This eigth installment of the tutorial series will focus on a feature which will be revolutionary for OSSIM for sure: tight jasperserver integration for custom/periodic reports with the guarantee of a strong BI suite. The upcoming installer release will include both Tomcat as well as JasperServer ready to use and with sample preloaded reports and datasources. (Note: Installer beta2 users can already test some of this out, although no real tight integration until beta4 will be in place).

If you haven't heard about JasperServer nor iReport you can them check out JasperServer and iReport for some background. Quoting those two pages:

"JasperServer is a high-performance business intelligence platform and report server designed for developers and businesses. Deploy JasperServer when end-users need to create their own ad hoc queries, reports, charts, crosstabs, dashboards, or it becomes necessary to secure, store, schedule, distribute, share, drill-down, or interact with reports."

"iReport is a graphical report tool for report designers, developers, and power-users. iReport provides complete coverage of all the reporting capabilities in JasperReports, JasperServer, and Jasper4Salesforce, including the creation of parameterized reports, pixel-perfect production reports, and remote JasperServer repository management".

I'm no jasperreports expert myself, I used it for report creation and I'm sure there are tons of tips and tricks experts can provide. Any comments and feedback that help improving this article will be greatly appreciated :-)

During this tutorial the following steps will be covered:

• OSSIM - iReport - JasperServer integration
• Assumptions
• iReport download and setup
• OSSIM for iReport setup
• Sample report: top events by risk/ocurrence.
• Uploading this report to jasperserver
• What to do next?
• Tips and Tricks.
• Sharing your work/fun: the Alien Forge.

OSSIM - JasperServer integration

Ok, a couple of notes first. The installer uses JDK6, Tomcat 6.0.18 and JasperServer 3.1. Everything is installed into /var/tomcat/, passwords get adjusted from /etc/ossim/ossim_setup.conf using ossim-reconfig and default login/password is jasperadmin/jasperadmin. Point your browser at http://ossim_ip:8080/jasperserver/ and you're set.

OSSIM will provide a series of default datasources for the most useful databases for reporting, that is, ossim, ocs inventory and snort.

The idea behind this provide strong reporting without having to code it from zero up, but also have a way to share generic reports with other users. That's what we're going to do using the .jrxml formats, be able to share reports with others, creating an amazing amount of custom reports for users to use. More on this on the last section, the Alien Forge ;-)

Warning: the following applies to users of the installer beta versions released on 2009/03 and beyond, don't try this with 1.0.6 or previous versions; you'll end up quite frustrated.

Assumptions

• My IP is 192.168.1.24
• OSSIM is at 192.168.1.22
• User is 'root'
• Password is 'password'
• Jasperserver credentials are 'jasperadmin:jasperadmin'

iReport download and setup

First, get iReport for your platform: Download. Win and mac got an easy installer, for linux I guess it's the .jar file anyway. (Haven't tested it).

OSSIM for iReport setup

In order to enable access from your client you've got to grant it permissions from within mysql and enable mysql to listen on the network.

1. Log into OSSIM via ssh as root.
2. Edit /etc/mysql/my.cnf, search the line bind-address ... and replace 127.0.0.1 with 0.0.0.0. Execute /etc/init.d/mysql restart. This will enable remote connections to your mysql, so please choose a different password for the remote user in case somebody connects using your ip.
3. Execute "ossim-db" (this will read the password from /etc/ossim/ossim_setup.conf and drop you into mysql>)
4. Grant access to your client host. You might need to add another user here for our tutorial if you're reading this before the final release, more on this later: "grant all on *.* to root@192.168.1.24 identified by 'password';"

Note: this is the easiest way of doing it, tighter permissions and separate users for each DB are recommended in high security environments

Next, fire up iReport. We'll start by creating a blank report:

Let's call it "Top20EventReport" for example (although later it will be top 10 and 50, but I had the screenshots done already so at least on my side it will be called like that :P).

Here goes our next screen:

Next we'll add both datasources to our iReport. Click on the "report datasources button" as seen here:

and fill in the OSSIMDS definition with your info: .

Rinse and repeat for snort and you should end up with the following: .

Sample report: top events by risk/ocurrence

Our report will have two sections: - Top 50 events by risk (from acid_event). - Top 10 events by occurrence.

First we start off with the query(s). This might be the hardest part of all, but as said, the idea is that all ossim users share their reports, so there might be those with more SQL knowledge, those with report designing skills and those with a greater security knowledge; combining the three of them will yield great reports.

Our main report will be the one just reporting the 50 events. After that we'll include a sub-report with the events by occurrence.

