tar.gz
#oinkmaster -o /etc/snort/rules
In the future if you want to backup your rules you can always use the -b flag to specify a
directory to backup the old rule sets.
I create a simple little script for the purpose of starting snort and the key here is that.
========/etc/init.d/snort==========
#!/bin/bash
ifconfig eth0 up #change this to whatever sniffing interface you so desire to use
PCAP_MEMORY=650000 snort -c /etc/snort/snort.conf -D -i eth0 -M -u snort -g snort -P 65000
===================================
Explanation of the above:
Check to make sure the interface is up
Dedicate 650,000kb to snort and use that config in Daemon mode, sniff on interface eth0, Log
messages to /var/log/syslog to gather information back, use user snort and group snort, and
capture the first 65000 bytes.
Now I know I said I do full packet captures and I do sorta, I dont capture the tail because of a
bug in something I did earlier I can actually run that command with 65412 which isn't the
maximum size a packet can be but you will be hard pressed to find packets this large most of
the time.

#chmod +x /etc/init.d/snort
Modify your snort config to include your emerging threat rules and configure it to log to your
database on your ossim server.
=======================================
output database: log, mysql, user=root password=your password dbname=snort host=ossim
server ip sensor_name=I use local ip addresses here
output database: alert, mysql, user=root password=your password dbname=snort host=ossim
server ip sensor_name=I use local ip addresses here
=======================================
Now we need to make a change on the ossim server so that it will allow us to log to the
database.
First modify the mysql server to listen on an accessible ip address... Through the
/etc/mysql/my.cnf and just to make sure that it doesnt get changed I went ahead and modified
the file /etc/ossim/ossim_setup.conf
Then make sure you tell the database that the user is allowed to access things from that ip
address. I stuck with using the root account for this tutorial because I wanted to keep things
simple but you could always create other users that have limited access in mysql.
#mysql -u root -p
mysql> GRANT create,insert,select,update,delete on snort.* to root@$mysensor1IPaddress

identified by 'mypassword';
mysql>GRANT create,insert,select,update,delete on snort.* to root@$mysensor2IPaddress
identified by 'mypassword'; #make sure your password is the one from the ossim_setup.conf if
you use root
Modify the snort database so that it can be used by the latest version of snort...
mysql> use snort;

mysql> ALTER TABLES signature ADD sig_gid INT UNSIGNED;
mysql> INSERT INTO `schema` (vseq, ctime) VALUES ('107', now());
mysql> DELETE FROM `schema` WHERE vseq=106;
That should take care of it all. Now if you want to determine how many packets your dropping
based on all of this you can do the following.
You can enable all rules if you like through this oinkmaster command...
#oinkmaster -e -o /etc/snort/rules
Now all your rules are turned on which I dont recommend because there are some noisy ones.
Just try and keep things to what might happen on your network.
Then go ahead and start snort up in another screen without the -D

So use this command...

#apt-get install screen
#screen -S snort
#PCAP_MEMORY=650000 snort -c /etc/snort/snort.conf -i eth0 -M -u snort -g snort -P 65000
Hit Ctrl+a+d to minimize that screen and allow snort to run during a busy time on your network.
Go back into the screen snorts running on with...
#screen -x snort
Ctrl+c to kill the process and if you like restart it again this time you can use the -D if you want
it to run in the background without issues.
Ctrl+a+d again and now run this command
#cat /var/log/syslog |grep Dropped
This should show you how many packets if any snort dropped mine always says 0% 0
Enjoy!

Posted by javieralbarra on Wed, 10 Dec 2008 21:42:12 GMT
Problem Update
#ossim:/tmp/ossec-hids-1.6.1# ./install.sh
os_xml_writer.c:74: error: for each function it appears in.)

os_xml_writer.c:74: error: 'fp_in' undeclared (first use in this function)
os_xml_writer.c:75: error: 'fp_out' undeclared (first use in this function)
os_xml_writer.c:85: warning: implicit declaration of function 'fopen'
os_xml_writer.c:96: warning: implicit declaration of function 'fclose'
os_xml_writer.c:101: warning: implicit declaration of function '_WReadElem'
os_xml_writer.c:115: warning: implicit declaration of function 'fseek'
os_xml_writer.c:115: error: 'SEEK_END' undeclared (first use in this function)
os_xml_writer.c:116: warning: implicit declaration of function 'fprintf'
os_xml_writer.c:116: warning: incompatible implicit declaration of built-in function 'fprintf'
os_xml_writer.c: At top level:
os_xml_writer.c:153: error: expected ')' before '*' token
make[1]: *** [xml] Error 1
make[1]: Leaving directory `/tmp/ossec-hids-1.6.1/src/os_xml'
Error Making os_xml

make: *** [all] Error 1

Error 0x5.
Building error. Unable to finish the installation.
Subject: Re: SNORT - Fast Sensor Up to date

Posted by kristian_paul on Tue, 16 Dec 2008 21:23:42 GMT
are you sure sending events to snort database is the best way to improcve?
i remenber ossim earlies it used that method, and was replaced for the unfied format (kind of
formate binary info) with the intention of be able to send more data faster on high trafic network
(ej: 500 mbs)
in my point of view, put snort write to databse alone with acidabase is ok, but remeber that
ossim exists (if u think snort + spade + ossim system)
- also all that info is saved on mysql databases for future analisis
other point is:

if ur trying improve package capture there are experimental approaches out there like PF RING
and Streamline (FFPF), or just begin disabling device polling, in fact there is a big work to do
around that area (http://sc08.supercomputing.org/)

Posted by sapling on Tue, 23 Dec 2008 19:28:22 GMT
You bring up some very good things and I am here to address them.
First yes on heavier networks you should absolutely use Binary output aka unified in
conjunction with Barnyard sending the alerts to Mysql. Why?
Well if you want snort to move a quickly as possible and capture everything it takes less time
for it to keep everything in binary format. AKA Snort doesnt have to convert anything to user
readable formats.
But why barnyard? Well because taking the burden off of snort by using an additional program
to convert from unified format over to user readable and inserting into our database...
Cant OSSIM do this? Well ossim will send the unified format over to the OSSIM_Server
however when I attempted this I ran into a many issues. Also it put more burden on my already

heavily loaded OSSIM_server.
Second PF_RING: Well you have to first understand PF_RING and MMAP on a more indepth
basis before you go assuming one is better. The benefits of PF_RING are... It handles more
volume and its not as sloppy and it doesnt require the kernel as much which means kernel
related tasks are now free to continue...
MMAP - Allows us to get our packets directly out of RAM so we can analyze them immediately.
So when does it really have an advantage over PF_RING? When your dealing with larger
packets. In the article I am assuming you read Advanced Packet Capturing he touched the
surface of how PF_RING is generally only about .5% slower than MMAP when the packet is
1500bytes long and the bandwidth is full... Well how about when you have a larger packet
come across? Tried it? Yes I have... MMAP due to the fact I am giving it Direct Memory
allocation can handle it while PF_RING begins to lose focus. So its greatest benefit is for Lots
of Packets which are smaller. Making it perfect for NTOP, and other systems that only pull the
first 1000 bytes or so.
Any other benefits to MMAP? yes its easier to install and get working if your not running
RED-HAT...
What about PF_RING? Not only is it a kernel patch meaning there is no longer and interaction,
but from what I understand you shouldnt need to do anything extra to make it work. As long as
your libpcap version supports PF_RING then you dont have to worry about your applications
being allocated x memory.
In the articles I have been reading as well I dont like that they only use MMAP at its basic
stages... using PCAP_PACKETS=max is not the best solution if your trying to make sure
nothing gets dropped like in my case. I want EVERYTHING.
So I use PCAP_MEMORY= (meaning I tell it instead of allocating the based on maximum
packets Allocate me a chunk of memory which is the more ideal solution if your are capturing
larger packets)
How do I know if my packets are that large? If your NTOP is running it will tell you... On my
network its not as common but I do see packets above 1500 bytes because we dont restrict it
on the routers. I am not the network admin dont ask me...
So if your not seeing a lot of packets over 1500 yes PF_RING will be a great solution.
So they apparently have been improving the PF_RING work as I read but I can't say for sure if
it is the ultimate solution. What I can say is for most of us try both and try and turn on
everything. If all goes smoothly on a lower class machine on one way than the other then you
have your solution.
Now what I have also read is that adding in a few other patches such as the RTIRQ patch will
increase even further the amount you can capture with PF_RING. Again test it out... My tutorial
is just so you can understand how I am doing it and to improve your homegrown ossim
solution.

I do recommend though if you are concerned with the mysql solution adding in barnyard and
have it perform the MYSQL transfers as I do still believe you should get it into mysql as well.

Posted by DK on Fri, 09 Jan 2009 10:12:37 GMT
I'd like to join this interesting discussion :)
Personally I've had very good experiences using PF_RING, getting to a <1% package loss with
2 interfaces sniffing at around 900Mbps each.
As for the database output part, last time I checked into it snort was single-threaded; capture /
analysis and output sharing a single thread. That would mean it's not optimal for any type of
serious capture.
On the other hand, since you're talking about 3xT1 (4.5Mbps), you really don't have to check
onto PF_RING and such.
But as said, I disagree with direct database output and, if you having issues with the agent,
barnyard should be the way to go. Fixing the issues you've got with the agent would be even
better ;)

javieralbarra wrote on Wed, 10 December 2008 22:42Problem Update
#ossim:/tmp/ossec-hids-1.6.1# ./install.sh
os_xml_writer.c:74: error: for each function it appears in.)

os_xml_writer.c:74: error: 'fp_in' undeclared (first use in this function)
os_xml_writer.c:75: error: 'fp_out' undeclared (first use in this function)
os_xml_writer.c:85: warning: implicit declaration of function 'fopen'
os_xml_writer.c:96: warning: implicit declaration of function 'fclose'
os_xml_writer.c:101: warning: implicit declaration of function '_WReadElem'
os_xml_writer.c:115: warning: implicit declaration of function 'fseek'
os_xml_writer.c:115: error: 'SEEK_END' undeclared (first use in this function)

os_xml_writer.c:116: warning: implicit declaration of function 'fprintf'
os_xml_writer.c:116: warning: incompatible implicit declaration of built-in function 'fprintf'
os_xml_writer.c: At top level:
make[1]: *** [xml] Error 1
make[1]: Leaving directory `/tmp/ossec-hids-1.6.1/src/os_xml'
Error Making os_xml

Error 0x5.
This looks like either an OSSEC issue or a compilation environment issue to me. The installer
isn't meant to be a complete development environment :)

redbarron wrote on Mon, 01 December 2008 16:45So, if I upgrade my OSSEC via this guide,
what happens when 1.07 (presumably) comes out with 1.6 and I run ossim-update.pl on my
1.06 box. Do I need to be concerned with breakage?
Thanks!
DK wrote on Wed, 10 September 2008 15:03Cheers on the nice update guide, will be
releasing an update with OSSEC 1.6 pretty soon.
No, an ossec update shouldn't break that becasue either we include the new one (it would
overwrite yours) or don't touch it.

Posted by blucas on Sun, 08 Feb 2009 22:20:31 GMT

Hello all,
I'm newbie at linux and even more at OSSIM,

i try to do the upgrade to ossec, but i always get this msg.
ossim:/tmp/ossec-hids-1.6.1# ./install.sh
** Para instalaÃ§Ã£o em portuguÃªs, escolha [br].

** è¦ä½¿ç¨ä¸-æè¿¡å®è£
, è¯·éæ© [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** ÎÎ¹Î± ÎµÎ³ÎºÎ±Ï
Î¬ÏÏ
Î±ÏÎ· ÏÏ
Î± ÎÎ»Î»Î·Î½Î¹ÎºÎ¬, ÎµÏÎ¹Î»Î-Î¾Ï
Îµ [el].
** For installation in English, choose [en].
** Para instalar en EspaÃ±ol , eliga [es].
** Pour une installation en franÃ§ais, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** æ¥æ¬èªã§ã¤ã³ã¹ãã¼ã«ãã¾ãï¼é¸æãã¦ä¸ãã
ï¼[jp].
** Aby instalowaÄ w jÄzyku Polskim, wybierz [pl].
** ÐÐ»Ñ Ð¸Ð½ÑÑÑÑÐºÑÐ¸Ð¹ Ð¿Ð¾ ÑÑÑÐ°Ð½Ð¾Ð²ÐºÐµ Ð½Ð° ÑÑÑÑÐºÐ¾Ð¼
,Ð²Ð²ÐµÐ´Ð¸ÑÐµ [ru].
** Za instalaciju na srpskom, izaberi [sr].
** TÃ¼rkÃ§e kurulum iÃ§in seÃ§in [tr].
(en/br/cn/de/el/es/fr/it/jp/pl/ru/sr/tr) [en]:
Error 0x3.
You need a compiler (like gcc or cc) to continue with the
with the installation.
ossim:/tmp/ossec-hids-1.6.1#
I even tried with ver. 1.6, and i got the same error.
Does anyone know why this happen?
Thanks for the great work.
Regards
Blucas

Posted by gsporter on Mon, 09 Feb 2009 01:11:39 GMT
I assume you are working with a install from the installer?
It should have gcc included. Try running this to check and
see if gcc is installed
# dpkg -l | grep gcc
You should get an output similar to this:
ii gcc-4.1-base 4.1.1-21 The GNU Compiler Collection (base

package)
ii libgcc1 4.1.1-21 GCC support library
Since OSSIM is an appliance rather than a development environment it does not have all the
development tools installed.
Try running this:

apt-get install build-essential
then retrying the install script.
GP

Posted by hidoa on Fri, 13 Feb 2009 21:56:32 GMT
I have OSSIM 1.06.
I see the OSSEC version is 1.4.
I tried running the update.
I am in /ossec/tmp.
I have it extracted to folder.
I run ./install.sh.
I tell it 'en', then tell it to upgrade, it fails with this error.
Error making os_xml

Error 0x5

Takes me back to prompt....
Any ideas?

Posted by hidoa on Fri, 13 Feb 2009 22:03:09 GMT
I followed the instructions and I get the error below when I try to browse to the site....
My step 5 was
not
ossec:x:1002:www-data.
Not sure if that matters or not...
Warning: opendir(/var/ossec) [function.opendir]: failed to open dir: Permission denied in

/var/www/ossec-wui/lib/os_lib_handle.php on line 94
Unable to access ossec directory.
Subject: Ethernet capture

Posted by gsporter on Sun, 15 Feb 2009 00:52:02 GMT
In talking with my students I realized there is a need to discuss the need for a method of
capturing Ethernet traffic. As the industry moves away from shared media (hubs) it becomes
more complicated than simply putting your nic in promiscuous mode. The principle methods in
use are Taps / Span-Mirroring / Hubs / Inline Machine
There is a well written basic discussion on Wireshark site discussing the various methods of
capturing Ethernet along with the pros and cons of each method.
http://wiki.wireshark.org/CaptureSetup/Ethernet
If you login to the Snort site there are a number of articles under IDS Deployment
Guides” on the requirements for different types of taps
http://www.snort.org/docs/
These even include a guide for building your own “passive tap”. This can be
important for proto-types, labs etc since commercial taps start at @ $300 and go up.
A follow up article on building a passive tap which also covers how to set up nic

bonding/trunking which is necessary if you want to hear full duplex traffic
http://altsec.info/passive-network-tap.html
I am including a couple of additional referances on nic bonding also
(Note: since OSSIM is based on Debian I have stuck to that distro.)
http://www.howtoforge.com/nic_bonding
http://packages.debian.org/stable/net/ifenslave
I hope forums readers will post their solutions and ideas here!

