IDS mailing list archives

Re: Prelude/OSSIM/OpenSIMS/OSSEC


From: "Angel Alonso Párrizas" <parrizas () gmail com>
Date: Wed, 30 Aug 2006 22:29:09 +0200

Hello:
I have a similar topology developed with OSSIM like the one you are looking for.

The UNIX machines (Solaris and Linux) are monitored in two ways:
logs (auth.log, messages...) that are sent to a syslog server on an
OSSIM server, and integrity, checked by OSIRIS, which is managed by an
OSIRIS manager also installed on the same OSSIM server.
The Windows machines, Windows 2000 Servers and XP, send the logs to
the same syslog server (on the OSSIM server machine) with a tool called
Snare. Snare is easy to manage. You can see the features of the tool at
http://www.intersectalliance.com/projects/Snare/
Although in my case NAGIOS is not configured, OSSIM integrates the
tool in its framework; you only need to configure it.

SIMS is one of the main functions of OSSIM, but the main problem is that
you will have to configure the parsers properly to catch those
important events reported by the different integrity checkers
(OSIRIS and SNARE) or the logs sent via syslog. Also you will have to
create your own correlation rules according to your topology and your
needs.

With this topology: a central server running syslog (OSIRIS that is
integrated with OSSIM, OSSIM with the correct configuration, and a
syslog server) and all the monitored systems sending the logs to
this server, all the events will be caught (login attempts, correct
logins, changes in the filesystem...).
The main problem is that you will have to configure properly all the
parsers and the tools, but that is only a question of time.


Regards. Angel.

2006/8/29, Pat <securityfocus.20.patgourmet () spamgourmet com>:
Hi,

Briefly, my question: does anyone here know the best way to implement
all of these (Integrity Checks, Server Monitoring and Remote
Logging) in a mixed environment (UNIX/Windows), everything being open-source?

Details of the question:

I am looking for open-source products to secure our network and
servers, which are a mix of Windows/Linux/AIX. I am looking for some
help in deciding what products to implement.

1- I want to begin by implementing an integrity checker. I am looking
at Samhain and Osiris. Samhain seems better, but since it does not
support Windows, I will probably use Osiris. Maybe OSSEC would also
do the job?

2- I want to run Nagios on my servers for monitoring

3- I want to set up my UNIX and Windows servers with remote logging.
For the UNIX/Linux servers, I would do remote syslogging to a syslog
server such as Syslog-ng or Rsyslog. For the Windows servers, I would
also set up remote logging to that same syslog server, with a client
tool such as Winsyslog.

4- On top of that, I would like to implement a SIMS. I know of 3
open-source SIMS: Prelude, OSSIM and OpenSIMS. Is one better than the
other with my mixed environment?

5- Would a Change Management Solution like Radmind on top of all that
be compatible and worthwhile, or would it mainly be redundant?

So my question again: does anyone here know the best way to implement
all of these (Integrity Checks, Server Monitoring and Remote
Logging) in a mixed environment (UNIX/Windows), everything being open-source?


Thank you.

Pat


--
Angel Alonso Párrizas
parrizas () gmail com

CCNA, SSP-MPA

___________________________________
"Freedom is not negotiable"
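As an added example (not code from this thread, nor from OSSIM, OSIRIS or Snare), here is the kind of parser-plus-correlation-rule work the reply describes, in Python: Linux auth.log lines and Windows logon events forwarded by a Snare-style agent to the central syslog server are normalised into one event shape, and a single rule then flags repeated failed logons followed by a success from the same source address. All sample lines are constructed; the tab-separated Windows field layout is an assumption for illustration and not Snare's real format, while event IDs 529 (logon failure) and 528 (successful logon) are the genuine Windows 2000/XP security event IDs.

```python
import re
from collections import defaultdict
# Linux sshd lines as they arrive from auth.log via syslog.
SSH_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)
WIN_EVENT = {"529": "failed", "528": "success"}  # Windows 2000/XP logon event IDs

# Constructed sample lines. The Windows layout is an ASSUMED simplification:
# "<syslog header> <host> MSWinEventLog<TAB>Security<TAB><event id><TAB><user><TAB><source ip>"
SAMPLE = [
    "Aug 30 22:10:01 srv1 sshd[1234]: Failed password for root from 10.0.0.5 port 4444 ssh2",
    "Aug 30 22:10:02 srv1 sshd[1235]: Failed password for invalid user admin from 10.0.0.5 port 4445 ssh2",
    "Aug 30 22:10:05 win1 MSWinEventLog\tSecurity\t529\tAdministrator\t10.0.0.5",
    "Aug 30 22:10:09 win1 MSWinEventLog\tSecurity\t528\tAdministrator\t10.0.0.5",
    "Aug 30 22:10:15 srv2 sshd[99]: Accepted password for bob from 10.0.0.7 port 5000 ssh2",
]

def parse(line):
    """Normalise one syslog line to {host, user, src, result}; None if unknown."""
    m = SSH_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["result"] = "failed" if ev["result"] == "Failed" else "success"
        return ev
    if "MSWinEventLog" in line:
        f = line.split("\t")
        if len(f) >= 5 and f[2] in WIN_EVENT:
            return {"host": f[0].split()[-2], "user": f[3], "src": f[4],
                    "result": WIN_EVENT[f[2]]}
    return None  # unparsed: a real SIM should count these to reveal parser gaps

def correlate(lines, threshold=3):
    """Rule: >= threshold failed logons from one source IP, then a success from it."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            alerts.append(f"{src}: {failures[src]} failures then success as {ev['user']} on {ev['host']}")
            failures[src] = 0  # reset so one success raises one alert
    return alerts
```

Note that the failures are counted per source across both the Linux and the Windows hosts, which is exactly what a per-host tool cannot see and why the central syslog server matters.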