For the record, the table we're going to use herein is:

acid_event:
----------------------------------------
| Field | Type | Null | Key | Default | Extra |
+-------------------+------------------+------+-----+---------+-------+
| sid | int(10) unsigned | NO | PRI | NULL | |
| cid | int(10) unsigned | NO | PRI | NULL | |
| signature | int(10) unsigned | NO | MUL | NULL | |
| sig_name | varchar(255) | YES | MUL | NULL | |
| sig_class_id | int(10) unsigned | YES | MUL | NULL | |
| sig_priority | int(10) unsigned | YES | MUL | NULL | |
| timestamp | datetime | NO | MUL | NULL | |
| ip_src | int(10) unsigned | YES | MUL | NULL | |
| ip_dst | int(10) unsigned | YES | MUL | NULL | |
| ip_proto | int(11) | YES | MUL | NULL | |
| layer4_sport | int(10) unsigned | YES | MUL | NULL | |
| layer4_dport | int(10) unsigned | YES | MUL | NULL | |
| ossim_type | int(11) | YES | MUL | 1 | |
| ossim_priority | int(11) | YES | MUL | 1 | |
| ossim_reliability | int(11) | YES | MUL | 1 | |
| ossim_asset_src | int(11) | YES | MUL | 1 | |
| ossim_asset_dst | int(11) | YES | MUL | 1 | |
| ossim_risk_c | int(11) | YES | MUL | 1 | |
| ossim_risk_a | int(11) | YES | MUL | 1 | |
------------------------------------------

Everything we need for this report can be found in there.

Our querys would be as follows:

 
select timestamp, sig_name, inet_ntoa(ip_src) as source, layer4_sport, inet_ntoa(ip_dst) as dest, layer4_dport, 
((ossim_risk_c + ossim_risk_a) / 2) as risk from acid_event where timestamp > DATE_SUB(NOW(), INTERVAL 7 DAY) 
order by risk desc limit 50;
 
select sig_name, count(*) as cnt from acid_event where timestamp > DATE_SUB(NOW(), INTERVAL 7 DAY) group by sig_name 
order by cnt desc limit 10;
 

So, first let's select SNORTDB as datasource on top. Then right-click on report name, "Edit Query" and insert our first one and click OK. Edit query location can be found here:

Our first test would be to add some fields to the detail. Click on "Fields" so that you get a list like this:

• timestamp
• sig_name
• source
• layer4_sport
• dest
• layer4_dport
• risk

If we move any of those into the "Detail" (or any other) band, we'll get them into our report. Let's move timestamp, sig_name and risk into it, making the sections shorter and see how it will look. Also, a quick title (using a "Static text" field from the palette into title) and removing unused sections will help. Click on Preview next :-) (Screens below show the final layout and how our first preview should look like:)

There we go ! Some first (ugly :P) results.

Next we'll get the top 10 graph into the report to get some colour into it.

Let's start by generating a sub-report.
Get back to designer view, make the Title bar bigger and drag a sub-report item from palette into it:

Start of with selecting "Create a new report". Next we'll select SNORTDB as datasource, since acid_event is inside SNORTDB:

.

Then paste our sub-query into it:

select sig_name, count(*) as cnt from acid_event where timestamp > DATE_SUB(NOW(), INTERVAL 7 DAY) 
group by sig_name order by cnt desc limit 10;

See the chart widget on the right area ? Drag it right into our blank area and you'll see a popup with the selection.

We'll want a 3D pie first: .

Next we'll set up some common properties. Feel free to try out variations of course :-). Click on our chart and notice that the properties window on the right changes to "3D Pie Chart - Properties". We'll touch some of them in there.

• Find show legend, enable it.
• Find Theme and change it to eye.candy.sixties
• Find legend position, switch it to right.

There we go, our graph is ready. Numbers are a bit crippled but I don't know how to fix this right now, it's a start nonetheless and I'll update when I figure out (or hopefully someone else figures it out and tells me...).

Now let's get back to the main report (look at the tabs on top). Adjust the graph to content and align it to the left of our doc.



Just a quick preview and... voilá, (hopefully) you're seeing your shiny new report.

Uploading this report to jasperserver

Now we want to get this onto our server, see that we can generate it there whenever we want and schedule reports so they get sent out to the manager(s) every once in a while. (Note: don't send them out this way, add some corporate logos, adjust styles, include more info and all that of course :-))
So, we start selecting the item "JasperServer Repository" from the "Window" menu: .

This will open up a new tab on the left side of the screen.
There we'll click on "Add new server" so we can connect to our running jasperserver and fill in our jasperserver configuration:




adding the right ip, removing the "-pro" behind jasperserver and entering credentials (jasperadmin:jasperadmin by default):




Next comes a fork in the tutorial. If you click on your server and got OSSIMDS and SNORTDS as datasources, then your installed version is later than beta2 and you can skip below to the "Add report unit" part. Otherwise you'll need to define the two datasources.
First get back into ossim at console, enter "ossim-db" and create a user for local reporting access (as said before, it's recommended to limit the permissions on production environments, but this is easier to debug):

grant all on *.* to reports@127.0.0.1 identified by 'report_password';
grant all on *.* to reports@localhost identified by 'report_password';

If you click on your server, you should now have two datasources (I've got no idea how the "Add new server" label got on top of OSSIMDS, but trust me, it's there) defined.
So now we can add a report unit (the combined report we just created) by right clicking again and selecting it.

