Reports > Host Report Index

The Report tab displays the Host Report page by default, as shown in Figure 15 – Reports > Host Report Index.

:user_manual:figure5.1.png
Figure 15 – Reports > Host Report Index

There are four different types of reports available from the Report Index, including the Host Report. These are:

  • Host Report
  • Alarm Report
  • Security Report
  • PDF Report


These reports can easily be accessed by clicking the tab located underneath the Reports button, as shown in the above figure.

Reports > Host Report

The Host Report page displays the various hosts defined, per operating system, as shown in Figure 15.

The Host Report page displays a table featuring the host name, IP address, Asset, and corresponding operating system.

To work with a hostname in this page, simply click the hostname link for the corresponding IP address or the desired operating system.

The most important part of the Host Report appears once you click the desired hostname (see Figure 16 – Reports > Host Report). Once the report appears, there are two important panels: the left panel features host report features, such as inventory, metrics, alarms, alerts, usage, and anomalies. The right panel displays the information relevant to the link clicked in the left panel. By default, it is the Inventory information.

:user_manual:figure5.1.1.png
Figure 16 – Reports > Host Report

The Host Report panel (the left panel) provides extensive capabilities for working with your reports.

The Inventory link displays various pieces of information relating to the host in three distinct sections. The Host Info section displays the host name, IP address, operating system, and the machine's MAC address. The second section provides information on where the host belongs, notably the net and sensor for the host. The third section contains port/service information related to the host, including the service name, version, and date. You can choose whether to see the data obtained with passive tools (p0f, pads) or the data obtained with active tools (nmap).

The Metrics link displays graphs of security performance statistics for various periods: last day, last week, last month, and last year. These charts show the number of attacks and security breaches (compromise) for the hostname. This page also displays the current levels for the hostname.

The next link is for three different types of alarms: Source or Dest, Source, and Destination.

The Source or Dest Alarm page displays source or destination alarms with the same IP address as the reported host. The page features a list of corresponding alarms at the bottom of the page. It includes information such as the alarm name, risk, sensor, status, etc. By default, this list is blank; however, you can quickly locate alarms of this type by using the Filter feature at the top of the page.
Using the Filter, you can set a range of dates for alarm incidents, set the desired source and destination IP addresses, and select the number of alarms to display per page. Once you have set your criteria, click Go and the matching alarms appear in the aforementioned list at the bottom of the page.

The Source page displays only source alarms. It works exactly like the Source or Dest page, except that the Filter lists only the source IP address.

The Destination page displays only destination alarms. It works exactly like the Source or Dest page, except that the Filter lists only the destination IP address.

The next set of links is for various alerts, or events: Main, Src Unique events, Dst Unique events.

The Main page is an introductory page to the Events section. This page works hand in hand with BASE (Basic Analysis and Security Engine). The top of the page has a link to the home page (which takes you to the BASE home page and not a refresh of the Main page) as well as a Search feature and cached alerts.

From the Main page, you can query any alerts for your hostname (IP address) by type: Source, Destination, or Source/Destination. You can also perform a whois on your hostname using one of several authorities: ARIN, RIPE, APNIC, or LACNIC.

You can also view the number of sensors for your hostname or access Alert Group Maintenance using the corresponding link.

The Src Unique events page provides information on source events. The left side of the page displays the latest query information, as well as the criteria used to make the query. You can clear the criteria by clicking the Clear link in this window.

The right side of the page provides Summary Statistics for sensors, alerts (events), IP links, and ports (destination and source).

Please remember that every alert inside BASE is called an event in OSSIM, so when we say alerts it is the same as events.

Corresponding alerts appear in a table in the bottom half of the screen. This table contains information such as the alert signature, classification, first and last occurrence, etc. Each alert can be selected and actions performed using the table located below this table of alerts. Using the drop-down menus, you can select a number of actions, such as archiving or deleting alerts or e-mailing alert information for one or more alerts.

The Dst Unique events page has the same functionality as the aforementioned Src Unique events page, except that this page deals exclusively with destination events and not source events.

The Usage page provides information on how the hostname is used, based on data from ntop.

The Anomalies page provides detailed information on any incidents that occurred relating to the selected hostname.

Reports > Alarm Report

The Alarm Reports page displays graphical representations of host-related alarm data, as shown in Figure 17 – Reports > Alarm Report.

:user_manual:figure2.2.2.png
Figure 17 – Reports > Alarm Report

As shown in the above figure, charts are displayed indicating important host-related data. The first chart displays the hosts that have received the most attacks. A numeric representation appears next to the chart: a table with the host name and the number of attack occurrences. Each attack corresponds to a specific alarm.

This page features the following charts:

  • Top 10 Attacked Hosts
  • Top 10 Attacker Hosts
  • Top 10 Used Ports
  • Top 10 Alarms
  • Top 10 Alarms by Risk


With the exception of the final chart, Top 10 Alarms by Risk, you can find out more information about the hostname, alarm, or port by clicking its corresponding link.
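The per-host alarm Filter (date range, which side of the alarm the host is on, alarms per page) and the Top 10 aggregations of the Alarm Report are both simple operations over the same alarm records. The following is an added example written for this page, not OSSIM's own code: it applies those operations to a handful of constructed alarm records. The record fields, the sample hosts and times, and the choice to rank alarms by the highest risk value seen per alarm name are all assumptions; the page does not state how OSSIM aggregates risk for the Top 10 Alarms by Risk chart.

```python
"""Filter and Top 10 aggregation over constructed alarm records.
Example code for this manual page, not OSSIM's implementation."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alarm:
    when: datetime
    name: str
    risk: int        # assumed: OSSIM-style risk value, higher is worse
    sensor: str
    src_ip: str
    dst_ip: str
    dst_port: int
    status: str      # assumed: "open" or "closed"


# Constructed sample alarms (made-up hosts, names and times, not real data).
SAMPLE_ALARMS = [
    Alarm(datetime(2009, 11, 20, 8, 5), "Brute force login", 7, "sensor1",
          "10.0.0.5", "10.0.1.10", 22, "open"),
    Alarm(datetime(2009, 11, 20, 9, 12), "Brute force login", 7, "sensor1",
          "10.0.0.5", "10.0.1.10", 22, "open"),
    Alarm(datetime(2009, 11, 21, 14, 30), "Port scan", 3, "sensor2",
          "10.0.0.7", "10.0.1.10", 80, "closed"),
    Alarm(datetime(2009, 11, 22, 1, 45), "Worm propagation", 9, "sensor2",
          "10.0.1.10", "10.0.1.11", 445, "open"),
    Alarm(datetime(2009, 11, 25, 17, 0), "Port scan", 3, "sensor1",
          "10.0.0.7", "10.0.1.12", 443, "open"),
    Alarm(datetime(2009, 11, 27, 11, 20), "Brute force login", 7, "sensor1",
          "10.0.0.9", "10.0.1.11", 22, "closed"),
]


def filter_alarms(alarms, host_ip, direction="src_or_dst", start=None, end=None):
    """The per-host Filter: keep alarms where host_ip is on the chosen side
    ("src_or_dst", "src" or "dst", matching the three alarm pages) and the
    alarm falls inside the optional date range. Dates are "YYYY-MM-DD"
    strings as a date picker would supply them; the end date is inclusive."""
    if direction not in ("src_or_dst", "src", "dst"):
        raise ValueError("direction must be src_or_dst, src or dst")
    start_dt = datetime.strptime(start, "%Y-%m-%d") if start else None
    end_dt = datetime.strptime(end, "%Y-%m-%d") + timedelta(days=1) if end else None
    kept = []
    for a in alarms:
        is_src = a.src_ip == host_ip
        is_dst = a.dst_ip == host_ip
        side_ok = {"src_or_dst": is_src or is_dst, "src": is_src, "dst": is_dst}[direction]
        if not side_ok:
            continue
        if start_dt and a.when < start_dt:
            continue
        if end_dt and a.when >= end_dt:
            continue
        kept.append(a)
    return kept


def paginate(alarms, per_page, page_no):
    """The 'alarms per page' setting: return 1-based page page_no."""
    if per_page < 1 or page_no < 1:
        raise ValueError("per_page and page_no must be positive")
    first = (page_no - 1) * per_page
    return alarms[first:first + per_page]


def top_n(alarms, field, n=10):
    """Count occurrences of one record field, most frequent first."""
    return Counter(getattr(a, field) for a in alarms).most_common(n)


def top_by_risk(alarms, n=10):
    """Assumed ranking for 'Top 10 Alarms by Risk': highest risk seen per alarm name."""
    worst = {}
    for a in alarms:
        worst[a.name] = max(worst.get(a.name, 0), a.risk)
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)[:n]


def alarm_report(alarms, n=10):
    """The five Alarm Report charts as (value, count-or-risk) lists."""
    return {
        "Top 10 Attacked Hosts": top_n(alarms, "dst_ip", n),
        "Top 10 Attacker Hosts": top_n(alarms, "src_ip", n),
        "Top 10 Used Ports": top_n(alarms, "dst_port", n),
        "Top 10 Alarms": top_n(alarms, "name", n),
        "Top 10 Alarms by Risk": top_by_risk(alarms, n),
    }


if __name__ == "__main__":
    # Filter as the Source or Dest page would for one host, then page the list.
    hits = filter_alarms(SAMPLE_ALARMS, "10.0.1.10", start="2009-11-20", end="2009-11-22")
    for a in paginate(hits, 2, 1):
        print(a.when, a.name, a.risk, a.sensor, a.status)
    for chart, rows in alarm_report(SAMPLE_ALARMS).items():
        print(chart, rows)
```

The dst_ip and src_ip counts correspond to the "attacked" and "attacker" host tables the page describes; a host that appears as the source of one alarm and the destination of others, such as the constructed 10.0.1.10 above, shows up in both, which is why the Source-only and Destination-only pages exist alongside Source or Dest.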

Reports > Security Report

The Security Reports page displays graphical representations of host-related event data, as shown in Figure 18 – Reports > Security Report.

:user_manual:figure5.2.png
Figure 18 – Reports > Security Report

As shown in the above figure, the Security Reports page is very similar in content to the Alarm Reports page in that it provides graphical representations of security-related information.

The Security Reports page provides a number of charts:

  • Top 10 Attacked hosts
  • Top 10 Attacker hosts
  • Top 10 Used ports
  • Top 10 Events
  • Top 10 Events by Risk


Like the Alarm Reports page, the Security Reports page also provides a data representation of each chart, including hostname/alarm, etc. It also provides information relating to occurrence quantities.

With the exception of the final chart, Top 10 Events by Risk, you can find out more information about the hostname, alarm, or port by clicking its corresponding link.

Reports > PDF Report

The PDF Reports page lets you select which report or reports to generate in PDF format, as shown in Figure 19 – Reports > PDF Report.

:user_manual:figure5.4.png
Figure 19 – Reports > PDF Report

As shown in the above figure, the PDF Reports page lets you select one of four reports via the drop-down box at the top of the form. A number of sub-options may be selected using the check boxes below the drop-down box. Each report type has its own options; you can choose which of them to include, and you can filter by different attributes. A PDF file report is built when the Generate button is pressed. OSSIM can save your reports in this format without the need for any third-party software or plug-ins.

The available reports for generation are:

  • Security
  • Metrics
  • Alarms
  • Incidents


Once you select the report and sub-options to generate, in the Security or Alarm reports, you can designate how many hosts to display per table. By default, OSSIM proposes 15.

To generate the report, simply click Generate. OSSIM generates your report as a single PDF file and displays it. For more information on using Adobe Acrobat to manage your report and perform tasks such as saving or sending it, please refer to the Adobe documentation available at www.adobe.com.

Reports > OCS Inventory

Currently this redirects to a pre-configured OCS Inventory collector installed on the OSSIM server. For more information please visit www.ocsinventory-ng.org/. The Tools → Downloads section provides the agents required for correct operation.


  • Written By: Jason A. Minto
  • Reviewed By: Alberto Roman, Dominique Karg
  • Contributors: Juan Blanco

Please add your name to the list above if you make significant improvements to this document

 
user_manual/reports.txt · Last modified: 2009/11/28 21:59 (external edit)
 