[Oisf-users] Suricata->OSSIM

Pablo pablo.rincon.crespo at gmail.com
Tue Jan 10 19:42:27 UTC 2012


Hi,
OSSIM does collect logs from unified2 with a native parser for better
performance and to avoid more extra dependencies (like by2).  It
already has a lot of dependencies.

Also, it's not a good idea to overload the syslog plugin at ossim.
Each input plugin (snort or suri, and others) can have its own thread
at the ossim-agent and each thread can read its own log files in
parallel to process new events instead of stacking them all at syslog,
and without interrupting each other by using common files like
/var/log/syslog.

In order to try suricata within an ossim installation, the easiest way
I think right now is to copy the snort plugin of ossim-agent, and
update start/stop commands and paths to log files in order to use suri
instead of snort, since they should share the same sid/cid
identifier numbers of ossim.

Hope that helps.


2012/1/10 Martin Holste <mcholste at gmail.com>:
> Would this be easier to maintain than by2 -> syslog -> OSSIM?
>
> On Tue, Jan 10, 2012 at 1:13 PM, Peter Manev <petermanev at gmail.com> wrote:
>> This is definitely news - at least for me - thanks for the heads up, but i
>> personally have not tried it out, have you? anyone?
>>
>>
>> On Tue, Jan 10, 2012 at 7:49 PM, Dewhirst, Rob <robdewhirst at gmail.com>
>> wrote:
>>>
>>> Since OSSIM supports unified2, you can have suricata reporting to an
>>> OSSIM console, right?
>>>
>>> If so it doesn't seem like many people are doing this.
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
>>
>>
>> --
>> Peter Manev
>>



-- 

Best regards,

--
Pablo Rincón
CTO at Fortimotion Technologies
emergingthreatspro.com
openinfosecfoundation.org
@PabloForThePPL
------------------------------------
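As an added illustration of the unified2 records Pablo says OSSIM parses natively (example code written for this thread, not OSSIM's or Suricata's own parser), here is a minimal Python reader for the record framing plus the legacy IPv4 event and packet records. The sample bytes are constructed, and treating the sensor_id/event_id pair as the sid/cid numbers the thread mentions is my assumption.

```python
import socket
import struct

UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7  # record types (Snort Unified2_common.h)
HEADER = struct.Struct(">II")          # record type, body length (network byte order)
IDS_EVENT = struct.Struct(">11I2H4B")  # legacy IPv4 event body, 52 bytes
PACKET = struct.Struct(">7I")          # packet body header, 28 bytes, then raw packet
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

def parse_unified2(buf):
    """Return (records, bytes consumed); a trailing partial record is left for the next read."""
    records, off = [], 0
    while off + HEADER.size <= len(buf):
        rtype, length = HEADER.unpack_from(buf, off)
        if off + HEADER.size + length > len(buf):
            break  # sensor is still appending this record; re-read once more data arrives
        body = buf[off + HEADER.size:off + HEADER.size + length]
        rec = {"type": rtype}
        if rtype == UNIFIED2_IDS_EVENT and length == IDS_EVENT.size:
            rec.update(zip(EVENT_FIELDS, IDS_EVENT.unpack(body)))
            rec["ip_source"] = socket.inet_ntoa(body[36:40])       # u32 -> dotted quad
            rec["ip_destination"] = socket.inet_ntoa(body[40:44])
        elif rtype == UNIFIED2_PACKET and length >= PACKET.size:
            rec.update(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["payload"] = body[PACKET.size:PACKET.size + rec["packet_length"]]
        records.append(rec)  # unknown types keep their framing so the stream stays aligned
        off += HEADER.size + length
    return records, off

def correlate(records):
    """Attach packet records to the event sharing their (sensor_id, event_id) pair."""
    events = {}
    for r in records:
        key = (r.get("sensor_id"), r.get("event_id"))
        if r["type"] == UNIFIED2_IDS_EVENT:
            events[key] = dict(r, packets=[])
        elif r["type"] == UNIFIED2_PACKET and key in events:
            events[key]["packets"].append(r["payload"])
    return events

# Constructed sample input: one IPv4 event (sensor 1, event 42) followed by its packet.
_EV = IDS_EVENT.pack(1, 42, 1326224547, 0, 2001219, 1, 3, 27, 2,
                     0x0A000001, 0xC0A80101, 44444, 80, 6, 0, 0, 0)
_PKT = PACKET.pack(1, 42, 1326224547, 1326224547, 0, 1, 40) + b"\x45" + b"\x00" * 39
SAMPLE = (HEADER.pack(UNIFIED2_IDS_EVENT, len(_EV)) + _EV
          + HEADER.pack(UNIFIED2_PACKET, len(_PKT)) + _PKT)
```

Returning the consumed byte count lets an agent thread that tails its own spool file resume at the right offset, which is the per-plugin reading Pablo describes.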