Posted by gsporter on Sun, 15 Feb 2009 01:23:00 GMT
To be honest I can't seem to lay my hands on my orginal documentation. I checked the
original OSSEC wiki documentation here:
I checked
grep ossec /etc/groups

grep ossec /etc/passwd
I received the same group (113) you did.
I believe the problem is to be sure the ossec user has permissions to the web directory which
is accomplished by
making it a part of the apache (www-data) group.
I had updated ossec (1.4 to 1.6)on the ossim server using the tutorial on the forums which may
account for the differance in the group.
https://www.ossim.net/forum/index.php?t=msg&th=290&s
tart=0&S=449d8eaaa2181cd6b7a6db10b81a833f
When I get a few minutes I will do the upgrade/web install and see if I can reproduce the issue.

GP

Posted by wintech on Mon, 23 Feb 2009 08:24:40 GMT
Hi,
While i try to enable OSSEC WUI i get the following error. Please do help me.
I have installed in Centos 5.2 with Apache 2.x.x Version
./setup.sh
which: no htpasswd in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/l
ocal/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
which: no htpasswd2 in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/l
ocal/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
Setting up ossec ui...
Username:
Username: root
** ERROR: Could not find htpasswd. No password set. :(
Regards
Wintech

Posted by DK on Mon, 23 Feb 2009 17:41:36 GMT
OSSEC is searching htpasswd in your path, try a "find / -name htpasswd" or "find / -name
htpasswd2", then add that path to your $PATH or link it to some of the paths searched by the
wui installer.

Posted by wintech on Tue, 24 Feb 2009 11:37:41 GMT
Hi,

Thanks for the reply.. I have rectified the issue. Should i add the Ossec-WUI in Apache Virtual
Host directory... When i try to access the site i get "You don't have permission to access
/ossec-wui/index.php on this server.".
Kindly help on this issue.
Regards
Wintech

Posted by DK on Tue, 24 Feb 2009 11:43:08 GMT
You should check your apache logs, I don't know where they are located on CentOS. Maybe
it's indeed a permission problem, a symlink problem or it's just trying to reach the wrong site.
Subject: Basic OSSIM 1.0.6 Sensor set up

Posted by paul_psmith on Wed, 25 Feb 2009 20:03:32 GMT
Created this document to build a basic OSSIM sensor on 1.0.6 installer.
Shows how to basic configurations to make the sensor just do that and send info to a main
server.
Assumes main server is DB, Server, webgui, main policy host.
Please post changes, ideas, corrections, etc.
PS
File Attachments
1) Build OSSIM 1.0.6 sensor.doc, downloaded 650 times

Posted by binaryman on Wed, 25 Feb 2009 20:44:39 GMT
Hi,

Thanks for this. I was able to perform these steps with a few minor adjustments:
1. I first had to do an "apt-get update" before I could do "aptitude install oinkmaster"
2. You said "Get the oinkcode" which confused me, but I figured out you need to perform the
following steps:
- Create an account at https://www.snort.org

- Once you login, you will see a section "Oinkmaster Download Codes" click the "Get Code"
button at the very bottom
- Follow the instructions in "Configuration Changes:" section
3. You need to make sure you include (/etc) before autodisable.conf if you are not in the /etc
directory when running the command: /usr/share/oinkmaster/makesidex.pl /etc/snort/rules/
>/etc/autodisable.conf
Subject: Re: Basic OSSIM 1.0.6 Sensor set up

Thanks Paul, good job.
Some comments:
1. According to DK in this post, this is not necessary:
Modify the /etc/ossim/ossim_setup.conf file and change two profile= lines to sensor. No other
changes needed.
a. profile=sensor
2. For step #7, you put "I can’t remember if I hit “Insert New Sensor” or I
clicked the modify button. Will need to fix this." I can confirm you do not need to "Insert New
Sensor" it shows up automatically.
3. Can you add the oinkmaster thread (or a link to it).
It would be great if we can update this thread on how to configure the sensor for each agent
(ie. Nessus, Ntop, OSSEC, etc.), or at least include a link if it is somewhere else in the forum.
Subject: Re: OSSIM@VMWARE


Thanks, I needed this.

Posted by paul_psmith on Wed, 25 Feb 2009 22:32:05 GMT
Thanks b-man.
Ah. i see what you mean on the ossim_setup.conf. i think you might want to change it anyway
for forward compatibility with the upcoming upgrade? DK could possible answer that. Seems to
me after i did that things changed, but maybe that was on the server. i know when i changed it
there, the agent stuff went away.
I also think this file gets used on boot to tell ossim what this system is used for. So you might
be able to remove or add agents there in the sensor area.
on step 7, what i meant to say was that the sensor showed up without me doing anything, but
had a state of Active=no. i don;t remember what i did to change it to active=yes. if you
remember let me know.
Thanks!!

Posted by wintech on Thu, 26 Feb 2009 08:38:02 GMT
Hi,
I have some other sites accessing same location... All sites works perfect and when i try
ossec-wui i can able access the site and i get password prompt and after that i get "You don't
have permission to access /ossec-wui/index.php on this server.".
Please help in this to resolve the issue once for all

Posted by gsporter on Thu, 26 Feb 2009 13:31:25 GMT

I don't have the ossec-wui installed anywhere right now to check but let me see if I understand
the problem.
When you access the ossec-wui from another box you get the password prompt and
permission error? If that is what is happening is you didn't assign the apache user permissions
to the folder. If it is a ossim installer box the apache user is www-data.
Please let me know if I am not following the problem correctly.
GP

Posted by hidoa on Thu, 26 Feb 2009 15:29:54 GMT
gsporter wrote on Sat, 14 February 2009 18:23To be honest I can't seem to lay my hands on
my orginal documentation. I checked the original OSSEC wiki documentation here:
I checked
grep ossec /etc/groups

grep ossec /etc/passwd
I received the same group (113) you did.
I believe the problem is to be sure the ossec user has permissions to the web directory which
is accomplished by
making it a part of the apache (www-data) group.
I had updated ossec (1.4 to 1.6)on the ossim server using the tutorial on the forums which may
account for the differance in the group.
https://www.ossim.net/forum/index.php?t=msg&th=290&s
tart=0&S=449d8eaaa2181cd6b7a6db10b81a833f
When I get a few minutes I will do the upgrade/web install and see if I can reproduce the issue.
GP
GP,
I do have the ossec user in the www-data group.

This line in etc/group - ossec:x:113:www-data.
My exact error is--------------

----------------------------
I did a ls -l in /var/www, here are the results.

drwxr-xr-x 8 ossec 1000 4096 2009-02-13 15:10 ossec-wui
I also did a ls -l in /var/www/ossec-wui, here are the results.

-rwxr-xr-x 1 ossec 1000 278 2008-02-27 18:38 CONTRIB
drwxr-xr-x 3 ossec 1000 4096 2008-03-04 12:24 css
-rw-r--r-- 1 ossec 1000 218 2008-02-29 13:21 htaccess_def.txt
drwxr-xr-x 2 ossec 1000 4096 2008-03-04 12:24 img
-rwxr-xr-x 1 ossec 1000 5225 2008-02-27 18:38 index.php
drwxr-xr-x 2 ossec 1000 4096 2008-03-04 12:24 js
drwxr-xr-x 3 ossec 1000 4096 2009-02-13 15:10 lib
-rw-r--r-- 1 ossec 1000 35745 2008-03-03 08:27 LICENSE
-rw-r--r-- 1 ossec 1000 462 2007-03-19 21:36 ossec_conf.php
-rw-r--r-- 1 ossec 1000 1157 2008-02-27 18:38 README
-rw-r--r-- 1 ossec 1000 923 2008-02-27 18:38 README.search
-rwxr-xr-x 1 ossec 1000 1824 2008-02-29 13:21 setup.sh
drwxr-xr-x 2 ossec 1000 4096 2009-02-13 15:10 site
drwxrwx--- 2 root www-data 4096 2009-02-13 15:10 tmp
-------------------------------------------
I did a vi /etc/group and couldn't find the 1000 group anywhere...not sure who/what that is.
Thanks

Posted by wintech on Fri, 27 Feb 2009 10:38:55 GMT
Hi,
You are correct... As per the Wiki docs i have installed and configured, But still i get the error

Regards
Wintech

Posted by binaryman on Fri, 27 Feb 2009 16:09:06 GMT
Yeah, it would be good if DK can confirm if this is needed or not.
I do not recall the exact step I did to make the sensor active in console, but I remember it was
a single click such as "activate"

Posted by DK on Fri, 27 Feb 2009 17:40:02 GMT
Hey, both of you are right but the best idea is to set it to sensor. Indeed I intend to release the
next version with the multi-profile reconfig script.
Aaah, and cheers on the doc. I'm afraid I didn't have the time to check it out yet, am very busy
with the release right now :)

Posted by gsporter on Sat, 28 Feb 2009 05:28:57 GMT
I just got the OSSIM OSSEC server output into a standalone Splunk server working. I think
this is a better way to analysis the OSSEC output than to OSSEC-WUI since you can do more
granular searchs plus the ablity to do "pretty" graphs.
I will be putting together a tutorial soon.
GP
Subject: OSSIM Password listing

Posted by DK on Sat, 28 Feb 2009 09:33:33 GMT

I want to summarize the default passwords used inside ossim, where they are located and how
to change them. This is work in progress as new stuff with passwords is being added and
behaviour may change. It will always refer to the latest AlienVault installer version, which right
now is:
- 1.2beta1 (public testing release)
Basic behaviour is that the installer creates a random password that gets stored into
/etc/ossim/ossim_setup.conf.
An automated way to extract it would be:
grep pass /etc/ossim/ossim_setup.conf | cut -f 2 -d "="
This password is used for:

- ntop(it's inside a db file under /var/lib/ntop/)
- mysql database password (mysql.users table)
- ossim (/etc/ossim/framework/ossim.conf)
- snort database access (somewhere in the table ossim.config)
- phpgacl database access (somewhere in the table ossim.config)
- osvdb database access (somewhere in the table ossim.config)
- nessus (for the user ossim /var/lib/nessus/users/ossim/auth/hash)
- ossim server, various entries (/etc/ossim/server/config.xml)
- SEM crypto signing key (same server config.xml, only applies to the pro version)
- Jasperserver mysql access (/var/tomcat/conf/Catalina/localhost/jasperserver.xml)
- Forensics console, former BASE (/usr/share/ossim/www/forensics/base.conf and
/etc/acidbase/database.php)
Then there's the OSSIM interface user/password combination "admin/admin" by default. This is
stored as an md5 hash with a user-configured salt under ossim.users. Other users are stored
in here too.
OCS uses a default admin/admin too (we need to code single sign on for this). This password
is stored inside the ocs_inventory DB (verify DB/table).
The jasperserver console defaults to jasperadmin/jasperadmin. Ditto with single sign on. This
is configured in the jasperadmin DB.
Tomcat management access defaults to admin/admin, configured under /var/tomcat/conf/(self

note: ENTER FILE). Ditto.
Note: it's on top of our todo list to unify password management for all the admin/jasper stuff.
If you're missing any place or see something incorrect please post below and I'll edit this post :)

Posted by wintech on Mon, 02 Mar 2009 06:52:05 GMT
HI GP,
Thanks for the reply.... Please let me know once the document is uploaded...
Regards
Wintech

Posted by kingwah on Tue, 03 Mar 2009 07:58:14 GMT
I found a way to update the graphs in Executive Panel while running HTTPS.
Steps are:
1. Go to "Executive Panel" page
2. Click [Edit] at the top right hand corner
3. Click [config] next to the graph which cannot be shown
4. In “Sub-category”, change the image src from http to https, then click
“Accept config”.

Posted by binaryman on Tue, 03 Mar 2009 17:02:34 GMT
Thank you for the clarification DK

Posted by wintech on Thu, 05 Mar 2009 11:56:24 GMT
HI,
Please let us know once you uploaded the document...
Thanks
-Wintech

Subject: Re: OSSIM Password listing
Posted by mime on Thu, 05 Mar 2009 19:15:05 GMT
Thanks a lot DK

Posted by ecuison on Wed, 11 Mar 2009 16:51:49 GMT
I have this setup on CentOS 5.2. The user is apache if anyone comes across any problems as
I found this out the hard way.

Posted by wintech on Thu, 12 Mar 2009 09:57:10 GMT
Hi,
Not only for you.. Everyone faces the same issue :blush: ....
Regards
Wintech 8o

Posted by gsporter on Thu, 12 Mar 2009 12:42:46 GMT
Correct the apache user may vary by distro. See step 5 of the OSSEC documentation I
referanced in my orginal post:
I was assuming everyone would be using the installer therefore Debian.
I like the splunk method alot better (see post else where) and it has pretty graphs! Great for
management.
GP
For Splunk:

Down and dirt OSSIM OSSEC >> Splunk [message #2543 is a reply to message #2285 ]
https://www.ossim.net/forum/index.php?t=msg&goto=2543&am
p;S=d30366386f5cd9ca818860c7bac52009#msg_2543

Posted by attrib75 on Thu, 12 Mar 2009 18:27:07 GMT
I tried this method and the result after checking ifconfig is:
ip: unknown host

failed to bring up eth1
I installed this as a virtual machine with two host attached nics.

Posted by paul_psmith on Thu, 12 Mar 2009 18:43:40 GMT
Are your IF's named eth ?
Also there is a typo in the doc. This has been noted before.
For my sensor IF I used:
#The sensor interface eth1

iface eth1 inet manual
up ifconfig $IFACE up
up ifconfig $IFACE promisc
up ifconfig $IFACE -arp
down ifconfig $IFACE down
And it works fine.


If you are using the new 1.2 installer try using ossim-setup from the cli for netwwork
configuration. Makes it network configuration menu driven.
GP

Posted by attrib75 on Sat, 14 Mar 2009 17:33:08 GMT
Ok, after configuring it the way described in the above turorial, the web interface went down.
So I tried it a lot of ways, and it seemed to work when I configured it like this:
auto lo eth0 eth1

iface lo inet loopback
iface eth0 inet static

address ...
netmask ...
network ...
broadcast ...
gateway ...

up ifconfig $iface up
up ifconfig $iface promisc
up ifconfig $iface -arp
down ifconfig $iface down
as in I could get to the web interface again, but I got an error when running the network restart
command:
UP: error fetching interface infomrmation: device not found

Failed to bring up eth1
So when I configured the eth1 info in the same format as eth0, I didnt get any errors but I still
couldnt see any non broadcast traffic in the web interface. (eth1 is on a mirrored switch port)

Posted by gsporter on Sat, 14 Mar 2009 18:10:12 GMT
From you post it is hard to determine the cause. I would narrow it down. First your nic itself:
Can you post the output of:
ifconfig -a # this should show all the nics the OS sees
and
lspci |grep Ethernet # Information about your nic hardware
Another tool you can use to get info is
ethtool <device> # ie. eth0 or eth1
Referances:
Low level nic/ip
http://www.debian.org/doc/manuals/reference/ch-gateway.en.ht ml

Posted by attrib75 on Mon, 16 Mar 2009 12:50:21 GMT
Sorry I'm a Windows guy, new at this shell. I don't know how to prevent the info from scrolling
past the window. Is there an equivalent to /p?

Posted by umarzuki on Mon, 16 Mar 2009 13:19:47 GMT
if you want to 'stop/freeze' say, certain info from a command like ifconfig to flow just pipe it to
lessifconfig | less
or you could scroll up by holding shift and pressing page up.

Posted by attrib75 on Mon, 16 Mar 2009 15:32:50 GMT
Ok, the ifconfig -a shows
eth0 Link encap:Ethernet HWaddr ....

inet addr:....
eth1 Link encap:Ethernet HWaddr ....

inet addr ......
so it sees the interface when I configure the interface file as I mentioned. When I configure it
like

I get an error
thanks for all your help so far!

