Friday, January 7, 2011

Security Onion 20110101: OSSEC and Sguil

Security Onion 20110101 includes OSSEC 2.5.1.  OSSEC is a Host Intrusion Detection System (HIDS) that monitors system logs for signs of intrusion.  When it sees something that looks like an intrusion, it writes an alert to /var/ossec/logs/alerts/alerts.log.  Security Onion 20110101 also includes the OSSEC Agent for Sguil, which reads the alerts written to /var/ossec/logs/alerts/alerts.log and forwards them to Sguil, so host-based alerts show up in the same console as the Snort network alerts.
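To make that hand-off concrete, here is an added example (not code from Security Onion, OSSEC or ossec_agent.tcl) that parses blank-line-separated alert blocks in the alerts.log layout and reduces each one to the fields a Sguil agent would ship: sensor name, UTC timestamp, rule id, level, message and a source address.  The sample alerts, agent names and addresses are constructed; the `::ffff:` prefix on one agent address is included because the ossec_agent.tcl stack trace in the comments below shows ResolveHostname stripping exactly that IPv4-mapped IPv6 prefix.

```python
"""Parse OSSEC alerts.log blocks into the fields a Sguil agent would forward.
Added example; this is not ossec_agent.tcl or any OSSEC/Sguil code."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample in the alerts.log layout (one alert per blank-line-separated
# block).  The "::ffff:" prefix on the first agent address is deliberate.
SAMPLE_ALERTS = """\
** Alert 1294412345.12345: - syslog,sshd,authentication_failed,
2011 Jan 07 14:59:05 (webserver) ::ffff:192.168.1.20->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Jan  7 14:59:04 webserver sshd[1234]: Failed password for root from 10.0.0.5 port 51234 ssh2

** Alert 1294412400.12400: mail  - syslog,sshd,authentication_failures,
2011 Jan 07 15:00:00 (webserver) 192.168.1.20->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 10.0.0.5
Jan  7 14:59:59 webserver sshd[1240]: Failed password for root from 10.0.0.5 port 51240 ssh2
Jan  7 14:59:59 webserver sshd[1241]: Failed password for root from 10.0.0.5 port 51241 ssh2

** Alert 1294412500.12500: - ossec,
2011 Jan 07 15:01:40 securityonion->ossec-logcollector
Rule: 591 (level 3) -> 'Log file rotated.'
ossec: File rotated (inode changed): '/var/log/syslog'.
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): (?P<mail>mail\s+)?- (?P<groups>.*)$")
# Remote agents appear as "(name) ip->location"; the local host as "name->location".
ORIGIN_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+?)|(?P<host>\S+?))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")
USER_RE = re.compile(r"^User: (?P<user>.*)$")


@dataclass
class Alert:
    epoch: int
    agent: str
    agent_ip: Optional[str]
    location: str
    rule_id: int
    level: int
    description: str
    groups: List[str]
    mail: bool
    src_ip: Optional[str] = None
    user: Optional[str] = None
    full_log: List[str] = field(default_factory=list)


def strip_mapped_ipv4(addr: str) -> str:
    """Drop a leading IPv4-mapped IPv6 prefix, as the agent's regsub does."""
    return re.sub(r"^::ffff:", "", addr)


def parse_block(lines: List[str]) -> Alert:
    """A block is: header, origin line, Rule line, then Src IP/User/raw log lines."""
    h = HEADER_RE.match(lines[0]) if len(lines) >= 3 else None
    o = ORIGIN_RE.match(lines[1]) if h else None
    r = RULE_RE.match(lines[2]) if o else None
    if not (h and o and r):
        raise ValueError("not an OSSEC alert block: %r" % lines[:3])
    alert = Alert(
        epoch=int(h.group("ts")),
        agent=o.group("agent") or o.group("host"),
        agent_ip=strip_mapped_ipv4(o.group("ip")) if o.group("ip") else None,
        location=o.group("location"),
        rule_id=int(r.group("id")),
        level=int(r.group("level")),
        description=r.group("desc"),
        groups=[g for g in h.group("groups").split(",") if g],
        mail=h.group("mail") is not None,
    )
    for line in lines[3:]:
        m = SRC_RE.match(line)
        if m:
            alert.src_ip = m.group("ip")
            continue
        m = USER_RE.match(line)
        if m:
            alert.user = m.group("user")
            continue
        alert.full_log.append(line)  # the original log line(s) that fired the rule
    return alert


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text on blank lines and parse every block."""
    alerts, block = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last block
        if line.strip():
            block.append(line)
        elif block:
            alerts.append(parse_block(block))
            block = []
    return alerts


def to_sguil_event(alert: Alert) -> dict:
    """Fields a Sguil agent would send: sensor, UTC time, sid, priority, msg, src."""
    return {
        "sensor": alert.agent,
        "timestamp": datetime.fromtimestamp(alert.epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sid": alert.rule_id,
        "priority": alert.level,
        "msg": alert.description,
        # Fall back to the reporting agent, then a placeholder, when no Src IP line exists.
        "src_ip": alert.src_ip or alert.agent_ip or "0.0.0.0",
    }


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(to_sguil_event(a))
```

A block that does not open with the header, origin and Rule lines raises instead of being forwarded half-parsed, and the raw log lines are kept with the alert so the analyst can pivot from the Sguil event to the evidence that triggered it.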

In this first screenshot, I have launched the Sguil client and entered my username and password.  Sguil then allows me to select which networks to monitor (eth0 and/or ossec).  I click the "Select All" button and then click "Start SGUIL".


After clicking "Start SGUIL", the Sguil console appears and I see my OSSEC alerts:

4 comments:

Anonymous said...

Really awesome work on this Doug- Congrats!!

David M. Zendzian (dmz) said...

Perfect timing; I was looking for a central tool for all of my snort/ossec events!!

Oscar said...

Hi,
I'm a university student and I'm trying to make Sguil work together with OSSEC. In a previous installation of my security system I could make ossec_agent.tcl work fine, but now I'm getting some errors. The Sguil server is running on Ubuntu Server 10.10. Can you take a quick look and maybe give some clue? Here is the error message; it appears to be a problem when an alert is triggered and it's trying to get the hostname:
--------------------------------
wrong # args: should be "regsub ?switches? exp string subSpec varName"
while executing
"regsub {(?x)
^::ffff:
} $retVal """
(procedure "ResolveHostname" line 16)
invoked from within
"ResolveHostname $agent"
(procedure "ProcessData" line 112)
invoked from within
"ProcessData $line"
(procedure "ReadFile" line 13)
invoked from within
"ReadFile $fileID"
(procedure "InitAgent" line 43)
invoked from within
"InitAgent"
(file "./ossec_agent.tcl" line 684)
-------------------------------
Many thanks, and keep up the good work!
This onion seems fresh!

Doug Burks said...

Hi Oscar,

Thanks for the kind words.

My quick and dirty hack for this issue was to comment out those three lines in ossec_agent.tcl. For reference, that file can be found in the following location in Security Onion:
/etc/nsm/ossec/ossec_agent.tcl

Thanks,
Doug