Russell Handorf

OSSIM : Open Source Security Information Manager

Previously I had written about using honeypots within your infrastructure to add an extra layer of detection for malicious events. I mentioned that you can integrate a honeypot into the rest of your security event management and log aggregation by enabling syslog on it. Some of the feedback I received was that people would be interested in running an install like this, but they do not have the infrastructure to support it. Well, not anymore; please let me introduce you to another great open source product, OSSIM.

OSSIM combines a suite of open source security products, some that you’ve heard of and some that you haven’t. From the site, here is a list of currently integrated programs:

  • Arpwatch, used for MAC anomaly detection.
  • P0f, used for passive OS detection and OS change analysis.
  • Pads, used for service anomaly detection.
  • Nessus, used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
  • Snort, the IDS, also used for cross correlation with Nessus.
  • Spade, the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signature.
  • Tcptrack, used for session data information which can grant useful information for attack correlation.
  • Ntop, which builds an impressive network information database from which we can get aberrant behavior anomaly detection.
  • Nagios. Being fed from the host asset database it monitors host and service availability information.
  • Osiris, a great HIDS.
  • OCS-NG, Cross-Platform inventory solution.
  • OSSEC, integrity, rootkit, registry detection and more.
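The Snort/Nessus pairing in the list above is the idea of cross-correlation: an IDS alert means more when the scanner has already confirmed that the target host carries the matching weakness, and less when it has not. The following script is an added example of that logic, not OSSIM's own correlation engine or any of its formats; the alert lines, the scan results, and the signature-to-finding mapping are all constructed for illustration.

```python
"""Added example: IDS-vs-scanner cross-correlation in the spirit of the
Snort/Nessus pairing described above. Not OSSIM code; every input below
is constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed IDS alert lines in a Snort "fast"-style layout (assumption):
# timestamp, [gid:sid:rev] message, priority, and src -> dst addresses.
IDS_ALERTS = [
    "03/14-10:01:22.000001 [**] [1:100001:1] CONSTRUCTED SMB overflow attempt "
    "[**] [Priority: 2] 10.0.0.5 -> 10.0.0.20",
    "03/14-10:02:05.000002 [**] [1:100002:1] CONSTRUCTED CGI exec probe "
    "[**] [Priority: 3] 10.0.0.5 -> 10.0.0.21",
    "03/14-10:02:40.000003 [**] [1:100003:1] CONSTRUCTED SSH brute force "
    "[**] [Priority: 1] 10.0.0.5 -> 10.0.0.99",
    "03/14-10:03:10.000004 [**] [1:100004:1] CONSTRUCTED unmapped signature "
    "[**] [Priority: 2] 10.0.0.5 -> 10.0.0.20",
]

# Constructed vulnerability-scan results: host -> set of finding tags.
# A host listed here with an empty set was scanned and found clean.
SCAN_RESULTS = {
    "10.0.0.20": {"smb-overflow"},
    "10.0.0.21": {"ssh-weak-cipher"},
}

# Constructed mapping from IDS signature id to the scanner finding tag
# the signature targets (this is the hand-maintained part in practice).
SID_TO_FINDING = {
    100001: "smb-overflow",
    100002: "cgi-exec",
    100003: "ssh-weak-cipher",
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] \[Priority: (?P<prio>\d)\] "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)

# Base risk derived from the IDS priority (1 is highest in Snort's scheme).
BASE_RISK = {1: 7, 2: 5, 3: 3}


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int
    src: str
    dst: str


def parse_alert(line: str) -> Alert:
    """Parse one fast-style alert line into an Alert; rejects malformed input."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(m["ts"], int(m["sid"]), m["msg"], int(m["prio"]),
                 m["src"], m["dst"])


def correlate(alert: Alert, scan_results: dict, sid_to_finding: dict):
    """Return (risk, verdict) after checking the alert against scan data.

    confirmed      : target was scanned and carries the matching finding
    not-vulnerable : target was scanned and does not carry it
    unscanned      : no scan data for the target, so the IDS view stands
    unmapped       : signature has no known finding, so nothing to check
    """
    base = BASE_RISK.get(alert.priority, 3)
    finding = sid_to_finding.get(alert.sid)
    if finding is None:
        return base, "unmapped"
    if alert.dst not in scan_results:
        return base, "unscanned"
    if finding in scan_results[alert.dst]:
        return min(10, base + 3), "confirmed"
    return max(1, base - 2), "not-vulnerable"


def correlate_all(lines, scan_results=SCAN_RESULTS, sid_to_finding=SID_TO_FINDING):
    """Parse and correlate a batch of alert lines, preserving input order."""
    out = []
    for line in lines:
        a = parse_alert(line)
        risk, verdict = correlate(a, scan_results, sid_to_finding)
        out.append({"sid": a.sid, "dst": a.dst, "risk": risk, "verdict": verdict})
    return out


if __name__ == "__main__":
    for row in correlate_all(IDS_ALERTS):
        print(f"sid={row['sid']} dst={row['dst']} risk={row['risk']:2d} {row['verdict']}")
```

The scoring constants are arbitrary; what matters is the shape of the decision: a scan result can raise or lower an alert's weight, but an unscanned host must keep the IDS's own assessment rather than being quietly downgraded, since absence of scan data is not evidence that the host is clean.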

You may have noticed that Nessus is included in this suite, and may be concerned with long term plugin feed support now that Tenable has changed
