Educause Security Discussion mailing list archives

Re: anyone using OSSIM....


From: "E. Todd Atkins" <todd.atkins () UCSB EDU>
Date: Tue, 16 Mar 2010 13:32:53 -0700

Russell Fulton wrote:
We have just set up a default install of OSSIM and first impressions are favourable -- what seems to be lacking is 
decent documentation -- presumably you get this when you buy the commercial version.

Does anyone have any notes/experience in using OSSIM with several different snort sensors that run different rule 
sets and need to be treated separately?

Or even for getting snort data in from sensors on other machines...

R

I've been running OSSIM with snort running on a remote ossim sensor
since last year. Here is how to get data from the remote sensors...

    Set up your remote snort sensor to do unified logging
    Install ossim-agent
    Enable the snortunified plugin
    Check to make sure the plugin file has the correct settings
    Restart ossim-agent

On the OSSIM console...
    Go to Assets -> SIEM Components and add the sensor

Note that alerts must have a defined plugin_sid within ossim to be
logged, so you have to add any custom or 3rd party rules by hand. I
added mine directly to the database since I didn't see any other way and
had quite a few to add. You can see the ones that are defined under
Configuration -> Collection.

--
E. Todd Atkins
Office of Information Technology
University of California, Santa Barbara
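Todd mentions that custom and third-party snort rules have no plugin_sid in OSSIM until someone adds them, and that with many rules the practical route is writing rows straight into the database. The script below is an added example, not code from the post or from the OSSIM project: it reads snort rule text, pulls out each rule's sid and msg, and emits MySQL INSERT statements for OSSIM's plugin_sid table. The column list (plugin_id, sid, category_id, class_id, reliability, priority, name), the snort plugin_id of 1001, and the default reliability and priority values are assumptions to check against your own OSSIM schema before loading anything; the sample rules are constructed for the example.

```python
"""
Generate SQL that registers custom Snort rules as OSSIM plugin_sid rows.

Added example, not from the mailing-list post or from OSSIM itself.
Assumptions (verify against your OSSIM database before using the output):
  - plugin_sid has columns
    (plugin_id, sid, category_id, class_id, reliability, priority, name)
  - OSSIM's plugin_id for snort is 1001
  - INSERT IGNORE is acceptable (MySQL), so rules already defined
    under Configuration -> Collection are left untouched
"""
import re

SNORT_PLUGIN_ID = 1001      # assumption: OSSIM plugin id for snort
DEFAULT_RELIABILITY = 3     # assumption: tune per rule set
DEFAULT_PRIORITY = 2        # assumption: tune per rule set

# Constructed sample, shaped like a sensor's local.rules file.
SAMPLE_RULES = """\
# local rules for the DMZ sensor
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000001; rev:2; priority:2;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL suspicious DNS TXT query"; content:"|00 10 00 01|"; sid:1000002; rev:1;)
drop tcp any any -> $HOME_NET 3389 (msg:"LOCAL RDP from outside the admin's VLAN"; sid:1000003; rev:1; priority:1;)
alert tcp any any -> any any (msg:"no sid here";)
"""

# A rule is: action, protocol, header fields, then "(" options ")".
RULE_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+.*?\((?P<opts>.*)\)\s*$')
# msg may contain escaped quotes; sid is a plain integer.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')


def parse_rules(text):
    """Return [(sid, msg), ...] for every rule that carries both a sid and a msg.

    Comment lines, blank lines, and rules without a sid are skipped, since
    OSSIM keys plugin_sid rows on the numeric sid.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group('opts')
        sid = SID_RE.search(opts)
        msg = MSG_RE.search(opts)
        if not sid or not msg:
            continue
        rows.append((int(sid.group(1)), msg.group(1)))
    return rows


def sql_escape(value):
    """Escape a string for use inside single quotes in a MySQL literal."""
    return value.replace('\\', '\\\\').replace("'", "''")


def to_insert(sid, name, plugin_id=SNORT_PLUGIN_ID,
              reliability=DEFAULT_RELIABILITY, priority=DEFAULT_PRIORITY):
    """Build one INSERT IGNORE statement for the assumed plugin_sid schema."""
    return ("INSERT IGNORE INTO plugin_sid "
            "(plugin_id, sid, category_id, class_id, reliability, priority, name) "
            "VALUES (%d, %d, NULL, NULL, %d, %d, '%s');"
            % (plugin_id, sid, reliability, priority, sql_escape(name)))


def generate_sql(text):
    """Parse rule text and return the list of INSERT statements."""
    return [to_insert(sid, msg) for sid, msg in parse_rules(text)]


if __name__ == '__main__':
    # Pipe the output into the OSSIM database after reviewing it, e.g.
    #   python this_script.py > plugin_sid_custom.sql
    for stmt in generate_sql(SAMPLE_RULES):
        print(stmt)
```

Review the generated file before loading it; the reliability and priority columns drive OSSIM's risk calculation, so rules that matter to you deserve hand-set values rather than the defaults above.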