Posted by gsporter on Mon, 16 Mar 2009 19:20:49 GMT
attrib75
What I was trying to find out is if OSSIM was seeing your nic's and if so correctly.
For example I am running a number of systems on Intel D945GCLF/D945GCLF2 with older

debian
kernels. They have Realtek 8168/8111 nics which are incorrectly detected as 8169's.
The 8169 driver loads and may even run for awhile then stops. You have to download the
correct driver and build it.

I understand about the learning curve for linux when coming from windows.
I would sugguest installing putty and winscp on a windows box if you have one available.
Then it is very easy to run cli commands in putty (you can even cut and paste from these
forums) or edit files in a windows type environment with winscp.
lspci | grep Ethernet
or
lshw -C network
Will show what nics are physically in your machine. That way we can tell more what is
going on
By the way which installer are you running? OSSIM 1.0.X is running an older kernel
and does not have as much hardware support.
P.S.
For output that runs off the page you can either
lsmod | less # q to quit
or
lsmod | more # similar to the windows more pipe
GP

Posted by attrib75 on Tue, 17 Mar 2009 12:58:54 GMT
lspci|grep ethernet returns a blank line.
lspci by itself returns a list that contains two ethernet controllers.
I am running ossim 1.0.6 in Sun virtual box on a Dell Poweredge 2950 that has 4 ethernet
ports, (gigabit), and two Intel(R) Xeon(R) CPU E5405 @ 2.00GHz processors. I dont have the
hardware available to run this on a dedicated machine. I tried installing ossim 1.2 and it

returned an error that I had the wrong processor type. It said it was looking for x86 and found
I86. I suspect this is because the server has two processors.
lshow returned command not found.
ethtool returned command not found.
I posted the ifconfig -a already. I really like Ossim and would love to get it to work. Thanks
again for the help everyone.

Posted by paul_psmith on Fri, 20 Mar 2009 20:22:53 GMT
Try getting a copy of putty that you can install on your PC assuming you are using Windows.
Then you can SSH to the OSSIM box and cut and paste things from the comfort of your desk.
Note: highlighting text in putty is like copy.
you wrote:
'>lspci by itself returns a list that contains two ethernet controllers.'
Dell uses Intel NICs on the motherboard and it looks like those two are showing up since you
say you see two NICs.
Your two other NICs in PCI slots are not being recognized is my guess.
This is all based upon your comments.
Do you know what model the other two NICs are? If they are Intel do something like this
dmesg | grep -i eth
Also, when you define NICs in /etc/network/interfaces you will need to add settings for each
adapter, but change the iface name on the first line of each section and put them all in the auto
line at the top.
auto lo eth0 eth1 eth2 eth3




Posted by anton on Fri, 20 Mar 2009 23:01:15 GMT
attrib75 wrote on Tue, 17 March 2009 08:58lspci|grep ethernet returns a blank line.
lspci by itself returns a list that contains two ethernet controllers.
Most everything in Linux/Unix type systems is case sensitive, that's why "lspci | grep ethernet"
didn't work (non-capitalized Ethernet), but "lspci" by itself did..
Quote:I am running ossim 1.0.6 in Sun virtual box on a Dell Poweredge 2950 that has 4
ethernet ports, (gigabit), and two Intel(R) Xeon(R) CPU E5405 @ 2.00GHz processors. I dont
have the hardware available to run this on a dedicated machine. I tried installing ossim 1.2 and
it returned an error that I had the wrong processor type. It said it was looking for x86 and
found I86. I suspect this is because the server has two processors.
I think I know why this happened: OSSIM 1.0.6 is 32bit, while 1.2 is 64bit. I suspect the "Sun
virtual box" (I'm not familiar with it) will not run 64bit OS's? Is the host OS 64bit? The Xeon
E5405 most certainly is 64bit.
If you're having trouble because it's 1.2 is 64bit, OSSIM 1.1 should be available sometime
reasonably soon I think, and it should pretty much be a 32bit version of 1.2, so that may be
good.
Quote:lshow returned command not found.

ethtool returned command not found.
The command is "lshw", not "lshow"... It stands for "list hardware" by the way (remember
everything is case sensitive also).
You can install these tools as follows:

apt-get install ethtool lshw
Tip: you can use tab completion - for example, type "lsh", then hit the 'tab' key (after lshw is
installed). It saves on typing (and typos...). 8)
Anton
Subject: Re: Installing Webmin

Posted by gutzba on Tue, 24 Mar 2009 18:04:49 GMT
Thnks
Excellent How To Install WebMin

Posted by attrib75 on Wed, 25 Mar 2009 15:31:49 GMT
Awesome answer! I think I figured out what the problem was. I think I was typing $Iface
instead of $IFACE. Anyway it shows the nic in promiscuous mode. I look forward to Ossim
1.1. I'm not sure if you can run 64 bit OS in virtual box. Now its just a matter of tackling the
rest of the configuration for Ossim. You would think I could see all of the destination
addresses for remote traffic in Nmap, since the promiscuous port is attached to a switch port
where traffic for the whole network is mirrored. But so far I only see local broadcast and
unicast traffic. How disappointing! I'm still only seeing what I would see on a non mirrored
switch port.
Subject: Tuning OSSIM for Your Environment

For those of you who have kept up with the 1.2beta’s you know there are
LOT’s of alerts and incidents.
The trick is which ones are important and translating it into some thing usable.

I am trying to work out a process to start cutting down the “white noise” or false
positives generated by my network. I am running a heterogeneous network with several
distro’s of linux, Windows (AD domain), a number of vmware guest and the
miscellaneous other OS.
My test network is behind both a hardware and software firewall that are configured fairly
strictly and all host run current AV. Therefore so I started under the idea most of the
alerts/incidents I was seeing were generated by my network.
Note: For the purpose of base lining my network I have not set the two firewalls to log to
OSSIM. That will be the next step.
The trick as I see it is identifying “normal” traffic from your network, and the
traffic generated by OSSIM (plus sensors etc) in order to implement a way to filter out normal
traffic.
First I have to establish a baseline and “normalize” my data. Then I can look at
ways to configure OSSIM correctly
The areas I see for identifying reported traffic include:
I.The “Forensics Console”
If I select “Unique Alerts” (by the way click on the little graph box to the left for
a time trend of that specific alert)
My system is current showing 621 total unique alerts. The vast majority of the volume of
alerts is generated by 5 signatures’:
portscan: Open Port unclassified 261798(47%)

Spade: Closed dest port used unclassified 185224(33%)
Spade: Source used odd dest port unclassified 145818(26%)
MISC UPnP malformed advertisement unclassified 127904(23%)
WEB-MISC Invalid HTTP Version String" unclassified 50706(9%)
Note: the percentages do not seem to total up to 100% at this time
The first three are generated by OSSIM itself. In fact OSSIM is listed reports a the
“attacker” 97% of the time. The UPnP is being generated by Vista and I can
disable it.
II. Incidents
I am hoping that by “tagging” incidents that are benign in my network as

OSSIM_INTERNAL_FALSE_POSITIVE or things I need to harden/disable etc
OSSIM_INTERNAL_PENDING I will be able to use the jasper server and iReports to generate
a more detailed implementation plan.

III Reports
Host Report
Alarm Report
Security Report
Incident Report
From those reports I found some of the other things to look into :
Identify IP addresses you do not recognize ( both source /attacker and destination /target).
Note: I put a referance of special use IP ranges used for things like routing protocols at the end
of this document
202.47.28.150#still unknown not registered
239.255.255.250#special use broad cast UPnP Vista
192.0.2.42 673#unknown
207.46.197.32 633#unknown
202.47.28.150 #unknown
213.30.161.23 241#mondo.hpintelco.net mondo project ok
68.1.17.1# my ISP
208.67.222.222 # OpenDNS server
208.67.220.220 # OpenDNS server
212.211.132.32 # villa.debian.org
35.9.37.225 # ike.egr.msu.edu debian repository
195.20.242.89 # wieck.debian.org debian repository
64.50.238.52 534#ftp-atl.osuosl.org debian repository

Note: I had already identified some of the IP’s as my DNS servers or debian
repositories and added them as host and created a policy to drop them. I use nslookup, whois
and a browser to try and identify the rest. The IP’s that show up on your box maybe
different. Check them out and be sure they are suppose to be showing up.
P.S. Any help identifying the unknowns would be appreciated
Identify ports you do not recognize ( both source/ destination ). And the service that use them (
and if you are suppose to be running them!!)
From the alarms report I had listed the following ports :

__________________________________________________________
59313 unknown
32768-61000tcpip-local-port-rangelocal-client-port-linuxlocal clients ports for outgoing traffic

on LinuxKurt SeifriedThis port range can be configured on Linux by using the "sysctl"
command and the "net.ipv4.ip_local_port_range" variable.
32768-61000udpip-local-port-rangelocal-client-port-linuxlocal clients ports for outgoing traffic

on LinuxKurt SeifriedThis port range can be configured on Linux by using the "sysctl"
command and the "net.ipv4.ip_local_port_range" variable.
Note: need to confirm
__________________________________________________________
25611 unknown #see above
__________________________________________________________
49804 unknown #see above
__________________________________________________________
47149 unknown#see above
__________________________________________________________
Now look at the events section:

__________________________________________________________
Top 15 Events Occurrences
MISC UPnP malformed advertisement 130208

portscan: Open Port 115145
"WEB-MISC Invalid HTTP Version String" 46777
"BLEEDING-EDGE POLICY Nagios HTTP Monitoring Connection" 43469
POLICY VNC server response 32335
"COMMUNITY WEB-MISC mod_jrun overflow attempt" 26873
ossec: Login session closed. 24631
ossec: Login session opened. 24382
DNS SPOOF query response with ttl: 1 min. and no authority 16132
portscan: TCP Portsweep 10667
p0f: OS Change 9101
directive_event: An important host (SRC_IP) has changed its OS 8933
portscan: TCP Portscan 8529
directive_event: TCP Portscan against DST_IP 7047
Spade: Closed dest port used 6047
Note: some of these values are skewed since I have deleted some events and put policies not
to store others.
__________________________________________________________
Top 15 Events by risk
directive_event: TCP Portscan against DST_IP 3

directive_event: Recurrent Snort event 2
directive_event: NMAP portscan against DST_IP 2
directive_event: Possible DST_PORT intrusion against DST_IP 2
directive_event: Possible portscan against DST_IP 1
directive_event: Possible Worm port 80. Origin: SRC_IP 1
directive_event: Possible Worm port DST_PORT/PROTOCOL 1
EXPLOIT ntpdx overflow attempt1
FTP command overflow attempt 1
SNMP AgentX/tcp request 1
directive_event: HTTP Tunnel through web proxy 1
WEB-CGI cgiforum.pl access 0
WEB-MISC changepw.exe access 0
"BLEEDING-EDGE POLICY Yahoo Chat Activity Inside Webmail" 0
WEB-CGI ezadmin.cgi access0
__________________________________________________________
Now that I have a “baseline” or an idea of “normal” traffic on my

network I can consider how to tune OSSIM
The incident report also give me a list of Vulnerabilities to work on
__________________________________________________________

Now what do I do?
DK mentions
“There are at least three ways of doing this:
a.Filtering at origin (disabling a snort rule, setting a tcpdump-style filter at p0f, etc...)
b.Policy
c.Agent Consolidation (undocumented)”
Ref: Re: Hyperthreading [message #1913 is a reply to message #1912 ]
I believe “directives” maybe another approach to this
I think that might be a good place to stop for now.
As always any comments, suggestions’ or ideas are appreciated.
P.S. I just noticed the team has added an installation guide for “rolling your
own” on lenny debian to the DOCs section. Cool! Plus I was reminded what a great
tool the “architecture diagrams” are towards understanding the logic behind
OSSIM (same page under Misc)
https://www.ossim.net/docs.php
GP
Special use IP ranges (case you are running routers,VOIP etc)

_________________________________________________________
Multicast IP Addresses
There are a number of addresses that are set aside for special purposes, such as the IP's used
in OSPF, Multicast, and experimental purposes that cannot be used on the Internet.
Class D
Start End
224.0.0.0 239.255.255.255
Special Use Addresses - Table from RFC 3330

Address Block CIDR Mask Used for Reference
0.0.0.0 /8 Used to communicate with "This" network RFC1700, p. 4
10.0.0.0 /8 Private-Use Networks RFC 1918
14.0.0.0 /8 Public-Data Network RFC1700, p.181
24.0.0.0 /8 Cable TV Networks --
39.0.0.0 /8 Previously Reserved
Available for Regional Allocation RFC1797
127.0.0.0 /8 Loopback address RFC1700, p. 5
128.0.0.0 /16 Previously Reserved
Available for Regional Allocation --

169.254.0.0 /16 Link Local (eg. Microsoft XP systems use Automatic Private IP Addressing
(APIPA) which selects addresses in this range.)
172.16.0.0 /12
191.255.0.0 /16
192.0.0.0 /16
192.88.99.0 /16
192.168.0.0 /16
Subject: Setting Up Logcheck on OSSIM

Posted by gsporter on Sun, 29 Mar 2009 18:12:01 GMT
I have been trying to keep up with the new 1.2 beta's. If you have not tried
them I really suggest you install beta4 even if it is in a vm. It has a lot
of great new features and if it is any indication OSSIM is moving to a whole new
level.
Any time I install a beta or new program I am VERY interested in what is going
on in the background. Traditionally sys admins have used log files for this purpose.
They allow you to locate bugs, errors, bottlenecks and even sometimes rogue processes
or program you do not want running. I have always hated trying to have to wade through
log files from the command line. So I chose to install logcheck to email my OSSIM log
files to me. That way I can go thru them on a workstation with a gui at my leisure.
"What is Logcheck?
Logcheck parses system logs and generates email reports based on anomalies. Anomalies
can be defined by users with 'violations' files. It differentiates between 'Active System Attacks'
, 'Security Violations', and 'Unusual Activity', and is smart enough to remember where in the
log
it stopped processing to improve efficiency. It can also warn when log files shrink, and does
not report errors when they are rotated." (1)
Since OSSIM is going to be our "Central Security Repository" it is important that we

stay on top of potential problems and intrusions. Therefore it is a good idea
to install both a HIDS (ossec) and move copies of the log files to another hopefully
secure location. One of the first steps any intruder is going to take is to
hide their tracks and one of the ways to do this is alter or delete log files.

#apt-get install logcheck
Main Configuration file for logcheck located at /etc/logcheck/logcheck.conf
nano /etc/logcheck/logcheck.conf
First thing to change
REPORTLEVEL="server" # if you set paranoid you will be buried!
# Should be set to an offsite "emailaddress@some.domain.tld"
SENDMAILTO="root"
I create an offsite email account similar to log@yourdomain.tld
Then I create the following filters/directories on the account
logcheck, optional - firewall, OSSIM (for my OSSIM notification)
Logcheck If From contains 'logcheck' move to logcheck;
firewall If From contains 'firewall' move to firewall;
I prefer my logs to be sent as an attachment. To do this you need to

install nail
apt-get install nail
Then change this in the logcheck.conf
# Send the results as attachment or not.

# 0=not as attachment; 1=as attachment
# Default is 0
MAILASATTACH=1
There is alot more that can be done such as installing logtail when added,
allows any number of log files on one or more machines on a network to be
transfered.
Logtail - Logs which transfer to new files are automatically followed, and an option
allows translation of numeric Internet addresses into the corresponding
hostnames where possible. Log items can be relayed to one or more other

hosts on the network, permitting a machine's local log files to be monitored there. (2)
References:
(1) http://www.debianhelp.co.uk/logcheck.htm
(2) http://www.fourmilab.ch/webtools/logtail/
GP
The future is here. It's just not widely distributed yet.

