Dailydave mailing list archives

Re: News, dumbug, prediction rebuttals.


From: Anton Chuvakin <anton () chuvakin org>
Date: Thu, 22 Dec 2005 13:08:17 -0500

Anton Chuvakin wrote:
3. My prediction: No credible open source SIM (aka, log aggregator).
Boring work gets done by corporations, and that's that. Not to mention
the impossibly high barrier to market of having to purchase and
maintain all the random devices that generate logs.


100% true. These two reasons will likely kill any future for the open
source SIM at least until all the logs are in a standard format (like
in XXVIII century, given some luck :-))


Not to be contrarian, but with Open Source, no one organization need
buy all the devices.  Given proper documentation and a convenient
interface, new log parsing routines could be added by those who already
have the devices, and contributed to the pool for future users.
Ha-ha, that was a good one :-)

If you look at a typical firewall, one sometimes needs to have a nice
set of, say, 400 pretty esoteric and ugly regular expressions [which
are not fun to write, not by a long shot] to intelligently parse all
the logs into tokens. "Given proper documentation" is another fantasy;
in many cases, there isn't any :-) And don't even get me started on
the convenient interface...

I find this prediction credible; in fact it's already true.
OSSIM already exists (www.ossim.net) and this could be its year.
After all, if correlation engines are $50k - $100k per company,
the economics of developing or contributing to a free solution make
it a very attractive proposition.

OSSIM seems stagnant; I haven't seen any new features for quite some
time. And, just as mentioned by Dave Aitel, device support is a big
issue for adoption. If you read the PIX 6.1 logs just fine, there is
nothing that tells you that you will deal with PIX 6.2 logs just as
fine... Thus, there is a good reason that many SIM software packages cost a
bit more than the above number :-)

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
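An added example, not part of this thread or of OSSIM: a small Python tokenizer of the kind the message above describes, with one regular expression per firewall message id and explicit reporting of lines whose layout no longer matches (the "6.1 parses fine, 6.2 does not" problem). The sample lines are constructed in a "%PIX-<severity>-<id>: text" style; the message ids and field layouts are illustrative, not copied from any real release.

```python
import re

# Constructed firewall log lines; ids and layouts are illustrative only.
SAMPLE_LOGS = [
    '%PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/443 to inside:10.0.0.5/52100',
    '%PIX-4-106023: Deny tcp src outside:192.0.2.9/33211 dst inside:10.0.0.5/22 by access-group "outside_in"',
    '%PIX-6-302014: Teardown TCP connection 1234 for outside:198.51.100.7/443 to inside:10.0.0.5/52100 duration 0:00:03 bytes 5120',
    # Same message id, but the field layout changed (the "6.2 logs" problem).
    '%PIX-6-302013: Built outbound TCP connection 1235 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.6/52101 (203.0.113.2/52101)',
]

HEADER = re.compile(r'^%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')
# Reusable fragment for "<interface>:<ip>/<port>", prefixed per role (src/dst).
ENDPOINT = r'(?P<{p}_if>\w+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)'

# One body pattern per message id; a real deployment needs hundreds of these.
BODY_PATTERNS = {
    '302013': re.compile(r'^Built (?P<dir>\w+) TCP connection (?P<conn>\d+) for '
                         + ENDPOINT.format(p='src') + ' to ' + ENDPOINT.format(p='dst') + '$'),
    '302014': re.compile(r'^Teardown TCP connection (?P<conn>\d+) for '
                         + ENDPOINT.format(p='src') + ' to ' + ENDPOINT.format(p='dst')
                         + r' duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)$'),
    '106023': re.compile(r'^Deny (?P<proto>\w+) src ' + ENDPOINT.format(p='src')
                         + ' dst ' + ENDPOINT.format(p='dst') + r' by access-group "(?P<acl>[^"]+)"$'),
}

def parse_line(line):
    """Return (tokens, None) on success or (None, reason) when the line is not understood."""
    m = HEADER.match(line)
    if not m:
        return None, 'no header'
    pat = BODY_PATTERNS.get(m['msgid'])
    if pat is None:
        return None, 'unknown message id ' + m['msgid']
    b = pat.match(m['body'])
    if b is None:
        # Known id, unexpected layout: exactly the drift between firewall versions.
        return None, 'layout changed for message id ' + m['msgid']
    tokens = {'severity': int(m['sev']), 'msgid': m['msgid']}
    tokens.update(b.groupdict())
    return tokens, None

def parse_all(lines):
    """Split lines into parsed token dicts and (line, reason) pairs worth alerting on."""
    parsed, unparsed = [], []
    for line in lines:
        tokens, reason = parse_line(line)
        (parsed if tokens else unparsed).append(tokens if tokens else (line, reason))
    return parsed, unparsed
```

Counting the unparsed list per message id is the cheapest early warning that a device upgrade has silently changed a log format.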
