Sagan and OSSIM


Shawn Wiley

Nov 20, 2014, 5:17:37 PM11/20/14
to securit...@googlegroups.com
Is there any value to adding Sagan or OSSIM to my final monitoring solution or does Security Onion have the ability to do event correlation and alerting by itself?

Thanks.

Doug Burks

Nov 21, 2014, 7:30:19 AM11/21/14
to securit...@googlegroups.com
Hi Shawn,

You can do event correlation and alerting using OSSEC and/or ELSA,
both of which are already included in Security Onion.

On Thu, Nov 20, 2014 at 5:17 PM, Shawn Wiley <slw...@gmail.com> wrote:
> Is there any value to adding Sagan or OSSIM to my final monitoring solution or does Security Onion have the ability to do event correlation and alerting by itself?
>
> Thanks.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Shawn Wiley

Nov 21, 2014, 11:15:54 AM11/21/14
to securit...@googlegroups.com
Is there a good document with examples I can read to learn how to set that functionality up? I'd like to start with basic detection of things like vertical and horizontal scans and unauthorized changes to root.
I'm also looking for a good troubleshooting guide for SO/ELSA. I am bringing in Checkpoint logs now and have finally gotten ELSA to see them as program=checkpoint and class=CHECKPOINT, but the fields don't match up right in the SQL database.

loc=19390714|time=2014-11-18 14:52:18|action=accept|orig=10.xxx.xxx.10|i/f_dir=inbound|i/f_name=ae101c2|src=10.xxx.xxx.5|s_port=55643|dst=10.xxx.xxx.33|service=53|proto=udp|rule_uid={E3xxx850-0C55-11E4-8xxx-000000005757}host=127.0.0.1 program=checkpoint class=CHECKPOINT number=19390714 srcip=10.xxx.xxx.5 dstip=10.xxx.xxx.33 proto=HOPOPT interface=udp origin=ae101c2 type=10.xxx.xxx10 action=inbound service=accept

Doug Burks

Nov 21, 2014, 7:35:51 PM11/21/14
to securit...@googlegroups.com
Replies inline.

On Fri, Nov 21, 2014 at 11:15 AM, Shawn Wiley <slw...@gmail.com> wrote:
> Is there a good document with examples I can read to learn how to set that
> functionality up? I'd like to start basic detecting things like vertical and
> horizontal scans and unauthorized changes to root.

OSSEC documentation:
http://www.ossec.net/

ELSA documentation:
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation

> I'm also looking for a good troubleshooting guide for SO/ELSA. I am bringing
> in checkpoint logs now and have finally gotten ELSA to see them as
> program=checkpoint and class=CHECKPOINT but the fields dont match up right
> in the sql database .

Since this is unrelated to Sagan and OSSIM, please start a new thread
and provide further details including your patterndb parser(s) and any
MySQL schema updates you applied.
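Added example, not part of the thread and not OSSEC or ELSA code: a stand-alone Python script that does the two things asked about above. It parses the pipe-delimited key=value Check Point records by field name rather than by position (positional parsing is what leaves src/dst/proto/service in each other's columns), then flags horizontal scans (one source, one service, many destination hosts) and vertical scans (one source, one destination, many services) over the parsed records. The log lines, addresses, interface name, rule UID and the two thresholds are all constructed for the example.

```python
from collections import defaultdict


def make_line(time, src, s_port, dst, service, proto="tcp", action="accept"):
    """Build one constructed record in the pipe-delimited key=value layout
    quoted in the thread (values are made up; the rule_uid is a dummy)."""
    return (
        f"loc=1|time={time}|action={action}|orig=10.0.0.1|i/f_dir=inbound"
        f"|i/f_name=eth0|src={src}|s_port={s_port}|dst={dst}"
        f"|service={service}|proto={proto}"
        "|rule_uid={00000000-0000-0000-0000-000000000000}"
    )


# Constructed traffic: a horizontal sweep of TCP/445 across six hosts,
# a vertical probe of six services on one host, and three benign DNS lookups.
SAMPLE_LOGS = (
    [make_line(f"2014-11-18 14:52:{i:02d}", "10.0.0.5", 40000 + i, f"10.0.1.{i}", 445)
     for i in range(1, 7)]
    + [make_line(f"2014-11-18 14:53:{i:02d}", "10.0.0.9", 41000 + i, "10.0.2.7", port)
       for i, port in enumerate((21, 22, 23, 25, 80, 443))]
    + [make_line(f"2014-11-18 14:54:{i:02d}", "10.0.0.20", 55600 + i, "10.0.0.33", 53, "udp")
       for i in range(3)]
)


def parse_checkpoint(line):
    """Split on '|' and then on the FIRST '=' only, so a value that itself
    contains '=' is kept whole. Keying by field name rather than by column
    position is what keeps src/dst/proto/service from being shifted."""
    rec = {}
    for field in line.split("|"):
        if "=" not in field:
            continue  # tolerate stray fragments without a key
        key, value = field.split("=", 1)
        rec[key.strip()] = value.strip()
    return rec


def detect_scans(records, host_threshold=5, port_threshold=5):
    """Return scan alerts as sorted tuples.
    ("horizontal", src, service, n): src hit >= host_threshold distinct dst hosts on one service
    ("vertical", src, dst, n):       src hit >= port_threshold distinct services on one dst host
    The thresholds are assumptions for the example; tune them to the network."""
    hosts_by_src_service = defaultdict(set)
    services_by_src_dst = defaultdict(set)
    for r in records:
        src, dst, svc = r.get("src"), r.get("dst"), r.get("service")
        if not (src and dst and svc):
            continue  # skip records that lack the fields we key on
        hosts_by_src_service[(src, svc)].add(dst)
        services_by_src_dst[(src, dst)].add(svc)

    alerts = []
    for (src, svc), hosts in hosts_by_src_service.items():
        if len(hosts) >= host_threshold:
            alerts.append(("horizontal", src, svc, len(hosts)))
    for (src, dst), svcs in services_by_src_dst.items():
        if len(svcs) >= port_threshold:
            alerts.append(("vertical", src, dst, len(svcs)))
    return sorted(alerts)


def run_sample():
    """Parse the constructed logs and return the alerts they produce."""
    return detect_scans(parse_checkpoint(line) for line in SAMPLE_LOGS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The same name-based split is the check to run against whatever the patterndb parser is emitting: if `parse_checkpoint()` on a raw line gives the right src/dst/proto/service but the ELSA columns do not, the parser's field order, not the log, is what needs fixing.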