- William Gibson

Posted by dantasrotole on Fri, 03 Apr 2009 18:23:20 GMT
Dear DK,
What did you mean ?
nessus (for the user ossim (insert File Location)?
Insert which file and where?
Thanks!

Posted by DK on Fri, 03 Apr 2009 18:28:11 GMT
Sorry, expected to fill that in as soon as I got access to an installed ossim :)
Just updated a couple of missing lines, still have to find the admin/admin password for tomcat.
Subject: Use DVD Backup >Full Restore OSSIM 1.2

Posted by gsporter on Sun, 12 Apr 2009 02:25:07 GMT
I have wanted a full hopefully bare metal backup/restore for OSSIM and had trouble installing

mondo on OSSIM on lenny.
Found the correct deb files and here is the down and dirty install process. Hope it is helpfull to
some of you:
DISCLAIMER: I ran this on a system setup using the OSSIM 1.2beta5 installer. If you are
using any other distro or installer you may have issues.
Add mondo repositories to /etc/apt/sources.list
deb ftp://ftp.mondorescue.org/debian 5.0 contrib

deb-src ftp://ftp.mondorescue.org/debian 5.0 contrib
Download busybox and mindi
ftp://ftp.mondorescue.org/debian/5.0/mindi-busybox_1.7.3-1_a md64.deb
ftp://ftp.mondorescue.org/debian/5.0/mindi_2.0.5_amd64.deb
Install dependancies
apt-get install binutils bzip2 dosftools mkisofs syslinux parted mtools
Install busybox and mindi
dpkg -i mindi-busybox_1.7.3-1_amd64.deb
dpkg -i mindi_2.0.5_amd64.deb
Test mindi
# mindi
Install additional dependancies for mondo
apt-get install afio buffer

dpkg -i mondo_2.2.8_amd64.deb
Install cd/dvd burning tools
apt-get install cdrecord dvd+rw-tools dvdrtools
Run mondo
mondoarchiver
I have not covered every step but there is alot of mondo documentation out there.

Posted by idealids on Mon, 13 Apr 2009 18:58:43 GMT
I tried to make ntop work by following the above instructions and as a result, i am now unable
to even login to my dashboard.
as soon as i login, i get the following errors:
Warning: session_start() [function.session-start]:

open(/var/lib/php4/sess_ef715ed3e933e7492b0fbb88c872c13d, O_RDWR) failed: Permission
denied (13) in /usr/share/ossim/include/classes/Session.inc on line 13
Warning: session_start() [function.session-start]: Cannot send session cookie - headers

already sent by (output started at /usr/share/ossim/include/classes/Session.inc:13) in
/usr/share/ossim/include/classes/Session.inc on line 13
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers

already sent (output started at /usr/share/ossim/include/classes/Session.inc:13) in
/usr/share/ossim/include/classes/Session.inc on line 13
Warning: Cannot modify header information - headers already sent by (output started at
/usr/share/ossim/include/classes/Session.inc:13) in /usr/share/ossim/www/session/login.php on
line 94
Warning: Unknown(): open(/var/lib/php4/sess_ef715ed3e933e7492b0fbb88c872c13d,

O_RDWR) failed: Permission denied (13) in Unknown on line 0
Warning: Unknown(): Failed to write session data (files). Please verify that the current setting
of session.save_path is correct (/var/lib/php4) in Unknown on line 0
Can anyone offer some assitance.

thx

Posted by DK on Tue, 14 Apr 2009 07:24:05 GMT
Looks like you somehow got php4 into your running apache. Look at this line:
Warning: Unknown(): Failed to write session data (files). Please verify that the current setting
of session.save_path is correct (/var/lib/php4) in Unknown on line 0

(chown www-data /var/lib/php4 or chmod 1777 /var/lib/php4 should fix that for you)

Posted by idealids on Wed, 15 Apr 2009 20:21:23 GMT
Thanks DK,
that worked!

Posted by crimondi on Fri, 01 May 2009 17:29:21 GMT
Have you had a chance to reconfigure that php script to update the IPs? I would like to see
what you did. Thanks.

Posted by deaqo on Wed, 06 May 2009 15:49:38 GMT
Hi, i'm a newbie and i found out that your documentation is good but i want to have an example
of correlate event interpretation, because in the whole forum i just can't find anything about the
correlation event DB or it's interpretation and for me personally i don't understand very well
about how to work with that. Sorry, but i recently install this product and i don't know about it.
Thank you!
Subject: Set second OSSIM server as sensor/agent only

Posted by umarzuki on Wed, 27 May 2009 12:51:08 GMT
This how to is on configuring a second ossim server as a sensor (agent only)
console = 192.168.1.10
sensor = 192.168.1.11
Install ossim as console (lets set its hostname as console)

Install ossim as sensor (same here, hostname = sensor)
Check on sensor ossim_setup.conf so it will act as sensor
Check sensor's interface(s) in /etc/network/interfaces so it's configuration is consistent with
/etc/ossim/ossim_setup.conf, one as default, other set in promiscuous mode if it have more
than 1 interface
Configure snortdpkg-reconfigure snort
Configure ntopdpkg-reconfigure ntop
Stop mysql and remove it from starting at boot timepgrep mysql | xargs kill -9
update-rc.d remove mysqld
Run ossim-reconfigossim-reconfig
Note:
I figured that on 1.0.6, without configuring snort and ntop correctly, ossim-reconfig would fail
and the sensor won't be listed on the console's sensor list.
Feel free to comment or add correction.
Subject: OSSIM + XMPP - mini howto

Posted by fyfy on Thu, 11 Jun 2009 04:17:21 GMT
Heya!
I don't know if there's much interest in building XMPP/Jabber stuff on the top of OSSIM on
order to simply monitoring process and facilitate the collaboration between OSSIM node
operators. Anyway, if you think it is a fun project to play around, let me know, I'll post up on
writing ossim-xmpp agents and plugins later. This howto hopefully should get you started.
== OSSIM + OpenFire MiniHOWTO ==
By integrating ossim with openfire we get to have a collaboration framework where you could
have groups of operators use Jabber messaging client as primary means of communication
and collaboration. Of course you can do even more than that. XMPP is an extendable protocol.
You can build security monitoring services on the top of it, so you could use your messaging
client (with extensions) as primary security monitoring interface.
The monitoring part can be easily done with XMPP based agents, which could talk to OSSIM
database or other components directly, and maybe we could talk about it later some time. The
cool thing about using agents, that it runs over standard XMPP protocol so you could
technically even use your gmail.com client, or mobile phone jabber client to collaborate with
your ossim system. However, when you run into huge number of users, scallability might
become an issue...
There's also another really neat way of adding things up by extending OpenFire server with

custom plugins, then you won't really need agents anymore. But you'll need customized Jabber
clients. You can read more about this appraoch here: http://java.sys-con.com/node/232087
anyway, we'll start with the basics. Right now we simply want OSSIM users to be able to login
into our XMPP server using ossim framework authentication credentials.
I used ossim installer here to install the base system. Once you get that stuff done, you'll need
to install Java's JRE on your box.
Ossim installer is based on debian, so you'll have to install sun-java6-jre package on it.
echo " deb http://www.backports.org/debian/ etch-backports main non-free" >>

/etc/apt/sources.list
apt-get get update
apt-get install sun-java6-jre
if this went smooth, go to http://www.igniterealtime.org/downloads/index.jsp and download .deb

package. Once you've got it, install it:
dpkg -i openfire_3.6.4_all.deb
you can try to run openfire server at this point:

/etc/init.d/openfire start
now you should have openfire running on your box with admin console on ports 9090 and
9091(ssl'ed).
One thing you will need to do now is to configure the mysql database for openfire to use.
echo "create database openfire" | mysql -p

cat /usr/share/openfire/resources/database/openfire_mysql.sql | mysql -p openfire
(you'll need to peek at root password for mysql, which can be found in
/etc/ossim/ossim_setup.conf)
Once you're done w/ this stuff, launch your browser to ossim:9090 and complete the setup.
Select external database, and choose mysql database for it. Then correct the url for the mysql
database thing. You can skip the setup user part at the end.
Once you're done with this stuff, you'll need to save this into a file, i.e. custom.sql and make
some changes.
At the very least you'll want to change the connection string and set the user id and password
to those you use to connect to your ossim database. You may also want to change
admin.authorizedJIDS to list users, who would be allowed to login into openfire admin console:

--/cut here/--
/* make modifications */
update ofProperty set propValue = 'org.jivesoftware.openfire.auth.JDBCAuthProvider' where

name = 'provider.auth.className';
update ofProperty set propValue = 'org.jivesoftware.openfire.user.JDBCUserProvider' where

name = 'provider.user.className';
/* connection */
insert into ofProperty (name, propValue) values ('jdbcProvider.driver', 'com.mysql.jdbc.Driver');
insert into ofProperty (name, propValue) values ('jdbcProvider.connectionString', '

jdbc:mysql://localhost:3306/ossim?user=root&password=you rpass');
/* authentication */
insert into ofProperty (name, propValue) values ('jdbcAuthProvider.passwordSQL', 'select pass

from users where login=?');
insert into ofProperty (name, propValue) values ('jdbcAuthProvider.passwordType', 'md5');
insert into ofProperty (name, propValue) values ('admin.authorizedJIDs', 'yourleetuser, admin');
/* user */
insert into ofProperty (name, propValue) values ('jdbcUserProvider.loadUserSQL', 'select

name, email from users where login=?');
insert into ofProperty (name, propValue) values ('jdbcUserProvider.userCountSQL', 'select

count(*) from users');
insert into ofProperty (name, propValue) values ('jdbcUserProvider.allUsersSQL', 'select login

from users');
insert into ofProperty (name, propValue) values ('jdbcUserProvider.searchSQL', 'select login

from users where');

insert into ofProperty (name, propValue) values ('jdbcUserProvider.usernameField', 'login');
insert into ofProperty (name, propValue) values ('jdbcUserProvider.nameField', 'name');
insert into ofProperty (name, propValue) values ('jdbcUserProvider.emailField', 'email');
--/cut here/--
once you're done with this stuff, save it and then do something like:
cat custom.sql | mysql -p openfire
then restart your openfire server and you're done ;)
For the agents and stuff, maybe I'll make another post :)
Sources:
http://www.igniterealtime.org/builds/openfire/docs/latest/do cumentation/database.html
http://www.igniterealtime.org/community/thread/38646

Posted by hayfa on Mon, 15 Jun 2009 09:03:52 GMT
hello
can't find /etc/nagios2

i'm sorry for your lost but it is not possible since i can find /etc/nagios2 in my ossim server
did you accidentally removed it?
you can view past command with history

history
you can also try to locate nagios2 folder (though i doubt it'll anywhere else)
updatedb
locate nagios2
best of luck. If all fails, reinstallation isn't that hard.

Posted by rul3z on Tue, 16 Jun 2009 07:51:17 GMT
Hello guys,
I did all the stuff here, but now the big problem is that Nagios and others are not seen through
the ossim, I couldn't manage to do
/home/ossim/dist/reconfig.pl
The perl script is not found on my system.
I have no report server now !!!
Any help shall be appreciated.

Posted by hayfa on Wed, 17 Jun 2009 15:21:15 GMT
hello i have a small problem
i configured a linux host like this tuto
but in the server it's shown never connected !!!!!!!!!!!!!!!!!!!

Posted by gsporter on Wed, 08 Jul 2009 03:34:58 GMT
Modification to allow for the upgrade of Snort to 2.8
Line 4
http://www.snort.org/pub-bin/oinkmaster.cgi/<your oink code

here>/snortrules-snapshot-2.8.tar.gz
Line 5
Change
/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ >autodisable.conf
to

/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ >/etc/autodisable.conf
GP

Posted by catchacold on Fri, 10 Jul 2009 11:59:01 GMT
Nevermind
Subject: Method to check and see what OSSEC is logging (without the web gui)
Posted by gsporter on Wed, 22 Jul 2009 23:47:41 GMT
In case you have not had a chance to check it out OSSEC v2.0 added a command-line
"reporting" tool. It is great for checking to see if agents, syslog etc is actually making it into
OSSEC|OSSIM without having to install the web gui on OSSIM.
Note: These commands are from the OSSEC tutorial but I have made a change in the path to
the ossec-reportd binary:
_________________________________________________________
Show all IP addresses/users that logged in during the day
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n “Logins

summary” -f group authentication_success
_________________________________________________________
Show all IP addresses/users that logged in during the day and related srcips locations for each
user
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n “Logins

summary” -f group authentication_success -r user srcip -r user location
_________________________________________________________
Show all multiple authentication failures (brute force attacks)
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n “Failures

summary” -f group authentication_failures

_________________________________________________________
Show a summary for the month (or day) <July 2009>
zcat /var/ossec/logs/alerts/2009/Jul/*.gz | /var/ossec/bin/ossec-reportd -n “Month

Summary”
Referance:
http://www.ossec.net/dcid/?p=153
GP
Subject: OSSIM 1.1 - Configuracion después de la Instalacion

Posted by willians on Tue, 11 Aug 2009 15:02:41 GMT
esta es una pequeña contribucion.
es un manual he instalado muchas veces el ossim y por fin decidi hacer este pequeño manual
que comparto para ustedes.
Willians Herrera.
File Attachments
1) OSSIM 1.1 - Configuracion después de la Instalacionx.pdf,
downloaded 718 times
Subject: HOWTO: Get Snort 2.8.X on Ubuntu feeding to OSSIM

Posted by cringe on Wed, 30 Sep 2009 20:26:32 GMT
So you have a stand-alone snort box that you want to start sending data to your OSSIM server.
You may be in luck. The instructions below are for snort on Ubuntu.
ON SNORT SERVER
1. Install ossim-agent (apt-get install ossim-agent) - You may have to add the repositories. You

can find these on your OSSIM server in /etc/apt/sources.list
2. Download the legacy snort.cfg plugin at

http://os-sim.cvs.sourceforge.net/viewvc/*checkout*/os-sim/a
gent/etc/agent/plugins/snort.cfg?revision=1.7
3. Copy the plugin to your /etc/ossim/agent/plugins folder as snort.cfg
4. Edit your /etc/ossim/agent/config.cfg and
4a. Add this line under [plugins]:

snort=/etc/ossim/agent/plugins/snort.cfg
4b. Point the agent to your ossim server under [output-server]:

ip=<OSSIM SERVER>
5. Edit your /etc/snort/snort.debian.conf
5a. Add the snort option to log to alert file:

DEBIAN_SNORT_OPTIONS="-A full"
6. Restart snort and ossim-agent services
OSSIM Server
1. In the Web Interface - Go to Policy > Sensors
2. Add the stand-alone snort box as a sensor (hostname/IP)
3. Reload sensors
You should be receiving alerts under the SIM Events page now. On the OSSIM server, you
may have to restart ossim-server and/or the ossim-agent. I don't remember if it was necessary
or not. Good Luck!
Subject: Re: Set second OSSIM server as sensor/agent only

Posted by kevint on Mon, 19 Oct 2009 13:42:29 GMT
Thanks for the tutorial here. I'd like to add that in step 7 to remove mysqld from starting at boot
time, the command to remove it is close, but not exactly correct. It should read as:
pgrep mysql | xargs kill -9

update-rc.d mysqld remove -f

Subject: Re: HOWTO: Get Snort 2.8.X on Ubuntu feeding to OSSIM
Posted by last1ghost on Wed, 04 Nov 2009 17:01:45 GMT
Hi Sir,
I do exactly as you said but i got the below error when i start ossim-agent
2009-11-04 19:09:30,129 Conn [ERROR]: (32, 'Broken pipe')
2009-11-04 19:09:31,135 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:40,178 Conn [ERROR]: Error receiving data from server: (104, 'Connection
reset by peer')
and the ossim-server sensor give me X on my sensor when i remove snort from agent plugin it
works again but of course i still need snort alerts, any recommendation

Posted by jplee3 on Wed, 04 Nov 2009 19:18:48 GMT
Hey guys, will this still work with the latest versions of OSSEC and OSSIM? I was trying to tie
the two together but could not figure it out. I'll have to play around with it more when I have the
time.

