IDS mailing list archives
RE: Ossim
From: Jason A Minto <jminto () lomin com>
Date: Tue, 04 Oct 2005 21:47:30 -0400
I am currently working on the follow-up SIM CD Release. SIM CD is currently being developed and hosted by Lomin LLC (http://www.lomin.com/). This is the same SIM CD that was formerly offered by Boseco Security. The next release brings about a lot of changes to the SIM CD. Jim, a lot of your issues with configuration files being located in different places is addressed in this release. The goal of SIM CD is to make deployment of OSSIM as easy as possible. The next version of SIM CD is based on CentOS. Standard configuration file location for that distribution should be expected. To answer the question about a "sensor" install, the easiest thing to do is use the same ISO to do the stand-alone install. Unfortunately there is no way to get around a "complete install" with SIM CD. Once it is installed you can easily stop services you do not want to run on your sensor. The old 9.6.1 version of SIM CD uses a mix of "daemontools" and System V startup scripts. Go through each of those to disable services you do not want to run. Information about "daemontools" can be found here: http://cr.yp.to/daemontools.html. Lomin LLC will be offering a user manual in the near future to help you install a distributed system with sensors.
Further information is available on the SIM CD Forums (http://sim.lomin.com/forums/). There you can post any questions you might have about OSSIM. This is the same forum formerly hosted by Boseco Security. Its look has been changed, but all of the old messages are there.
Jason A Minto ----- Original Message -----
From: Hoover, James A (THIP, Corp) <James.Hoover () thehartford com> Date: Sep 26, 2005 11:10 PM Subject: RE: Ossim To: Craig Rodenberg <crodenberg () gmail com>, thin.hack () gmail com Cc: focus-ids () securityfocus com Just for grins & giggles I installed this off of the iso image supported by http://www.boseco.com/. It was very straight forward but I found the applicationst that are integrated are poorly documented. By that I mean that the way they are configured and integrated are poorly documented not that the base application (such as ntop) is poorly documented. I had to do a lot of digging to find the configuration files because they were not always in the same places. I've done all of my testing off of a single install so far. What I was most impressed with was the simple configuration for vulnerability assessment scans and the basic interface for reviewing vulnerability assessment results. I could not find any documentation on the installation of the software on a "sensor" only install. Does anyone have a reference for that by chance? I don't think that it requires a full install does it? Jim -----Original Message----- From: Craig Rodenberg [mailto:crodenberg () gmail com] Sent: Wednesday, September 21, 2005 2:49 PM To: thin.hack () gmail com Cc: focus-ids () securityfocus com Subject: Re: Ossim Hello Syn Ack, I've deployed OSSIM in four datacenters now. I think OSSIM is a good IPS support tool, but I wouldn't deploy it as my primary IDS unless I had a zero dollar budget for the project. OSSIM can be customized, configured and tweaked to provide reliable and sustainable network protection, but it requires a lot of configuration, and then a lot of tuning and constant updating. The Cisco ACL creation and PIX firewall rule insertion features are what I spent the most time on. The basic functionality for attack blocking is already there, but you'll want to make sure that a DDoS attack (or other spoofed attack) does not cause you to ACL / firewall your network against the entire internet. OSSIM is a good, solid security tool. My only caution to you would be: Make sure you have plenty of coffee in the break room, and be prepared to spend several late nights tweaking and tuning. OSSIM and AAnval seem to be the best "free" NETSEC tools right now. If you have slightly more than $0.00 to spend on your IPS project, you may want to consider Sentarus by Demarc. (www.demarc.com) The Sentarus appliance and host agents are heavyweight contenders with Tipping Point and ISS. They do, however, actually want customers to pay for thesoftware. :)I may still have some OSSIM configs laying around that could help you with the Catalyst ACL's and PIX firewall rules. Let me know if you want them, and I'll start looking. Good Luck with OSSIM ! ./c0redump Craig Rodenberg, GIAC Director, INFOSEC Connectria Internet Services www.connectria.com On 9/20/05, Syn Ack <thin.hack () gmail com> wrote:Hello list members, I'm working on implementing IDSes in the company a work for. Did some of you have experience with Ossim (http://www.ossim.net)? Any comment are welcome. Regards, Dominique ---------------------------------------------------------------------- -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ---------------------------------------------------------------------- --************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
Current thread:
- RE: Ossim Jason A Minto (Oct 05)