Dailydave mailing list archives

Re: News, dumbug, prediction rebuttals


From: Dominique Karg <dk () ossim net>
Date: Sat, 24 Dec 2005 13:22:13 +0100

Hello,

this is my first post to this list and I must admit I haven't been following it until today. I'd like to greet everybody warmly first of all. A friend pointed me at the discussion regarding this and the follow-ups:
(sorry for not quoting appropriately, I don't have the original posts)

----------
"""
A Credible Open-Source SIM
There's about $100MM spent annually on products that manage and
correlate logs. Guess what? None of it is hard to do. The underlying
tools are there. Customers know how to do this better than the vendors
do. Expect a mainstream open-source combination of Argus
<http://www.qosient.com/argus/> and Sguil
<http://sguil.sourceforge.net/> to own the security management
conversation next year.

"""

3. My prediction: No credible open source SIM (aka, log aggregator).
Boring work gets done by corporations, and that's that. Not to mention
the impossibly high barrier to market of having to purchase and
maintain all the random devices that generate logs.

Anyways, as always, those are only opinions. I guess we'll find out
next year. :>

- - -dave

-----------

I'd like to agree with most of the points:

- Log aggregation and the number of supported devices are one of the hardest hurdles open source SIM systems face / will face, performance being the other one.

As a quick introduction: we have no problems at all on the parsing side (Python code with all the matching regexps) nor in the correlation engine part; it's the event visualization part, with around 2 million stored events being the standard limit for common hardware (we use ACID/BASE as the event visualization frontend).

- Part of SIM's mission is in unifying disparate tools and views into a single view.

Fully agree with this point and if you can combine functionality of different systems that weren't intended to work together into one, well, even better.

I have to strongly disagree with there not being room for an open source SIM and it not being able to handle load similar to commercial devices. There are ways of overcoming this which we can handle (scaled / distributed architecture) and others which we can't and thus far have failed at (device support).

Last but not least, I just wanted to say that there has indeed been a slowdown in OSSIM development (mainly my fault), but that seems to have been solved now.

Well, I don't want to make a first message much longer and hope I'll be able to join you in these sorts of discussions in the future. Just one last question: besides actual log parsing (sheer amount of devices) and performance, what do you think are the biggest hurdles for an open source SIM to be useful to companies / the community at large?

Thank you and greetings,

Dominique
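The message above mentions the two SIM stages the author says are not the bottleneck, regexp-based parsing and a correlation engine. As an added illustration of what those two stages look like in miniature (example code written for this archive page, not OSSIM's own parser or rules), the block below normalises a few constructed syslog lines from two hypothetical sources (an sshd authentication failure and an iptables drop message) into a common event dictionary, then runs a simple threshold correlation rule over the stream: three failed logins from one source IP within 60 seconds raise one alert. The regexes, log lines, field names and the `ThresholdRule` class are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log sources. Syslog lines carry no year, so one is assumed here.
YEAR = 2005

# Each parser is (normalised event type, compiled regex). The regexes are
# constructed for this example and do not come from OSSIM.
PARSERS = [
    ("ssh_auth_failure", re.compile(
        r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
        r"Failed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<src_ip>[\d.]+) port \d+")),
    ("fw_drop", re.compile(
        r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: IPTABLES DROP: .*"
        r"SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+) .*DPT=(?P<dst_port>\d+)")),
]


def parse_line(line):
    """Try each parser in turn; return a normalised event dict or None if no regex matches."""
    for event_type, rx in PARSERS:
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            ts = datetime.strptime(f"{YEAR} {fields.pop('ts')}", "%Y %b %d %H:%M:%S")
            return {"type": event_type, "ts": ts, **fields}
    return None


class ThresholdRule:
    """Fire an alert when `threshold` events of `event_type` share the same `key`
    value inside a sliding time `window`. A hypothetical rule shape, not OSSIM's."""

    def __init__(self, event_type, key, threshold, window):
        self.event_type, self.key = event_type, key
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # key value -> timestamps inside the window

    def feed(self, event):
        if event["type"] != self.event_type:
            return None
        k = event[self.key]
        q = self.seen[k]
        q.append(event["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and event["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # reset so the rule does not refire on every following event
            return {"rule": f"{self.threshold}x {self.event_type} per {self.key}",
                    "key": k, "ts": event["ts"]}
        return None


def run_pipeline(lines, rules):
    """Parse every line, feed parsed events to the rules; return (events, alerts, unparsed)."""
    events, alerts, unparsed = [], [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)  # unsupported device/format: the hurdle the post mentions
            continue
        events.append(ev)
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return events, alerts, unparsed


# Constructed sample input: four ssh failures from 10.0.0.5 (three inside one minute),
# one from 10.0.0.9, a firewall drop, and one line no parser understands.
SAMPLE_LOGS = [
    "Dec 24 13:01:02 gw1 sshd[2211]: Failed password for root from 10.0.0.5 port 40211 ssh2",
    "Dec 24 13:01:05 gw1 sshd[2213]: Failed password for invalid user admin from 10.0.0.5 port 40212 ssh2",
    "Dec 24 13:01:09 gw1 kernel: IPTABLES DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP SPT=5123 DPT=23",
    "Dec 24 13:01:10 gw1 sshd[2215]: Failed password for root from 10.0.0.9 port 50000 ssh2",
    "Dec 24 13:01:31 gw1 sshd[2219]: Failed password for root from 10.0.0.5 port 40213 ssh2",
    "Dec 24 13:03:00 gw1 sshd[2230]: Failed password for root from 10.0.0.5 port 40214 ssh2",
    "Dec 24 13:03:01 gw1 cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]


def demo():
    rules = [ThresholdRule("ssh_auth_failure", "src_ip", threshold=3, window=timedelta(seconds=60))]
    return run_pipeline(SAMPLE_LOGS, rules)


if __name__ == "__main__":
    events, alerts, unparsed = demo()
    print(f"{len(events)} events parsed, {len(unparsed)} unparsed, {len(alerts)} alert(s)")
    for a in alerts:
        print("ALERT", a)
```

The unparsed list is the practical face of the device-support problem the post raises: every source format needs its own regex before its events can reach the correlation stage at all, and the rule only ever sees what the parsers managed to normalise.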

