Blog of Vu Lam Chi Nhan (nhanitvn)

Wednesday, July 27, 2005

OSSIM (Open Source Security Information Management)

Summary

OSSIM aims to unify network monitoring, security, correlation and qualification in one single tool. Using Snort, Acid, Mrtg, NTOP, OpenNMS, nmap, nessus and rrdtool, the OSSIM team wants the user to have full control over every network or security aspect.

Here you can read a full description of OSSIM [pdf], or you can visit the OSSIM homepage at www.ossim.net


Components

OSSIM is divided into 5 subsystems, shown as a component diagram on the original page (image not reproduced here); the components are:


  • Spade: network anomaly detection
  • Snort: pattern matching intrusion detection system
  • Acid: log viewer (Event Database)
  • Ntop: network use monitor
  • OpenNMS: Service availability monitoring
  • Mrtg: graphing
  • Mysql and PostgreSQL: data storage
  • RRDtool: Round robin data storage
  • Nessus: vulnerability assessment
  • Nmap: Network discovery
  • More to come...

About OSSIM

OSSIM's goal is to obtain a working SIM (Security Infrastructure Monitor) able to integrate, qualify and correlate both high-level and low-level security and network events, and capable of competing with the commercial products recently appearing on the security market.

It integrates multiple open-source security and network monitoring products to obtain three levels of network/host visibility:

  • Low level log/alert/anomaly information
  • Mid level network risk level information
  • High level decision support information

Development languages

  • C
  • Perl
  • Python
  • PHP
  • Java

Supported platforms

  • Linux
  • Limited functionality on: *BSD, Solaris, Mac OS X

Conclusion

Using the systems and programming languages described above, OSSIM's goal is to get the most information out of every tool, with the following objectives in mind:

  • Event correlation
  • Event qualification
  • Network anomaly detection
  • Qualified intrusion detection
  • Network availability information
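To make the three visibility levels and the correlation/qualification objectives concrete, here is an added illustration (not OSSIM's own code or scoring algorithm): constructed Snort-style and Spade-style alerts are the low-level input, a hypothetical priority-times-asset-value weighting qualifies each one, aggregation per source/destination pair with a corroboration bonus gives a mid-level risk score, and a threshold turns that into a high-level decision.

```python
from collections import defaultdict

# Constructed low-level events, normalised into one shape as a Snort alert or a
# Spade anomaly might be; these are sample values, not real OSSIM data.
LOW_LEVEL_EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "sensor": "snort",
     "sig": "SCAN nmap TCP", "priority": 2},
    {"src": "10.0.0.5", "dst": "10.0.1.20", "sensor": "spade",
     "sig": "anomalous destination port", "priority": 1},
    {"src": "10.0.0.5", "dst": "10.0.1.20", "sensor": "snort",
     "sig": "WEB-MISC cmd.exe access", "priority": 3},
    {"src": "192.168.3.9", "dst": "10.0.1.44", "sensor": "snort",
     "sig": "ICMP PING", "priority": 1},
]

# Hypothetical asset values (1-5) assigned by the operator to protected hosts.
ASSET_VALUE = {"10.0.1.20": 5, "10.0.1.44": 1}


def qualify(event):
    """Qualification: weight a raw event by the value of the asset it targets
    (hypothetical scheme; unknown hosts default to value 1)."""
    return event["priority"] * ASSET_VALUE.get(event["dst"], 1)


def correlate(events):
    """Correlation (mid level): sum qualified events per (src, dst) pair and
    double the score when more than one independent sensor reports the pair."""
    risk = defaultdict(int)
    sensors = defaultdict(set)
    for e in events:
        key = (e["src"], e["dst"])
        risk[key] += qualify(e)
        sensors[key].add(e["sensor"])
    for key, seen in sensors.items():
        if len(seen) > 1:
            risk[key] *= 2  # Snort and Spade corroborate each other
    return dict(risk)


def decide(risk, threshold=20):
    """Decision support (high level): map each pair's risk to an action."""
    return {key: ("investigate" if score >= threshold else "monitor")
            for key, score in risk.items()}
```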