Posted by dropadrop on Tue, 10 Nov 2009 20:59:02 GMT
Doesn't monit include mysql as one of the monitored applications? If yes, it should probably be
removed from there too.
Also what about the ossim-server / ossim-framework services, are they needed in such a set
up?

Posted by dropadrop on Tue, 10 Nov 2009 21:01:33 GMT
I was playing around with oinkmaster today, and it seemed very nice. The big question for me
was that it refused to modify / disable all the sids I wanted it to.
Are part of the rule sets included with ossim such that oinkmaster won't touch them
(community / emerging threats)?
Subject: OSSIM Installation Guide

Posted by juanma on Fri, 27 Nov 2009 16:38:48 GMT
English:
http://ossim.net/dokuwiki/doku.php?id=installation
Spanish:
http://ossim.net/dokuwiki/doku.php?id=installationES
If you want to help translating it to your own language please send an email to jmlorenzo at
alienvault.com.
Juanma
Subject: Instalação do Ossim em Português (Brazilian) - Part I

Posted by jailsonjan on Tue, 15 Dec 2009 14:10:55 GMT
Guia de Instalação do OSSIM (AlienVault Open Source SIM ) – Parte I
Link for JailsonJan Blog:http://www.previsioni.com.br/jailsonjan/?p=147
Introdução
O Ossim (Open Source AlienVault)

é um sistema de segurança detalhado que cobre do nível da deteção até um nível executivo,
gerando métricas e relatórios. OSSIM é oferecido como um produto da segurança que permite
que você integre em um único console todos os dispositivos e ferramentas de segurança
disponíveis em sua rede, assim como a instalação de ferramentas de segurança prestigiadas
de fonte aberta (open source) como Snort, OpenVas, Ntop and OSSEC.
Uma vez que os eventos gerados por ferramentas e por dispositivos diferentes são coletados
pelo OSSIM, o sistema executa uma avaliação de risco para cada evento e a correlação
destes. Durante o processo de correlação, de uma série de testes padrões, o OSSIM gera
novos eventos para detectar ataques ou problemas na sua rede.
Para acessar toda a informação coletada e gerada pelo sistema, o OSSIM inclui uma interface
Web que nós permite configurar todo o sistema e ver o estado total da rede em tempo real.
Antes de começar
OSSIM é um produto constantemente em desenvolvimento.

Por este motivo nós usaremos a versão mais estável do instalador do OSSIM neste guia de
instalação.
As versões as mais novas estão sempre disponíveis na Web no site do projeto OSSIM
– http://www.AlienVault.com
Finalidades deste documento
A finalidade deste documento é fornecer um passo a passo, um guia de como instalar o

OSSIM.
Cobrindo conceitos básicos e uma breve explanação do papel de cada perfil que uma
instalação de OSSIM pode adotar.
Por que um instalador?
OSSIM é um produto que integra mais de 30 ferramentas de Open Source. O sistema

operacional (Linux – Debian) e muitas ferramentas internas foram modificados para
melhorar seu funcionamento dentro do sistema.
Isso ocorre devido ao fato dque para instalar o OSSIM do código fonte exige um pouco mais
de conhecimento e muito tempo para fazer a compilação de mais de 40 ferramentas
diferentes.
Para simplificar o processo complexo de compilação, instalação e configuração todas estas

ferramentas, a equipe de desenvolvimento distribui o instalador de OSSIM que inclui sistema
operacional, todos os componentes e uma configuração poderosa e sistema a atualização.
O instalador de OSSIM é baseado no sistema operacional Debian GNU/Linux e está
disponível em edições de 32 bits e 64-bit, edições 32 Bits vs 64 Bits
Se seu processador é de 64-bits então você pode aproveitar todo desempenho desta
arquitetura.

Em determinadas estruturas (”backbones”), baseado na produção e no número
de eventos, você pode precisar de um “hardware” capaz de suportar grandes
volumes de dados.
A arquitetura 64-bit igualmente permite o uso de uma quantidade maior de memória física.
OSSIM Operações Básicas
Os seguintes processos ocorrem dentro de OSSIM:
1. As aplicações geram eventos da segurança

2. Os eventos são coletados e normalizados
3. Os eventos são enviados a um servidor central
4. Avaliação de risco
5. Correlação do evento
6. Armazenamento dos eventos
7. Acesso aos eventos armazenados
8. Acesso à configuração
9. Alcance as métricas (medidores) e aos relatórios
10. Informação em tempo real do status de sua rede
As aplicações e os dispositivos da rede geram eventos da segurança. Estes eventos são

coletados e normalizados pelo agente do OSSIM, que é o responsável por enviá-los ao
servidor do OSSIM.
Em uma instalação OSSIM pode-se ter quantos agentes forem necessários. Em alguns casos,
se tem um agente em cada posição da rede da empresa, ou um agente dentro do DMZ ou um
outro agente dedicado para coletar todos os registros do “firewall”.
O agente do OSSIM inclui um jogo das ferramentas (Snort, Ntop, Tcptrack, Arpwatch), para
analisar o tráfego de rede à procura dos problemas e das anomalias de segurança. Para
aproveitar-se desta funcionalidade do OSSIM, o agente do OSSIM deve receber todo o
tráfego na rede, usando uma conexão, configurar uma porta espelhada ou usando uma porta
de extensão nos dispositivos da rede.
Todos os agentes de OSSIM enviam seus eventos a um único servidor de OSSIM. Este
servidor carrega a avaliação de risco e a correlação. Uma vez que estes processos ocorreram,
os eventos são armazenados na base de dados de OSSIM.
Para acessar estas informações, o OSSIM inclui uma interface gráfica (web), que pode ser
usada para modificar parâmetros da configuração e para gerar o métricas e os relatórios. A
interface gráfica (web), igualmente, fornecerá o acesso as informações, em tempo real, de um
grande número de aplicações, que analisam o status global de nossa rede (Ntop, Nagios, etc).
Perfis
Uma vez que a instalação terminou, o OSSIM, permite mudar o perfil da instalação . Por

padrão o perfil completo será instalado automaticamente.
Perfil Completo
O perfil completo é uma combinação de todos os perfis em uma única máquina. Inclui a
interface do sensor, um servidor, uma base de dados e uma interface gráfica (web).
O sensor no perfil completo, habilitará o Snort, o OpenVas, o Ntop, o Arpwatch, o P0f e o

Pads.
O perfil completo é o padrão da instalação do Ossim.
Sensor
O Sensor é o responsável pela captura e pela normalização dos eventos. Para permitir a
captura e coleção de todos os registros (log) pelo Sensor, teremos que enviar todos os
eventos ao Sensor usando Syslog, ftp, samba, Snare, etc.
Cada uma destas ferramentas está associada a um “plugin” no OSSIM, que

define como coletar os eventos dos registros de logs. Os eventos normalizados são enviados
ao servidor.
Snort, Ntop, Arpwatch, P0f e Pads são igualmente habilitados no perfil do Sensor somente.
Para fazer estas ferramentas úteis, nós devemos usaar uma conexão, configurar uma porta
espelhada ou usar uma porta de extensão nos dispositivos da rede (geralmente no Switch).
Servidor
O perfil do Servidor é preparar o OSSIM (box) para coletar os registros (logs) de todos os
Sensores OSSIM.
Uma vez que os eventos foram processados, todas as informações são armazenadas na base
de dados. O Servidor incluirá um agente de OSSIM para monitorar a segurança do sistema
(Pam Unix, SSH)
Banco de Dados
O “Servidor de Bancos de Dados”, possui uma base de dados MySQL para

armazenar os eventos, configurações e informações de inventário.
Requirementos
Requirementos de Hardware
As exigências de hardware do OSSIM dependerão basicamente do número de eventos por

segundo e da produção da rede que queremos proteger.

A exigência mínima aconselhad, é ter pelo menos 2GB da ram. É possível que se tenha que
aumentar a memória de RAM disponível, baseada na produção da rede, no número de
eventos que o Servidor OSSIM está processando e na quantidade de dados que precisam de
ser armazenados na base de dados. Para um melhor desempenho é essencial usar somente
as aplicações e componentes que serão úteis em cada caso ou na sua rede.
Em termos de desempenho, há uma diferença enorme entre processadores de 32 bit and 64

bit, se você estiver comprando um novo hardware, escolha o de 64-Bits. A maioria de
componentes do OSSIM suportam “multithreading”, fazendo com que os
servidores que usam os processadores de 64-Bits, obtenham uma grande melhoria no
desempenho.
Ao falar sobre placas de rede, você deve tentar escolher aqueles suportados pelo
“driver” e1000. O modelo do desenvolvimento de Open Source deste
“drive” assegura a boa compatibilidade destas placas com o Debian
GNU/Linux.
As placas de rede de menor desempenho podem ser usadas nos OSSIM (box) para coletar
eventos de outros dispositivos ou como interfaces de gerênciamento.
Requerimentos de Rede
A fim de apresentar o OSSIM corretamente, você deverá ter um grande conhecimento dos
dispositivos da sua rede. Você terá que configurar uma porta espelhada naqueles dispositivos
de rede que suportem esta característica. Para configurar uma porta espelhada corretamente,
você terá que manter na mente que deve evitar estas duas situações:
* Tráfego de rede duplicado: Isto aconteceu quando nós estamos enviando o mesmo tráfego
de rede mais de uma vez em diferentes dispositivos da rede.
* Tráfego de rede criptografado: Em alguns casos não tem nenhum sentido configurar uma
porta espelhada naqueles dispositivos que mostram somente o tráfego criptografado (VPN,
SSH), porque este tráfego não pode ser facilmente analizedo por algumas aplicações.
Ainda sobre porta espelhada, nós precisamos ter endereços de IP prontos para todas os
OSSIM (box). Alguns OSSIM (box), que funcionam como Sensores podem exigir mais de uma
placa de rede, porque o Sensor poderá ter acesso à redes diferentes (Nessus, Nagios, Nmap)
Como exemplo, OpenVas (exploração da vulnerabilidades), terá que ter acesso para alcançar
as “redes alvo”, quando a varredura acontecer. Ao usar OpenVas, Nagios ou
Nmap nós igualmente temos que nos certificar de que nossos “firewalls” estão
configurados corretamente, permitindo o acesso de nossos sensores às redes ou aos
servidores das “redes alvo”.
Os eventos têm que ser normalizados antes de processados pelo Servidor OSSIM, o sensor

do OSSIM exigirá o acesso ao servidor de DNS da rede local .
Fonte Original: http://ossim.net/dokuwiki/doku.php?id=installation

Artigo Original: Juan Manuel Lorenzo (jmlorenzo at AlienVault dot com)
Tradução e complementos: Jailson Jan (jailsonjan at yahoo dot com dot br / jailsonjan at
previsioni dot com dot br)
Jailson Jan é o tradutor do Ossim para o português do Brasil (pt_BR)
Subject: Instalação do Ossim em Português (Brazilian) - Part II

Guia de Instalação do OSSIM (AlienVault Open Source SIM ) – Parte II
Fonte: Jailson Jan Blog (http://www.previsioni.com.br/jailsonjan/?p=153)
Visão geral da instalação
1- Você terá que certificar-se de que seu computador pode ser inicializado pelo CDROM/DVD
(boot). Procure pela documentação do sistema para mais informações. Isto pode exigir a
alteração das configurações do BIOS. Para começar o programa de instalação, inicialize o
computador e aguarde o boot pelo CDROM.
Atenção: O instalador APAGARÁ todos os dados armazenados em seu disco rígido.
2-Escolha a língua usada para o processo de instalação. A língua escolhida será usada
também para o sistema instalado.
3-Escolha sua localização
4-Escolha o layout de teclado
5-Neste ponto você terá que configurar a placa de rede. Se você tem mais de uma placa de
rede, terá que escolher qual será usada como a interface de gerenciamento. Em caso de ter
múltiplas placas de rede, o instalador perguntará que placa de rede deverá ser usada como a
interface de gerenciamento. Esta interface deve ter acesso à Internet durante o processo da
instalação.
Entre com o endereço IP para continuar
6-Insira a máscara do endereço

7-Insira o endereço IP do gateway. Todo tráfego que vai para fora da sua LAN será enviado
através desta rota.
8-Entre com os endereços IP dos servidores de nomes (DNS), separados por espaços. Se
você tem um servidor de nomes (DNS) local em sua rede deverá ser o primeira nesta
configuração. Você pode entrar com quantos servidores de nomes (DNS) que desejar.
9-Entre com um nome para o servidor do OSSIM (hostname)
10-If you are using a domain name in the computers of your network, enter the domain name
10-Se você está usando um servidores de nomes (DNS) nos computadores de sua rede, entre
com as informações do servidores de nomes (DNS)
11-Selecione o fuso horário (timezone)
12-Ocorre neste momento o particionamento do disco. Selecione a primeira opção: Usar o

disco inteiro.
13-Selecione “Guiado: Use a partição inteira do disco”, isto apagará todos os

dados armazenados em seu disco rígido.
14 -Neste momento você escolhe se deseja armazenar tudos os arquivos da instalação em

uma só partição ou em partições separadas. Selecione todos os arquivos em uma só partição.
15-Agora o instalador mostrará a partição sugerida. Aplique as mudanças e continue.
16-Todos os pacotes do software serão configurados agora. O Postfix (software de correio

eletrônico) perguntará sobre a configuração do servidor de email, configure-o conforme as
suas necessidades.
Se você não tem um servidor de email na sua rede ou se você deseja ter um próprio no
OSSIM Box, selecionamos “Site de Internet”.
Se você já tem um servidor de email na sua rede, pode selecionar o “Sistema
Satélite”.
17-Aceite o contrato de licência de Java.
18-Uma vez que todo o software esteja instalado e configurado (isto poderá demorar alguns
minutos), o sistema pedirá a senha da raiz (senha de root). Você terá que digitar duas vezes a
senha da raiz (senha de root).
19-Antes de terminar o processo de instalação, o sistema Ossim verificará se há novas

versões do software disponíveis ou novas correções. É muito importante que você tenha uma
conexão com a internet durante o processo de instalação, para que seu sistema possa ser
atualizado.

