IDS mailing list archives
Re: Prelude/OSSIM/OpenSIMS/OSSEC
From: "Angel Alonso Párrizas" <parrizas () gmail com>
Date: Wed, 30 Aug 2006 22:29:09 +0200
Hello:

I have a similar topology developed with OSSIM like the one you are looking for. The UNIX machines (Solaris and Linux) are monitored in two ways: logs (auth.log, messages...) that are sent to a syslog server on an OSSIM server, and integrity, checked by OSIRIS, which is managed by an OSIRIS manager also installed on the same OSSIM server.

The Windows machines, Windows 2000 Servers and XP, send the logs to the same syslog server (on the OSSIM server machine) via a tool called Snare. Snare is easy to manage. You can see the features of the tool at http://www.intersectalliance.com/projects/Snare/

Although in my case NAGIOS is not configured, OSSIM integrates the tool in its framework; you only need to configure it.

SIMS is one of the main functions of OSSIM, but the main problem is that you will have to configure the parsers properly to catch those important events reported by the different integrity checkers (OSIRIS and SNARE) or the logs sent via syslog. Also you will have to create your own correlation rules according to your topology and your needs.

With this topology: a central server running syslog (OSIRIS, which is integrated with OSSIM, OSSIM with the correct configuration, and a syslog server) and all the monitored systems sending the logs to this server, all the events will be caught (login attempts, correct logins, changes in the filesystem...). The main problem is that you will have to configure properly all the parsers and the tools, but that is only a question of time.

Regards.
Angel.

2006/8/29, Pat <securityfocus.20.patgourmet () spamgourmet com>:
Hi,

Briefly, my question: does anyone here know the best way to implement all of these (Integrity Checks, Servers Monitoring and Remote Logging) in a mixed environment (UNIX/Windows), everything being open-source?

Details of the question: I am looking for open-source products to secure our network and servers, which are a mix of Windows/Linux/AIX. I am looking for some help in deciding what products to implement.

1- I want to begin by implementing an integrity checker. I am looking at Samhain and Osiris. Samhain seems better, but since it does not support Windows, I will probably use Osiris. Maybe OSSEC also would do the job?
2- I want to run Nagios on my servers for monitoring.
3- I want to set up my UNIX and Windows servers with remote logging. For the UNIX/Linux servers, I would do remote syslogging to a syslog server such as Syslog-ng or Rsyslog. For the Windows servers, I would also set up remote logging to that same syslog server, with a client tool such as Winsyslog.
4- On top of that, I would like to implement a SIMS. I know of 3 open-source SIMS: Prelude, OSSIM and OpenSIMS. Is one better than the other with my mixed environment?
5- Would a Change Management Solution like Radmind on top of all that be compatible and worthwhile, or would it mainly be redundant?

So my question again: does anyone here know the best way to implement all of these (Integrity Checks, Servers Monitoring and Remote Logging) in a mixed environment (UNIX/Windows), everything being open-source?

Thank you.
Pat
--
Angel Alonso Párrizas
parrizas () gmail com
CCNA, SSP-MPA
___________________________________
"Freedom is not something negotiable"
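An added illustration of the parser-plus-correlation work the reply describes (this is not code from the thread, from OSSIM or from any of the tools named): a toy normaliser for lines arriving at the central syslog server, covering a forwarded UNIX auth.log entry, a Snare-relayed Windows logon failure and an Osiris change report, followed by one chained correlation rule. The sample log lines and the Snare/Osiris record layouts are constructed for the example and are not the tools' real output formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines as the central syslog server in the post might receive them;
# the Snare and Osiris records are simplified illustrations, not the tools' real formats.
SAMPLE_LOGS = [
    "Aug 30 22:01:05 sol1 sshd[412]: Failed password for root from 10.0.0.5 port 40122 ssh2",
    "Aug 30 22:01:09 sol1 sshd[412]: Failed password for root from 10.0.0.5 port 40123 ssh2",
    "Aug 30 22:01:14 sol1 sshd[412]: Failed password for root from 10.0.0.5 port 40124 ssh2",
    "Aug 30 22:01:20 sol1 sshd[415]: Accepted password for root from 10.0.0.5 port 40125 ssh2",
    "Aug 30 22:03:00 win2k MSWinEventLog Security 529 Logon Failure user=Administrator src=10.0.0.5",
    "Aug 30 22:05:00 osiris-mgr osirisd: host=sol1 change=/etc/passwd",
]
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
SSH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
SNARE_RE = re.compile(r"MSWinEventLog Security (\d+) .*user=(\S+) src=(\S+)")
OSIRIS_RE = re.compile(r"osirisd: host=(\S+) change=(\S+)")

def parse(line, year=2006):
    """Normalise one raw syslog line into an event dict; None if no parser matches."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    host, msg = m.group(2), m.group(3)
    if s := SSH_RE.search(msg):  # UNIX auth.log entry forwarded by syslog
        kind = "auth_fail" if s.group(1) == "Failed" else "auth_ok"
        return {"ts": ts, "host": host, "type": kind, "user": s.group(2), "src": s.group(3)}
    if s := SNARE_RE.search(msg):  # Windows event relayed by Snare; 529 = logon failure
        kind = "auth_fail" if s.group(1) == "529" else "win_event"
        return {"ts": ts, "host": host, "type": kind, "user": s.group(2), "src": s.group(3)}
    if s := OSIRIS_RE.search(msg):  # integrity change reported by the Osiris manager
        return {"ts": ts, "host": s.group(1), "type": "fs_change", "path": s.group(2)}

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Chained rules: N failures then a success from one source; then a file change on that host."""
    failures = defaultdict(list)   # src -> timestamps of failed logins
    compromised = {}               # host -> (src, ts) of a success that followed many failures
    alerts = []
    for e in filter(None, map(parse, lines)):
        if e["type"] == "auth_fail":
            failures[e["src"]].append(e["ts"])
        elif e["type"] == "auth_ok":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("bruteforce_success", e["src"], e["host"]))
                compromised[e["host"]] = (e["src"], e["ts"])
        elif e["type"] == "fs_change" and e["host"] in compromised:
            src, ts = compromised[e["host"]]
            if e["ts"] - ts <= window:
                alerts.append(("change_after_suspicious_login", src, e["host"]))
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields two alerts for the constructed sample: the brute-force-then-success on sol1, and the /etc/passwd change that follows it within the window.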