
FUDforum20110302


Page 1: FUDforum20110302

Subject: ossim-server error : OSSIM-Critical
Posted by thelan on Tue, 25 May 2010 08:11:52 GMT

I already installed ossim 2.2.1.

I get this error from /var/log/ossim/server.log

Anyone, help me please.

ERROR

Quote:
2010-05-25 14:55:36 OSSIM-Critical: sim_container_get_plugin_sid_by_pky: assertion `sid > 0' failed
2010-05-25 14:55:36 OSSIM-Message: Event unknown, please insert plugin_id: 1000 and plugin_sid: 0 into DB
2010-05-25 14:55:36 OSSIM-Critical: sim_container_get_plugin_sid_by_pky: assertion `sid > 0' failed
2010-05-25 14:55:36 OSSIM-Message: Event unknown, please insert plugin_id: 1000 and plugin_sid: 0 into DB
2010-05-25 14:55:36 OSSIM-Critical: sim_container_get_plugin_sid_by_pky: assertion `sid > 0' failed
2010-05-25 14:55:36 OSSIM-Message: Event unknown, please insert plugin_id: 1000 and plugin_sid: 0 into DB
2010-05-25 14:55:36 OSSIM-Critical: sim_container_get_plugin_sid_by_pky: assertion `sid > 0' failed
2010-05-25 14:55:36 OSSIM-Message: Event unknown, please insert plugin_id: 1000 and plugin_sid: 0 into DB

I understand what the error means, but I don't know this part: Quote: plugin_id: 1000 and plugin_sid: 0

PS. Sorry, I'm not good at English.

Subject: Re: ossim-server error : OSSIM-Critical
Posted by thelan on Fri, 25 Jun 2010 06:42:37 GMT

Hey everyone, this is an alert

Page 1 of 78 ---- Generated from OSSIM by FUDforum 2.7.7


2010-06-25 13:37:26 OSSIM-Message: Event received: event id="0" alarm="0" type="detector" fdate="2010-06-25 13:37:25" date="1277447845" tzone="0" plugin_id="1000" src_ip="10.13.173.23" dst_ip="79.112.101.110" sensor="10.15.6.80" interface="eth3" protocol="OTHER" log="Event unknown, please insert plugin_id: 1000 and plugin_sid: 0 into DB. src:2819506816 dst:2819331536" payload="0A0DAD174F70656E20506F72743A20383130330A"

2010-06-25 13:37:26 OSSIM-Critical: sim_container_get_plugin_sid_by_pky: assertion `sid > 0' failed
2010-06-25 13:37:26 OSSIM-Message: sim_organizer_reprioritize: No priority/reliability info (Plugin_id 1000, Plugin_Sid 0) Log: Event unknown, please insert plugin_id: 1000 and plugin_sid: 0 into DB. src:2819506816 dst:2819331536

I tried to translate the payload

"0A0DAD174F70656E20506F72743A20383130330A"

and it is

Open Port: 8103

Why doesn't OSSIM know this alert? It comes from the snort preprocessor.
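As an added worked example (not code from the thread or from OSSIM itself), here is a small Python parser for the "Event received" line quoted above. It splits the key="value" attributes, decodes the hex payload the way thelan did by hand, pulls the plugin_id/plugin_sid pair out of the "Event unknown" message so the missing plugin_sid row can be identified, and shows that the first four payload bytes (0A 0D AD 17) are the octets of the event's src_ip. The sample line is reconstructed from the post, with the spaces between attributes that the forum export dropped restored; treating the leading bytes as an IP is an observation about this payload, not a documented OSSIM format.

```python
import re
from typing import Dict, Optional, Tuple

# Sample "Event received" line, reconstructed from the post above (constructed input:
# the forum export dropped the spaces between attributes, they are restored here).
SAMPLE_EVENT = (
    'event id="0" alarm="0" type="detector" fdate="2010-06-25 13:37:25" '
    'date="1277447845" tzone="0" plugin_id="1000" src_ip="10.13.173.23" '
    'dst_ip="79.112.101.110" sensor="10.15.6.80" interface="eth3" '
    'protocol="OTHER" log="Event unknown, please insert plugin_id: 1000 and '
    'plugin_sid: 0 into DB. src:2819506816 dst:2819331536" '
    'payload="0A0DAD174F70656E20506F72743A20383130330A"'
)

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
UNKNOWN_RE = re.compile(r"plugin_id: (\d+) and plugin_sid: (\d+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split an ossim-server 'Event received' line into its key="value" attributes."""
    return dict(ATTR_RE.findall(line))


def decode_payload(hex_payload: str) -> Tuple[bytes, str]:
    """Return the raw payload bytes and the printable-ASCII text they contain.
    Control bytes (0x0A, 0x0D, 0x17) and the non-ASCII byte 0xAD are dropped from the text."""
    raw = bytes.fromhex(hex_payload)
    text = "".join(chr(b) for b in raw if 32 <= b < 127)
    return raw, text


def leading_ip(raw: bytes) -> str:
    """Format the first four payload bytes as a dotted quad.
    Observation about this payload only (assumption, not a documented format):
    0A 0D AD 17 == 10.13.173.23, the src_ip of the same event."""
    return ".".join(str(b) for b in raw[:4])


def unknown_plugin(event: Dict[str, str]) -> Optional[Tuple[int, int]]:
    """If the server rejected the event for lack of a plugin_sid row, return the
    (plugin_id, plugin_sid) pair it asks for, otherwise None."""
    m = UNKNOWN_RE.search(event.get("log", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    raw, text = decode_payload(ev["payload"])
    print("plugin_id/plugin_sid needed:", unknown_plugin(ev))
    print("payload text:", text)
    print("leading bytes as IP:", leading_ip(raw), "| src_ip attribute:", ev["src_ip"])
```

Running it on the sample line yields the pair (1000, 0) that the server asks to have inserted, the text "Open Port: 8103", and the leading bytes 10.13.173.23; the same parser can be pointed at any other "Event received" line from server.log.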

Subject: Where are the Linux Agents?!
Posted by j0zf on Thu, 01 Jul 2010 03:05:59 GMT

Amazing set of software here, but where do I find the Linux Agents? The only agent I see from the web interface under Tools / Downloads is "OSSIM Agent installer for Windows (2.1)"... I sure hope one exists cuz most of our servers are linux servers. :-/

ossim:~# uname -a
Linux ossim 2.6.31.6 #2 SMP Wed Nov 18 09:33:20 CET 2009 x86_64 GNU/Linux

Subject: Ossim update error


Posted by jdorge on Wed, 21 Jul 2010 13:56:16 GMT

Hi, today I just ran apt-get clean, apt-get update, apt-get dist-upgrade and apt-get upgrade and it all went smoothly, but now when I try to log into the webUI I get

Forbidden
You don't have permission to access /ossim/ on this server.

I'm not sure how to fix this.

Subject: Re: Ossim update error
Posted by jdorge on Wed, 21 Jul 2010 14:28:24 GMT

I fixed it, it seemed to be a problem with my ossim-framework so I apt-get install ossim-framework and then I was able to connect. weird.

Subject: Bug in plugin_wizard.pl
Posted by aimar on Wed, 28 Jul 2010 11:17:56 GMT

plugin_wizard is not working properly. Here's the output:

OSSIM:~# perl /usr/share/ossim/scripts/plugin_wizard.pl -l
Unable to open plugin savefile: windows_plugins.ossim
Unable to open plugin savefile: windows_plugins.ossim

Subject: ossim-server -- doesn't start
Posted by greybrimstone on Thu, 29 Jul 2010 03:18:55 GMT

This is the third time that I've completely reinstalled OSSIM after having broken it by making changes to the interface that it monitors on. Specifically, if I move from eth0 to eth1 or eth2 and change the config, then the ossim-server stops running.

Anyone have any idea why?

How can I figure out why?


Subject: ossim-reconfig password error
Posted by urapain on Wed, 04 Aug 2010 22:03:42 GMT

After updating I tried to run ossim-reconfig but it fails with an error stating only a-z and 0-9 allowed in the password. I had not changed the password. The program changed and now won't allow the working password I was already using.
To verify, I removed all the symbols and ossim-reconfig worked.
I commented out this code in ossim-reconfig and my old password worked. If this is a bug that will be fixed, OK, but if this is intended behavior, I have a big problem with a security program that forces you to use simple passwords.

Subject: element rule: validity error : No declaration for attribute XXX of element rule
Posted by Andres on Thu, 05 Aug 2010 08:14:52 GMT

Hi,

I have correlation directives that are not working with ossim 2.1 (it works fine with previous versions). I want to correlate using "userdata", "username" fields, but when I restart ossim-server, this event is shown:

element rule: validity error : No declaration for attribute username of element rule

element rule: validity error : No declaration for attribute userdata1 of element rule

How can I solve the problem?

Thanks in advance
Andres

Subject: Ossim Management page can't be accessed
Posted by Andy.Li on Thu, 26 Aug 2010 14:01:36 GMT

Hello:
After I installed properly, and process Ossim log on to the system, and also check and apache2 launched, also can be the ping general web access, is not the osssim management page. I don't know whether it is because of the firewall opened, it is very different to ep-red dubbed, I didn't find the relevant document management system. This isn't a very strange question,


restart network, Tip can restart Snort service.

Subject: Email when a ticket is generated
Posted by jwilkinson on Mon, 30 Aug 2010 12:37:35 GMT

Anyone know if there is a way to automatically send an email to someone when a ticket is generated? We're trying to fully automate our vulnerability scanning and management. I've got the scans running, tickets generating correctly, but want to email someone when a ticket is generated so they don't constantly have to login after scans are run.

I have emails working so when you subscribe to a ticket and the ticket changes an email is generated.

Any ideas?

Subject: Installation from USB stick
Posted by Blinkiz on Mon, 13 Sep 2010 08:41:53 GMT

I used UNetbootin to be able to put the iso content onto a USB stick instead of cdrom. Today's new servers do not have cdrom drives. At least not ours.

Booting the installation program goes alright. Problem comes when it tries to access files from the cdrom. Is this hard coded?

My question is, is it possible to install from a USB stick?

Subject: Do I really need a DVD drive?
Posted by Blinkiz on Mon, 13 Sep 2010 08:59:51 GMT

I tried to burn AlienVault v2.3.1 (64bit edition) iso to a CD but it's 710MB so that did not work.

Do I really need to have a DVD drive in my server to be able to install AlienVault?


Subject: Email notification
Posted by dubbsix on Wed, 15 Sep 2010 20:10:11 GMT

Newb here and I can't figure out how to get my "all in one" server to send me email notifications when new alarms arrive.

I have configured a policy action to email me and I have also configured the avt-feed derived policy to use the policy action I defined.

Can anyone help?

Subject: Re: Email notification
Posted by jwilkinson on Tue, 21 Sep 2010 12:32:14 GMT

I don't believe this is working in the latest version. I know my installation isn't sending them and it did prior to one of the more recent updates.

Subject: Re: Email notification
Posted by dubbsix on Tue, 21 Sep 2010 16:35:20 GMT

Aw, rats. Do the devs know that it's not working?

Subject: Re: Email notification
Posted by jwilkinson on Wed, 22 Sep 2010 11:15:20 GMT

I emailed them two weeks ago about it.

Subject: Re: Email notification
Posted by metzgers on Mon, 27 Sep 2010 13:36:25 GMT

Hi,

updated our ossim installation today (version 2.3.1). After that, the policy action isn't executed anymore. We had a few perl scripts behind our policy action.


In the ossim framework logfile I can see the following messages:

Action [INFO]: Successful Response with action: <action's name>

But nothing happened, e.g. writing an entry in a file or sending an email?

Any idea what's going wrong?

Br
Stefan

Subject: Re: Email notification
Posted by jwilkinson on Tue, 28 Sep 2010 11:21:02 GMT

I just reinstalled the ossim framework and server and it resolved the issue. I have no idea what was causing this. I have done several updates to the server and framework over the last 6 weeks and nothing fixed it.

apt-get install --reinstall ossim-framework
apt-get install --reinstall ossim-server

Now it works.

Subject: Re: Email notification
Posted by metzgers on Wed, 29 Sep 2010 07:21:32 GMT

Hi,

thank you for your answer. I tried to reinstall framework and server but w/o success. The policy actions aren't executing my scripts.

Any further debugging possible? Maybe starting the framework in debug mode as e.g. the server?

Br
Stefan

Subject: Missing firmware for Broadcom NetXtremeII network adapters.
Posted by stephane.millot on Thu, 30 Sep 2010 23:23:08 GMT


Hi all,

Just to let you know that Broadcom NetXtremeII network adapters are not recognized by OSSIM/Debian.

I've just received a shiny new HP Proliant DL360 G7. Installation was fine, but after rebooting, the 4 integrated network interfaces (Broadcom NetXtremeII) were gone.

If anyone encounters a similar issue, just download the latest firmware package from Debian: http://packages.debian.org/sid/firmware-bnx2

Then find a way to put the .deb file (firmware-bnx2_0.27_all.deb) on the server (e.g. in /var/tmp/) and install the package with:

# dpkg -i firmware-bnx2_0.27_all.deb

After a reboot, network interfaces should be recognized.

Cheers,
Stephane

Subject: pxe boot the awesome OSSIM
Posted by sukh on Wed, 27 Oct 2010 06:39:25 GMT

Sorry if this has been asked a bazillion times before. How can I take the amazing OSSIM installer iso and make it so I can deploy it on systems not local to me? i.e. hosts in a remote datacenter that don't have local cd/dvd roms. I do have a pxe/kickstart environment that I'd be able to leverage if someone has a recipe using that.

Thanking you for your time,

regards,
Sukh

Subject: Re: Email notification
Posted by [email protected] on Thu, 04 Nov 2010 18:09:57 GMT

I have the same problem here and did the same fixes, with no true fix.


Did you ever get it working?

Subject: Re: Email notification
Posted by metzgers on Thu, 04 Nov 2010 18:51:15 GMT

Hi,

not yet... same issue. If I install the current version of OSSIM, the policy actions aren't executed anymore.
I see in the frameworkd.log file under /var/log/ossim/ that the right policy action is taken, but the script behind the action isn't executed.

Are there any debugging possibilities for the frameworkd?

Br
Stefan

Subject: Re: Email notification
Posted by [email protected] on Thu, 04 Nov 2010 18:56:32 GMT

I don't have any at this point, although I'm thinking the issue may be the way python sends out emails...

So - you do see the policy 'Action' log entry in the framework log?

I have a pretty wide open policy that should be firing off, b/c I see events in the SIEM view and they are part of the same plugin groups I have for the policy.

If I don't see that Action log entry, that means that the policy isn't firing off, right?

Subject: Re: Email notification
Posted by metzgers on Fri, 05 Nov 2010 09:05:34 GMT

Hi,

yes, I see that log entry in frameworkd.log. I think it means that the policy action is taken correctly, but the script isn't executed.


If I try running the script on the CLI it is executed without any errors/warnings, thus I think the OSSIM frameworkd doesn't start the script.

Br
Stefan

Subject: Re: Email notification
Posted by [email protected] on Fri, 05 Nov 2010 17:45:38 GMT

I finally got this working. This is what I stepped through:

When the framework launches, it binds to ip 0.0.0.0 and port 40003. This is important, because there is a python file (Listen.py) that binds here and it needs to. It is responsible for kicking off Action.py, which in turn is responsible for kicking out emails or the actions.

Start with this scenario:
Make sure you have an action that creates a simple file on your ossim server. Mine was: touch /tmp/heythere

Now, when your framework starts up, make sure that Listen.py binds properly to 0.0.0.0:40003, the stupid thing is that if this fails, the framework still starts up. I don't understand that reasoning.

If that starts up OK and you actually do see the Action message for the file - and the file is created, you'll need to investigate the email part of python.

I have to admit, I'm less clear on this portion, but I would try creating a simple email script in python and make sure you can email from the commandline. The two important files at this point are ActionMail.py and smtplib.py. The ActionMail is specific for OSSIM, whereas the smtplib is a python email library. I ended up changing something in the smtplib file. I changed a line near the end from 'localhost' to 127.0.0.1

Everything seems to be running ok now.

Subject: Re: Email notification
Posted by metzgers on Fri, 05 Nov 2010 18:50:50 GMT

Hi,

in my test machine, which is up2date, I see in the frameworkd.log that there is an iteration each 300 seconds. I think this is the framework restart you mentioned.


Thus, I think, I have the same issue. How can I verify if Listen.py binds properly to 0.0.0.0:40003? Which command, and what do I have to modify if that doesn't happen?

Br
Stefan

Subject: Re: Email notification
Posted by metzgers on Fri, 05 Nov 2010 19:12:38 GMT

Hi,

further information:

If I run a

netstat -tulpen |grep 40003

on my test machine, I get the following:

0.0.0.0:40003 0.0.0.0:* LISTEN <pid>/python

But on my productive machine, I get the following

<ip-address>:40003 0.0.0.0:* LISTEN <pid>/python

The value of <ip-address> is the ip address of the machine (where the action is taken as expected). I think there's the problem? Where can I change this?

Br
Stefan

Subject: Compaq Proliant OSSIM installation issue
Posted by hounddoggy on Mon, 08 Nov 2010 21:14:26 GMT

Just installed the latest release of OSSIM 32 BIT on a Compaq Proliant DL360 Pentium III dual cpu. Server has dual 18GB hard drives connected as a RAID 1 mirrored pair to a Compaq Smart array controller.

OSSIM installer properly recognizes the setup and loads root partition to /dev/ida/c0d0p1 on disks.


After reboot, the Compaq IDA driver is not being loaded. Only the IDE/SCSI pairs are loaded and the only drive seen is the cdrom. It is not a matter of just changing the boot device name.

Anyone know of a workaround? Ideally I would like to reboot it with the install disk, then break out of the installer into a shell after it loads all the required drivers. I would then like to mount the root partition and fix the grub boot as required and the system module load config files to add the Compaq Smart array IDA driver to the load list.

Also, tried installing OSSIM 32 bit on a Dell PC, had the same issue with boot device aka root filesystem not found....

It seems to install systems using the correct driver, but not map that relationship appropriately for after the reboot. In the case of the Dell it switched the device from HDA to SDA after it loaded the scsi module. The scsi module seems to override and overlay all IDE interfaces as well as scsi drives. Had to grub boot the SDA version in single user mode and then fix the GRUB config file as well as all HDA references in /etc/fstab.
I noticed some others had the same issue, which I believe is an installer issue. Make sure you fix /etc/fstab as well or you won't have a swap partition on the hard drive.

Subject: Re: Email notification
Posted by metzgers on Mon, 22 Nov 2010 14:35:02 GMT

Hi all,

maybe anybody could help me. Under /usr/share/ossim-framework/ossimframework/

I found a file named Const.py. There is the listening address specified, which is in my case an ip address. If I update to version 2.3.4 this file is overwritten and the listening entry is now 0.0.0.0.

I think that's the reason why no policy action is taken successfully. Could anybody confirm? What do I have to change?

Br
Stefan
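The two netstat lines earlier in this thread (0.0.0.0:40003 versus <ip-address>:40003) and the Const.py listening address in this post are the same question: which local addresses can reach a listener depends on the address it was bound to. As an added illustration (not OSSIM's Listen.py or any code from the thread), the Python below binds a throwaway TCP listener on a kernel-chosen port, first on the wildcard 0.0.0.0 and then on one specific address, and records which local addresses a client can connect through. It assumes Linux's behaviour of routing the whole 127.0.0.0/8 block to the loopback interface, so 127.0.0.2 can stand in for "a different local address" and 127.0.0.1 stands in for the machine's own <ip-address>.

```python
import socket
from typing import Dict, Iterable

# Assumption: the host routes all of 127.0.0.0/8 to loopback (Linux default), so
# 127.0.0.2 behaves like a second local address without any interface configuration.
LOOPBACK_ALT = "127.0.0.2"


def reachable_from(bind_addr: str, client_addrs: Iterable[str]) -> Dict[str, bool]:
    """Bind a throwaway TCP listener on bind_addr (kernel-chosen port, standing in for
    the framework's 40003) and report which local addresses a client can connect to.
    A completed TCP handshake is enough for the check; the listener never accept()s."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    port = srv.getsockname()[1]
    srv.listen(5)
    results: Dict[str, bool] = {}
    try:
        for addr in client_addrs:
            try:
                with socket.create_connection((addr, port), timeout=1):
                    results[addr] = True
            except OSError:  # ECONNREFUSED or a timeout: nobody listens on that address
                results[addr] = False
    finally:
        srv.close()
    return results


def compare_bind_addresses() -> Dict[str, Dict[str, bool]]:
    """The two listener states seen in the thread's netstat output: the wildcard
    0.0.0.0 and a single specific address (127.0.0.1 stands in for <ip-address>)."""
    clients = ["127.0.0.1", LOOPBACK_ALT]
    return {
        "0.0.0.0": reachable_from("0.0.0.0", clients),
        "127.0.0.1": reachable_from("127.0.0.1", clients),
    }


if __name__ == "__main__":
    for bound, seen in compare_bind_addresses().items():
        print(f"listener bound to {bound}: {seen}")
```

A wildcard listener answers on every local address; a listener bound to one address refuses connections aimed at any other, even from the same host. That is why a framework whose Listen.py is bound to a specific IP only works if whatever connects to port 40003 uses exactly that IP, and why a check with netstat -tulpen (as above) is the first thing to look at when actions stop firing.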

Subject: ossim installation


Posted by rezgui on Mon, 22 Nov 2010 14:53:13 GMT

I'm a student and I would like to compile ossim open source, so I installed Debian 5.06, then I have a problem finding ossim-mysql and ossim-server. Help me please, thanks.

Subject: Re: ossim installation
Posted by pcatalina on Mon, 22 Nov 2010 15:52:32 GMT

Hi,

OSSIM has lots of patches (like a patched kernel...), so we can't support it.

It's recommended to install ossim on a dedicated machine with the OSSIM CD Installer.

Subject: Re: ossim installation
Posted by rezgui on Mon, 22 Nov 2010 15:56:21 GMT

I use this documentation

http://www.ossim.net/wiki/doku.php?id=third_party:francais:installation_de_debian

Subject: Re: ossim installation
Posted by pcatalina on Mon, 22 Nov 2010 17:12:21 GMT

Can you post the error message? And the steps to reproduce it?

Subject: Re: ossim installation
Posted by rezgui on Mon, 22 Nov 2010 17:38:02 GMT

the error message: ossim-mysql package not found

also ossim-server package not found is the same message


debian:/home/debian# apt-get install ossim-mysql
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
E: Impossible de trouver le paquet ossim-mysql

Subject: Re: ossim installation
Posted by pcatalina on Mon, 22 Nov 2010 17:46:02 GMT

Probably you need to add the ossim package repositories, something like this at /etc/apt/sources.list

deb http://data.alienvault.com/debian/ binary/
deb http://www.ossim.net/download/ debian64/
deb http://data.alienvault.com/debian_shared/ binary/

deb http://ftp.us.debian.org/debian/ lenny main contrib
deb-src http://ftp.us.debian.org/debian/ lenny main contrib
deb http://security.debian.org/ lenny/updates main contrib
deb-src http://security.debian.org/ lenny/updates main contrib
deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

Later update the repositories and try it again:

root@localhost:~$ apt-get update

If you continue with the problem, please paste the content of /etc/apt/sources.list and /etc/debian_version, and the result of "uname -a".

Subject: Upgrade to 2.3 error with alienvault-directives-free
Posted by cjsampson77 on Mon, 22 Nov 2010 20:04:42 GMT

When using apt-get dist-upgrade


I am getting the following error. Any ideas?

Install these packages without verification [y/N]? y
tar: ./postinst: time stamp 2010-11-22 17:17:46 is 11836.733318384 s in the future
tar: ./md5sums: time stamp 2010-11-22 17:17:47 is 11837.732985472 s in the future
tar: ./control: time stamp 2010-11-22 17:17:47 is 11837.732907811 s in the future
tar: ./conffiles: time stamp 2010-11-22 17:17:46 is 11836.7328343 s in the future
tar: .: time stamp 2010-11-22 17:17:47 is 11837.73278728 s in the future
(Reading database ... 52019 files and directories currently installed.)
Unpacking alienvault-directives-free (from .../alienvault-directives-free_1.0-6_all.deb) ...
dpkg: error processing /var/cache/apt/archives/alienvault-directives-free_1.0-6_all.deb (--unpack):
 trying to overwrite `/etc/ossim/server/alienvault-dos.xml', which is also in package alienvault-directives
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Errors were encountered while processing:
 /var/cache/apt/archives/alienvault-directives-free_1.0-6_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Subject: Re: Upgrade to 2.3 error with alienvault-directives-free
Posted by cjsampson77 on Mon, 22 Nov 2010 20:22:44 GMT

I think I found the solution

dpkg -i --force-overwrite /var/cache/apt/archives/alienvault-directives-free_1.0-6_all.deb

Subject: Add-on for OSSIM
Posted by Seb13s on Tue, 23 Nov 2010 08:59:53 GMT

Hello everybody,
I need your help to solve a problem. After installing an add-on for OSSIM (CACTI) I have a problem when disconnecting the module cacti. When I disconnect, an error message on phpids appears.
Error message in OSSIM when disconnecting from cacti.
So can you help me to solve this problem, because I have no idea at this time how to allow cacti in phpids..


File Attachments
1) 1.JPG, downloaded 248 times

Subject: Re: ossim installation
Posted by duke on Tue, 23 Nov 2010 09:01:49 GMT

pcatalina wrote on Mon, 22 November 2010 08:52:
Hi,

OSSIM has lots of patches (like a patched kernel...), so we can't support it.

Can you tell about kernel patches? Now I use the standard 2.6.26-2 kernel and it seems that there are no differences.

Subject: Re: Add-on for OSSIM
Posted by Seb13s on Tue, 23 Nov 2010 09:01:56 GMT

File Attachments
1) 2.JPG, downloaded 242 times

Subject: Re: Add-on for OSSIM
Posted by Seb13s on Tue, 23 Nov 2010 09:05:37 GMT

File Attachments
1) 3.JPG, downloaded 233 times

Subject: Re: ossim installation
Posted by pcatalina on Tue, 23 Nov 2010 10:16:12 GMT

If you install ossim from CD, or use the kernel of ossim (at the moment linux-image-2.6.31.6 package alienvault+1.8), there are some differences, like the PFRing patch, and some configurations that improve the performance of OSSIM.


Subject: Re: Compaq Proliant OSSIM installation issue
Posted by pcatalina on Tue, 23 Nov 2010 10:30:46 GMT

Hi,

Did you test OSSIM 64bits?

Which Compaq Smart version do you have?
Which hard disk controller does the Dell computer have?

Subject: Re: ossim installation
Posted by duke on Tue, 23 Nov 2010 10:46:47 GMT

pcatalina wrote on Tue, 23 November 2010 03:16:
If you install ossim from CD, or use the kernel of ossim (at the moment linux-image-2.6.31.6 package alienvault+1.8), there are some differences, like the PFRing patch, and some configurations that improve the performance of OSSIM.

IMHO pf_ring is much more useful on sensors, ossim server itself will not handle hundreds of Kpps.

Subject: Re: ossim installation
Posted by pcatalina on Tue, 23 Nov 2010 10:54:30 GMT

Yes, but the kernel of ossim is optimized for all OSSIM profiles (sensor, server, database, framework, allinone).

So the patch of PF_Ring is added to the OSSIM kernel.

Subject: Re: Missing firmware for Broadcom NetXtremeII network adapters.
Posted by pcatalina on Tue, 23 Nov 2010 11:13:54 GMT

Thank you for the information ;P.

Subject: Re: Do I really need a DVD drive?
Posted by pcatalina on Tue, 23 Nov 2010 11:15:05 GMT


Hi,

we can't compress the packages any more, so you need a DVD to burn the OSSIM ISO (64bits).

Subject: Re: ossim installation
Posted by duke on Tue, 23 Nov 2010 11:15:15 GMT

Unfortunately the native vmware tools do not work well with 2.6.31 :(

Subject: installation ossim
Posted by rezgui on Tue, 23 Nov 2010 11:15:21 GMT

Hi,
I downloaded ossim-2.1 open source at this url http://sourceforge.net/projects/os-sim/

but I don't know how to compile it on a Debian distribution

help me to install or to compile ossim-2.1 step by step
thanks

Subject: Re: pxe boot the awesome OSSIM
Posted by doradito on Tue, 23 Nov 2010 11:20:31 GMT

I'm sorry. At this moment we don't support pxe installation

Regards.

Subject: Re: Installation from USB stick
Posted by doradito on Tue, 23 Nov 2010 11:21:50 GMT

No it's possible to install Ossim via USB


Regards.

Subject: Re: ossim-server -- doesn't start
Posted by doradito on Tue, 23 Nov 2010 11:31:20 GMT

You have to make the changes in /etc/ossim/ossim_setup.conf, then you have to run ossim-reconfig to apply them.

Subject: Re: Bug in plugin_wizard.pl
Posted by doradito on Tue, 23 Nov 2010 11:36:23 GMT

In my Ossim installation it works fine. Check if you have the latest version.

Subject: Re: Where are the Linux Agents?!
Posted by doradito on Tue, 23 Nov 2010 11:52:00 GMT

It is not necessary to put an agent on linux machines, you can use syslog to resend logs to the Ossim sensor.

Subject: Re: ossim-server error : OSSIM-Critical
Posted by michael7736 on Tue, 23 Nov 2010 11:52:34 GMT

The same problem! Waiting for a solution

Subject: Re: Compaq Proliant OSSIM installation issue
Posted by pcatalina on Tue, 23 Nov 2010 11:56:57 GMT

Another solution is to boot with the debian kernel, then download the sources of the ossim kernel with apt-get:


root@ossim:~# apt-get install linux-source-2.6.31.6

After installing the sources you must configure them and recompile, adding the correct drivers.

AlienVault doesn't add support for the Compaq Smart array controller because they can't test it.

Subject: Re: Compaq Proliant OSSIM installation issue
Posted by jwilkinson on Tue, 23 Nov 2010 12:49:10 GMT

I'm running OSSIM on a HP Proliant 360 G4 with a Raid 5 with no issues. What G rev do you have?

Subject: Re: installation ossim
Posted by pcatalina on Tue, 23 Nov 2010 15:29:40 GMT

Hi,

the version 2.1 is outdated, you can get the latest code from assembla: http://www.assembla.com/spaces/os-sim

Subject: Re: ossim-reconfig password error
Posted by pcatalina on Tue, 23 Nov 2010 16:12:09 GMT

Late answer but ...

At the moment OSSIM only permits an alphanumeric password for mysql; if you have a different password for the root user, you can create a new user with an alphanumeric password and change it at /etc/ossim/ossim_setup.conf.

Subject: Re: ossim installation
Posted by pcatalina on Tue, 23 Nov 2010 16:35:55 GMT


Vmware isn't a good option for a production environment. Sniffing traffic with VMware doesn't work well because of the emulated network card, and the vmware support of "promisc" mode on host interfaces.

But for a testing environment OSSIM works well on a virtual machine (vmware, qemu, virtualbox).

Subject: Re: ossim installation
Posted by duke on Tue, 23 Nov 2010 16:56:31 GMT

ESX/ESXi works well with promiscuous mode :)

Subject: help to find package
Posted by rezgui on Tue, 23 Nov 2010 17:37:35 GMT

I'd like to install ossim-cd-tools but I can't find ossim-repo-key, because ossim-cd-tools depends on ossim-repo-key

so help me to find ossim-repo-key, package not found
thanks

Subject: Re: ossim installation
Posted by pcatalina on Tue, 23 Nov 2010 18:11:12 GMT

So if you can emulate an intel (igb) network card, sniffing with all of OSSIM should work fine.

Subject: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 07:58:20 GMT

~# *** glibc detected *** /usr/bin/ossim-server: double free or corruption (!prev): 0x0000000002e4a250 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fe15788c9a8]

Page 21 of 78 ---- Generated from OSSIM by FUDforum 2.7.7

Page 22: FUDforum20110302

/lib/libc.so.6(cfree+0x76)[0x7fe15788eab6]/usr/bin/ossim-server[0x452c5c]/usr/lib/libglib-2.0.so.0[0x7fe1585da474]/lib/libpthread.so.0[0x7fe157b72fc7]/lib/libc.so.6(clone+0x6d)[0x7fe1578e864d]======= Memory map: ========00400000-00480000 r-xp 00000000 03:41 2262142 /usr/bin/ossim-server0067f000-00681000 rw-p 0007f000 03:41 2262142 /usr/bin/ossim-server00681000-05177000 rw-p 00681000 00:00 0 [heap]40000000-40001000 ---p 40000000 00:00 0 40001000-40801000 rw-p 40001000 00:00 0 40801000-40802000 ---p 40801000 00:00 0 40802000-41002000 rw-p 40802000 00:00 0 41002000-41003000 ---p 41002000 00:00 0 41003000-41803000 rw-p 41003000 00:00 0 41803000-41804000 ---p 41803000 00:00 0 41804000-42004000 rw-p 41804000 00:00 0 42004000-42005000 ---p 42004000 00:00 0 42005000-42805000 rw-p 42005000 00:00 0 42805000-42806000 ---p 42805000 00:00 0 42806000-43006000 rw-p 42806000 00:00 0 43006000-43007000 ---p 43006000 00:00 0 43007000-43807000 rw-p 43007000 00:00 0 43807000-43808000 ---p 43807000 00:00 0 43808000-44008000 rw-p 43808000 00:00 0 44008000-44009000 ---p 44008000 00:00 0 44009000-44809000 rw-p 44009000 00:00 0 44809000-4480a000 ---p 44809000 00:00 0 4480a000-4500a000 rw-p 4480a000 00:00 0 7fe150000000-7fe15009a000 rw-p 7fe150000000 00:00 0 7fe15009a000-7fe154000000 ---p 7fe15009a000 00:00 0 7fe155658000-7fe15566e000 r-xp 00000000 03:41 3096620 /lib/libgcc_s.so.17fe15566e000-7fe15586e000 ---p 00016000 03:41 3096620 /lib/libgcc_s.so.17fe15586e000-7fe15586f000 rw-p 00016000 03:41 3096620 /lib/libgcc_s.so.17fe15586f000-7fe155877000 r-xp 00000000 03:41 3096582 /lib/libcrypt-2.7.so7fe155877000-7fe155a77000 ---p 00008000 03:41 3096582 /lib/libcrypt-2.7.so7fe155a77000-7fe155a79000 rw-p 00008000 03:41 3096582 /lib/libcrypt-2.7.so7fe155a79000-7fe155aa7000 rw-p 7fe155a79000 00:00 0 7fe155aa7000-7fe155c66000 r-xp 00000000 03:41 2243588 /usr/lib/libmysqlclient.so.15.0.07fe155c66000-7fe155e66000 ---p 001bf000 03:41 2243588 /usr/lib/libmysqlclient.so.15.0.07fe155e66000-7fe155eb1000 rw-p 
001bf000 03:41 2243588 /usr/lib/libmysqlclient.so.15.0.07fe155eb1000-7fe155eb2000 rw-p 7fe155eb1000 00:00 0 7fe155eb2000-7fe155ebd000 r-xp 00000000 03:41 2294805

Page 22 of 78 ---- Generated from OSSIM by FUDforum 2.7.7

Page 23: FUDforum20110302

/usr/lib/libgda/providers/libgda-mysql.so7fe155ebd000-7fe1560bd000 ---p 0000b000 03:41 2294805 /usr/lib/libgda/providers/libgda-mysql.so7fe1560bd000-7fe1560be000 rw-p 0000b000 03:41 2294805 /usr/lib/libgda/providers/libgda-mysql.so7fe1560be000-7fe1560c8000 r-xp 00000000 03:41 3096596 /lib/libnss_files-2.7.so7fe1560c8000-7fe1562c8000 ---p 0000a000 03:41 3096596 /lib/libnss_files-2.7.so7fe1562c8000-7fe1562ca000 rw-p 0000a000 03:41 3096596 /lib/libnss_files-2.7.so7fe1562ca000-7fe1562d3000 r-xp 00000000 03:41 3096592 /lib/libnss_nis-2.7.so7fe1562d3000-7fe1564d3000 ---p 00009000 03:41 3096592 /lib/libnss_nis-2.7.so7fe1564d3000-7fe1564d5000 rw-p 00009000 03:41 3096592 /lib/libnss_nis-2.7.so7fe1564d5000-7fe1564ea000 r-xp 00000000 03:41 3096584 /lib/libnsl-2.7.so7fe1564ea000-7fe1566e9000 ---p 00015000 03:41 3096584 /lib/libnsl-2.7.so7fe1566e9000-7fe1566eb000 rw-p 00014000 03:41 3096584 /lib/libnsl-2.7.so7fe1566eb000-7fe1566ed000 rw-p 7fe1566eb000 00:00 0 7fe1566ed000-7fe1566f4000 r-xp 00000000 03:41 3096585 /lib/libnss_compat-2.7.so7fe1566f4000-7fe1568f3000 ---p 00007000 03:41 3096585 /lib/libnss_compat-2.7.so7fe1568f30

File Attachments1) server.tar.gz, downloaded 21 times

Subject: Re: Email notification
Posted by metzgers on Wed, 24 Nov 2010 07:59:16 GMT

Hi,

I think it works now. After upgrading the ossim installation with
apt-get update
apt-get dist-upgrade

I recognized an installation error. The package alienvault-directives-free couldn't be installed successfully. I overwrote this file (found the command here in the forum) and after that the upgrade installation finished successfully.

After running ossim-framework -v I found out that the policy action is taken successfully, but the "eval(condition)" inside Action.py is "False"... thus the execution is stopped. I changed this; now the condition evaluation is "True" and the script is executed as expected.

Br
Stefan

Subject: Re: help to find paket
Posted by doradito on Wed, 24 Nov 2010 08:57:26 GMT

How are you installing ossim-cd-tools package?

Subject: Re: ossim-server crashed
Posted by doradito on Wed, 24 Nov 2010 09:29:12 GMT

Can you tell us how to reproduce it?

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 09:53:33 GMT

I found that the ossim agent cannot connect to the ossim server's 40001 port, so I checked the ossim-server.

ossim-server: 64bit

Detected Ossim Version:2.3.4
Detected Schema Version:2.3.4
Detected Database Type:mysql

Linux socserver 2.6.26-2-amd64 #1 SMP Thu Sep 16 15:56:38 UTC 2010 x86_64 GNU/Linux

dpkg -l |grep ossim
ii  ossim-agent               1:2.3-19         Open Source Security Information Management
ii  ossim-cd-configs          1.0-18           Configuration file updates for ossim related
ii  ossim-cd-tools            1.1-101          OSSIM CD Installer control files
ii  ossim-compliance          1.1-18           <insert up to 60 chars description>
ii  ossim-contrib             1:2.3.4-75       Open Source Security Information Management
ii  ossim-database-migration  1.0-13           <insert up to 60 chars description>
ii  ossim-downloads           1.0-14           <insert up to 60 chars description>
ii  ossim-framework           1:2.3.4-75       Open Source Security Information Management
ii  ossim-framework-daemon    1:2.3.4-75       Open Source Security Information Management
ii  ossim-geoip               1.0-15           <insert up to 60 chars description>
ii  ossim-menu-setup          1.0-23           <insert up to 60 chars description>
ii  ossim-mysql               1:2.3.4-75       Open Source Security Information Management
ii  ossim-osvdb               1.0-14           OSVDB Database
ii  ossim-repo-key            1.0-11           <insert up to 60 chars description>
ii  ossim-server              1:2.3.4-75       Open Source Security Information Management
ii  ossim-utils               1:2.3.4-75       Open Source Security Information Management
ii  phpgacl                   1:3.3.7-5ossim5  PHP Generic Access Control Lists

ossim-agent: 32bit

Linux soc-test-agent 2.6.31.6 #1 SMP Wed Jul 14 21:23:56 EDT 2010 i686 GNU/Linux

dpkg -l |grep ossim
ii  ossim-agent               1:2.3-1    Open Source Security Information Management
ii  ossim-cd-configs          1.0-6      Configuration file updates for ossim related
ii  ossim-cd-tools            1.1-81     OSSIM CD Installer control files
ii  ossim-contrib             1:2.3      Open Source Security Information Management
ii  ossim-database-migration  1.0        <insert up to 60 chars description>
ii  ossim-menu-setup          1.0-10     <insert up to 60 chars description>
ii  ossim-repo-key            1.0        <insert up to 60 chars description>
ii  ossim-utils               1:2.3      Open Source Security Information Management

ossim-server -D6

*** glibc detected *** ossim-server: double free or corruption (!prev): 0x0000000003481200 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f3a204a89a8]
/lib/libc.so.6(cfree+0x76)[0x7f3a204aaab6]
ossim-server[0x452c5c]
/usr/lib/libglib-2.0.so.0[0x7f3a211f6474]
/lib/libpthread.so.0[0x7f3a2078efc7]
/lib/libc.so.6(clone+0x6d)[0x7f3a2050464d]
======= Memory map: ========
00400000-00480000 r-xp 00000000 03:41 2262142 /usr/bin/ossim-server
0067f000-00681000 rw-p 0007f000 03:41 2262142 /usr/bin/ossim-server
00681000-05178000 rw-p 00681000 00:00 0 [heap]
40000000-40001000 ---p 40000000 00:00 0
40001000-40801000 rw-p 40001000 00:00 0
40801000-40802000 ---p 40801000 00:00 0
40802000-41002000 rw-p 40802000 00:00 0
41002000-41003000 ---p 41002000 00:00 0
41003000-41803000 rw-p 41003000 00:00 0
41803000-41804000 ---p 41803000 00:00 0
41804000-42004000 rw-p 41804000 00:00 0
42004000-42005000 ---p 42004000 00:00 0
42005000-42805000 rw-p 42005000 00:00 0
42805000-42806000 ---p 42805000 00:00 0
42806000-43006000 rw-p 42806000 00:00 0
43006000-43007000 ---p 43006000 00:00 0
43007000-43807000 rw-p 43007000 00:00 0
7f3a18000000-7f3a18021000 rw-p 7f3a18000000 00:00 0
7f3a18021000-7f3a1c000000 ---p 7f3a18021000 00:00 0
7f3a1e274000-7f3a1e28a000 r-xp 00000000 03:41 3096620 /lib/libgcc_s.so.1
7f3a1e28a000-7f3a1e48a000 ---p 00016000 03:41 3096620 /lib/libgcc_s.so.1
7f3a1e48a000-7f3a1e48b000 rw-p 00016000 03:41 3096620 /lib/libgcc_s.so.1
7f3a1e48b000-7f3a1e493000 r-xp 00000000 03:41 3096582 /lib/libcrypt-2.7.so
7f3a1e493000-7f3a1e693000 ---p 00008000 03:41 3096582 /lib/libcrypt-2.7.so
7f3a1e693000-7f3a1e695000 rw-p 00008000 03:41 3096582 /lib/libcrypt-2.7.so
7f3a1e695000-7f3a1e6c3000 rw-p 7f3a1e695000 00:00 0
7f3a1e6c3000-7f3a1e882000 r-xp 00000000 03:41 2243588 /usr/lib/libmysqlclient.so.15.0.0
7f3a1e882000-7f3a1ea82000 ---p 001bf000 03:41 2243588 /usr/lib/libmysqlclient.so.15.0.0
7f3a1ea82000-7f3a1eacd000 rw-p 001bf000 03:41 2243588 /usr/lib/libmysqlclient.so.15.0.0
7f3a1eacd000-7f3a1eace000 rw-p 7f3a1eacd000 00:00 0
7f3a1eace000-7f3a1ead9000 r-xp 00000000 03:41 2294805 /usr/lib/libgda/providers/libgda-mysql.so
7f3a1ead9000-7f3a1ecd9000 ---p 0000b000 03:41 2294805 /usr/lib/libgda/providers/libgda-mysql.so
7f3a1ecd9000-7f3a1ecda000 rw-p 0000b000 03:41 2294805 /usr/lib/libgda/providers/libgda-mysql.so
7f3a1ecda000-7f3a1ece4000 r-xp 00000000 03:41 3096596 /lib/libnss_files-2.7.so
7f3a1ece4000-7f3a1eee4000 ---p 0000a000 03:41 3096596 /lib/libnss_files-2.7.so
7f3a1eee4000-7f3a1eee6000 rw-p 0000a000 03:41 3096596 /lib/libnss_files-2.7.so
7f3a1eee6000-7f3a1eeef000 r-xp 00000000 03:41 3096592 /lib/libnss_nis-2.7.so
7f3a1eeef000-7f3a1f0ef000 ---p 00009000 03:41 3096592 /lib/libnss_nis-2.7.so
7f3a1f0ef000-7f3a1f0f1000 rw-p 00009000 03:41 3096592 /lib/libnss_nis-2.7.so
7f3a1f0f1000-7f3a1f106000 r-xp 00000000 03:41 3096584 /lib/libnsl-2.7.so
7f3a1f106000-7f3a1f305000 ---p 00015000 03:41 3096584 /lib/libnsl-2.7.so
7f3a1f305000-7f3a1f307000 rw-p 00014000 03:41 3096584 /lib/libnsl-2.7.so
7f3a1f307000-7f3a1f309000 rw-p 7f3a1f307000 00:00 0
7f3a1f309000-7f3a1f310000 r-xp 00000000 03:41 3096585 /lib/libnss_compat-2.7.so
7f3a1f310000-7f3a1f50f000 ---p 00007000 03:41 3096585 /lib/libnss_compat-2.7.so
7f3a1f50f000-7f3a1f511000 rw-p 00006000 03:41 3096585 /lib/libnss_compat-2.7.so
7f3a1f511000-7f3a1f539000 r-xp 00000000 03:41 2240720 /usr/lib/libpcre.so.3.12.1
7f3a1f539000-7f3a1f738000 ---p 00028000 03:41 2240720 /usr/l

Subject: Re: ossim-server crashed
Posted by doradito on Wed, 24 Nov 2010 10:14:57 GMT

Can you put here the file /etc/apt/sources.list?

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 10:22:55 GMT

more /etc/apt/sources.list

deb cdrom:[Debian GNU/Linux 5.0.4 _Lenny_ - Unofficial amd64 DVD Binary-1 20100810-18:01]/ lenny contrib main non-free
deb http://data.alienvault.com/debian/ binary/
deb http://www.ossim.net/download/ debian64/
deb http://data.alienvault.com/debian_shared/ binary/
deb http://ftp.us.debian.org/debian/ lenny main contrib
deb-src http://ftp.us.debian.org/debian/ lenny main contrib
deb http://security.debian.org/ lenny/updates main contrib
deb-src http://security.debian.org/ lenny/updates main contrib
deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 10:36:20 GMT

I think that version 2.3.1 has some problems.

Subject: Re: help to find paket
Posted by rezgui on Wed, 24 Nov 2010 10:46:46 GMT

No, because ossim-cd-tools depends on ossim-repo-key to install.

The installation of ossim-repo-key comes before ossim-cd-tools.

Subject: Re: help to find paket
Posted by doradito on Wed, 24 Nov 2010 11:35:05 GMT

What repositories are you using?

Subject: Re: ossim-server crashed
Posted by doradito on Wed, 24 Nov 2010 11:43:00 GMT

Can you execute an lshw command and send me the output?

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 11:47:38 GMT

socserver
    description: Computer
    product: HVM domU
    vendor: Xen
    version: 3.3.1
    serial: 19b57654-d7e0-ea39-4a0f-7fe9a2b71409
    width: 64 bits
    capabilities: smbios-2.4 dmi-2.4 vsyscall64 vsyscall32
    configuration: boot=normal uuid=19B57654-D7E0-EA39-4A0F-7FE9A2B71409
  *-core
       description: Motherboard
       physical id: 0
     *-firmware:0
          description: BIOS
          vendor: Xen
          physical id: 0
          version: 3.3.1 (10/13/2009)
          size: 96KiB
          capabilities: pci edd
     *-cpu:0
          description: CPU
          product: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
          vendor: Intel Corp.
          physical id: 1
          bus info: cpu@0
          slot: CPU 1
          size: 2GHz
          capacity: 2GHz
          width: 64 bits
          capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 syscall x86-64 constant_tsc rep_good pni ssse3 cx16 sse4_1 sse4_2 lahf_lm
     *-cpu:1
          description: CPU
          product: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
          vendor: Intel Corp.
          physical id: 2
          bus info: cpu@1
          slot: CPU 2
          size: 2GHz
          capacity: 2GHz
          width: 64 bits
          capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 syscall x86-64 constant_tsc rep_good pni ssse3 cx16 sse4_1 sse4_2 lahf_lm
     *-cpu:2
          description: CPU
          product: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
          vendor: Intel Corp.
          physical id: 3
          bus info: cpu@2
          slot: CPU 3
          size: 2GHz
          capacity: 2GHz
          width: 64 bits
          capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 syscall x86-64 constant_tsc rep_good pni ssse3 cx16 sse4_1 sse4_2 lahf_lm
     *-cpu:3
          description: CPU
          product: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
          vendor: Intel Corp.
          physical id: 4
          bus info: cpu@3
          slot: CPU 4
          size: 2GHz
          capacity: 2GHz
          width: 64 bits
          capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 syscall x86-64 constant_tsc rep_good pni ssse3 cx16 sse4_1 sse4_2 lahf_lm
     *-memory:0
          description: System Memory
          physical id: 5
        *-bank:0
             description: DIMM RAM
             physical id: 0
             slot: DIMM 0
             size: 4GiB
             width: 64 bits
        *-bank:1
             description: DIMM RAM
             physical id: 1
             slot: DIMM 0
             size: 4GiB
             width: 64 bits
     *-firmware:1
          description: BIOS
          vendor: Xen
          physical id: 6
          version: 3.3.1 (10/13/2009)
          size: 96KiB
          capabilities: pci edd
     *-cpu:4
          description: CPU
          vendor: Intel
          physical id: 7
          bus info: cpu@4
          slot: CPU 1
          size: 2GHz
          capacity: 2GHz
     *-cpu:5
          description: CPU
          vendor: Intel
          physical id: 8
          bus info: cpu@5
          slot: CPU 2
          size: 2GHz
          capacity: 2GHz
     *-cpu:6
          description: CPU
          vendor: Intel
          physical id: 9
          bus info: cpu@6
          slot: CPU 3
          size: 2GHz
          capacity: 2GHz
     *-cpu:7
          description: CPU
          vendor: Intel
          physical id: a
          bus info: cpu@7
          slot: CPU 4
          size: 2GHz
          capacity: 2GHz
     *-memory:1
          description: System Memory
          physical id: b
     *-memory:2 UNCLAIMED
          physical id: c
     *-memory:3 UNCLAIMED
          physical id: d
     *-pci
          description: Host bridge
          product: 440FX - 82441FX PMC [Natoma]
          vendor: Intel Corporation
          physical id: 100
          bus info: pci@0000:00:00.0
          version: 02
          width: 32 bits
          clock: 33MHz
        *-isa
             description: ISA bridge
             product: 82371SB PIIX3 ISA [Natoma/Triton II]
             vendor: Intel Corporation
             physical id: 1
             bus info: pci@0000:00:01.0
             version: 00
             width: 32 bits
             clock: 33MHz
             capabilities: isa bus_master
             configuration: latency=0
        *-ide
             description: IDE interface
             product: 82371SB PIIX3 IDE [Natoma/Triton II]
             vendor: Intel Corporation
             physical id: 1.1
             bus info: pci@0000:00:01.1
             version: 00
             width: 32 bits
             clock: 33MHz
             capabilities: ide bus_master
             configuration: driver=PIIX_IDE latency=64 module=piix
           *-ide:0
                description: IDE Channel 0
                physical id: 0
                bus info: ide@0
                logical name: ide0
                clock: 33MHz
              *-disk
                   description: ATA Disk
                   product: QEMU HARDDISK
                   physical id: 1
                   bus info: ide@0.1
                   logical name: /dev/hdb
                   version: 0.9.1
                   serial: QM00002
                   size: 50GiB (53GB)
                   capacity: 50GiB (53GB)
                   capabilities: ata dma lba iordy partitioned partitioned:dos
                   configuration: signature=000d642b
                 *-volume:0
                      description: EXT3 volume
                      vendor: Linux
                      physical id: 1
                      bus info: ide@0.1,1
                      logical name: /dev/hdb1
                      logical name: /
                      version: 1.0
                      serial: b9f3c9cb-43cb-44d2-b64a-eecd13c83fc1
                      size: 47GiB
                      capacity: 47GiB
                      capabilities: primary bootable journaled extended_attributes large_files huge_files recover ext3 ext2 initialized
                      configuration: created=2010-11-20 17:10:11 filesystem=ext3 modified=2010-11-24 18:52:30 mount.fstype=ext3 mount.options=rw,errors=remount-ro,data=ordered mounted=2010-11-21 16:00:33 state=mounted
                 *-volume:1
                      description: Extended partition
                      physical id: 2
                      bus info: ide@0.1,2
                      logical name: /dev/hdb2
                      size: 2141MiB
                      capacity: 2141MiB
                      capabilities: primary extended partitioned partitioned:extended
                    *-logicalvolume
                         description: Linux swap / Solaris partition
                         physical id: 5
                         logical name: /dev/hdb5
                         capacity: 2141MiB
                         capabilities: nofs
           *-ide:1
                description: IDE Channel 1
                physical id: 1
                bus info: ide@1
                logical name: ide1
                clock: 33MHz
              *-cdrom
                   description: IDE CD-ROM
                   product: QEMU DVD-ROM
                   physical id: 1
                   bus info: ide@1.1
                   logical name: /dev/hdd
                   version: 0.9.1
                   serial: QM00004
                   capabilities: packet atapi cdrom removable nonmagnetic dma lba
                   configuration: status=ready
                 *-medium
                      physical id: 0
                      logical name: /dev/hdd
        *-usb
             description: USB Controller
             product: 82371SB PIIX3 USB [Natoma/Triton II]
             vendor: Intel Corporation
             physical id: 1.2
             bus info: pci@0000:00:01.2
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: uhci bus_master
             configuration: driver=uhci_hcd latency=64 module=uhci_hcd
           *-usbhost
                product: UHCI Host Controller
                vendor: Linux 2.6.26-2-amd64 uhci_hcd
                physical id: 1
                bus info: usb@1
                logical name: usb1
                version: 2.06
                capabilities: usb-1.10
                configuration: driver=hub slots=2 speed=12.0MB/s
              *-usb
                   description: Mouse
                   product: QEMU USB Tablet
                   vendor: QEMU 0.9.1
                   physical id: 2
                   bus info: usb@1:2
                   version: 0.00
                   serial: 1
                   capabilities: usb-1.00
                   configuration: driver=usbhid maxpower=100mA speed=12.0MB/s
        *-bridge UNCLAIMED
             description: Bridge
             product: 82371AB/EB/MB PIIX4 ACPI
             vendor: Intel Corporation
             physical id: 1.3
             bus info: pci@0000:00:01.3
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: bridge
             configuration: latency=0
        *-display UNCLAIMED
             description: VGA compatible controller
             product: GD 5446
             vendor: Cirrus Logic
             physical id: 2
             bus info: pci@0000:00:02.0
             version: 00
             width: 32 bits
             clock: 33MHz
             capabilities: vga_controller
             configuration: latency=0
        *-scsi UNCLAIMED
             description: SCSI storage controller
             product: Xen Platform Device
             vendor: XenSource, Inc.
             physical id: 3
             bus info: pci@0000:00:03.0
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: scsi
             configuration: latency=0
        *-network
             description: Ethernet interface
             product: RTL-8139/8139C/8139C+
             vendor: Realtek Semiconductor Co., Ltd.
             physical id: 4
             bus info: pci@0000:00:04.0
             logical name: eth0
             version: 20
             serial: 52:67:2b:a1:6d:6c
             size: 100MB/s
             capacity: 100MB/s
             width: 32 bits
             clock: 33MHz
             capabilities: bus_master ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
             configuration: autonegotiation=on broadcast=yes driver=8139cp driverversion=1.3 duplex=full ip=192.168.10.88 latency=64 link=yes module=8139cp multicast=yes port=MII promiscuous=yes speed=100MB/s

Subject: Re: ossim-server crashed
Posted by doradito on Wed, 24 Nov 2010 11:54:07 GMT

You have a good machine; check if your hard disk is full with the df -h command.

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 12:01:18 GMT

It's a new machine.

socserver:~# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hdb1              48G  6.3G   39G  14% /
tmpfs                 2.0G     0  2.0G   0% /lib/init/rw
udev                   10M  624K  9.4M   7% /dev
tmpfs                 2.0G     0  2.0G   0% /dev/shm

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 12:05:15 GMT

I'd like to update to a new version. But it doesn't work. 8o

Subject: Re: ossim-server crashed
Posted by doradito on Wed, 24 Nov 2010 12:06:34 GMT

Did you use the last alienvault iso version to install your machine, or did you install over an existing debian?

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 12:12:32 GMT

doradito wrote on Wed, 24 November 2010 05:06:
Quote:You used the last alienvault iso version to install your machine or you installed over an existing debian

I used the version 2.3.1 (32bit or 64bit) iso to install, and then update to new version.

Subject: Re: ossim-server crashed
Posted by doradito on Wed, 24 Nov 2010 12:17:24 GMT

It is very rare, because we tested the new update yesterday with the 64bits alienvault version, and it is running fine. Try to reinstall the server:

apt-get install --reinstall ossim-server
ossim-reconfig

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 12:43:29 GMT

System->System-> I'd like to disable a plugin in the webui, but there is a problem:

Warning: socket_connect() [function.socket-connect]: unable to connect [111]: Connection refused in /usr/share/ossim/www/sensor/sensor_plugins.php on line 133

Warning: socket_write() [function.socket-write]: unable to write to socket [32]: Broken pipe in /usr/share/ossim/www/sensor/sensor_plugins.php on line 141

Warning: socket_read() [function.socket-read]: unable to read from socket [107]: Transport endpoint is not connected in /usr/share/ossim/www/sensor/sensor_plugins.php on line 142

Bad response from server

Subject: Re: ossim-server crashed
Posted by doradito on Wed, 24 Nov 2010 12:56:08 GMT

check /var/log/ossim/agent.log and /var/log/ossim/server.log

Subject: Re: ossim-server crashed
Posted by jiekechoo on Wed, 24 Nov 2010 13:03:08 GMT

please check the server.log

File Attachments
1) server.log, downloaded 14 times

Subject: Re: ossim-server crashed
Posted by juanma on Wed, 24 Nov 2010 17:44:03 GMT

Did you run ossim-reconfig after updating your box?

Subject: Re: Upgrade to 2.3 error with alienvault-directives-free
Posted by paul_psmith on Wed, 24 Nov 2010 20:03:35 GMT

Had the same problem on a 32bit system. Was running an update on an older all-in-one box. Have not run an upgrade on this box for probably six+ months. Seemed to stop after a bit.

Ran apt-get dist-upgrade again after that and had another failure where dpkg exited unexpectedly.

"E: Sub-process /usr/bin/dpkg exited unexpectedly"

Had to run "dpkg --configure -a"

ossim-reconfig and now seems like it may be ok. Will know after a bit.

My 64bit all-in-one seemed to upgrade ok today. But it was last updated maybe a month ago.

Thanks!!
PS

Subject: Re: Upgrade to 2.3 error with alienvault-directives-free
Posted by paul_psmith on Wed, 24 Nov 2010 20:19:57 GMT

Hmmmm... now I can't get to the webgui. Says forbidden.

Doing an ls on /usr/share/ossim/www only shows 8 subfolders.

On my working 64bit box I have maybe 30 and some files. None of the files are there either. Looks like my whole box might be hosed... sigh.

Thanks

Subject: Re: Ossim update error
Posted by paul_psmith on Wed, 24 Nov 2010 20:25:24 GMT

Same problem. Tried your suggestion. Got unmet dependency errors. Went up the tree... see below.

All sorts of stuff broken...

soknse21:~# apt-get install ossim-framework
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  ossim-framework: Depends: alienvault-dummy-framework but it is not going to be installed
E: Broken packages
soknse21:~#
soknse21:~# apt-get install alienvault-dummy-framework
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  alienvault-dummy-framework: Depends: nagios3 but it is not going to be installed
E: Broken packages
soknse21:~# apt-get install nagios3
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  nagios3: Depends: nagios3-common (= 3.0.6-4~lenny2) but 1:3.0.6-7 is to be installed
E: Broken packages
soknse21:~# apt-get install nagios3-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
nagios3-common is already the newest version.
nagios3-common set to manually installed.
The following packages were automatically installed and are no longer required:
  alienvault-directives libdns45 libisccc40 liblwres40 libbind9-40 libisccfg40 libisc45
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

Subject: Re: ossim-server crashed
Posted by jiekechoo on Thu, 25 Nov 2010 01:02:03 GMT

yes. I did.

Subject: Re: help to find paket
Posted by rezgui on Thu, 25 Nov 2010 05:49:55 GMT

I use these:

deb http://data.alienvault.com/debian/ binary/
deb http://www.ossim.net/download/ debian64/
deb http://data.alienvault.com/debian_shared/ binary/

deb http://ftp.us.debian.org/debian/ lenny main contrib
deb-src http://ftp.us.debian.org/debian/ lenny main contrib
deb http://security.debian.org/ lenny/updates main contrib
deb-src http://security.debian.org/ lenny/updates main contrib
deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

Subject: Re: help to find paket
Posted by doradito on Thu, 25 Nov 2010 08:17:37 GMT

You can do

apt-get update
apt-get -d install ossim-cd-tools

This downloads ossim-cd-tools and its dependencies.

Or

apt-get update
apt-get -d install ossim-repo-key

This only downloads ossim-repo-key.

I have tried both and it runs ok.

Subject: Re: ossim-server crashed
Posted by doradito on Thu, 25 Nov 2010 08:26:49 GMT

Can you paste here your /etc/ossim/ossim_setup.conf?

Subject: Re: Email when a ticket is generated
Posted by doradito on Thu, 25 Nov 2010 08:35:47 GMT

Ossim does not have that option yet. I will open a request to implement it.

Subject: Re: element rule: validity error : No declaration for attribute XXX of element rule
Posted by doradito on Thu, 25 Nov 2010 08:40:46 GMT

Can you put your directives here?

Subject: Re: ossim-server crashed
Posted by jiekechoo on Thu, 25 Nov 2010 08:42:39 GMT

socserver:~# more /etc/ossim/ossim_setup.conf
admin_ip=192.168.10.88
domain=
email_notify=system@alienvault.com
first_init=no
hostname=socserver
interface=eth0
language=en
profile=Database, Server, Framework, Sensor
upgrade=no
version=1.2

[database]
acl_db=ossim_acl
db_ip=127.0.0.1
db_port=3306
event_db=snort
ocs_db=ocsweb
ossim_db=ossim
osvdb_db=osvdb
pass=xxxxxxxx
rebuild_database=no
type=mysql
user=root

[expert]
profile=server

[firewall]
active=yes

[framework]
framework_https=yes
framework_ip=192.168.10.88
framework_port=40003

[sensor]
detectors=nagios, ossim-agent, pam_unix, snare, snortunified, ssh
interfaces=eth0
ip=
monitors=nmap-monitor, ntop-monitor, ossim-monitor, ping-monitor, tcptrack-monitor
name=ossim
netflow=yes
networks=192.168.0.0/16
pci_express=yes
rsyslog_dnslookups_disable=yes

[server]
server_ip=127.0.0.1
server_license=no
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001
server_pro=no

[snmp]
community=public
snmpd=no
snmptrap=no

[vpn]
vpn_infraestructure=yes
vpn_net=10.67.68
vpn_port=33800
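Added example (not from this thread and not OSSIM's own code): a small checker for the two points raised earlier about /etc/ossim/ossim_setup.conf, pcatalina's note that only alphanumeric MySQL passwords work, and the fact that the pasted config connects as user=root. The parser handles the layout seen in the paste above (global keys before the first [section] header, which Python's configparser rejects). The sample config and its password are constructed placeholders.

```python
"""Check the [database] credentials in an ossim_setup.conf-style file.

Constructed example; not part of the forum thread or the OSSIM code base.
"""
import re

# Constructed sample in the ossim_setup.conf layout seen in the thread:
# global keys first, then [section] blocks. The password is a placeholder.
SAMPLE_SETUP_CONF = """\
admin_ip=192.168.10.88
domain=
hostname=socserver
interface=eth0

[database]
db_ip=127.0.0.1
db_port=3306
pass=Secr3t!pa$$
type=mysql
user=root

[server]
server_ip=127.0.0.1
server_port=40001
"""

ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def parse_setup_conf(text):
    """Parse the INI-like layout into {section: {key: value}}.

    Keys that appear before the first [section] header go under "" (the
    global section); configparser rejects such files, hence the hand parser.
    Values are split on the first '=' only, so list values with commas and
    empty values such as 'domain=' survive.
    """
    conf = {"": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # tolerate stray lines rather than abort
        conf[section][key.strip()] = value.strip()
    return conf


def check_database_credentials(conf):
    """Return a list of findings for the [database] block (empty = clean)."""
    findings = []
    db = conf.get("database", {})
    password = db.get("pass", "")
    user = db.get("user", "")
    if not password:
        findings.append("database password is empty")
    elif not ALNUM.match(password):
        findings.append(
            "database password contains non-alphanumeric characters; "
            "per this thread OSSIM only accepts alphanumeric MySQL passwords"
        )
    if user == "root":
        findings.append(
            "OSSIM connects to MySQL as root; create a dedicated user with "
            "only the privileges it needs and reference it here"
        )
    return findings


if __name__ == "__main__":
    for finding in check_database_credentials(parse_setup_conf(SAMPLE_SETUP_CONF)):
        print("finding:", finding)
```

Run it against the real file with `parse_setup_conf(open("/etc/ossim/ossim_setup.conf").read())`; the sample above produces two findings, the dedicated-user one being the same advice pcatalina gives.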

Subject: Re: ossim-server crashed
Posted by doradito on Thu, 25 Nov 2010 08:54:40 GMT

Your server.log is ok. What exactly is your problem with the server?

Subject: Re: ossim-server crashed
Posted by jiekechoo on Thu, 25 Nov 2010 09:26:18 GMT

I found that the agent had two processes connected to the server, so I killed them all and restarted the agent.

Subject: Re: Ossim Management page don't can be accessed
Posted by pcatalina on Thu, 25 Nov 2010 11:27:31 GMT

Sorry, I can't understand you. Can you explain it better, or can you be more specific?

Subject: Re: help to find paket
Posted by rezgui on Thu, 25 Nov 2010 12:38:23 GMT

can you show me your repositories

Subject: Re: Email when a ticket is generated
Posted by gsporter on Thu, 25 Nov 2010 16:20:25 GMT

You should be able to get this to work with the current release. I can only give you some general suggestions since I am in the process of doing a MS SBS migration which required an IP and topology change, so I can't hit my OSSIM machine. Have to love some of MS's little quirks.

1. Check to be sure postfix is running correctly on the OSSIM server. I used my ISP's smarthost as a relay. You may have to set up some local email aliases in postfix. Create some test email to be sure it is working.

2. Create a Policy /Action (your email)

2. Create a Policy /Action (your email)

I will try and post more specifics when I get my box back online.

GP

Subject: Problem after default update [SOLVED]
Posted by mtoloko on Fri, 26 Nov 2010 10:25:27 GMT

Hi!

I installed OSSIM OpenSource yesterday, and after I performed the update commands and went to Menu->Monitors->System I received the following message:
Quote:
socket error: Is OSSIM server running at 127.0.0.1:40001?

There aren't any sensors connected to OSSIM server

What is wrong with the update?

I use the following to update:
apt-get update
apt-get dist-upgrade
ossim-reconfig

Thanks in advance!!

Subject: Re: Problem after default update
Posted by doradito on Fri, 26 Nov 2010 11:55:22 GMT

It's possible that you have had problems doing ossim-reconfig. Do it again and check that all is alright.

Subject: ossim--Server using 100% of processor.
Posted by pboniface on Fri, 26 Nov 2010 14:03:21 GMT

started doing it a few updates ago...

several updates later.. still doing it...

server.log shows...

2010-11-26 14:01:45 OSSIM-Message: New Session remote IP: 10.81.16.61
2010-11-26 14:01:45 OSSIM-Message: New session
2010-11-26 14:01:45 OSSIM-Message: Session Append
2010-11-26 14:01:45 OSSIM-Message: New Session remote IP: 10.81.16.61
2010-11-26 14:01:45 OSSIM-Message: New session
2010-11-26 14:01:45 OSSIM-Message: Session Append
2010-11-26 14:02:32 OSSIM-Message: Starting OSSIM Server engine. Version: 2.3.3.001
2010-11-26 14:02:32 OSSIM-Message: Please be patient; This will take a while. Depending on your plugin_sid list and your system, may be some minutes...

constantly.... about three events get processed, then it does it all again.

Is there any troubleshooting/debugging/extended logging that any member of the DEV team would like me to run to isolate what's causing this?

Subject: Re: Problem after default update
Posted by mtoloko on Fri, 26 Nov 2010 16:51:04 GMT

I performed ossim-reconfig again, but see below what is shown in agent.log:

Quote:
2010-11-26 14:49:34,666 Conn [ERROR]: [sid=1] Error connecting to server 127.0.0.1, port 40001: (111, 'Connection refused')
2010-11-26 14:49:34,667 Conn [INFO]: Can't connect to server, retrying in 10 seconds

And when I go to Menu->Monitors->System I get the same error message repeated several times.

Subject: compilation ossim
Posted by rezgui on Fri, 26 Nov 2010 18:43:19 GMT

I would like to know how to compile OSSIM open source on Debian. Thanks.

Subject: Re: Problem after default update
Posted by doradito on Sat, 27 Nov 2010 11:35:45 GMT

Can you check how many Ossim processes you have running?

ps -aux | grep ossim-

Subject: Error Creating New Policy
Posted by gsporter on Sat, 27 Nov 2010 17:12:16 GMT

I recently had to change my network topology/IP addressing to comply with some MS migration requirements, so I decided to go ahead and do a clean install of OSSIM.

OSSIM 2.3.1 (amd64) with all current updates:
apt-get update
apt-get dist-upgrade
ossim-reconfig

Everything appears to be working fine, until I start trying to create a policy. I can work through the steps and everything shows up in the display bar at the bottom. However, when I get to the point of creating the policy I get:

Error!
At least one Destination IP, Host group, Net or Net group required

Any suggestions?

GP


Subject: How do we update OSVDB?
Posted by BAKERNET on Sun, 28 Nov 2010 16:29:20 GMT

Can anyone provide UPDATED information on how to update the OSVDB in OSSIM?

Many thanks !!!

Subject: Re: How do we update OSVDB?
Posted by doradito on Mon, 29 Nov 2010 08:26:30 GMT

Hi BAKERNET
The OSVDB database is updated with the OSSIM repositories, so if you do the update process:

apt-get update
apt-get dist-upgrade
ossim-reconfig

You will have the latest available version of the OSVDB database installed.

Subject: Re: Error Creating New Policy
Posted by doradito on Mon, 29 Nov 2010 08:38:25 GMT

Can you put here a screenshot of how you create the policy and a screenshot of your Assets->Assets->Networks window?

Subject: Re: ossim--Server using 100% of processor.
Posted by pcatalina on Mon, 29 Nov 2010 10:43:02 GMT

Hi,

root@ossim:~# ossim-server --help
OSSIM Server Options:
-c config_file   Default config file is /etc/ossim/server/config.xml
-d               Run as daemon
-DLevel          Run in debug mode (level 6 is very useful)
-i ip            IP address of the interface connected to the agents (where the server should listen)
-p port          The port the server will listen on

Alienvault Open Source SIM version: 2.3.3.001

So you can extend the logs with debug info using the -D option, for example -D6.

Subject: Re: Problem after default update
Posted by mtoloko on Mon, 29 Nov 2010 12:26:46 GMT

Hey doradito, look...

Quote:
opensourcesim:/var/log# ps -ef | grep ossim-
root  3134     1  0 Nov26 ?     00:03:05 /usr/bin/python -OOt /usr/bin/ossim-agent -d
root 25299     1  1 09:42 ?     00:00:30 /usr/bin/python -OOt /usr/bin/ossim-agent -d
root 30148     1 35 10:17 pts/1 00:00:26 /usr/bin/ossim-server -c /etc/ossim/server/config.xml -d
root 30170     1  0 10:17 pts/1 00:00:00 /usr/bin/python -OOt /usr/bin/ossim-framework -s300 -d
root 30580     1  1 10:18 ?     00:00:00 /usr/bin/python -OOt /usr/bin/ossim-agent -d

I performed a new update now and ossim-reconfig; after 5 minutes the service is OK and connected again.

See agent.log below:

Quote:
2010-11-29 10:24:52,854 Conn [INFO]: Connected to server!
2010-11-29 10:24:52,858 Output [INFO]: Added Server output

But I see my plugins duplicated like the attachment image.

Thanks for all support!!
Cheers!!

File Attachments
1) plugin_duplicated.jpg, downloaded 24 times


Subject: Re: Problem after default update
Posted by doradito on Mon, 29 Nov 2010 12:41:42 GMT

It's normally because you have more than one agent process running. Kill all ossim-agent processes and run it again with /etc/init.d/ossim-agent start
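The check doradito describes, as an added example that is not part of this thread: a POSIX shell script that reads `ps -ef` output and flags a host running more than one ossim-agent, the condition behind the duplicated plugins. The sample listing is constructed from the output mtoloko posted above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the forum thread): detect duplicate ossim-agent
# processes in `ps -ef` output before restarting the agent service.

# Constructed sample, modelled on the `ps -ef | grep ossim-` listing in the
# thread; three ossim-agent processes are running at once.
SAMPLE_PS='root  3134     1  0 Nov26 ?     00:03:05 /usr/bin/python -OOt /usr/bin/ossim-agent -d
root 25299     1  1 09:42 ?     00:00:30 /usr/bin/python -OOt /usr/bin/ossim-agent -d
root 30148     1 35 10:17 pts/1 00:00:26 /usr/bin/ossim-server -c /etc/ossim/server/config.xml -d
root 30170     1  0 10:17 pts/1 00:00:00 /usr/bin/python -OOt /usr/bin/ossim-framework -s300 -d
root 30580     1  1 10:18 ?     00:00:00 /usr/bin/python -OOt /usr/bin/ossim-agent -d
root 30601  3264  0 10:19 pts/1 00:00:00 grep ossim-'

# agent_pids: read ps -ef style lines on stdin and print the PID (field 2)
# of every ossim-agent process; the grep line itself is excluded.
agent_pids() {
    awk '$0 ~ /\/usr\/bin\/ossim-agent/ && $0 !~ /grep/ { print $2 }'
}

# agent_count: number of ossim-agent processes in the ps output on stdin.
agent_count() {
    agent_pids | wc -l | tr -d ' '
}

# check_agents: reads ps output on stdin and returns 0 when exactly one
# agent runs, 1 when none runs, 2 when several run (the duplicate case).
check_agents() {
    n=$(agent_count)
    case "$n" in
        0) echo "no ossim-agent running"; return 1 ;;
        1) echo "one ossim-agent running"; return 0 ;;
        *) echo "$n ossim-agent processes running; stop them all, then start a single one with /etc/init.d/ossim-agent start"
           return 2 ;;
    esac
}

# Stand-alone run against the constructed sample; on a live host pipe the
# real listing instead: ps -ef | check_agents
printf '%s\n' "$SAMPLE_PS" | check_agents || printf 'check_agents exit status: %s\n' "$?"
```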

Subject: Re: Problem after default update
Posted by mtoloko on Mon, 29 Nov 2010 12:50:29 GMT

Hey doradito, I did this and it's OK!

Thanks for all support!!

Now I'll go to another forum section (Plugins).

Cheers man!!

Subject: Re: Error Creating New Policy
Posted by paul_psmith on Mon, 29 Nov 2010 20:12:34 GMT

Getting the same thing on existing policies as well as new ones. This is after applying updates last week, so at the most recent versions. Ran all the required updates, reconfig, setups, etc.

The difference is that with existing policies, I can add the Network to the source or destination lists, but it shows up just as "NETWORK:"

If I click OK, it seems to finish, but it does not show the new network in the policy list.

I've attached a sanitized screenshot of my networks tab. Any particular thing you are looking for?

When I create policies, I select new or an existing one. If existing, I highlight it and click modify. Then I drill down on the src and dest networks. They show correctly in the select-from window. They seem to appear in the selected list, but like I said, it just shows "NETWORK:"

Thanks
PS

File Attachments
1) ossim_networks.jpg, downloaded 30 times


Subject: Re: How do we update OSVDB?
Posted by BAKERNET on Tue, 30 Nov 2010 02:10:50 GMT

Many thanks for your reply.

I did perform the suggested update. If I go under Analysis--> Vulnerabilities--> Threat database, the total number of threats is still 10527.

Is it normal that the update did not change the threat database info?

Cheers

BAKERNET

Subject: Re: How do we update OSVDB?
Posted by doradito on Tue, 30 Nov 2010 08:55:19 GMT

You want to update the OpenVAS DB. Follow these steps:

openvas-nvt-sync --wget
/etc/init.d/openvas-scanner restart
/usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate

When you restart openvas-scanner it normally takes a while.

The other way is going to Analysis->Vulnerabilities->Settings and clicking on Update Scanner DB.

In any case the latest version has 10527 vulnerabilities.

Regards.

Subject: Re: Error Creating New Policy
Posted by doradito on Tue, 30 Nov 2010 11:52:25 GMT

I tried it and you are right; I opened a ticket with the dev team.

Thanx.


Subject: Re: Error Creating New Policy
Posted by paul_psmith on Tue, 30 Nov 2010 14:50:09 GMT

Here you go. The first one in the list was there as part of an existing policy from before the upgrade.

The second one is one I just tried to add. I click on the selection from the right pane and it appears in the left pane as you see it.

Thanks
PS

File Attachments
1) ossim_policy_networks.jpg, downloaded 28 times

Subject: Re: Error Creating New Policy
Posted by doradito on Tue, 30 Nov 2010 15:24:29 GMT

In the next week, it will be fixed.

Thx.

Subject: Re: How do we update OSVDB?
Posted by G3n3t1c5 on Tue, 30 Nov 2010 18:06:39 GMT

I just updated this morning and I have 19551 Nessus plugins available.

Subject: Re: Error Creating New Policy
Posted by paul_psmith on Tue, 30 Nov 2010 20:48:32 GMT

Thanks for the update.

Also, something that may be part of this is that anywhere I am using the networks for policy, those policies are not working. I have many filters to reduce noise and those events are not getting filtered out.

I figured I would post this in case it was not noticed.


Thanks
PS

Subject: Re: How do we update OSVDB?
Posted by doradito on Wed, 01 Dec 2010 08:13:51 GMT

Finally, which method did you use?

Subject: Re: Add-on for OSSIM
Posted by Seb13s on Wed, 01 Dec 2010 16:46:43 GMT

I answer myself. I solved the problem by adding exceptions in the file php-ids.ini:
"Exceptions [] = REQUEST.ClickedFolder"
"Exceptions [] = COOKIE.ClickedFolder"

Subject: files not found
Posted by rezgui on Thu, 02 Dec 2010 11:11:20 GMT

Hi, I don't find two files: control_panel.py and the config.xml file for the agent. Can you give me the two files? Thanks.

Subject: Re: ossim--Server using 100% of processor.
Posted by regio on Thu, 09 Dec 2010 16:19:49 GMT

Did anybody solve that issue?

My ossim-server is constantly at 98% processing when events are sent, and it shows "Can't connect to server, retrying in 10 seconds". Many events aren't sent as alerts by e-mail when this happens.

Information about my server:
Processor: Intel(R) Xeon(R) CPU E7450 @ 2.40GHz
Memory: 2.0 GB
Disk: 100.0 GB, /var and /tmp are dedicated partitions

Subject: Re: Add-on for OSSIM
Posted by madwin on Fri, 10 Dec 2010 00:00:06 GMT

Hi Seb13s

Pardon my ignorance here, but how did you manage to install Cacti on OSSIM? Do you have a procedure for this?

I really appreciate the help.

thanks and regards,

Subject: Uploading risk maps
Posted by madwin on Fri, 10 Dec 2010 00:07:03 GMT

Hi

Is there a bug in uploading Risk Maps? I tried to upload a .jpg file for a map I made of my network, but it doesn't upload.

regards,

Subject: Bad display of ICMP redirects
Posted by jsanchez on Fri, 10 Dec 2010 11:41:09 GMT

Display of ICMP redirects in forensics is not correct, the following change improves the result:

--- /usr/share/ossim/www/forensics/base_qry_alert.php.orig 2010-12-09


18:30:36.000000000 -0500+++ /usr/share/ossim/www/forensics/base_qry_alert.php 2010-12-09 18:40:54.000000000-0500@@ -728,7 +728,8 @@ */ else if (($ICMPitype == "3") && ($ICMPicode == "4")) $offset+= 8; if ($ICMPitype == "5") {- $gateway = hexdec($work[16 + $offset] . $work[17 + $offset]) . "." .hexdec($work[18 + $offset] . $work[19 + $offset]) . "." . hexdec($work[20 + $offset] . $work[20+ $offset]) . "." . hexdec($work[22 + $offset] . $work[23 + $offset]);+ $gateway = hexdec($work[0 + $offset] . $work[1 + $offset]) . "." . hexdec($work[2 +$offset] . $work[3 + $offset]) . "." . hexdec($work[4 + $offset] . $work[5 + $offset]) . "." .hexdec($work[6 + $offset] . $work[7 + $offset]);+ $offset+=8; } $icmp_src = hexdec($work[24 + $offset] . $work[25 + $offset]) . "." . hexdec($work[26+ $offset] . $work[27 + $offset]) . "." . hexdec($work[28 + $offset] . $work[29 + $offset]) . "." .hexdec($work[30 + $offset] . $work[31 + $offset]); $icmp_dst = hexdec($work[32 + $offset] . $work[33 + $offset]) . "." . hexdec($work[34+ $offset] . $work[35 + $offset]) . "." . hexdec($work[36 + $offset] . $work[37 + $offset]) . "." .hexdec($work[38 + $offset] . $work[39 + $offset]);
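Review bot: the hunk is undocumented: it moves the gateway read from $work[16..23 + $offset] to $work[0..7 + $offset] and adds `$offset+=8;`, which shifts the following $icmp_src and $icmp_dst reads by eight hex digits, but nothing in the patch states the payload layout this assumes; a comment above the `if ($ICMPitype == "5")` branch should say what $work holds at $offset and why the redirect's gateway field now sits at the start. The removed line also had a copy-paste defect, `hexdec($work[20 + $offset] . $work[20+ $offset])`, which used index 20 twice for the third octet, so the old display was wrong independently of the offset question; that is worth stating in the post so reviewers know both problems are addressed. Since $offset now grows by 8 in this branch, a length check on $work before reading up to index 39 + $offset would avoid undefined-offset notices on short payloads.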

Subject: Re: ossim--Server using 100% of processor.
Posted by pboniface on Fri, 10 Dec 2010 15:59:16 GMT

I've gone back to a fresh install of 2.1.

It's not as pretty, but it's stable and currently running at 2% CPU.

Subject: Re: ossim--Server using 100% of processor.
Posted by pcatalina on Fri, 10 Dec 2010 16:25:36 GMT

Hi,

How many events per second are you sending to the ossim-server?

Can you stop the ossim-server and launch it again with the -D6 option to extend the logs?


Subject: Re: ossim--Server using 100% of processor.
Posted by regio on Fri, 10 Dec 2010 16:32:58 GMT

Hi,

I'm sending few events, one per second. I'm implementing the solution and I'm formatting the log files.

When I send more than one event per second the ossim-server crashes.

"*** glibc detected *** /usr/bin/ossim-server: double free or corruption (!prev):0x00000000017b39f0 ***"

I've used the script below:
./send_log.sh "127.0.0.1 sias;SystemXXX;Payment;UserX;Elvis John;156000;SI" /var/log/sias.log

where "send_log.sh" is a script like:

#!/bin/sh
# Usage: ./send_log.sh "<message>" <log file>
# Build a timestamp from fields 2-5 of `date` (month, day, time, year).
data="$(date | cut -d" " -f 2-5)"

# Quote the variables so a message containing spaces stays on one line
# and a path with spaces is not split into several words.
echo "$data $1" >> "$2"

Subject: Re: Add-on for OSSIM
Posted by Seb13s on Fri, 10 Dec 2010 20:59:19 GMT

Hello MadWin,

To integrate Cacti in OSSIM.

1. Installing Cacti on the OSSIM server:
a. Download the latest version of Cacti from http://www.cacti.net/ into /var/www.
b. Unpack the archive:
# tar -xzf cacti-x.x.x.tar.gz
c. Rename the folder:
# mv cacti-x.x.x cacti
d. Create the cacti database:
# mysqladmin -u root -p create cacti
e. Insert the tables into the cacti database:
# mysql -u root -p cacti < /var/www/cacti/cacti.sql
f. Create the user "cacti" and give full rights to user "cacti" on the cacti database:
# mysql -u root -p cacti
mysql> grant all on cacti.* to cactiuser@localhost identified by 'cactiuser';
g. Restart MySQL:
mysql> flush privileges;
mysql> exit;
h. Then it is necessary to change the MySQL connection settings in /var/www/cacti/include/config.php:
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cactiuser";
$database_password = "cactiuser";
$database_port = "3306";
i. Create the user that starts Cacti; that user cannot run shell commands:
# useradd cacti -d /var/www/cacti/ -s /bin/false
j. Give rights:
# chown -R cacti /var/www/cacti/
k. Create the cron job that runs the script poller.php every five minutes:
# crontab -e -u cacti
*/5 * * * * php5 /var/www/cacti/poller.php > /dev/null 2>&1
l. Restart the Apache server:
# /etc/init.d/apache2 restart
m. Cacti is now accessible via the URL http://xxx.xxx.xxx.xxx/cacti/ (xxx.xxx.xxx.xxx = IP of the server where Cacti is installed)
login: admin
pass: admin

2. Integrating OSSIM with Cacti:
a. Edit the file menu_options.php in the directory /usr/share/ossim/www/ and add the following code at line 1041:

$hmenu["Availability"][] = array("name" => gettext("Cacti"), "id" => "Cacti", "target" => "main", "url" => "../../../cacti/index.php");

Cacti can now be accessed in the web interface of OSSIM (Monitors => Availability).

Hope this can help you.

Subject: OpenVas Scans slowing now not completing
Posted by gsporter on Sat, 11 Dec 2010 05:08:08 GMT

A couple of weeks ago I did a clean install of v2.3.1 (64-bit edition) and did the updates/reconfig. I have tried to leave everything stock other than dist-upgrades, just to see if the base install stayed stable.

OpenVAS scans were running fine. Scans on a class C subnet, live hosts only, with only 3-4 live hosts reporting 17-19 vulns.

I let that run four days and did an "Update Scanner DB". It ran fine, with an increase in vulns to the 316-348 range and an increase in scan time of @30 mins, in keeping with my expectations.

Sometime after 12-3-2010 scans stopped running and timed out at over 400 mins.

Back with version 2.x of OpenVAS I could see the signatures in OpenVAS that were hanging with ps aux and disable them (I would have to check my notes as to the exact rule, but they only hung on a MS SBS box I have).

I have been unable to come up with a method of doing the same thing with version 3 of OpenVAS and would appreciate any suggestions as to where to look to determine the issue.

Scan History (I deleted the scans that did not complete)

GP

Schedule
SCHEDULED - Daily Internal
Owner: admin
Server: xxx.xxx.xxx.xxx
Job ID: 19
Profile: Default
Failed attempts: 0
Targets: Internal (xxx.xxx.xxx.0/24)
2010-12-10 22:00:09  -  Delete

Running test
Owner: admin
Server: xxx.xxx.xxx.xxx
Job ID: 18
Profile: Default
Failed attempts: 0
Targets: Internal (xxx.xxx.xxx.0/24)
2010-12-10 17:55:39  2010-12-10 17:56:06  RUN..>266 mins  -

Completed
SCHEDULED - Daily Internal
Owner: admin
Server: xxx.xxx.xxx.xxx
Job ID: 9
Profile: Default
Failed attempts: 0
Targets: Internal (xxx.xxx.xxx.0/24)
2010-12-03 22:00:06  2010-12-03 22:00:06  2010-12-03 22:32:05  31 mins  - (316)
Completed SCHEDULED - Daily Internal  2010-12-02 22:00:07  2010-12-02 22:00:07  2010-12-02 22:29:27  29 mins  - (340)
Completed SCHEDULED - Daily Internal  2010-12-01 22:00:07  2010-12-01 22:00:07  2010-12-01 22:29:58  29 mins  - (348)
Completed SCHEDULED - Daily Internal  2010-11-30 22:00:07  2010-11-30 22:00:07  2010-11-30 22:01:55  1 mins  - (19)
Completed SCHEDULED - Daily Internal  2010-11-29 22:00:06  2010-11-29 22:00:07  2010-11-29 22:02:15  2 mins  - (19)
Completed SCHEDULED - Daily Internal  2010-11-28 22:00:06  2010-11-28 22:00:06  2010-11-28 22:01:51  1 mins  - (19)
Completed SCHEDULED - Daily Internal  2010-11-27 22:00:07  2010-11-27 22:00:07  2010-11-27 22:02:12  2 mins  - (17)
Completed SCHEDULED - Daily Internal  2010-11-26 22:00:07  2010-11-26 22:00:07  2010-11-26 22:02:37  2 mins

P.S. This is a list of the apt-get packages added/updated and removed for the same time period.

ossim:~# apt-log --changes 2010-11-26

Since 2010-11-26 at 00:00:00:

Installed(95):
==============
adduser apt apt-log apt-utils aptitude base-files base-passwd bsdmainutils cpio cpp cpp-4.3 cron dbus dbus-x11 debconf debian-archive-keyring dhcp3-client dhcp3-common dmidecode ed gconf2 gconf2-common gksu gnome-keyring gnupg gpgv groff-base ifupdown info iproute iptables iputils-ping libasound2 libbz2-1.0 libc6 libconsole libcwidget3 libdbus-1-3 libdns58 libept0 libgconf2-4 libgcrypt11 libgdbm3 libgksu2-0 libglade2-0 libgmp3c2 libgnome-keyring0 libgnutls26 libgpg-error0 libgtop2-7 libgtop2-common libhal-storage1 libhal1 libidl0 libisc50 libmpfr1ldbl libncursesw5 libnewt0.52 liborbit2 libpam-gnome-keyring libpopt0 libportaudio2 libreadline5 libsasl2-2 libsigc++-2.0-0c2a libssl0.9.8 libstartup-notification0 libtasn1-3 libusb-0.1-4 libwrap0 libxapian15 libxmuu1 locales logrotate man-db manpages module-init-tools nano net-tools netbase netcat-traditional perl-base readline-common rsyslog tasksel tasksel-data tcpd traceroute update-inetd vim-common vim-tiny wget whiptail wireshark xauth

Removed(2):
===========
libdns55 libisc52
ossim:~#

Subject: Re: OpenVas Scans slowing now not completing
Posted by gsporter on Sun, 12 Dec 2010 22:36:04 GMT

Not sure if the scanning is as effective, but it is now completing in @21 mins.

Under > Profile | Plugins | Port scanner family

I disabled

80002 Simple TCP portscan in NASL

and enabled

10333 OpenVAS TCP Scanner

P.S. After manually updating OpenVAS, I am getting descriptions in the ticket titles rather than just "Vulnerability - Unknown detail".

openvas-nvt-sync --wget
/etc/init.d/openvas-scanner restart
/usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate

GP

Subject: Re: Uploading risk maps
Posted by doradito on Mon, 13 Dec 2010 08:54:52 GMT

Hi

I tried it and it is a bug. I opened a ticket to solve it.


Thx

Subject: Interactive Host Report
Posted by jwelters on Tue, 14 Dec 2010 20:42:09 GMT

I found a report that is very useful, and I can't seem to find a good way to get at it for all my hosts.

I found it by going to risk metrics and then clicking on a hostname listed. The page then says General Data: 'myhostname' and displays all pertinent interactive data. The link to the page refers to host_report.php?hostname

Is there a way to list my hosts and have the ability to pull up this report by the hostname I choose? Or to type a hostname and have it pull up the data? There has got to be a way; it's driving me nuts trying to find this specific feature.

Everything else is working really well; this is a great tool!

Subject: Re: Interactive Host Report
Posted by jwelters on Tue, 14 Dec 2010 20:47:49 GMT

Just figured it out. For anyone else that didn't think about it: disable all of the anti-scripting software running in your browser and right click! Things are a lot slicker that way.

Subject: ossim as central syslog
Posted by olovka on Wed, 15 Dec 2010 08:03:39 GMT

Hi all,

I am new to OSSIM but have experience with open source tools. I want to replace my current php-syslog-ng with OSSIM. OSSIM truly has tons of advantages over php-syslog-ng.

My problem is that I cannot find all the messages I send from my servers to OSSIM. Example:

syslog settings at my FTP server: vi /etc/syslog.conf
...
*.* @OSSIM_IP
------------------------
When I type on the FTP server:
[root@ftpsrv ~]# logger "hello world"
------------------------
On OSSIM I instantly receive:
opensourcesim:~# tail -f /var/log/messages | grep hello
Dec 15 08:41:58 FTP_IP_ADDRESS root: hello world

---------------------
But I cannot find this event in the OSSIM web interface. I go to the Analysis - SIEM - Real time page and try to search by IP, but I cannot find this hello world event. I have other, more serious things there, but not this hello world event.

I tried to follow Tutorial 2: Syslog data mining with attached md5sum, AKA "Store 100% of data": http://www.alienvault.com/blog/dk/ossim/tutorials/tut2_syslog.html

But I found that this tutorial is from Thu, 06 Dec 2007 and is already integrated in OSSIM. I want to store ALL events from my network. This is a small network with circa 20 syslog-enabled devices. Can you please advise me how to continue? Maybe I made a mistake in my logic? Maybe this log is somewhere else?

I am using AlienVault Open Source SIEM Installer 2.3.1.

Subject: Re: ossim as central syslog
Posted by doradito on Wed, 15 Dec 2010 15:41:30 GMT

OSSIM is more than a central syslog system.

The best practice is to use a plugin for each application that sends logs via syslog. But if you want to show all the syslog lines in the web interface, you have to activate the syslog plugin.

You can find it in /etc/ossim/agent/plugins/syslog.cfg

To activate it:

1. Run ossim-setup
2. Select Change Sensor Settings
3. Select Detector plugins
4. Activate syslog
5. Save & Exit
6. Run ossim-reconfig

Regards

Subject: alienvault on HYPER-V
Posted by voxhel on Wed, 15 Dec 2010 15:45:34 GMT

Hello,

I have created a VM on a Windows Server 2008 R2 and installed the latest version of AlienVault on it.

Even after update & dist-upgrade & ossim-reconfig I get several error messages about apache2 and nagios.

As a result I don't have TCP port 80 open and I can't access the admin web site.

Need some help here.

I know that this is little info, but feel free to ask me for more details; just tell me which.

Best Regards.
vox

Subject: Problems upgrading OSSIM
Posted by crisnel on Wed, 15 Dec 2010 20:04:27 GMT

Hello, I'm having problems while I'm trying to upgrade OSSIM. I read other forums and I didn't find anything that helps me.
"I'm having problems when I try to update my version of OSSIM. I have read several forum topics and have not found the solution."

I ran apt-get clean / apt-get update / apt-get dist-upgrade / apt-get upgrade / apt-get -f install and I couldn't upgrade it at all.
"I used all the commands mentioned above and I have not been able to update and download everything."

I'm receiving this message:
"I'm receiving this message":

ossimpzo01:~# apt-get -f install
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
Corrigiendo dependencias... Listo
Se instalaron de forma automática los siguientes paquetes y ya no son necesarios.
  odbcinst1debian1 java-common unixodbc
Utilice «apt-get autoremove» para eliminarlos.
Se instalarán los siguientes paquetes extras:
  alienvault-dummy-database alienvault-policies libmysqlclient16 mysql-client-5.1 mysql-common mysql-server-5.1 smbfs
Paquetes sugeridos:
  tinyca
Los siguientes paquetes se ELIMINARÁN:
  mysql-client-5.0 mysql-server mysql-server-5.0 sun-java6-bin sun-java6-jdk sun-java6-jre
Se instalarán los siguientes paquetes NUEVOS:
  alienvault-dummy-database alienvault-policies libmysqlclient16 mysql-client-5.1 mysql-server-5.1
Se actualizarán los siguientes paquetes:
  mysql-common smbfs
2 actualizados, 5 se instalarán, 6 para eliminar y 89 no actualizados.
2 no instalados del todo o eliminados.
Se necesita descargar 8639kB/24,1MB de archivos.
Se liberarán 200MB después de esta operación.
¿Desea continuar [S/n]? s
AVISO: ¡No se han podido autenticar los siguientes paquetes!
  mysql-common libmysqlclient16 mysql-client-5.1 mysql-server-5.1 alienvault-policies alienvault-dummy-database
¿Instalar estos paquetes sin verificación [s/N]? s
Err http://data.alienvault.com binary/ mysql-client-5.1 5.1.41-1.dotdeb.1
  Fallo la conexión
Imposible obtener http://data.alienvault.com/debian/binary/mysql-client-5.1_5.1.41-1.dotdeb.1_amd64.deb  Fallo la conexión
E: No se pudieron obtener algunos archivos, ¿quizás deba ejecutar apt-get update o deba intentarlo de nuevo con --fix-missing?

I was also trying to install each dependency by itself and I couldn't. Please, if someone can help me, I would really appreciate it. :(
"I was trying to install each dependency separately and it does not install them either. Please, if someone can help me, I will really appreciate it."

Best regards,
Cris


Subject: Re: Problems upgrading OSSIM
Posted by doradito on Thu, 16 Dec 2010 08:16:44 GMT

It's possible you have connection problems. I tried to download manually from http://data.alienvault.com/debian/binary/mysql-client-5.1_5.1.41-1.dotdeb.1_amd64.deb and it ran fine.

Can you test your internet connection?

It may be that you have connection problems; I downloaded it by hand from http://data.alienvault.com/debian/binary/mysql-client-5.1_5.1.41-1.dotdeb.1_amd64.deb and it worked.

Can you check your internet connection?

Subject: Re: alienvault on HYPER-V
Posted by doradito on Thu, 16 Dec 2010 08:22:04 GMT

What resources did you put into your VM?

Subject: Re: ossim as central syslog
Posted by olovka on Thu, 16 Dec 2010 08:37:38 GMT

Hi, I tried to follow your instructions but I have some problems.

doradito wrote on Wed, 15 December 2010 16:41
To activate it:

1. Run ossim-setup
2. Select Change Sensor Settings
3. Select Detector plugins
4. Activate syslog
5. Save & Exit
6. Run ossim-reconfig

After I run ossim-reconfig I get an error as in the picture ossim_reconfig.jpg in the attachment.


Is this normal output or does it indicate some error?

When I run ossim-setup again, I can see that syslog is enabled, but when I go to Monitor/System I cannot see the syslog plugin. You can see this in the picture monitor-system.jpg in the attachment.

doradito wrote on Wed, 15 December 2010 16:41
You can find it in /etc/ossim/agent/plugins/syslog.cfg

Should I change something in /etc/ossim/agent/plugins/syslog.cfg?

# Enable syslog to log everything to one file. Add it to log rotation also.
# echo "*.* /var/log/all.log" >> /etc/syslog.conf; killall -HUP syslogd
#location=/var/log/all.log
location=/var/log/syslog.log

I suspect that I should apply this echo line, but currently there is no /etc/syslog.conf file...

When I run:
opensourcesim:~# ps -ef | grep syslog
root  2149     1  0 08:25 ?     00:00:00 /usr/sbin/rsyslogd -c3 -x
root 13113  3264  0 09:34 pts/0 00:00:00 grep syslog

I can see that the syslog daemon is rsyslog, and rsyslog uses /etc/rsyslog.conf... I am not sure what will happen if I execute echo "*.* /var/log/all.log" >> /etc/syslog.conf; killall -HUP syslogd

Could you please paste your syslog.cfg?

File Attachments
1) ossim_reconfig.jpg, downloaded 417 times

Subject: Re: ossim as central syslog
Posted by olovka on Thu, 16 Dec 2010 08:47:59 GMT


I forgot to attach monitor-system.jpg... :blush:

File Attachments
1) monitor-system.jpg, downloaded 382 times

Subject: Re: Problems upgrading OSSIM
Posted by crisnel on Thu, 16 Dec 2010 15:15:08 GMT

Hello doradito, thanks for your reply.

I should tell you that I thought the same, but I have tested with several proxies and the result is the same; however, from the same proxy I download those files manually without any problem, and when I try to install them on the OSSIM it gives me an error.

Today I switched to a proxy that we use only for updates, which is very fast, and the error was the same:

ossimpzo01:/# apt-get -f install
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
Corrigiendo dependencias... Listo
Se instalaron de forma automática los siguientes paquetes y ya no son necesarios.
  odbcinst1debian1 java-common unixodbc
Utilice «apt-get autoremove» para eliminarlos.
Se instalarán los siguientes paquetes extras:
  alienvault-dummy-database alienvault-policies libmysqlclient16 mysql-client-5.1 mysql-common mysql-server-5.1 smbfs
Paquetes sugeridos:
  tinyca
Los siguientes paquetes se ELIMINARÁN:
  mysql-client-5.0 mysql-server mysql-server-5.0 sun-java6-bin sun-java6-jdk sun-java6-jre
Se instalarán los siguientes paquetes NUEVOS:
  alienvault-dummy-database alienvault-policies libmysqlclient16 mysql-client-5.1 mysql-server-5.1
Se actualizarán los siguientes paquetes:
  mysql-common smbfs
2 actualizados, 5 se instalarán, 6 para eliminar y 89 no actualizados.
2 no instalados del todo o eliminados.
Se necesita descargar 8639kB/24,1MB de archivos.
Se liberarán 200MB después de esta operación.
¿Desea continuar [S/n]? s
AVISO: ¡No se han podido autenticar los siguientes paquetes!
  mysql-common libmysqlclient16 mysql-client-5.1 mysql-server-5.1 alienvault-policies alienvault-dummy-database
¿Instalar estos paquetes sin verificación [s/N]? s
Err http://data.alienvault.com binary/ mysql-client-5.1 5.1.41-1.dotdeb.1
  502 OK
Imposible obtener http://data.alienvault.com/debian/binary/mysql-client-5.1_5.1.41-1.dotdeb.1_amd64.deb  502 OK
E: No se pudieron obtener algunos archivos, ¿quizás deba ejecutar apt-get update o deba intentarlo de nuevo con --fix-missing?

I don't know whether it has anything to do with it that last year the OSSIM service was installed by a company from Mexico and we paid them for support, and this year we decided to go without support so as to take charge of the tool ourselves, and somehow they are blocking the updates for us. :?

ossimpzo01:/# apt-get upgrade
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
Tal vez quiera ejecutar `apt-get -f install' para corregirlo.
Los siguientes paquetes tienen dependencias incumplidas:
  ossim-mysql: Depende: alienvault-policies pero no está instalado
               Depende: alienvault-dummy-database pero no está instalado
  smbfs: Depende: samba-common (= 2:3.2.5-4lenny6) pero 2:3.2.5-4lenny13 está instalado
  sun-java6-bin: Depende: sun-java6-jre (= 6-12-1) pero 6-22-0lenny1 está instalado
                 Recomienda: libasound2 pero no está instalado
                 Recomienda: libxtst6 pero no está instalado
                 Recomienda: libnss-mdns pero no está instalado
  sun-java6-jre: Depende: sun-java6-bin (= 6-22-0lenny1) pero 6-12-1 está instalado o
                          ia32-sun-java6-bin (= 6-22-0lenny1) pero no es instalable
                 Recomienda: gsfonts-x11 pero no está instalado
E: Dependencias incumplidas. Pruebe de nuevo usando -f.

The truth is that I am desperate to get the update done, in order to reconfigure absolutely everything, because since we have been using this application it does NOT collect the events it should, and what it shows are only false alarms that every day leave the service level at 0% :( . (I think only SNORT works for it, which is very out of date, and it collects NOTHING from SNARE)

I have read that if the tool is configured well it turns out to be very helpful in monitoring and security areas, but to be honest, since it was installed in our company we have not taken the tool into account at all for the reason stated above; it does not produce anything important or useful :(

Kind regards,
Cris

Subject: Re: Problems upgrading OSSIM
Posted by doradito on Fri, 17 Dec 2010 07:47:15 GMT

Post your /etc/apt/sources.list file here.

Which version do you have, the professional or the free one?

Regards

Subject: Re: ossim as central syslog
Posted by doradito on Fri, 17 Dec 2010 08:33:18 GMT

Your problem with ossim-reconfig is not normal.

Can you launch the verbose mode to show your error? ossim-reconfig -v

When you do the steps in the other post and activate the syslog plugin you can see in monitor->system this:

To configure the syslog plugin you can add a new config file in /etc/rsyslog.d/

For example syslog.conf

And in this file you can put something like:

# Log all
*.* /var/log/syslog.log
& ~

This config file makes rsyslog save all logs in /var/log/syslog.log and then discard them.

rsyslog first loads the rules in /etc/rsyslog.d/ and then the file /etc/rsyslog.conf.

Regards

File attachments: 1) a.jpg

Subject: Re: ossim as central syslog
Posted by olovka on Fri, 17 Dec 2010 09:54:26 GMT

Let's document this for all others who will have the same error in future. Current error:

ossim-reconfig -v

Fri Dec 17 10:42:00 2010 + Framework Profile: Update ocs ddbb
Fri Dec 17 10:42:00 2010 + Framework Profile: Updating Ossim-agent windows installer server ip
Fri Dec 17 10:42:04 2010 + Framework Profile: Skip Uncompress Openvas cache
Fri Dec 17 10:42:04 2010 + Framework Profile: Add server host in host table
Fri Dec 17 10:42:04 2010 + Framework Profile: Update plugins vulnerabilities
Fri Dec 17 10:42:05 2010 + Framework Profile: Rebuild nfsend hierarchy
Terminated

Full output is in the attached txt file. I will go and try with the rsyslog changes.

File attachments: 1) ossim-reconfig-v.txt

Subject: Re: ossim as central syslog
Posted by doradito on Fri, 17 Dec 2010 10:52:27 GMT

Launch ossim-reconfig with debug mode:

ossim-reconfig -v -d

Subject: Re: Problems upgrading OSSIM
Posted by crisnel on Fri, 17 Dec 2010 12:50:52 GMT

Hello doradito, I have version 2.1, but how do I know whether it is the professional or the free one?? I know we paid a great deal of money for the implementation and they supplied 2 servers (one for the console and the other as a sensor).

This is the source.list (what is commented out is how it was originally, but last week I saw one of the posts that gave those repositories below and I tried with those)

-----

# deb-src ftp://ftp.ch.debian.org/debian/ lenny main
# deb-src ftp://security.debian.org/debian-security/ lenny/updates main contrib
# deb-src http://www.ossim.net/download/ lenny/

# deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
# deb http://security.debian.org/debian-security/ lenny/updates main contrib non-free
# deb http://data.alienvault.com/debian/ binary/
# deb http://data.alienvault.com/debian_shared/ binary/

# deb http://download.webmin.com/download/repository sarge contrib

deb http://data.alienvault.com/debian/ binary/
deb http://www.ossim.net/download/ debian64/
deb http://data.alienvault.com/debian_shared/ binary/

deb http://ftp.us.debian.org/debian/ lenny main contrib
deb-src http://ftp.us.debian.org/debian/ lenny main contrib
deb http://security.debian.org/ lenny/updates main contrib
deb-src http://security.debian.org/ lenny/updates main contrib
deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

----

And this is the Ossim_setup.conf

interface=eth0
language=en
profile=all-in-one
version=2.1

[database]
acl_db=ossim_acl
db_ip=
db_port=3306
event_db=snort
ocs_db=ocsweb
ossim_db=ossim
osvdb_db=osvdb
pass=clYCSQCEmiM
type=mysql
user=root

[expert]
profile=server

[sensor]
detectors=arpwatch,iptables,nagios,osiris,p0f,pam_unix,rrd,snare,snortunified,ssh,sudo,syslog
interfaces=eth0
ip=
monitors=nmap-monitor,ossim-monitor
name=ossimpzo01
networks=172.100.0.0/16
priority=5

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

---
Regards

Subject: Re: Bad display of ICMP redirects
Posted by juanma on Mon, 20 Dec 2010 14:02:35 GMT

thanks a lot, we will take a look

Subject: Failed auth (pam_unix plugin) to crash ossim-server
Posted by stephane.millot on Tue, 21 Dec 2010 03:53:43 GMT

Hi all,

The pam_unix plugin causes a failed authentication to crash ossim-server.

Every time I authenticate to the ossim server and put in a wrong password, ossim-server crashes (segmentation fault) and restarts.

Running ossim-server (version: 2.3.3.001) in debug mode (ossim-server -D6) does not give any additional clues.

All is fine when the pam_unix plugin is disabled.

So as a temporary fix I've modified the plugin_sid number 2 in pam_unix.cfg, and it is ok now.

Here it is:

event_type=event
regexp=(\S+\s+\d+\s+\d+:\d+:\d+)\s+(?P<sensor>\S+).*pam_unix.*authentication\s+failure.*tty=(?P<tty>\S+).*ruser.*rhost=(?P<rhost>\S+).*user=(?P<user>\S+)
plugin_sid=2
sensor={resolv($sensor)}
dst_ip={resolv($sensor)}
date={normalize_date($1)}
username={$user}
src_ip={resolv($rhost)}
userdata2={$tty}

Note: It does not detect local failed authentication, as local (login:auth) and remote (sshd:auth) log events are slightly different:

Dec 21 10:46:10 ossim-server login[14868]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Dec 21 10:50:00 ossim-server sshd[20582]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.2.2 user=fakeuser

A dedicated sid will be required to catch local auth failures (through the console).

But now another issue occurs when inserting the log into the DB (see below). It seems that the ";" character is not escaped and is interpreted by mysql.

Extract from server.log:

2010-12-21 13:44:00 OSSIM-Message: Event received: event id="0" alarm="0" type="detector" fdate="2010-12-21 13:43:51" date="1292899431" tzone="0" plugin_id="4004" plugin_sid="2" src_ip="10.2.2.2" dst_ip="10.1.1.1" sensor="10.1.1.1" interface="eth3" protocol="TCP" asset_src="2" asset_dst="2" log="Dec 21 13:43:51 ossim-server sshd[11255]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.2.2 user=fakeuser" username="fakeuser" userdata2="ssh"

2010-12-21 13:44:00 OSSIM-Message: ERROR INSERT IGNORE INTO extra_data (sid, cid, filename, username, password, userdata1, userdata2, userdata3, userdata4, userdata5, userdata6, userdata7, userdata8, userdata9, data_payload) VALUES (1,108,'','fakeuser','','','ssh','','','','','','','','Dec 21 13:43:51 ossim-server sshd[11255]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.2.2 user=fakeuser fakeuser ssh ') 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Dec 21 13:43:51 ossim-server sshd[11255]: pam_unix(sshd:auth): authentication f' at line 1

Does anyone have an idea?

Thanks,
Stephane
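As an added example (not from this post or from OSSIM's own code), the plugin_sid 2 regexp above run in Python over the two syslog lines quoted in the note, plus a parameterised insert that keeps a ";" or quote inside the log text out of the SQL statement. The LOCAL_RE pattern for the console (login:auth) form, the stand-in extra_data table and the sample lines are my own constructions, not an OSSIM sid or schema.

```python
import re
import sqlite3

# Regexp from the pam_unix.cfg posted above (plugin_sid=2), with the extraction
# artefact "(?P <tty>" repaired. The OSSIM agent uses Python regular expressions,
# so the named groups work unchanged.
REMOTE_RE = re.compile(
    r"(\S+\s+\d+\s+\d+:\d+:\d+)\s+(?P<sensor>\S+).*pam_unix.*authentication\s+failure"
    r".*tty=(?P<tty>\S+).*ruser.*rhost=(?P<rhost>\S+).*user=(?P<user>\S+)")

# Hypothetical rule for the console (login:auth) form, which carries an empty
# rhost= and no user= field; this is my illustration, not an OSSIM plugin sid.
LOCAL_RE = re.compile(
    r"(\S+\s+\d+\s+\d+:\d+:\d+)\s+(?P<sensor>\S+).*pam_unix\(login:auth\)"
    r".*authentication\s+failure.*tty=(?P<tty>\S+).*rhost=\s*$")

# The two syslog lines quoted in the post (constructed sample input).
REMOTE_LINE = ("Dec 21 10:50:00 ossim-server sshd[20582]: pam_unix(sshd:auth): "
               "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= "
               "rhost=10.2.2.2 user=fakeuser")
LOCAL_LINE = ("Dec 21 10:46:10 ossim-server login[14868]: pam_unix(login:auth): "
              "authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=")


def parse_pam_unix(line):
    """Return (rule, fields) for a pam_unix failure line, or None if no rule matches."""
    m = REMOTE_RE.search(line)
    if m:
        return "remote", {"date": m.group(1), "sensor": m.group("sensor"),
                          "tty": m.group("tty"), "src_ip": m.group("rhost"),
                          "username": m.group("user")}
    m = LOCAL_RE.search(line)
    if m:
        return "local", {"date": m.group(1), "sensor": m.group("sensor"),
                         "tty": m.group("tty")}
    return None


def store_extra_data(cid, fields, log_line, conn=None):
    """Insert into a stand-in extra_data table with bound parameters, so a ';' or a
    quote inside the log line is data rather than part of the statement."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS extra_data (sid INTEGER, cid INTEGER, "
                 "username TEXT, userdata2 TEXT, data_payload TEXT)")
    conn.execute("INSERT INTO extra_data (sid, cid, username, userdata2, data_payload) "
                 "VALUES (?, ?, ?, ?, ?)",
                 (1, cid, fields.get("username", ""), fields.get("tty", ""), log_line))
    return conn.execute("SELECT data_payload FROM extra_data WHERE cid = ?",
                        (cid,)).fetchone()[0]


if __name__ == "__main__":
    kind, fields = parse_pam_unix(REMOTE_LINE)
    print(kind, fields, parse_pam_unix(LOCAL_LINE))
    print(store_extra_data(108, fields, REMOTE_LINE) == REMOTE_LINE)
```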

Subject: Re: Failed auth (pam_unix plugin) to crash ossim-server
Posted by doradito on Tue, 21 Dec 2010 08:38:05 GMT

We have some problems with events that include semicolons. We expect to have it resolved soon.

Subject: lots of filtered events
Posted by paul_psmith on Wed, 22 Dec 2010 17:07:17 GMT

Ok. It's been awhile since I asked about this.

Filtering at the sensor.

I have an OSSIM setup with an Ossim server/database and it has no sensor set up on it. It is a dual core, dual CPU, 64 bit, with 6 gig of RAM, and four SCSI HDs with a hardware RAID 5.

There are 5 sensors. Each is monitoring a different area of the network in our local facility. We have one remote sensor so far. I don't want to implement more sensors for the reason I am about to describe.

Our busiest sensor is in front of about 200 Windows servers and 40 UNIX servers. From snort and Arpwatch alone on this one sensor, it generates about 750,000 events per day.

I've done some serious filtering in policy (and actually some in snort using threshold.conf and removing things from rules files).

Out of all the events that are sent to the Ossim server from this sensor, I have managed to get it down to about 15,000 that actually show up in the SIEM. Including all of the other sensors, I have about 30,000 to 40,000 events per day that I don't filter.

The biggest problem I have is that after time Ossim gets progressively further behind in processing the events as they come in. Right now, after running like this for about 20 hours, I am now 6 hours behind.

Also, with all the events that are sent to the Ossim server to be filtered, that is a lot of packets flying across the network. BW issues....

It would be nice to be able to filter all the events at the sensor and not have this noise sucking BW.

Any ideas from the devs?

Thanks!
PS

Subject: Re: lots of filtered events
Posted by loyd on Wed, 22 Dec 2010 21:38:26 GMT

You did not say what plugins you were using on windows. I use OSSEC and just tossing machine account logins cut the traffic a lot. Here is my local rule.

<rule id="100205" level="0">
  <if_sid>18104, 18107, 18149</if_sid>
  <id>4634|4624|4646|4769</id>
  <regex>\$</regex>
  <description>Windows machine logins (ignored).</description>
</rule>

I also don't care about logoff events so:

<rule id="100208" level="0">
  <if_sid>18149</if_sid>
  <id>4634</id>
  <description>Ignore all windows logoff events</description>
</rule>

Subject: http://localhost/ossim/setup/ossim_acl.php
Posted by rezgui on Thu, 23 Dec 2010 06:15:37 GMT

When I type this link http://localhost/ossim/setup/ossim_acl.php

or any other link under http://localhost/ossim/

/ossim/==/opt/ossim/wwww

I get a white page with nothing on it

but if I create a page in opt/ossim/wwww named test.html

and type http://localhost/ossim/test.html it is right, I see the content

help me please

Subject: login page for ossim
Posted by rezgui on Fri, 24 Dec 2010 19:55:08 GMT

hi

I compiled ossim 2.1 open source

how do I access the login page for ossim

which IP address? and thanks

Subject: phpgacl
Posted by rezgui on Sat, 25 Dec 2010 09:08:21 GMT

Hi

how do I configure phpgacl

to access the ossim login page

when I type

http://localhost/ossim

I get this page

and this message at http://127.0.0.1/ossim/session/login.php

You need to configure phpGACL
Remember to setup the database connection at phpGACL config files!
Click here to enter setup

You need to configure phpGACL

thanks

Subject: Re: Failed auth (pam_unix plugin) to crash ossim-server
Posted by [email protected] on Mon, 27 Dec 2010 17:51:26 GMT

I noticed today (12/27/2010) that there were available updates (just prior to Christmas, I had updated the systems, so this was new). I applied those, but it didn't fix the semicolon problem. Was that fix pushed out yet, or are we still waiting on it?

Unfortunately, Nagios and Snare alerts are the biggest things I use with OSSIM, so I'm really dead in the water right now without the information being pushed into the 'extra_data' table.

Subject: config panel file
Posted by rezgui on Tue, 28 Dec 2010 12:43:51 GMT

hi

I can't find the config panel file in /etc/ossim/framework/panel/configs

because I have two warnings

Warning: Error reading configuration: panel_plugins_dir is not set
Warning: Error reading configuration: panel_configs_dir is not set
Directory for panel config files does not exists.
You can configure the panel configs directory at 'Configuration -> Main -> Executive Panel -> panel_configs_dir'

help me please

Subject: Re: lots of filtered events
Posted by paul_psmith on Tue, 28 Dec 2010 17:18:55 GMT

Hey Loyd,

Not using any plugins for Windows or anything else. This is just snort and arpwatch.

Thanks!

Subject: Re: config panel file
Posted by pcatalina on Fri, 31 Dec 2010 10:40:11 GMT

Which version of OSSIM are you using?

Subject: Re: phpgacl
Posted by pcatalina on Fri, 31 Dec 2010 10:40:41 GMT

Which version of OSSIM are you using?

Subject: Re: login page for ossim
Posted by pcatalina on Fri, 31 Dec 2010 10:42:25 GMT

Hi,

the IP address for OSSIM must be the same as that of the machine where you have installed OSSIM.
