Security Basics mailing list archives

Re: Open Source Security Information Management (OSSIM)


From: Joe <bitshield () gmail com>
Date: Mon, 2 Jul 2007 19:03:43 +0200

Hello Neil

About one year ago, I checked out OSSIM quite thoroughly. My findings
were more frustrating than something else. First of all I was not able
to configure a properly running system, even after going through the
installation manual multiple times. I then realized that I was not the
only one who had such problems. During my research I only found one
guy, who was able to set up a running OSSIM.

One source stated that an OSSIM developer said: "if hell was coded, it
would have been done like our server". This was the definitive answer
to my question: fingers away!

Reading the documentation at this time was also a real pain. It was
not useful at all. Finally, the VMWare is only good for demo purposes.
If you plan to run a productive system, then you must be able to build
the system from scratch and you should also be able to maintain the
software, which is probably a hard undertaking with OSSIM.

As I said, this was about one year ago… The GUI looks really nice but…


joe

On 6/26/07, neil () horizontheory com <neil () horizontheory com> wrote:
Does anyone have any experience using OSSIM?

I'm looking to beef up security at a school having about a thousand
computers, about 800 of them laptops that students and staff take home
and bring back, and a bit over a dozen servers (many of which are
planned to be taken out of service).  In addition, they have an open
wireless connection (though connectivity to the internet is restricted
via ISA).  The school is rapidly growing, and while they've been lucky
to have mostly benign students, I think the security is inadequate.
(I'm looking at some other stuff too, like some firewalls to
compartmentalize the network.)

I'm looking to OSSIM to try to help bring a much greater insight into
what's travelling across the network.  In particular, I like the sound
of anomaly detection, a consolidated place to view all events on the
network that can be filtered as needed (to isolate the behavior of a
particular box, and thus a user).  Of course, these are imperfect
sciences, so I would love to hear how it fares for others.

Ideally, I would like to set up just one OSSIM box to have it monitor
the network, but it looks like it would really need agents,
particularly on the servers.

Naturally, any other opinions, feedback, or advice would be great (even
if it's not about OSSIM, as long as it helps me get to my goal).

Thanks.
--
Neil.
