Security Basics mailing list archives
Re: Open Source Security Information Management (OSSIM)
From: Joe <bitshield () gmail com>
Date: Mon, 2 Jul 2007 19:03:43 +0200
Hello Neil About one year ago, I checked out OSSIM quite thoroughly. My findings were more frustrating than something else. First of all I was not able to configure a properly running system, even after going through the installation manual multiple times. I then realized that I was not the only one who had such problems. During my research I only found one guy, who was able to set up a running OSSIM. One source stated that an OSSIM developer said: "if hell was coded, it would have been done like our server". This was the definitive answer to my question: fingers way! Reading the documentation at this time was also a real pain. It was not useful at all. Finally, the VMWare is only good for demo purposes. If you plan to run a productive system, them you must be able to build the system from scratch and you should also be able to maintain the software, which is probably a hard undertaking with OSSIM. As I said, this was about one year ago… The GUI looks really nice but… joe On 6/26/07, neil () horizontheory com <neil () horizontheory com> wrote:
Does anyone have any experience using OSSIM? I'm looking to beef up security at a school having about a thousand computers, about 800 of them laptops that students and staff take home and bring back, and a bit over a dozen servers (many of which are planned to be taken out of service). In addition, they have an open wireless connection (though connectivity to the internet is restricted via ISA). The school is rapidly growing, and while they've been lucky to have mostly benign students, I think the security is inadequate. (I'm looking at some other stuff too, like some firewalls to compartmentalize the network.) I'm looking to OSSIM to try to help bring a much greater insight into what's travelling across the network. In particular, I like the sound of anomaly detection, a consolidated place to view all events on the network that can be filtered as needed (to isolate the behavior of a particular box, and thus a user). Of course, these are imperfect sciences, so I would love to hear how it fares for others. Ideally, I would like to set up just one OSSIM box to have it monitor the network, but it looks like it would really need agents, particularly on the servers. Naturaly, any other opinions, feedback, or advice would be great (even if its not about OSSIM, as long as it helps me get to my goal). Thanks. -- Neil.
Current thread:
- Re: Open Source Security Information Management (OSSIM) Joe (Jul 02)