Suricata with OSSIM
OSSIM is a widely used Open Source SIEM.
You can download OSSIM from here: http://communities.alienvault.com/community/
After you install OSSIM, you need to do a Suricata installation the usual way.
Make sure you have the unified2 and http.log outputs enabled.
Edit /etc/suricata/suricata.yaml:

  - unified2-alert:
      enabled: yes
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
After that I followed the guide (suricata-install.txt) with the files provided here:
http://code.google.com/p/alienvault-labs-garage/downloads/list
and it worked without a problem.
Basically, once you have downloaded the files from the link above, what you have to do is:
cp suricata-http.cfg /etc/ossim/agent/plugins/
cp suricata.cfg /etc/ossim/agent/plugins/
cp ParserUtils.py /usr/share/ossim/agent/ossim_agent/
ossim-db < suricata-http.sql
Edit /etc/ossim/agent/config.cfg and add the following lines:
suricata=/etc/ossim/agent/plugins/suricata.cfg
suricata-http=/etc/ossim/agent/plugins/suricata-http.cfg
/etc/init.d/ossim-agent restart
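The steps above, as an added shell example (not part of this page or of the AlienVault guide): it copies the plugin files only after checking that both the source files and the destination directories exist, registers the two plugins in config.cfg without duplicating lines on a second run, and verifies the result before the agent is restarted. It assumes the plugin lines belong under a [plugins] section header in config.cfg (if no such header is found it appends one); the directory arguments default to the paths named on this page and can be overridden, which is how the accompanying test exercises it without touching a real OSSIM install.

```shell
#!/bin/sh
# Added example: idempotent OSSIM-side setup for the Suricata plugins.
# Nothing runs at top level; call apply_all as root on the OSSIM host.

# install_plugin_files SRC_DIR [PLUGIN_DIR] [PYTHON_DIR]
# Copies suricata.cfg, suricata-http.cfg and ParserUtils.py from SRC_DIR.
# Fails early (return 1) if a file or destination directory is missing,
# which catches a mistyped path before anything is half-installed.
install_plugin_files() {
    src="$1"
    plugdir="${2:-/etc/ossim/agent/plugins}"
    pydir="${3:-/usr/share/ossim/agent/ossim_agent}"
    for f in suricata.cfg suricata-http.cfg ParserUtils.py; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    [ -d "$plugdir" ] || { echo "no such directory: $plugdir" >&2; return 1; }
    [ -d "$pydir" ]   || { echo "no such directory: $pydir" >&2; return 1; }
    cp "$src/suricata.cfg" "$src/suricata-http.cfg" "$plugdir/" || return 1
    cp "$src/ParserUtils.py" "$pydir/" || return 1
}

# register_plugin CONFIG_CFG NAME PLUGIN_CFG_PATH
# Adds "NAME=PLUGIN_CFG_PATH" directly under the [plugins] header (assumed
# section name). A plugin that is already registered is left untouched, so
# the function can be re-run safely.
register_plugin() {
    cfg="$1"; name="$2"; path="$3"
    if grep -q "^${name}=" "$cfg"; then
        echo "already registered: $name"
        return 0
    fi
    if grep -q '^\[plugins\]' "$cfg"; then
        awk -v line="${name}=${path}" '
            { print }
            /^\[plugins\]/ { print line }
        ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '[plugins]\n%s=%s\n' "$name" "$path" >> "$cfg"
    fi
}

# plugins_registered CONFIG_CFG
# Returns 0 only when both plugin lines are present.
plugins_registered() {
    grep -q '^suricata=' "$1" && grep -q '^suricata-http=' "$1"
}

# apply_all SRC_DIR
# The full procedure from the page: copy files, load the SQL, register the
# plugins, verify, restart the agent.
apply_all() {
    src="$1"
    cfg=/etc/ossim/agent/config.cfg
    install_plugin_files "$src" || return 1
    ossim-db < "$src/suricata-http.sql" || return 1
    register_plugin "$cfg" suricata /etc/ossim/agent/plugins/suricata.cfg
    register_plugin "$cfg" suricata-http /etc/ossim/agent/plugins/suricata-http.cfg
    plugins_registered "$cfg" || { echo "plugin registration failed" >&2; return 1; }
    /etc/init.d/ossim-agent restart
}
```

Run it as `. ./ossim-suricata.sh && apply_all /path/to/downloaded/files` on the OSSIM host; the copy step refuses to proceed if any of the three files or either destination directory is absent, and register_plugin can be invoked again after an upgrade without producing duplicate entries.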