.

We'll give it a name (names can't contain spaces I believe), a label, a description and continue.

.

Next we'll select "locally defined" and load our main report .jrxml file into it (not the subreport one). .

After that we'll get asked for the datasource. Since we're reading from snort, we'll select SNORTDS from the repository. .

Go ahead and it will prompt about a missing subreport and wether it shall be included too. Of course it should, so just accept: .

There we go, our report ready to be used along with two datasources.

Let's see if it worked. Point your browser at http://your_ip:8080/jasperserver/ and log in using jasperadmin/jasperadmin. As you (hopefully will) see, there is our report. Let's generate it by clicking on the name :-)

Aaah, there it is . And in flash, which is prettier:

Lastly I'd suggest getting back to iReport and upload the .jrxml reports files as backup, so next time you can fetch them from there and you can share it with co-workers:

What to do next?

Well, next steps would be scheduling reports to run on a daily/weekly/monthly basis as well as getting those reports into the executive panel for real-time visualization.

Tips and Tricks

The next list is intended to be a quick lifesaver guide for those into jasperserver. I'm sure I'll need it in 6 months :-)

• Jasper is at /var/tomcat/. (easy one :P)
• Main logs are at /var/tomcat/logs/catalina.out.
• DB passwords get stored at three places: /var/tomcat/conf/Catalina/localhost/jasper... (verify) (add other two).
• If in trouble, get the latest jasperserver .war, undeploy, deploy and reconfig.
• Don't try to move elements among document spaces (detail, title, group header, etc...), it will fail.
• Create subreports if unsure, they're easy to maintain.
• If you want to include a report into executive panel, schedule it to overwrite itself, grab the url and add "j_username and j_password" to it's url, as in < img src="http://192.168.1.22:8080/jasperserver/fileview/fileview/Reports/Report1.html_files/img_0_0_0?j_username=jasperadmin&j_password=jasperadmin" >
• If you're generating a report for management, use as many colours as possible; they love it!
• No need to save, every preview Saves. (I hope nobody gets offended, but this phrase just reminded me too much of Jesus saves... after each level he passes.

Sharing your work/fun: The Alien Forge

Why do I call this work/fun? My reasoning behind this whole article/post is as following: I'll do a sample report and share it with all the fellow ossim users. This report might look like shit and be of a limited use, but I hope to get something moving. This report just shows a weekly top 50 events by risk and a top 10 events by raw event count. The design is horrible and the usefulness is limited, but what if...

1. somebody took this one, added some nice column layout, some colors, tweaked a couple of things and uploaded it to the forge again ?
2. somebody took the next one, added a listing for top 10 hosts for each of those events to the report including a name resolve?
3. someone else took the previous one and added a field that would prompt the user for a month and it would generate a report for that one?
4. take 10 more iterations...
5. somebody integrates 10 of these sub-reports and creates an awesome auto-report for everyone to schedule on a daily/weekly/montly basis?

This last step is my goal and I really think it can be done.

OSSIM parts that benefit from custom content:

• Snort
• Nessus
• Ossim directives
• Ossim plugins (cfg + sql)
• Cross correlation rules
• Inventory Correlation rules
• Event repriorizations
• OSSEC plugins
• JasperServer custom reports

The needs for this custom content will be covered in two ways:

AlienVault Feed

Alien Forge

The AlienVault Feed will include updates for all those items on a regular basis. Updates will happen once a week with exceptional "critical" updates on certain important threats. Most of the items from the AlienVault Feed will be consolidated into the ossim releases, effectively creating a delay for regular users.

The Alien Forge on the other hand is an exchange place for all those items between users. Got something to share? put it in there. The more content is shared the more people will be willing to share back. Think of a snowball rolling down a snowfield :-)

The code is just being finished. Uploads will be categorized into Manufacturer, Product, Version and Type. Everybody will get full credit for their uploads and points, points we plan on being able to spend in:

• Free subscriptions.
• Certification extensions.
• Shirts / toys.
• Free Appliances.
• A free tryp (business class) to Mars once Mars flights are of common use (a visit to AlienVault headquarters included :P)

• Upload list
• Upload form
• Download list
• Download content

I hope you liked this tutorial, the best way you can show that is by contributing reports back, any of them, even if it's a "last 10 entries into the mysql users table"; everything will be used at some time by another users :-) Thanks for reading this far btw, it's been one of the longest and most intensive tutorials so far.