A máquina será recarregada automaticamente (rebotada). Uma vez iniciado, o sistema
carregará todas as aplicações que estarão configuradas de acordo com os ajustes padrões.
Para terminar o processo de instalação, espere a carga automática da Ossim. Uma vez que
você termina o processo de carga, poderá prosseguir, configurando todas as aplicações de
acordo com os ajustes necessários para a sua rede e conforme a suas vontades.
Fonte original: http://ossim.net/dokuwiki/doku.php?id=installation

Subject: Guia de Instalação do OSSIM – Parte III (Brazilian)

Posted by jailsonjan on Mon, 21 Dec 2009 15:22:21 GMT
Guia de Instalação do OSSIM (AlienVault Open Source SIM ) – Parte III
Configuração do Sistema
Para simplificar a configuração do grande número de ferramentas incluídas no OSSIM, a

configuração é centralizada em um único arquivo.
Cada vez que você modificar esta configuração, deverá rodar um comando para atualizá-la,
atualizando assim, a configuração de cada aplicação baseada na configuração centralizada
(principal).
A configuração centralizada é armazenada na seguinte arquivo:
/etc/ossim/ossim_setup.conf
Nós podemos editar este arquivo usando um editor de texto (vim, nano, pico, kate). os
usuários inexperimentes devem usar o seguinte comando para editar este arquivo:
ossim-setup
Para aplicar a configuração centralizada em um arquivo de configuração você terá rodar o

seguinte comando:
ossim-reconfig

Trocando o perfil
Todos os perfis são habilitados por padrão, após ter funcionado o instalador. Você poderá
mudar o perfil usando o “ossim-setup” (script de configuração) da instalação do
Ossim, selecionando a segunda opção (”Trocar Configurações do
Perfil”/”Change Profile Settings”)
Baseado no perfil escolhido você terá que configurar diferentes parâmetros de configuração:
completo
* Escolha interfaces: Entre com todas as interfaces (separadas pela vírgula) que estão
recebendo todo o tráfego da sua rede.
* Perfil de redes: Entre com as redes (redes locais) no formato CIDR, separado por vírgula,
estas redes são as que o Sensor poderá ver (acessar) em sua interface de escuta (por
exemplo: 192.168.0.0 /24, 10.0.0.0 /8)
* Nome do Sensor do OSSIM: Dê um nome para o Sensor instalado na máquina.
* Escolha os plugins: Selecione aqueles plugins que devem ser habilitados neste Sensor. Os
plugins do monitor somente serão habilitados sob pedidos (requisições) do Servidor do
OSSIM, durante a correlação. Os plugins do detetor estarão coletando eventos em tempo real
dos arquivos, bases de dados e soquetes.
Sensores
* Nome do Sensor do OSSIM: Dê um nome para o Sensor instalado na máquina.
* Escolha interfaces: Entre com todas as interfaces (separadas pela vírgula) que estão
recebendo todo o tráfego da sua rede.
* Perfil de Redes: Entre com as redes (redes locais) no formato CIDR, separado por vírgula,
estas redes são as que o Sensor poderá ver (acessar) em sua interface de escuta (por
exemplo: 192.168.0.0 /24, 10.0.0.0 /8)
* Endereço IP do Servidor do OSSIM: Entre com o Endereço IP do Servidor do OSSIM está

escutando.
* Escolha os plugins: Selecione aqueles plugins que devem ser habilitados neste Sensor. Os
plugins do monitor somente serão habilitados sob pedidos (requisições) do Servidor do
OSSIM, durante a correlação. Os plugins do detetor estarão coletando eventos em tempo real
dos arquivos, bases de dados e soquetes.
Servidor

* Endereço IP do servidor de banco de dados do OSSIM (Mysql): Entre com o Endereço IP do
Servidor OSSIM que está rodando a base de dados (servidor MySql). Certifique-se de que
você tem as permissão corretas para acessar o servidor da base de dados e que pode
conectar de uma máquina do remota.
* Porta do servidor de banco de dados do MySql: Porta de escuta para o MySql. (A porta
padrão é 3306)
* Usuário do servidor de banco de dados do MySql: O padrão no Ossim é o

“root” (usuário principal)
* Senha do servidor de banco de dados do MySql: Senha para o “root” (usuário

principal) no servidor de banco de dados do Mysql.
Danco de Dados
* Senha do servidor de banco de dados do MySql: Senha para o usuário “root”

do servidor de banco de dados do Mysql.
Se você precisar somente reconfigurar o perfil em uso, selecione-o e você será questionado à
entrar com os parâmetros da configuração.
Para aplicar as alterações que você selecionou, clique em “aplique e salve todas as
mudanças / Apply and save all changes” ou rode o comando da reconfiguração do
Ossim “ossim-reconfig”.
Configuração de Rede
Aquelas máquinas que rodam o OSSIM exigem um cuidado especial ao configurar a rede.
Those machines running OSSIM require special care when configuring networking.
A configuração de rede é definida no seguinte arquivo:
/etc/network/interfaces
Se a configuração de rede foi modificada, para aplicar-lhe as mudanças use o seguinte

comando:
/etc/init.d/networking restart
Cada OSSIM Box deve ter pelo menos um endereço IP estático, assim os componentes
diferentes do OSSIM podem comunicar-se entre si e o administrador pode ter o acesso
remoto às máquinas.
Cada interface (placa de rede) com um endereço IP válido, deve ter uma entrada no arquivo
/etc/network/interfaces usando o seguinte esquema:

allow-hotplug eth0
iface eth0 inet static
address 192.168.1.133
netmask 255.255.0.0
network 192.168.0.0
broadcast 192.168.255.255
gateway 192.168.1.1
dns-nameservers 192.168.1.100
Aquelas interface (placa de rede) usadas para coletar todo o tráfego de rede nunca devem ter
um endereço IP. As interface (placa de rede) em modo promíscuos (promiscuous mode) não
exigem nenhuma configuração especial no arquivo de configuração da rede.
Atualizando o OSSIM
Os seguintes comandos atualizarão o sistema OSSIM:
apt-get update; apt-get dist-upgrade;
O software que atualiza o sistema, usado no instalador do OSSIM, foi projetado para
assegurar-se que as versões corretas sejam usadas. Permite aos colaboradores de OSSIM
bloquearem ou forçar atualizações de determinado software no sistema. Por este motivo, você
nunca deve incluir repositórios de software novos em seu /etc/apt/sources.list. Esta
informação é muito importante.
Fonte: http://ossim.net/dokuwiki/doku.php?id=installation
http://www.previsioni.com.br/jailsonjan/
Subject: Guia de Instalação do OSSIM – Parte IV

Guia de Instalação do OSSIM (AlienVault Open Source SIM ) – Parte IV

Ossim na versão profissional
Além de conduzir o desenvolvimento de OSSIM, a AlienVault está desenvolvendo uma versão

profissional “AlienVault Professional SIEM” que oferece importantes recursos
para ambientes de muita demanda.
A versão comercial, possui:
* SEM: armazenamento de alto volume

* Escalabilidade: distribuídas, hierárquicas
* Desempenho: performance 30 vezes maior
* Confiabilidade: Redundância e alta disponibilidade
Recomendações Gerais
* Em ambientes de produção é recomendado sempre usar arquiteturas de 64-bit, já que há

uma grande diferença em termos de desempenho se comparados com a versão de 32 bits.
* Nunca instale um Sensor de OSSIM em um ambiente virtualizado se este sensor está indo
coletar enormes quantidades de tráfego de rede. Por causa da maneira que estas ferramentas
da virtualização controlam as interfaces de rede virtual, uma grande quantidade do tráfego da
rede é perdido, sem ser analisada.
* Nunca instale softwares no OSSIM Box, que necessitem de alteração dos repositórios de
Debian no arquivo “/etc/apt/sources.list”.
* O OSSIM sempre terá suporte para a versão mais estável do Debian GNU/Linux. Quando
uma versão nova de Debian for liberada os colaboradores fornecerão um guia em como
atualizar o o Ossim instalado para a versão mais nova.
* Não há nenhuma limitação de instalação de software que possa ser instalado nas máquinas
(desde que estejam no sources.list original do Ossim), mas lembre-se que um elevado
consumo de memória ou de processador (cpu) de algumas aplicações, podem prejudicar a
performance da mesma.
Como exemplo, você nunca deve instalar um ambiente desktop nas máquinas OSSIM.
Blog: http://www.previsioni.com.br/jailsonjan/

Subject: Ossim - Perfis
Geralmente, uma distribuição típica do ossim consiste:
* Um servidor de banco de banco de dados (normalmente MySql).
* Um servidor que hospede o motor da avaliação de correlação, da qualificação e do risco.
* Os N servidores dos agentes fazem a coleta de informação e que se encarregam de um

número de dispositivos.
Para uma lista de “plugins” veja em:
http://www.alienvault.com/community.php?section=Plugins
* Um controle automático (daemon), que faça algum trabalho de manutenção e anexe

algumas partes. Isto é chamado de “frameworkd”.
* O frontend (interface), baseado em web, unificando toda a informação recolhida, fornecendo

a habilidade de controlar cada um dos componentes.
Blog: http://www.previsioni.com.br/jailsonjan/
Subject: Sensor do OSSIM - Os agentes - Parte I

Sensor do OSSIM - Os agentes - Parte I
Subject: Sensor do OSSIM – Os agentes – Parte II


Sensor do OSSIM – Os agentes – Parte II
(Brazilian portuguese and English)
Subject: Ossim – Configuração Principal do Ossim – Parte I

Ossim – Configuração Principal do Ossim – Parte I
(Brazilian portuguese and English)

Posted by TMG1980 on Wed, 13 Jan 2010 18:03:41 GMT
You can always use the following command to find the tomcat-users.xml file which contains the
default pwd for admin and manager:
$ find / -name 'tomcat-users.xml'
Once you find the file path and navigate to it, you can use an editor(i.e. pico) to open and edit
the file.
Cheers
Subject: Ossim - Incidentes (brazilian portuguese)

Posted by jailsonjan on Thu, 14 Jan 2010 12:24:59 GMT
Translation for the Brasilian Portuguese and Complements, for Jailson Jan (translating of the
Ossim for pt_BR)

http://www.previsioni.com.br/jailsonjan/?p=278

Posted by jlambrecht on Fri, 15 Jan 2010 17:11:41 GMT
my set-up is ossim (oss) image running
centos with snort configured, logging to mysql
Since so far i did not have time to delve into ossim-configuration and set-up i'm a bit lost.
Is there a simple way to have ossim read the mysql-db on the centos-snort machine ? Since
this set-up is experimental i assumed this would be read by setting the db in the
configuration(advanced) but no luck.
Please advise as the support mailbox does not answer at all.
tnx

Posted by punkrokk on Thu, 21 Jan 2010 19:29:21 GMT
FYI -- I just did this with OSSEC 2.3 on a win 2k3 machine and the windows instructions
worked great.
jplee3 wrote on Wed, 04 November 2009 12:18Hey guys, will this still work with the latest
versions of OSSEC and OSSIM? I was trying to tie the two together but could not figure it out.
I'll have to play around with it more when I have the time.

Posted by kristian_paul on Mon, 25 Jan 2010 15:01:21 GMT
I think that for non-patech snort on the wild, ossec could help to get those logs and then send it
back to ossim
Or you can patch snort to work with ossim agen using the unified stuff and get better speed if is
needed

regards

Posted by punkrokk on Fri, 29 Jan 2010 19:05:23 GMT
I have made a cron job out of this:
#/bin/sh

oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules
/etc/init.d/ossim-server restart
Works great, run once every 24 hours or whatever. :d

Posted by rossonr on Mon, 01 Feb 2010 16:00:29 GMT
Wouldn't this also need to be piped to mysql to update the database?

Posted by punkrokk on Mon, 01 Feb 2010 16:03:09 GMT
Nope, (at least not that I can tell)
The line:
runs an OSSIM script that updates the db and correlates everything.

Posted by juanma on Mon, 01 Feb 2010 16:09:35 GMT

create-sidmap.pl updates the database, is oinkmaster restarting snort?
If not, you should also have to restart snort.
juanma

Posted by rossonr on Mon, 01 Feb 2010 16:47:48 GMT
I am using pulledpork. :) which can be reconfigured to restart snort

Posted by punkrokk on Mon, 01 Feb 2010 18:21:29 GMT
Just to make sure, I added /etc/init.d/snort restart to the end of my script.
Leaving me with:
#/bin/sh

oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
/etc/init.d/snort restart
/etc/init.d/ossim-server restart
Note that if you subscribe to the snort rules your oinkmaster.conf path to grab the snort rules
will be different.
Here's some reading on the oinkmaster in debian topic:

http://www.cyberarmy.net/library/article/1728
Now to figure out how to get Nessus to auto update :)

Posted by rossonr on Tue, 02 Feb 2010 13:13:46 GMT

I have this in a script that I execute from cron
/usr/local/bin/alienvault-feed-sync openvas
/etc/init.d/openvas-server restart
P.S. For restart to work for openvas you need to edit /etc/init.d/openvas-server script to add the
path for start-stop-daemon

Posted by punkrokk on Tue, 02 Feb 2010 21:34:37 GMT
Is this required for OpenVAS correlation?
rossonr wrote on Tue, 02 February 2010 06:13I have this in a script that I execute from cron
/usr/local/bin/alienvault-feed-sync openvas
/etc/init.d/openvas-server restart
P.S. For restart to work for openvas you need to edit /etc/init.d/openvas-server script to add the
path for start-stop-daemon

Posted by rossonr on Wed, 03 Feb 2010 12:52:58 GMT
After the execution of this "/usr/local/bin/alienvault-feed-sync openvas" it tells you the
openvasd needs to be restarted.

Posted by s00pcan on Wed, 03 Feb 2010 19:04:43 GMT
On an ubuntu agent:
root@ubuntu-vm:/var/ossec/bin# ./ossec-control start
...
2010/02/03 14:46:48 ossec-agentd(4105): ERROR: No valid server IP found.
2010/02/03 14:46:48 ossec-agentd(1215): ERROR: No client configured. Exiting.

How do I configure the server IP then?

Posted by dropadrop on Sat, 06 Feb 2010 20:14:54 GMT
Maybe a silly question, but would'nt it be easier to just install a second apache in front as a
proxy?

Posted by juanma on Sun, 07 Feb 2010 12:53:45 GMT
This will come by default in OSSIM 2.2

Posted by dropadrop on Tue, 09 Feb 2010 08:29:02 GMT
Great, then I won't waste time configuring it now. :)
Subject: how to set ossim server and ossim sensor

Posted by manean on Fri, 12 Feb 2010 18:12:56 GMT
Hi,
Kindly give me an guidance and steps for to implement ossim server and ossim sensor.
Mainly how to connect and use the database .
Early help is appreciated.
Thanks in advance. :p
with regards.,
manean.kvs.

Posted by nokster on Fri, 12 Feb 2010 19:55:37 GMT
punkrokk wrote on Mon, 01 February 2010 13:21
Now to figure out how to get Nessus to auto update :)
"usr/local/bin/alienvault-feed-sync" apparently also accepts nessus as a parameter? tried it out

and I'm not sure if it works though because it ends with an error...
thanks for the cron script.

Posted by punkrokk on Fri, 12 Feb 2010 20:07:39 GMT
haha, you're welcome! :)

Posted by pettiet on Wed, 17 Feb 2010 14:07:10 GMT
I'm new to OSSIM and just made a proof of concept intall yesterday. As recommended, I reset
the Admin password but was unable to login today. How can the Admin password be reset if
you cannot log in? Thanks for the help.

Posted by TMG1980 on Wed, 17 Feb 2010 14:37:04 GMT
Default uid and pwd is Admin Admin when you login on the frontend (use the IP you assigned
to OSSIM). Try that first.

Yes, that is what worked after installing yesterday. However, I thought I changed the password
but it does not work today. Any suggestions for resetting a lost Admin password without

having to reinstall everything?

Posted by TMG1980 on Wed, 17 Feb 2010 15:32:40 GMT
ssh or logon to the OSSIM box as root.
find the tomcat-users.xml file and edit that file. There should be a line that contains the Admin
and Manger accounts. Change the pwd there.
Quick way to find the file:
$ find / -name 'tomcat-users.xml'

Thanks, got it going now. I appreciate the help.

