The Open Source Security Information Manager (OSSIM) project from AlienVault is worthy of review. OSSIM offers a free entry into the SIEM arena and is truly noteworthy. The concept behind OSSIM is simple: don't reinvent the wheel. The tool leverages many open source tools such as:
- Snort (IDS/IPS)
- OpenVAS (fork of Nessus)
- Ntop (network monitoring)
- Nagios (network monitoring)
- PADS (passive asset detection system)
- p0f (passive OS fingerprinting)
- OCS-NG (asset management)
- OSSEC (HIDS)
- OSVDB (vulnerability database)
- NFSen/NFDump (netflow tools)
- Inprotect (web interface for Nessus, OpenVAS, and NMAP)
- NMAP (scanning tool)
These tools work together as a cohesive unit. In addition, the AlienVault team has built a quality correlation and risk assessment engine that glues the other tools together and allows you to "connect the dots" and "find the needle in the haystack."
OSSIM works on an agent-server basis. Security event data is collected from sensors using plugins that parse the data properly and normalize it into a common format. Once the data is collected, a risk assessment is performed and the data is correlated with other data. Alerts are generated, and the security analyst may manage the system to fine tune it and perform analysis. Reports may be generated, and dashboards are used to provide graphical measurements of the organizational security posture.
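To make the collect / normalize / assess / correlate pipeline concrete, here is a small added example (my own illustration, not OSSIM code). It assumes a constructed Snort and OSSEC line, an assumed asset inventory, and the scoring asset value × priority × reliability / 25 (OSSIM's published scoring, not something this post describes); the cross-sensor correlation rule is a simplified stand-in for a real directive.

```python
import re
from collections import defaultdict

# Constructed sample sensor output in two raw formats (not real captures).
RAW_EVENTS = [
    "snort: [1:2003:8] WEB-MISC cmd.exe access [Priority: 2] 10.0.0.5 -> 10.0.0.20",
    "snort: [1:2003:8] WEB-MISC cmd.exe access [Priority: 2] 10.0.0.5 -> 10.0.0.21",
    "ossec: rule 5712 level 10 sshd: brute force trying to get access srcip=10.0.0.5",
]

# Assumed asset values (0-5) for monitored hosts; unknown hosts default to 2.
ASSET_VALUE = {"10.0.0.20": 4, "10.0.0.21": 2}

SNORT_RE = re.compile(r"snort: \[(\S+)\] (.+?) \[Priority: (\d)\] (\S+) -> (\S+)")
OSSEC_RE = re.compile(r"ossec: rule (\d+) level (\d+) (.+?) srcip=(\S+)")

def normalize(line):
    """Plugin step: parse one raw line into the common event format, or None."""
    m = SNORT_RE.match(line)
    if m:
        sid, name, prio, src, dst = m.groups()
        # Snort priority 1 is most severe; map it onto a 1-5 event priority.
        return {"plugin": "snort", "sid": sid, "name": name, "src": src, "dst": dst,
                "priority": {1: 5, 2: 3, 3: 1}.get(int(prio), 1), "reliability": 6}
    m = OSSEC_RE.match(line)
    if m:
        rule, level, name, src = m.groups()
        # OSSEC levels run 0-15; compress them into the same 0-5 priority scale.
        return {"plugin": "ossec", "sid": rule, "name": name, "src": src, "dst": None,
                "priority": min(5, int(level) // 3), "reliability": 8}
    return None  # no plugin understands this line

def risk(event):
    """Risk assessment step: asset * priority * reliability / 25, on a 0-10 scale."""
    asset = ASSET_VALUE.get(event["dst"], 2)
    return round(asset * event["priority"] * event["reliability"] / 25, 1)

def correlate(events, min_plugins=2):
    """Correlation step: flag a source reported by two or more sensor types."""
    by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]].add(e["plugin"])
    return sorted(src for src, seen in by_src.items() if len(seen) >= min_plugins)

def run(lines):
    """Whole pipeline: returns the scored events and the correlated alerts."""
    events = [e for e in (normalize(l) for l in lines) if e]
    for e in events:
        e["risk"] = risk(e)
    return events, correlate(events)
```

Running `run(RAW_EVENTS)` scores the hit on the higher-value asset higher than the identical signature on the lower-value one, and raises a single correlated alert for 10.0.0.5 because both Snort and OSSEC reported it.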
The tools work together in this fashion:
The Web Interface is impressive, really. For a free tool, there is more than enough "eye candy" to keep the most demanding security analyst busy.
There are a number of dashboards and many other features. In a later posting, I will detail how to install and operate this SIEM.
AlienVault does offer a commercial version with improved performance, persistent storage, and encryption. However, if you are new to the SIEM space and want to test drive before you buy, check out this tool.
Last Updated on Sunday, 21 February 2010 23:31