PaulDotCom mailing list archives

OSSIM


From: pauldotcom at grymoire.com (Grymoire)
Date: Mon, 14 Dec 2009 16:48:43 -0500



I've been playing around with OSSIM as a SIM product.
Some comments.

    1) It does nicely integrate many open source tools.

    2) Install is easy - but it overwrites an entire disk. There
       is no obvious way to install it on top of an OS, or install
       it as a dual-boot system.

       I installed it in a VM environment. I tried Sun's Virtual
       Box, and it worked for a while. But I'm trying to manage
       multiple ethernet interfaces, USB drives, and shared folders,
       and that is not working well at all. I'm going to give up on
       VirtualBox on a Windows XP system. I'll try a native OSSIM
       install on a spare disk, after disconnecting the current disks.

    3) It bothers me that "AlienVault Professional SIEM now offers
       30 times the performance of OSSIM for any traffic type."

       This suggests to me that improvements are not going back into
       Open Source, and that the 95% open source OSSIM product is
       essentially crippleware. As one example, they forked
       ACID/BASE and the improvements were not integrated back into
       BASE source code.

It's not clear that investing in the product will have any indirect
benefit to non-OSSIM users.



