Educause Security Discussion mailing list archives
Re: anyone using OSSIM....
From: "E. Todd Atkins" <todd.atkins () UCSB EDU>
Date: Tue, 16 Mar 2010 13:32:53 -0700
Russell Fulton wrote:
We have just set up a default install of OSSIM and first impressions are favourable -- what seems to be lacking is decent documentation -- presumably you get this when you buy the commercial version. Does anyone have any notes/experience in using OSSIM with several different snort sensors that run different rule sets and need to be treated separately? Or even for getting snort data in from sensors on other machines... R
I've been running OSSIM with snort running on a remote ossim sensor since last year. Here is how to get data from the remote sensors...

Set up your remote snort sensor:
- set up to do unified logging
- Install ossim-agent
- Enable the snortunified plugin
- Check to make sure the plugin file has the correct settings
- Restart ossim-agent

On the OSSIM console...
- Go to Assets -> SIEM Components and add the sensor

Note that alerts must have a defined plugin_sid within ossim to be logged, so you have to add any custom or 3rd party rules by hand. I added mine directly to the database since I didn't see any other way and had quite a few to add. You can see the ones that are defined under Configuration -> Collection.

--
E. Todd Atkins
Office of Information Technology
University of California, Santa Barbara
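As an added illustration of the plugin_sid point in Todd's reply (example code written for this archive page, not from the thread or from OSSIM itself): a script that reads a Snort rules file, reports which custom sids still have no plugin_sid entry, and generates the INSERT statements for them. The snort plugin_id of 1001 and the plugin_sid column layout are assumptions to check against your own OSSIM database; the sample rules are constructed.

```python
import re

# Constructed sample rules file (not from the original post): two live custom
# rules plus one commented-out rule that must be ignored.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force"; flow:to_server; threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:2;)
# alert tcp any any -> any 80 (msg:"LOCAL disabled rule"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"LOCAL DNS to unusual resolver"; sid:1000003; rev:1; classtype:policy-violation;)
"""

# One active rule per line: an action keyword, then options with msg before
# sid (the order Snort rules conventionally use). Commented lines never match.
RULE_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s.*?\(.*?msg:"([^"]*)".*?\bsid:(\d+)\s*;',
    re.M,
)

def parse_rules(text):
    """Return {sid: msg} for every active (uncommented) rule in the text."""
    return {int(sid): msg for msg, sid in RULE_RE.findall(text)}

def missing_plugin_sids(rules, defined_sids):
    """Sids present in the rules file but unknown to OSSIM; alerts for these
    are not logged by the agent until a plugin_sid row exists."""
    return sorted(sid for sid in rules if sid not in defined_sids)

def plugin_sid_inserts(rules, defined_sids, plugin_id=1001, reliability=3, priority=2):
    """Build INSERT statements for the missing sids.
    ASSUMPTION: OSSIM's snort plugin_id is 1001 and plugin_sid has the columns
    (plugin_id, sid, reliability, priority, name); verify against your schema."""
    stmts = []
    for sid in missing_plugin_sids(rules, defined_sids):
        name = "snort: " + rules[sid].replace("'", "''")  # escape for the SQL literal
        stmts.append(
            "INSERT INTO plugin_sid (plugin_id, sid, reliability, priority, name) "
            f"VALUES ({plugin_id}, {sid}, {reliability}, {priority}, '{name}');"
        )
    return stmts

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Constructed stand-in for the result of
    # `SELECT sid FROM plugin_sid WHERE plugin_id = 1001` on the OSSIM server.
    already_defined = {1000001}
    for stmt in plugin_sid_inserts(rules, already_defined):
        print(stmt)
```

Run the generated statements against the ossim database only after confirming the column list matches the installed schema, then check the new entries appear under Configuration -> Collection.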