ECSC / analogi

Graphical Web Interface for OSSEC
GNU General Public License v3.0

Fork #15

Closed kakadoo closed 4 years ago

kakadoo commented 10 years ago

hi

I started a fork today from analogi and added some fixes.

@ECSC, if you would like to merge this into your source, please contact me.

Holger

fsSnowboard commented 10 years ago

I just emailed ECSC (email pulled from commits) to see if they are still developing this. I just discovered this project, and also want to make updates and changes.

Tyler

shadyb commented 10 years ago

I don't think ECSC is maintaining this project anymore. Activity has been nil for quite a while. That is problematic since analogi is broken with ossec 2.8.

kakadoo commented 10 years ago

hi

I use analogi with 2.8 without problems.

Holger

shadyb commented 10 years ago

Did you fix the bugs with 2.8 in your version? If you do a fresh install, the db schema is different from 2.7 and analogi cannot find the data table (rightly so, since it no longer exists in 2.8).

fsSnowboard commented 10 years ago

I got an email response and they said they are "maintaining it" but have had other priorities, so haven't updated it in a while. They are going to discuss internally what they want to do with the project.

As far as the bugs, I forked and tried netman2k's and it works with 2.8. As of a few days ago he seemed to have the most changes.

shadyb commented 10 years ago

I cloned netman2k's on a fresh ossec 2.8 install and analogi complains that the mysql tables are not set up properly. Did you upgrade?

kakadoo commented 10 years ago

hi

Maybe I figured out the table by hand with phpMyAdmin, I don't know, sorry, I'm an old man ;)

I remember that I had trouble with the database after the ossec update from 2.7 to 2.8,

and that I did something with phpMyAdmin.

Basically the trouble came from the ossec update, not from analogi.

I fixed a lot in my version and I use it every day, no problems with ossec 2.8.

Holger

kakadoo commented 10 years ago

No, did you compile ossec or use the ready-made RPM? I think there is a bug inside the RPMs.

I use ossec 2.8 compiled by me, with analogi and some changes by hand via phpMyAdmin to the db.

Holger

shadyb commented 10 years ago

Okay, got clarification from the ossec devs. Basically, the new db changes are intentional because they improve performance. What they have effectively done is move the data TABLE content into the alert TABLE, so that means fewer JOINs. Now, it appears you can compile without this functionality, but whether that'll be the case for the future, I'm not sure.

I think what I am going to do is make a pull request and update the queries so that you can run analogi out of the box with ossec 2.8.

kakadoo commented 10 years ago

hi

Sounds perfect.

Did you pull from ECSC?

Holger

shadyb commented 10 years ago

Yes. I have implemented it but there are several problems. The devs have removed the signatures so you can only see rule IDs. Before, each rule ID had a rule description, this is no longer the case. I had a chat with one of the ossec devs and he told me it was taking up to 10m for ossec to start when populating the signatures table so they have removed it completely. Although this may save time, it makes analogi unusable. You can do a clone of my fork if you want to and play around with it.

I have decided to go back to 2.7 and maybe give it a year or two before considering an upgrade.
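Added example, not code from analogi or from the OSSEC project: a Python sketch of the query switch shadyb describes (2.7 joins alert to the data table, 2.8 carries the log columns on alert itself), plus the rule-id fallback for a 2.8 database whose signature table is empty. The two schemas are constructed stand-ins built in SQLite, and their column names are assumptions taken from the stock OSSEC mysql.schema rather than from anything in this thread.

```python
import sqlite3

# Constructed, trimmed-down stand-ins for the two OSSEC schemas; column names are
# assumptions drawn from the stock mysql.schema, not something this thread shows.
SCHEMA_27 = """
CREATE TABLE alert (id INTEGER, server_id INTEGER, rule_id INTEGER, timestamp INTEGER, src_ip TEXT);
CREATE TABLE data (id INTEGER, server_id INTEGER, user TEXT, full_log TEXT);
CREATE TABLE signature (rule_id INTEGER PRIMARY KEY, level INTEGER, description TEXT);
"""
SCHEMA_28 = """
CREATE TABLE alert (id INTEGER, server_id INTEGER, rule_id INTEGER, timestamp INTEGER, src_ip TEXT, user TEXT, full_log TEXT);
CREATE TABLE signature (rule_id INTEGER PRIMARY KEY, level INTEGER, description TEXT);
"""

def has_data_table(conn):
    """True for a 2.7-style schema (sqlite_master stands in for MySQL's information_schema)."""
    row = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'data'").fetchone()
    return row is not None

def alert_query(conn):
    """Build the alert listing for whichever schema the database actually has."""
    if has_data_table(conn):
        # 2.7: the log text lives in data, joined to alert on (id, server_id)
        source, log_col = "alert a JOIN data d ON d.id = a.id AND d.server_id = a.server_id", "d.full_log"
    else:
        # 2.8: full_log is a column of alert itself, so the JOIN on data disappears
        source, log_col = "alert a", "a.full_log"
    # LEFT JOIN: a 2.8 database may ship an empty signature table; an inner join would drop every alert
    return (f"SELECT a.id, a.rule_id, s.description, {log_col} "
            f"FROM {source} LEFT JOIN signature s ON s.rule_id = a.rule_id ORDER BY a.id")

def fetch_alerts(conn):
    """Rows of (id, rule_id, description, full_log); without a signature row only the rule id is shown."""
    rows = conn.execute(alert_query(conn)).fetchall()
    return [(i, r, d if d is not None else f"rule {r}", log) for i, r, d, log in rows]

def build_demo(schema, with_signature):
    """In-memory database holding one constructed alert for rule 5712."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    if has_data_table(conn):
        conn.execute("INSERT INTO alert VALUES (1, 1, 5712, 1406716800, '192.0.2.10')")
        conn.execute("INSERT INTO data VALUES (1, 1, 'root', 'sshd: authentication failure')")
    else:
        conn.execute("INSERT INTO alert VALUES (1, 1, 5712, 1406716800, '192.0.2.10', 'root', "
                     "'sshd: authentication failure')")
    if with_signature:
        conn.execute("INSERT INTO signature VALUES (5712, 10, 'SSHD brute force attempt')")
    return conn
```

Against a real MySQL instance the same schema probe would read information_schema.tables instead of sqlite_master; the query construction itself is unchanged.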