Posted by stlist on Thu, 04 Mar 2010 21:41:42 GMT
Juanma,
OSSIM 2.2 is out. I don't see any straightforward way to setup https for the OSSIM webpages.
Could you point us to the right direction?
Thanks,
Sam

Posted by TrevorBenson on Thu, 18 Mar 2010 01:15:01 GMT
In step three it says:Quote:Check on sensor ossim_setup.conf so it will act as sensor
In my file I have:ocs_db=ocsweb
ossim_db=ossim

osvdb_db=osvdb
pass=<something>
type=mysql
user=root
[expert]
profile=server
[sensor]
detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd,
sudo, iptables, nagios
interfaces=eth0
ip=
monitors=nmap-monitor, ntop-monitor, ossim-monitor
name=ossim
priority=5
[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001
Does this refer to changing the expert profile setting to sensor instead of server? Not really
sure what it means to 'check on sensor', if eth0 is the configuration in the
/etc/network/interfaces, then would this ossim_setup.conf already be a working configuration?
Also mentioned in step 4: Quote: Check sensor's interface(s) in /etc/network/interfaces so it's

configuration is consistent with /etc/ossim/ossim_setup.conf, one as default, other set in
promiscuous mode if it have more than 1 interface
I assume this means if you have 2 interfaces in the same network, use 1 as default
management and 1 as promiscuous for snort etc.? Otherwise if you have multiple interfaces in
different subnets wouldn't you want it promiscuous on all interfaces?
Thanks,
Trevor
Subject: Re: Method to check and see what OSSEC is logging (without the web
gui)
Posted by kristian_paul on Thu, 25 Mar 2010 19:32:52 GMT
I used to activay temporally logall option in the ossec config so i can debug what are logs are

been received from agents
Subject: Guide: Nessus 4.0.2 on OSSIM 2.2.1

Posted by fable on Wed, 31 Mar 2010 06:51:31 GMT
I have been trying to Make NESSUS work on OSSIM 2.2.1 for a few days now and I have to
admit it was hell! From what I discovered it OSSIM will most likeley not work with NESSUS
4.2.x and a HomeFeed (as I posted here too:
https://www.alienvault.com/forum/index.php?t=msg&th=2107
&start=0&S=dbf97230c72cc76508327ff1afae4e76). That was not the only problem though. I
made this guide to collecting what I found in the forum and what I discovered myself.
Use this a step-by-step guide to make NESSUS 4.0.2 work on a fresh OSSIM 2.2.1 install.
1. Download version 4.0.2
Navigate to http://www.nessus.org/download/. Go the the bottom of the page, there is a link

there. While you are there you can register for a Feed Code as well.
Upload the file to your OSSIM server using SCP.I uploaded it to the /home directory.
2. Update OSSIM
run:
/ossim-update. Answer "yes" to all questions
3. Disable the firewall
run:
ossim-setup go to Change General Setting --> Configure Firewall. Highlight "No" and hit space.
Hit OK and then "Save $ Exit". This step is not necessarily needed if you have correctly
configured your firewall.
4. Install NESSUS
run:
dpkg -i /home/Nessus-4.0.2-debian5_i386
5. Update Plugins
run /opt/nessus/bin/nessus-fetch --register <code>. Replace <code> with your HomeFeed or

ProfessionalFeed code.

6. Configure the OSSIM database for NESSUS
(From "DK's" post on this thread)
run:
ossim-db
TRUNCATE `vuln_nessus_category`;
TRUNCATE `vuln_nessus_family`;
TRUNCATE `vuln_nessus_plugins`;
TRUNCATE `vuln_nessus_preferences`;
TRUNCATE `vuln_nessus_preferences_defaults`;
TRUNCATE `vuln_nessus_settings`;
TRUNCATE `vuln_nessus_settings_category`;
TRUNCATE `vuln_nessus_settings_family`;
TRUNCATE `vuln_nessus_settings_plugins`;
exit
7. Configure NESSUS
a. Change Listening IP:
run:
nano /opt/nessus/etc/nessus/nessusd.conf and change the "listening ip" to your local IP.
ATTENTION: This is the IP assigned to your NIC (e.g. 192.168.1.1), NOT LOCALHOST
b. Create a user
run:
/opt/nessus/sbin/nessus-adduser. Use pass instead of cert and make user an admin
c. Create a cert
run:
/opt/nessus/sbin/nessus-mkcert. Choose all the defaults
8. Configure OSSIM
a. Edit the web interface
go to Configuration-->Main-->Advanced-->Vulnerability Scanner. Enter the user name and

password of the user you just created. For IP enter the IP assigned to your NIC (the one you
entered on step 7a). Port: 1241, location: /opt/nessus/bin/nessus
9. Start NESSUS

run:
/opt/nessus/sbin/nessus-service . Wait until you get the All plugins loaded message. Leave this
window open and start a new ssh session to your OSSIM server. (I haven't found a way to
make this run in the background yet)
10. Configure the OSSIM database
Run:
cd /usr/share/ossim/scripts/vulnmeter/
./updateplugins.pl
cd /usr/share/ossim/scripts/vulnmeter/
./update_nessus_ids.pl
Your NESSUS setup is now completed!
You can initiate new scans by going to OSSIM's web interface under
Analysis-->Vulnerabilities-->Scan Jobs
Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1

Posted by jmalbarracin on Wed, 31 Mar 2010 07:47:45 GMT
Hi,
Please
TRUNCATE `vuln_nessus_settings_preferences`;
TRUNCATE `vuln_settings`;
Not necesary!!
Thx

hello jmalbarracin,
thanx for your input, but could you briefly explain why? I merely copy-pasted those lines from
DK's post, don't know much about their functionality other than they change settings in the
database.
fable

Posted by jmalbarracin on Wed, 31 Mar 2010 08:20:34 GMT
I know, but updateplugins.pl doesn't modify those tables.
Analisys->Vulnerabilities->Settings
Thx

gotcha! I updated the guide. Thank you!
gui)
Posted by link on Wed, 31 Mar 2010 10:55:57 GMT
I see all the logs of my devices in ossec.log but when I go to check this logs in SIEM gui, I can't
see all these logs.
Where is the problem if ossec receive all logs correctly?
gui)
Posted by juanma on Wed, 31 Mar 2010 11:01:49 GMT
hi link,
please use the support forum and open a new thread for that issue.

Posted by whitehat on Thu, 01 Apr 2010 08:24:44 GMT

I've removed old nessus by running
apt-get remove nessus nessusd nessus-plugins
and followed your manual - and now all works great! Thank You!

Posted by jchristmas on Mon, 05 Apr 2010 16:40:52 GMT
Great tutorial I am going to try it out now with my server and settings but I have a few quick
questions for everyone if they have time to think about it.
I have a nessus system thats not a part of ossim at all... I want to use this system to scan. My
environment is a bit different. I have 1 dedicated manager no sensors on it and 2 dedicated
sensors no manager on them.
My question is do I need to install nessus 4.x on the manager in order to use my external
nessus machine? Or will the client on the nessus system work just the same to connect and
pull the data over?

To answer my own question for my custom setup to get the update scripts for plugins working I
needed to install at least the client for nessus 4.0.2 on my system so I uninstalled nessus
nessusd etc... and installed the nessus client package from the site.
Seems to be loading the plugins correctly now.

Found a minor bug in all of this or at least an issue I am having. After updating the plugins they
all show they are Serious level vulnerabilities. There are 2 lows and the rest of serious...
Did something fail?

Posted by fable on Tue, 06 Apr 2010 04:48:19 GMT

Hello jchristmas,
Thank you for your comments. I run this tutorial on a clean OSSIM 2.2.1 install and I noticed
something similar to what you did. If I run a scan job and try to open the report that appears
next to my scan under the "scan jobs" tab, I have a much different report from the one under
the "vulnerabilities" tab. The "scan jobs" tab report though is the same as the one under the
"reports" tab.
The report under "vulnerabilities" tab didn't have nearly as many vulnerabilities as the one
under "scan jobs" and "reports" tab, which were much more spread out (serious,
high,medium,info etc).
My guess is that the reports under the "scan jobs" and "reports" tabs are actually the "raw"
Nessus scans with just the Alienvault logo in them. The report under "vulnerabilities" tab
though, are processed by OSSIM. Over there OSSIM actually presents what vulnerabilities it
thinks were present (based on the way it processes Nessus reports).
What's weird though is that OSSIM is generating as many tickets as vulnerabilities found in the
report under "scan jobs".
Can you check to see if there are any differences on the various reports available?
Also, could you run a credentiated scan towards an unpatched pc (e.g. windows xp) just so
you know you will normal get a lengthy report.

Posted by fable on Tue, 06 Apr 2010 07:27:49 GMT
I actually just noticed that when I go to "assets-->assets" and click on the host I just scanned
(OSSIM ganerates the "general report") in the "vulnerabilities" "window" OSSIM reports "No
vulnerabilities found for <host_ip>". This is very ironic because a few windows over there is a
bunch of tickets oppened that say "Vulnerability:Unknown".
Could someone shed some light on why OSSIM isn't actually intergratting the NESSUS scans?
Because the way I see it right now, it NESSUS is just a way to generate reports. Something
that I can do by installing nessus on a windows xp machine and run the scan from there?
I think the vulnerability management capability of OSSIM is very important to its general
purpose as a Security Information Management System.
fable

Posted by traz on Wed, 07 Apr 2010 10:29:07 GMT
stlist wrote on Thu, 04 March 2010 14:41Juanma,
OSSIM 2.2 is out. I don't see any straightforward way to setup https for the OSSIM webpages.
Could you point us to the right direction?
Thanks,
Sam
truth

Posted by jchristmas on Wed, 07 Apr 2010 17:28:24 GMT
So let me clarify a few things and also say something else. I am trying to use a nessus 4
professional feed on a ubuntu box that I installed the ossim agent on.
If I click in the vulnerabilities tab and select threat database I show almost all the vulnerabilities
listed under critical... Tried to update the plugins again and didnt fix it.
The new problem I just started to notice is that even though I updated the settings to point to
the new nessus scanner it does not want to show up as an option to scan with. So I checked
things out in the database and sure enough in the vuln_nessus_servers the new server isnt
showing up.
I could add it manually I suppose but I wanted to know where it was suppose to be added from
i.e. script or web interface that inserts it into the mysql table.
I am actually thinking I will rebuild all my systems soon and re-install them all virtually on each
box so that I can make snapshots as well as have another group of "testing servers" that I can
use before upgrading to production. But I want to make sure that before I do that everything
else is in good working order. I also can't do it until roughly may due to some project
obligations I have.
So DK or Jamie or anyone else have any idea why its not inserting the nessus server in there
and also any idea why its not doing what I am expecting? I can work with you more outside of
the forums if you guys like.
Thanks,

Posted by portstats on Fri, 16 Apr 2010 16:02:43 GMT

Any update on this ?

Posted by manulpz on Mon, 03 May 2010 19:22:53 GMT
I need reset de password to acces via web. but i edit the archive - ossim
(/etc/ossim/framework/ossim.conf)
but no take effect.
the user is admin by the password no can reset.
thanks.

Posted by bvand on Mon, 17 May 2010 09:36:47 GMT
The password to access ossim web interface is not in "/etc/ossim/framework/ossim.conf"
You can access the web interface by
login admim
password admin

Posted by bvand on Wed, 26 May 2010 15:01:11 GMT
Hi,
I tried to update snort rules with the current version of snort in OSSIM (2.8.5.2) so with the url :
url = http://www.snort.org/pub-bin/oinkmaster.cgi/MY-oinkcode/snor
trules-snapshot-2852.tar.gz
But the file doesn't exist
The url :
url = http://www.snort.org/pub-bin/oinkmaster.cgi/MY-oinkcode/snor trules-snapshot-2.8.tar.gz

Doesn't work either...
Can I update snort to the official version, or is it another way to update the rules ?
Regards
Subject: ossec&asterisk
Posted by jabi on Fri, 28 May 2010 09:43:15 GMT
I've written two posts about protecting Asterisk with OSSEC.
http://sysbrain.wordpress.com/2010/04/22/asterisk-ossec-part -1/
http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part -ii/
I hope it will help you and if you see any error or improvement, tell me.

Posted by temon on Fri, 11 Jun 2010 08:04:03 GMT
Hello,
I'm new in OSSIM and now i'm curious with OSSIM and NESSUS. I've installed Nessus 4.0.2
and yes I got same problems like any of you got there. Here's the problems :
1. Threats Database is showing Serious risk there (value == 7)

2. Cross Correlation with SNORT is not working because of some issue that i'll explain below.
3. Assets info shows no vulnerabilities there.
The positive issue is scan jobs and results (at vulnerability --> scan jobs) show us actual info :)
About the problems, here I try to find out why (from updateplugins.pl) :
1. Risk level value is 7 (all serious) is caused by this :

if ( !defined( $plugin_crisk ) || $plugin_crisk eq "" ) { $plugin_crisk = "NULL"; }
my $risk=7;
$risk=1 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Serious/s);

$risk=1 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Critical/s);
$risk=2 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*High/s);
$risk=3 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Medium/s);
$risk=4 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Medium\/Low/s);
$risk=5 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Low\/Medium/s);
$risk=6 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Low/s);
$risk=7 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Info/s);
$risk=7 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*[nN]one/s);
not really sure about that..but by default the risk will set to 7 if..bla bla bla..and if risk factor
value is NONE then it will set to 7 :d. From another thread of openVAS, the problem looks like
not happened, i'll check the scripts later (openVAS is terribly slower than NESSUS) :(
2. next..about cross correlation and customation there not working, why? Here i try to find out :
mysql> select * from host_plugin_sid where plugin_id='3001';

+------------+-----------+------------+
| host_ip | plugin_id | plugin_sid |
+------------+-----------+------------+
| 2886731465 | 3001 | 10114 |
| 2886731465 | 3001 | 10150 |
| 2886731465 | 3001 | 10287 |
| 2886731465 | 3001 | 10394 |
| 2886731465 | 3001 | 10395 |
| 2886731465 | 3001 | 10397 |
-----------------skip-------------------
178 rows in set (0.00 sec)
Here's the place where NESSUS store IP and its Vulnerabilities (from scanning result).
mysql> select * from plugin_sid where plugin_id='3001';

+-----------+-------+-------------+----------+-------------+----------+-------------------------------------------------
-----------------------+--------+
| plugin_id | sid | category_id | class_id | reliability | priority | name
| aro |
+-----------+-------+-------------+----------+-------------+----------+-------------------------------------------------
-----------------------+--------+
| 3001 | 10048 | NULL | NULL | 2| 7 | nessus: CommuniGate Pro HTTP
Configuration Port Remote Overflow | 0.0000 |
| 3001 | 11351 | NULL | NULL | 2| 7 | nessus: Sendmail < 8.10.0
mail.local Newline Handling Remote DoS | 0.0000 |
| 3001 | 11458 | NULL | NULL | 2| 7 | nessus: SMB Registry : Dial In
Enabled | 0.0000 |
| 3001 | 11606 | NULL | NULL | 2| 7 | nessus: WebLogic Crafted GET
Request Hostname Disclosure | 0.0000 |
| 3001 | 14446 | NULL | NULL | 2| 7 | nessus: [GLSA-200402-02] XFree86

