IDS mailing list archives
RE: Ossim
From: "Hoover, James A (THIP, Corp)" <James.Hoover () thehartford com>
Date: Mon, 26 Sep 2005 11:10:49 -0400
Just for grins & giggles I installed this off of the iso image supported by http://www.boseco.com/. It was very straight forward but I found the applicationst that are integrated are poorly documented. By that I mean that the way they are configured and integrated are poorly documented not that the base application (such as ntop) is poorly documented. I had to do a lot of digging to find the configuration files because they were not always in the same places. I've done all of my testing off of a single install so far. What I was most impressed with was the simple configuration for vulnerability assessment scans and the basic interface for reviewing vulnerability assessment results. I could not find any documentation on the installation of the software on a "sensor" only install. Does anyone have a reference for that by chance? I don't think that it requires a full install does it? Jim -----Original Message----- From: Craig Rodenberg [mailto:crodenberg () gmail com] Sent: Wednesday, September 21, 2005 2:49 PM To: thin.hack () gmail com Cc: focus-ids () securityfocus com Subject: Re: Ossim Hello Syn Ack, I've deployed OSSIM in four datacenters now. I think OSSIM is a good IPS support tool, but I wouldn't deploy it as my primary IDS unless I had a zero dollar budget for the project. OSSIM can be customized, configured and tweaked to provide reliable and sustainable network protection, but it requires a lot of configuration, and then a lot of tuning and constant updating. The Cisco ACL creation and PIX firewall rule insertion features are what I spent the most time on. The basic functionality for attack blocking is already there, but you'll want to make sure that a DDoS attack (or other spoofed attack) does not cause you to ACL / firewall your network against the entire internet. OSSIM is a good, solid security tool. My only caution to you would be: Make sure you have plenty of coffee in the break room, and be prepared to spend several late nights tweaking and tuning. OSSIM and AAnval seem to be the best "free" NETSEC tools right now. If you have slightly more than $0.00 to spend on your IPS project, you may want to consider Sentarus by Demarc. (www.demarc.com) The Sentarus appliance and host agents are heavyweight contenders with Tipping Point and ISS. They do, however, actually want customers to pay for the software. :) I may still have some OSSIM configs laying around that could help you with the Catalyst ACL's and PIX firewall rules. Let me know if you want them, and I'll start looking. Good Luck with OSSIM ! ./c0redump Craig Rodenberg, GIAC Director, INFOSEC Connectria Internet Services www.connectria.com On 9/20/05, Syn Ack <thin.hack () gmail com> wrote:
Hello list members, I'm working on implementing IDSes in the company a work for. Did some of you have experience with Ossim (http://www.ossim.net)? Any comment are welcome. Regards, Dominique ---------------------------------------------------------------------- -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ---------------------------------------------------------------------- --
************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------