IDS mailing list archives

RE: Ossim


From: Jason A Minto <jminto () lomin com>
Date: Tue, 04 Oct 2005 21:47:30 -0400


I am currently working on the follow-up SIM CD release. SIM CD is currently being developed and hosted by Lomin LLC (http://www.lomin.com/). This is the same SIM CD that was formerly offered by Boseco Security. The next release brings about a lot of changes to the SIM CD. Jim, a lot of your issues with configuration files being located in different places are addressed in this release. The goal of SIM CD is to make deployment of OSSIM as easy as possible.

The next version of SIM CD is based on CentOS, so the standard configuration file locations for that distribution should be expected. To answer the question about a "sensor" install, the easiest thing to do is use the same ISO to do the stand-alone install. Unfortunately there is no way to get around a "complete install" with SIM CD. Once it is installed you can easily stop the services you do not want to run on your sensor. The old 9.6.1 version of SIM CD uses a mix of "daemontools" and System V startup scripts; go through each of those to disable the services you do not want to run. Information about "daemontools" can be found here: http://cr.yp.to/daemontools.html. Lomin LLC will be offering a user manual in the near future to help you install a distributed system with sensors.

Further information is available on the SIM CD Forums (http://sim.lomin.com/forums/). There you can post any questions you might have about OSSIM. This is the same forum formerly hosted by Boseco Security. Its look has been changed, but all of the old messages are there.

Jason A Minto

----- Original Message -----

From: Hoover, James A (THIP, Corp) <James.Hoover () thehartford com>
Date: Sep 26, 2005 11:10 PM
Subject: RE: Ossim
To: Craig Rodenberg <crodenberg () gmail com>, thin.hack () gmail com
Cc: focus-ids () securityfocus com


Just for grins & giggles I installed this off of the ISO image supported
by http://www.boseco.com/.  It was very straightforward, but I found the
applications that are integrated are poorly documented.  By that I mean
that the way they are configured and integrated is poorly documented,
not that the base application (such as ntop) is poorly documented.  I
had to do a lot of digging to find the configuration files because they
were not always in the same places.  I've done all of my testing off of
a single install so far.  What I was most impressed with was the simple
configuration for vulnerability assessment scans and the basic interface
for reviewing vulnerability assessment results.

I could not find any documentation on the installation of the software
on a "sensor" only install.  Does anyone have a reference for that by
chance?  I don't think that it requires a full install, does it?


Jim


-----Original Message-----
From: Craig Rodenberg [mailto:crodenberg () gmail com]
Sent: Wednesday, September 21, 2005 2:49 PM
To: thin.hack () gmail com
Cc: focus-ids () securityfocus com
Subject: Re: Ossim

Hello Syn Ack,

I've deployed OSSIM in four datacenters now. I think OSSIM is a good IPS
support tool, but I wouldn't deploy it as my primary IDS unless I had a
zero dollar budget for the project.  OSSIM can be customized, configured
and tweaked to provide reliable and sustainable network protection, but
it requires a lot of configuration, and then a lot of tuning and
constant updating.

The Cisco ACL creation and PIX firewall rule insertion features are what
I spent the most time on. The basic functionality for attack blocking is
already there, but you'll want to make sure that a DDoS attack (or other
spoofed attack) does not cause you to ACL / firewall your network
against the entire internet.

OSSIM is a good, solid security tool. My only caution to you would be:
make sure you have plenty of coffee in the break room, and be prepared
to spend several late nights tweaking and tuning.

OSSIM and AAnval seem to be the best "free" NETSEC tools right now.

If you have slightly more than $0.00 to spend on your IPS project, you
may want to consider Sentarus by Demarc (www.demarc.com).  The Sentarus
appliance and host agents are heavyweight contenders with Tipping Point
and ISS. They do, however, actually want customers to pay for the
software. :)

I may still have some OSSIM configs lying around that could help you
with the Catalyst ACLs and PIX firewall rules. Let me know if you want
them, and I'll start looking.

Good luck with OSSIM!

./c0redump

Craig Rodenberg, GIAC
Director, INFOSEC
Connectria Internet Services
www.connectria.com


On 9/20/05, Syn Ack <thin.hack () gmail com> wrote:
Hello list members,
I'm working on implementing IDSes in the company I work for. Do any
of you have experience with Ossim (http://www.ossim.net)?
Any comments are welcome.
Regards,

Dominique
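Craig's caution above, that a DDoS or other spoofed attack can turn automatic ACL / PIX rule insertion into a self-inflicted block of the entire internet, can be given a concrete shape. The following is an added example, not OSSIM's code and not anything Craig posted; it assumes a hypothetical `AutoBlocker` sitting between IDS alerts and the rule-pushing step, with constructed address ranges, thresholds and alert stream. It refuses to block allowlisted networks, stops issuing new blocks when the number of distinct alert sources inside one window looks like a spoofed flood rather than one attacker, and caps the number of active blocks so a long campaign cannot fill the ACL.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass


@dataclass
class BlockPolicy:
    # Networks that must never be blocked (hypothetical values: own ranges, resolver).
    never_block: tuple
    window_seconds: int = 60
    # More distinct "attackers" than this inside one window looks like a spoofed flood.
    max_sources_per_window: int = 50
    # Hard cap on simultaneous blocks so a long campaign cannot fill the ACL.
    max_active_blocks: int = 500


class AutoBlocker:
    """Decides whether an IDS alert should become a firewall/ACL deny (hypothetical)."""

    def __init__(self, policy: BlockPolicy):
        self.policy = policy
        self._never = [ipaddress.ip_network(n) for n in policy.never_block]
        self.active = set()       # sources currently blocked
        self._recent = deque()    # (timestamp, source) of alerts seen in the window

    def _prune(self, now: float) -> None:
        # Drop alerts older than the window so a past flood does not suppress forever.
        cutoff = now - self.policy.window_seconds
        while self._recent and self._recent[0][0] < cutoff:
            self._recent.popleft()

    def decide(self, source: str, now: float) -> tuple:
        """Return (should_block, reason) for an alert from `source` at time `now`."""
        addr = ipaddress.ip_address(source)
        if any(addr in net for net in self._never):
            return False, "allowlisted"
        self._prune(now)
        self._recent.append((now, source))
        distinct = len({s for _, s in self._recent})
        if distinct > self.policy.max_sources_per_window:
            # Many distinct sources at once: spoofed flood, not one attacker. Refuse to
            # push blocks rather than deny the internet one /32 at a time.
            return False, "suppressed: %d distinct sources in window" % distinct
        if source in self.active:
            return False, "already blocked"
        if len(self.active) >= self.policy.max_active_blocks:
            return False, "cap reached"
        self.active.add(source)
        return True, "block"


def acl_line(acl_number: int, source: str) -> str:
    """Cisco IOS extended ACL entry denying all IP traffic from one host."""
    return "access-list %d deny ip host %s any" % (acl_number, source)


def simulate() -> dict:
    """Constructed alert stream: three genuine scanners, one own-resolver alert,
    then a spoofed flood of 200 distinct sources within two seconds."""
    policy = BlockPolicy(never_block=("192.0.2.0/24", "198.51.100.53/32"))
    blocker = AutoBlocker(policy)
    counts = {}

    def record(src, t):
        ok, why = blocker.decide(src, t)
        key = why.split(":")[0]
        counts[key] = counts.get(key, 0) + 1

    for i, src in enumerate(("203.0.113.10", "203.0.113.11", "203.0.113.12")):
        record(src, float(i))
    record("198.51.100.53", 3.0)          # our own resolver: must stay allowlisted
    for n in range(200):                  # spoofed flood, all "new" sources
        record("100.64.1.%d" % n, 10.0 + n / 100.0)
    return {
        "counts": counts,
        "active": sorted(blocker.active),
        "acl": [acl_line(101, s) for s in sorted(blocker.active)],
    }


if __name__ == "__main__":
    result = simulate()
    print(result["counts"])
    print("\n".join(result["acl"][:3]))
```

The blocks issued before the flood threshold trips stay in place (50 in the constructed run), which is the price of a threshold that cannot see the future; a real deployment would also age blocks out of the ACL after a fixed time and alert an operator when suppression engages, and the IOS line is only the single-host form of the deny.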

----------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
----------------------------------------------------------------------


