
[ossec-dev] OSSEC Integration with Other Tools



From conversations on IRC and the patches being worked it's obvious
there's a strong desire to integrate OSSEC with other Security
Frameworks.  I'm a Perl programmer and have been thinking about what a
Perl API to OSSEC might look like.

I hadn't wandered far down that path when I realized that I might be
selfish to request just a Perl API; some Python/Ruby/Java/PHP folks
might also want APIs too.  This seemed to me like a lot of work, and
something that would probably take a while to implement, so I've
hesitated asking for it :).

So I started trying to figure out other potentially useful interfaces
for gluing OSSEC to other things.  I think mdmonk suggested just
utilizing the email alert interface and sending alerts through a Perl
script via procmail to parse and do whatever you want there.  It's
certainly a possibility, but not exactly pretty.

So I started to look around to see how others might implement something
that allows people to use whatever language they want.  I remembered
that I chose syslog-ng specifically for the way it implemented its
program additions to syslog streams.

Syslog-ng starts up all the programs specified in the config file at
program start, and then maintains a handle to their STDIN to dispatch
events to.  This of course handles the main problem with interpreted
languages, program startup cost, and the STDIN interface is universal
enough to allow everyone the freedom to use Erlang, Lisp, Fortran, or
COBOL to do their custom scripting against.

Even better, if you can arbitrarily specify the data serialization,
(XML,YAML,JSON,???) you could pretty much guarantee simplified access to
data structures which eliminate the need of the programmer to parse the
alert logs.

Of course it would be nice if there could be some sort of feedback to
OSSEC to trigger active responses on the clients.  This might be through
maintaining a handle on the program's STDOUT.  I'm not sure that's the
best idea though.  If there's interest, we can work on that.

What does everyone think?

-- 
Brad Lhotsky                            <lhotskyb@xxxxxxxxxxxx>
NCTS Computer Specialist                    Phone: 410.558.8006
"Darkness is a state of mind, I can go where you would stumble."
 -Wolfsheim, 'Blind'
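
As an added sketch of the syslog-ng-style "program" interface proposed in this post (example code, not from the post, the OSSEC project, or syslog-ng): a dispatcher starts the handler once, keeps its STDIN open, streams one JSON-serialized alert per line, and reads a feedback line back on STDOUT. The alert field names, the "respond"/"ignore" feedback vocabulary and the inline handler are all assumptions made for the example.

```python
"""Dispatcher side of the proposed interface: start the handler program once,
keep its STDIN for alerts and its STDOUT for feedback (both assumptions)."""
import json
import subprocess
import sys

# Constructed sample alerts; the field names are assumptions for this example,
# not OSSEC's real serialized alert format.
SAMPLE_ALERTS = [
    {"rule_id": 5712, "level": 10, "srcip": "192.0.2.10",
     "description": "sshd brute force attempt"},
    {"rule_id": 5501, "level": 3, "srcip": "",
     "description": "login session opened"},
]

# The user's handler, inlined so the example runs stand-alone.  It could be
# written in any language: read newline-delimited JSON from STDIN and answer
# exactly one line on STDOUT per alert.
HANDLER_SOURCE = r"""
import json, sys
for line in sys.stdin:
    alert = json.loads(line)
    if alert["level"] >= 10 and alert["srcip"]:
        print("respond " + alert["srcip"])   # ask OSSEC for an active response
    else:
        print("ignore")
    sys.stdout.flush()                        # never leave the dispatcher waiting
"""

class ProgramDestination:
    """Start the handler once (interpreter start-up cost is paid a single time)
    and hold its STDIN/STDOUT handles for the life of the dispatcher."""
    def __init__(self, argv):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def dispatch(self, alert):
        self.proc.stdin.write(json.dumps(alert) + "\n")  # newline ends a record
        self.proc.stdin.flush()
        return self.proc.stdout.readline().strip()       # feedback channel

    def close(self):
        self.proc.stdin.close()   # EOF on STDIN lets the handler exit cleanly
        return self.proc.wait()

def run_alerts(alerts=SAMPLE_ALERTS):
    dest = ProgramDestination([sys.executable, "-c", HANDLER_SOURCE])
    try:
        return [dest.dispatch(a) for a in alerts]
    finally:
        dest.close()
```

Running `run_alerts()` returns one feedback line per alert, so a dispatcher can map "respond <ip>" onto an active-response call while "ignore" costs nothing more than the pipe write.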




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.