IDS mailing list archives
Re: Ossim
From: Andre Ludwig <andre.ludwig () gmail com>
Date: Thu, 22 Sep 2005 17:22:48 -0400
Let's not forget Prelude..

http://prelude-ids.org/article.php3?id_article=66

Rather interesting functionality with it as well.

Andre

On 21 Sep 2005 15:02:49 -0000, luciani.giorgio () gmail com <luciani.giorgio () gmail com> wrote:
Hi!

I'm an IT engineering student at Politecnico di Milano. I'm studying IDS correlation for my thesis and I'm now working on ossim. I think it's a very interesting tool, although it has some problems:

1. lack of complete documentation
2. server (which implements correlation) C source code completely obscure: not a single comment in all the source code, nor a single doc about implementation. Agent and Framework are better commented (and they're in python, perl and php).
3. difficult installation (except for debian or fedora users); you have precompiled binaries, but building from source is a pain (you have to patch other tools as well) and badly documented.
4. not portable (server doesn't work well on *bsd)

Moreover, I think they should have used pure idmef, not a different implementation.

Anyway, if you can get it to work, it's really powerful imho. I think the correlation engine could be empowered (I'm working on that) because it's composed of a simple fsa implementation (you have to manually insert all possible event chains) and a very simple anomaly algorithm (calm).

This is my impression, and I'd really like to know others' too. I'd like to know if someone's tried to work on server sources, and if he's got some documentation about this.

Regards
Giorgio Luciani

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------