Rules management
by Meir Michanie
meirm ( at ) riunx dot com
OSSEC rules management Mini Howto
Install base
Install ossec2base
- Install the Perl modules perl-DBI and perl-DBD-MySQL
- Copy ossec2based.pl, ossec2base.pl and ossec2base_txt.pl to /usr/local/bin
- Copy ossecmysql.pm to a directory inside your Perl library path (e.g. /usr/lib/perl/perl5/)
- Edit ossec2base.conf, setting your BASE database name, dbusername and dbpassword.
- Copy ossec2base.conf to /etc and change its permissions to 0600, owner root, since it holds the database password.
Build signature files for BASE
- Create a directory under the BASE webroot for the signature txt files
/var/ossec# mkdir -p /var/www/html/ossecbase/signatures/
/var/ossec# cat rules/*.xml | perl contrib/ossec2basetxt.pl -e -o /var/www/html/ossecbase/signatures/
Initialize OSSEC BASE database (optional)
- Delete all rows in the signature table. This step can also be done later, when rebuilding the signatures.
/var/ossec# echo 'TRUNCATE TABLE `signature` ;' | mysql ossecbase -p
- Delete all rows in the sensor table.
/var/ossec# echo 'TRUNCATE TABLE `sensor` ;' | mysql ossecbase -p
- Delete all alerts from BASE
/var/ossec# echo 'TRUNCATE TABLE `acid_event` ;' | mysql ossecbase -p
/var/ossec# echo 'TRUNCATE TABLE `events` ;' | mysql ossecbase -p
/var/ossec# echo 'TRUNCATE TABLE `data` ;' | mysql ossecbase -p
Run manual feed of events
zcat /var/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log.gz | /home/meirm/ossec/cvs/ossec-ui/base/bin/ossec2base.pl --conf /etc/ossec2base.conf --interface manualfeed
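Two preflight checks worth running before a manual feed, as an added example that is not part of this howto or of the ossec2base scripts: refuse to run if ossec2base.conf (assumed at /etc/ossec2base.conf, as in the commands above) is not mode 0600 owned by root, and summarize which rule ids and levels the alert file contains, so you know what is about to be inserted and which signatures BASE must already know. The alert layout parsed ("Rule: <id> (level <n>) -> '...'") is OSSEC's default alert log format, assumed here rather than taken from this page; the GNU stat -c syntax is also assumed.

```shell
#!/bin/sh
# Added example (not part of the howto): preflight checks before piping an
# OSSEC alert log into ossec2base.pl --interface manualfeed.

# check_conf_perms FILE [OWNER]: succeed only if FILE is mode 0600 and owned
# by OWNER (default root). ossec2base.conf carries the BASE DB password, so
# the "0600 owner root" requirement is enforced before every run.
check_conf_perms() {
  f=$1; want_owner=${2:-root}
  [ -f "$f" ] || { echo "missing config: $f" >&2; return 1; }
  set -- $(stat -c '%a %U' "$f" 2>/dev/null)   # GNU stat: "<mode> <owner>"
  if [ "$1" != "600" ] || [ "$2" != "$want_owner" ]; then
    echo "refusing: $f is mode $1 owner $2 (want 600 $want_owner)" >&2
    return 1
  fi
}

# summarize_alerts FILE: print "count rule_id level" for every rule seen in
# an OSSEC alert log (plain or .gz), most frequent first. Shows what the
# manual feed will insert and which rule ids the signature table needs
# (those come from the ossec2basetxt.pl run described above).
summarize_alerts() {
  case $1 in
    *.gz) zcat "$1" ;;
    *)    cat "$1" ;;
  esac | awk '
    /^Rule: [0-9]+ \(level [0-9]+\)/ {
      level = $4; sub(/\)/, "", level)    # "5)" -> "5"
      count[$2 " " level]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Usage (assumed paths): check_conf_perms /etc/ossec2base.conf &&
#   summarize_alerts /var/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log.gz
```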
Run Real time feed of events
/usr/local/bin/ossec2based.pl --conf /etc/ossec2base.conf -d --sensor bigbrother
- Open your browser at your BASE site
$ firefox http://localhost/ossecbase