Font Information File Buffer Overflow | 0.0000 |
| 3001 | 16468 | NULL | NULL | 2| 7 | nessus: Sami HTTP Server Multiple
Remote Vulnerabilities | 0.0000 |
| 3001 | 29898 | NULL | NULL | 2| 7 | nessus: Novell Client nicm.sys Local
Privilege Escalation | 0.0000 |
| 3001 | 35388 | NULL | NULL | 2| 7 | nessus: Fedora 9 2009-0059: xterm
| 0.0000 |
| 3001 | 35391 | NULL | NULL | 2| 7 | nessus: Fedora 8 2009-0154: xterm
| 0.0000 |
| 3001 | 36641 | NULL | NULL | 2| 7 | nessus: Fedora 10 2009-0091:
xterm | 0.0000 |
| 3001 | 42468 | NULL | NULL | 2| 7 | nessus: CUPS < 1.4.2 kerberos
Parameter XSS | 0.0000 |
+-----------+-------+-------------+----------+-------------+----------+-------------------------------------------------
-----------------------+--------+
mine just showing 11 results there..hehehe..and still don't know why..if we trace back from
update_nessus_ids.pl :
--snip--
$query = "INSERT INTO plugin_sid(plugin_id, sid, category_id, class_id, reliability, priority,

name) VALUES ";
if(keys %plugin_rel_hash){
print "Updating...\n";
foreach $key (keys %plugin_rel_hash){
print "$key:$plugin_rel_hash{$key}:$plugin_prio_hash{$key}\n";
#$plugin_rel_hash{$key} =~ s/'/''/;
$plugin_rel_hash{$key} =~ s/'/\\'/gs;
$plugin_rel_hash{$key} =~ s/"/\\"/gs;
my $sid = $key;
if ($key =~ /\./){
my @tmp = split(/\./, $key);
$sid = $tmp[$#tmp];
}
$query .= "(3001, $sid, NULL, NULL, $plugin_prio_hash{$key}, 7, 'nessus:

$plugin_rel_hash{$key}'),";
}

--snip--
it must be load data from somewhere, process, then insert to this table :(
Next about 'plugin_reference' table (used for correlate with another plugins by default) :
mysql> select * from plugin_reference where reference_id='3001';

+-----------+------------+--------------+---------------+
| plugin_id | plugin_sid | reference_id | reference_sid |
+-----------+------------+--------------+---------------+
| 1001 | 103 | 3001 | 10024 |
| 1001 | 103 | 3001 | 10409 |
| 1001 | 107 | 3001 | 10024 |
| 1001 | 107 | 3001 | 10409 |
------------------------skip-----------------------------
Another tables which need to be checked is 'vuln_nessus_plugins' that shows complete

information of those plugins:
mysql> select count(*) from vuln_nessus_plugins;

+----------+
| count(*) |
+----------+
| 35979 |
+----------+
1 row in set (0.00 sec)
Now we try to manually correlate both of them :)
1. We try to find out one result (nessus plugin sid) from scanning activity :
mysql> select inet_ntoa('2886731465');

+-------------------------+
| inet_ntoa('2886731465') |
+-------------------------+
| 172.16.6.201 |
+-------------------------+
mysql> select * from host_plugin_sid where plugin_id='3001' and host_ip='2886731465' limit

1,5;

+------------+-----------+------------+
+------------+-----------+------------+
| 2886731465 | 3001 | 10150 |
| 2886731465 | 3001 | 10287 |
| 2886731465 | 3001 | 10394 |
| 2886731465 | 3001 | 10395 |
| 2886731465 | 3001 | 10397 |
+------------+-----------+------------+
mysql> select id,name from vuln_nessus_plugins where id='10150';

+-------+----------------------------------------------------------+
| id | name |
+-------+----------------------------------------------------------+
| 10150 | Windows NetBIOS / SMB Remote Host Information Disclosure |
+-------+----------------------------------------------------------+

+-------+------------------------+
| id | name |
+-------+------------------------+
| 10287 | Traceroute Information |
+-------+------------------------+

+-------+---------------------+
| id | name |
+-------+---------------------+
| 10394 | SMB Log In Possible |
+-------+---------------------+

+-------+------------------------+
| id | name |
+-------+------------------------+
| 10395 | SMB Shares Enumeration |
+-------+------------------------+

+-------+-------------------------------------------+
| id | name |

+-------+-------------------------------------------+
| 10397 | SMB LanMan Pipe Server Listing Disclosure |
+-------+-------------------------------------------+
mysql> select id,name,description from vuln_nessus_plugins where id='10150';

+-------+----------------------------------------------------------+--------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------+
| id | name | description
|
+-------+----------------------------------------------------------+--------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------+
| 10150 | Windows NetBIOS / SMB Remote Host Information Disclosure | ;Synopsis :;;It is
possible to obtain the network name of the remote host.;;Description :;;The remote host listens
on UDP port 137 or TCP port 445 and replies to ;NetBIOS nbtscan or SMB requests.;;Note that
this plugin gathers information to be used in other vuln_plugins;but does not itself generate a
report.;;Solution :;;n/a;;Risk factor :;;None;; |
+-------+----------------------------------------------------------+--------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------+
mysql>
enough for the first part, i try to lookup the vulnerability information from 'host_plugin_sid' then
try to find out what is the vulnerability shown there (show by plugin_sid) at
'vuln_nessus_plugins' in 'id' field.
next try to find out the plugin_sid at correlation tables (plugin_reference and plugin_sid) :

1,5;
+------------+-----------+------------+
+------------+-----------+------------+
| 2886731465 | 3001 | 10150 |
| 2886731465 | 3001 | 10287 |
| 2886731465 | 3001 | 10394 |
| 2886731465 | 3001 | 10395 |
| 2886731465 | 3001 | 10397 |

+------------+-----------+------------+
mysql> select * from plugin_reference where reference_sid='10150';

Empty set (0.00 sec)




can't find the correlation between snort and nessus sid there, so i have to
customize/define/create it first :p need to check another table :

1,5;
+------------+-----------+------------+
+------------+-----------+------------+
| 2886731465 | 3001 | 10150 |
| 2886731465 | 3001 | 10287 |
| 2886731465 | 3001 | 10394 |
| 2886731465 | 3001 | 10395 |
| 2886731465 | 3001 | 10397 |
+------------+-----------+------------+





see, just like what i've said at first..in this table, i just got 11 (eleven) entries, so i can do
nothing except manually insert reference from vuln_nessus_plugins to this plugin_sid :( (which
should've be done by script "update_nessus_ids.pl".
Any info from developers? Oh I forgot, I also realized about the "alienvault_feed_sync.sh"
script, have tried it but failed. Looks like alienvault rsync server is now down.
siem:/usr/share/ossim/scripts/vulnmeter# ../alienvault-feed-sync.sh nessus

AlienVault NVT Feed Sync
Configured Scanner: nessus

Configured NVT Feed: rsync://feed.alienvault.com:/nvt-feed
Synchronized into: /opt/nessus/lib/nessus/plugins/
Searching for required system tools ...

Synchonizing NVTs via RSYNC ...
rsync: failed to connect to feed.alienvault.com: Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.3]
Error: rsync failed. Your NVT collection might be broken now.
siem:/usr/share/ossim/scripts/vulnmeter# cat /etc/services | grep rsync
rsync873/tcp
rsync873/udp
siem:/usr/share/ossim/scripts/vulnmeter# telnet feed.alienvault.com rsync
Trying 207.158.15.208...
telnet: Unable to connect to remote host: Connection refused
siem:/usr/share/ossim/scripts/vulnmeter# telnet feed.alienvault.com 873
Trying 207.158.15.208...
telnet: Unable to connect to remote host: Connection refused
siem:/usr/share/ossim/scripts/vulnmeter#
Any advance? Thank you before :)

just want to update
after waiting for several days and got no reply here, so i tried to find out the problems and now
it's all fixed..next step is to make sure that snort <-> nessus correlation will work :d
1. Analysis --> Vulnerabilities --> Threats Database Problem, all vulnerabilities/plugins have
'serious' risk factor.
2. Intelligence --> Cross Correlation --> Correlation Rules, nessus plugins not loaded/inserted
well into ossim.plugin_sid table in database.
Here the new scripts to fix the problems (rename it to .pl, run updateplugins.pl first then
update_nessus_ids.pl):
1. http://temon.banget.de/ossim/updateplugins.txt
2. http://temon.banget.de/ossim/update_nessus_ids.txt
thx to fabe for update_nessus_ids.pl patch :)

Toggle Spoiler https://www.alienvault.com/forum/index.php?t=msg&S=739e3
1dbae2442b0334ec6e41e5d8d3e&th=1973&goto=6712#msg_67 12

Posted by whitehat on Fri, 18 Jun 2010 10:13:37 GMT
temon wrote on Fri, 18 June 2010 07:48
1. http://temon.banget.de/ossim/updateplugins.txt
2. http://temon.banget.de/ossim/update_nessus_ids.txt
Can You please upload theese files to another server? Or to this forum?

try to attach those files here... :d
File Attachments
1) ossim_nessus_dbupdate.tar.gz, downloaded 36 times

Posted by Lorax on Fri, 18 Jun 2010 12:59:44 GMT
Look inside ossec.conf in /var/ossec/etc/ and edit the server IP at the top:
<ossec_config>
<client>
<server-ip>10.1.1.8</server-ip>
</client>
<syscheck>

<frequency>79200</frequency>
Subject: OSSIM integration with an existing OCS Inventory install

Posted by westie5017 on Mon, 21 Jun 2010 16:37:05 GMT
Good Afternoon,
I hope you are well.
We have an existing OCS Inventory install that has data on all of our existing assets. It is also
integrated with our CMDB System (CMDBuild) and ITSM system.
I'm wanting to deploy an OSSIM server (initially in a development lab) so I can test the system
and prepare it for a production environment.
Is it possible to integrate OSSIM with an existing OCS Inventory installation? Be it via an API,
Database synchronisation or by simply point the OSSIM to the existing build?

Any assistance would be greatly appreciated...as I'm keen to demonstrate the ROI on this
system and get the project off the ground.
Kind Regards
Harry West

Posted by bcarty on Tue, 22 Jun 2010 20:15:28 GMT
I can not connect to port 1241 with both OSSIM and the Nessus Client (for giggles) which led
me to do the google. Here is a link to the forum I found it in. The thread started back in
December of 2009
https://discussions.nessus.org/message/4293#4293
Thoughts?

have you checked that nessus is running and port 1241 is opened? 1241 is NTP that used to
communicate between nessus-client and nessus-scanner (server).
netstat -plant | grep nessus

ps ax | grep nessus
if port 1241 opened, then try to connect to port 1241 using telnet from another machine
telnet machine-running-nessus-server 1241
if you get connection refused, try to flush iptables first
iptables -F ; iptables -X
try to telnet again, if you get escape character is ^] means you've successfully connected and
try to connect using nessus-client again. Don't forget to allow port 1241 on ossim-firewall.
NOTE : Nessus 4.2 is not support NTP (port 1241) for homefeed, only professional feed

support NTP, that's why in here we use nessus 4.0 for our env ;)
Subject: Re: OSSIM integration with an existing OCS Inventory install

Posted by NicoArias on Tue, 29 Jun 2010 16:37:57 GMT
you should edit these 2 files in order to use the already populated database:
/etc/apache2/conf.d/ocsinventory.conf
/usr/share/ossim/www/ocsreports/dbconfig.inc.php

Posted by mattspierce on Wed, 30 Jun 2010 14:23:19 GMT
I've locked myself out of the admin interface for the website. Modifying the tomcat users file
doesn't do anything to help as the password there is set to admin:admin. From the tutorial I
figured the password is stored in the ossim.users table and sure enough I see the string. I'v
tried nulling that value to get back in but no such luck. I'm guessing that the salt is being
applied to the null value. Is there anyway to determine what the salt is? Better yet, is there a
way to reset the web admin password?
What I did:
logged into mysql
mysql -p
used password extracted via the first post.
use ossim;
update users set pass=NULL where login='admin';
*Another thread pointed out the fix*

update users set pass='21232f297a57a5a743894a0e4a801fc3' where login='admin'
This sets the password back to admin:admin

Posted by nhirst100 on Fri, 02 Jul 2010 22:11:35 GMT

This has not worked for me. I followed the steps listed above and then when I try to connect to
the server over https I receive the following error in firefox
(Error code: ssl_error_rx_record_too_long)
I am running OSSIM 2.2.1
TIA,
Nathan

Posted by aimar on Wed, 07 Jul 2010 10:39:44 GMT
hidoa wrote on Fri, 13 February 2009 23:03I followed the instructions and I get the error below
when I try to browse to the site....
My step 5 was
not
ossec:x:1002:www-data.
Not sure if that matters or not...

Then do the following:

# nano /etc/group
..
From:
ossec:x:109:
To:
Worked for me :p (OSSIM 2.2.4)
Subject: Re: Osiris - Quick Guide

Posted by aimar on Thu, 08 Jul 2010 10:06:03 GMT
With my OSSIM 2.2, I needed to run the following command before playing around with osiris:

apt-get install osiris osirismd
Otherwise, very nice tutorial, cheers ;)

Posted by nhirst100 on Mon, 19 Jul 2010 18:35:19 GMT
It looks like this can be done in version 2.2.1 by running
a2ensite default-ssl
a2dissite default
/etc/init.d/apache2 reload

Ossec

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Ossec

Transféré par

Droits d'auteur :

Formats disponibles

Subject: Use HTTPS instead of HTTP

Posted by phishphreek on Thu, 22 May 2008 19:46:05 GMT

Enable ssl support for apache

Turn on SSL for the default site.

Tell apache2 to use HTTPS instead HTTP

Page 1 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

Copy the apache.pem certificate to the ntop config folder.

Configure NTOP to use HTTPS

Go to the admin tab and choose startup options.

Change the HTTP Server (-w) field from 3000 to 0.

Change the OSSIM configuration to point to the new ssl site.

Run the reconfig.pl script

Page 2 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

# chmod 770 tmp/

You can access the interface thru

Subject: Re: Use HTTPS instead of HTTP

Page 3 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

Subject: Re: Use HTTPS instead of HTTP

Subject: Re: Use HTTPS instead of HTTP

The panel config files are located in /etc/framework/panel/configs

The main dashboard page is /etc/framework/panel/configs/admin_1

The dashboard page with the ntop data is /etc/framework/panel/configs/admin_5_1

Page 4 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

Subject: Re: Use HTTPS instead of HTTP

Change from /nagios2/ to https://serverip/nagios2/

Or, edit /etc/ossim/framework/ossim.conf and change the link to nagios.

Then run /home/ossim/dist/reconfig.pl

Sorry about that!

Subject: Re: Use HTTPS instead of HTTP

Figured it would be help others as well so i posted the question here.

Once Again thanks

Subject: NagiosQL Walktrough

Page 5 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

After that download the latest NagiosQL from

cd into the extracted directory

Create mysql database

put these into Apache2 config file: httpd.conf

then edit setting.ini and change value in it accordingly

then try browsing to: server_IP/nagiosql-directory/testQL.php

if you got permission read/write error, chmod -R 777 it

Don't forget to import config files: Tools > Data Import

Corrections are most welcome :)

Subject: Re: NagiosQL Walktrough

Page 6 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

Subject: Re: NagiosQL Walktrough

Subject: Re: NagiosQL Walktrough

Subject: Re: NagiosQL Walktrough

Its there after adjusting the value -- thanks jvblanco!

Subject: Re: NagiosQL Walktrough

Page 7 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

Subject: Re: NagiosQL Walktrough

Subject: Re: NagiosQL Walktrough

Subject: Re: NagiosQL Walktrough

Subject: Re: Installing the OSSEC Web Interface on OSSIM

Page 8 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

Subject: Re: NagiosQL Walktrough

Subject: OSSIM: Configuration steps

Subject: Re: OSSIM: Configuration steps

Page 9 of 123 ---- Generated from OSSIM by FUDforum 2.7.7

Subject: Re: OSSIM: Configuration steps

Subject: Re: OSSIM: Configuration steps

couse i never did it :cry: , so far ;)