[Oisf-users] Suricata->OSSIM

Dewhirst, Rob robdewhirst at gmail.com
Wed Jan 11 16:39:18 UTC 2012


I got a copy of the ossim-agent running on one of my suricata sensors
and I got it connecting back to the OSSIM server, but it's not sending
any events.  I pointed it at the directory that suricata is currently
writing unified logs to for barnyard2.

It would help if there was a walkthrough of setting up a remote snort
sensor and ossim-agent (i.e. not running on the ossim server itself).
I had to strip out a bunch of configuration details because the
ossim-agent assumed it needed to look for and keep a snort process
running.  Like I said before, not many people seem to be doing this.


On Tue, Jan 10, 2012 at 1:42 PM, Pablo <pablo.rincon.crespo at gmail.com> wrote:
> Hi,
> OSSIM does collect logs from unified2 with a native parser for better
> performance and to avoid more extra dependencies (like by2).  It
> already has a lot of dependencies.
>
> Also, it's not a good idea to overload the syslog plugin at ossim.
> Each input plugin (snort or suri, and others) can have its own thread
> at the ossim-agent and each thread can read its own log files in
> parallel to process new events instead of stacking them all at syslog,
> and without interfering with each other by using common files like
> /var/log/syslog.
>
> In order to try suricata within an ossim installation, the easiest way
> I think right now is to copy the snort plugin of ossim-agent, and
> update start/stop commands and paths to log files in order to use suri
> instead of snort, since they should share the same sid/cid
> identifier numbers of ossim.
>
> Hope that helps.
>
>
> 2012/1/10 Martin Holste <mcholste at gmail.com>:
>> Would this be easier to maintain than by2 -> syslog -> OSSIM?
>>
>> On Tue, Jan 10, 2012 at 1:13 PM, Peter Manev <petermanev at gmail.com> wrote:
>>> This is definitely news - at least for me - thanks for the heads up, but i
>>> personally have not tried it out, have you? anyone?
>>>
>>>
>>> On Tue, Jan 10, 2012 at 7:49 PM, Dewhirst, Rob <robdewhirst at gmail.com>
>>> wrote:
>>>>
>>>> Since OSSIM supports unified2, you can have suricata reporting to an
>>>> OSSIM console, right?
>>>>
>>>> If so it doesn't seem like many people are doing this.
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>>
>>>
>>>
>>> --
>>> Peter Manev
>>>
>
>
>
> --
>
> Best regards,
>
> --
> Pablo Rincón
> CTO at Fortimotion Technologies
> emergingthreatspro.com
> openinfosecfoundation.org
> @PabloForThePPL
> ------------------------------------
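The native unified2 reading Pablo describes above (OSSIM's agent decoding the Suricata spool directly instead of going through barnyard2 and syslog), as an added example that is not OSSIM's, Suricata's or barnyard2's code: a minimal Python reader for the record format Snort and Suricata share, run over constructed sample records. It decodes IPv4 IDS event records (type 7), skips packet records by their declared length, and stops at a partially written trailing record so a directory-tailing agent can keep its offset and resume once the sensor appends the rest; the sensor_id/event_id pair is what the snort-style sid/cid identifiers correspond to. Field names follow the unified2 structs; the timestamps, addresses and rule ids in the sample are made up.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# Record types from the unified2 format shared by Snort and Suricata.
UNIFIED2_PACKET = 2          # raw packet record (skipped below)
UNIFIED2_IDS_EVENT = 7       # IPv4 IDS event, 52-byte body

# Every record starts with (type, length) in network byte order; length
# counts only the body that follows this 8-byte header.
RECORD_HDR = struct.Struct(">II")
IDS_EVENT = struct.Struct(">IIIIIIIIIIIHHBBBB")       # 52 bytes
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
PACKET_HDR = struct.Struct(">IIIIIII")                # 28 bytes + packet bytes


def build_ids_event(**fields: int) -> bytes:
    """Serialize one IPv4 IDS event record (header + body); unset fields are 0."""
    body = IDS_EVENT.pack(*(fields.get(name, 0) for name in IDS_EVENT_FIELDS))
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id: int, event_id: int, second: int, pkt: bytes) -> bytes:
    """Serialize a packet record tied to (sensor_id, event_id); linktype 1 = Ethernet."""
    body = PACKET_HDR.pack(sensor_id, event_id, second, second, 0, 1, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def parse_unified2(data: bytes, offset: int = 0) -> Tuple[List[Dict], int]:
    """Decode complete records from data[offset:].

    Returns (events, new_offset). A record whose header or body runs past the
    end of data is left untouched: the sensor is still writing it, so the
    caller keeps the offset and retries once the file has grown.
    """
    events: List[Dict] = []
    while offset + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, offset)
        body = offset + RECORD_HDR.size
        if body + rlen > len(data):
            break                                  # partial trailing record
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(data, body)))
            ev["ip_source"] = str(ipaddress.IPv4Address(ev["ip_source"]))
            ev["ip_destination"] = str(ipaddress.IPv4Address(ev["ip_destination"]))
            events.append(ev)
        # Packet records, IPv6 events and any unknown type are skipped by length.
        offset = body + rlen
    return events, offset


# Constructed sample spool (made-up values): one event, its packet, then an
# event cut off mid-write, as a tailing reader would see it.
_T = 1326299958
FIRST_EVENT = build_ids_event(
    sensor_id=1, event_id=1, event_second=_T, signature_id=2000001, generator_id=1,
    signature_revision=3, classification_id=29, priority_id=2,
    ip_source=int(ipaddress.IPv4Address("10.0.0.1")),
    ip_destination=int(ipaddress.IPv4Address("192.168.1.10")),
    sport_itype=44321, dport_icode=80, protocol=6,
)
FIRST_PACKET = build_packet(1, 1, _T, b"\x45\x00" + b"\x00" * 38)
SECOND_EVENT = build_ids_event(sensor_id=1, event_id=2, event_second=_T + 1,
                               signature_id=2000002, generator_id=1)
SAMPLE_SPOOL = FIRST_EVENT + FIRST_PACKET + SECOND_EVENT[:30]


def demo() -> Tuple[List[Dict], List[Dict]]:
    """Parse the partial spool, then resume after the writer finishes the record."""
    first_pass, offset = parse_unified2(SAMPLE_SPOOL)
    grown = FIRST_EVENT + FIRST_PACKET + SECOND_EVENT
    second_pass, _ = parse_unified2(grown, offset)
    return first_pass, second_pass


if __name__ == "__main__":
    for ev in sum(demo(), []):
        print(f"sid/cid {ev['sensor_id']}/{ev['event_id']} "
              f"gid:sid {ev['generator_id']}:{ev['signature_id']} "
              f"{ev['ip_source']}:{ev['sport_itype']} -> "
              f"{ev['ip_destination']}:{ev['dport_icode']}")
```

A real agent would open the newest unified2.alert file in the spool directory, keep the returned offset across reads, and roll to the next file when Suricata rotates; the partial-record check is what keeps that loop from misreading a half-written event as garbage and then resynchronising on the wrong byte.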