Open Source Security Information Manager · 2013. 7. 5.
TRANSCRIPT
-
OSSIM
OPEN SOURCE SECURITY
INFORMATION MANAGER
-
What is OSSIM
OSSIM is an open source security system.
OSSIM integrates more than 30 open source tools.
OSSIM gathers events from any device or application.
OSSIM includes a powerful correlation system.
OSSIM can be integrated with any already deployed
device or application in the network.
OSSIM generates a wide number of metrics and reports.
OSSIM is easily adaptable (use what you need).
OSSIM can be integrated with proprietary and open
source products.
-
What is not OSSIM
OSSIM is neither a firewall nor a content proxy
OSSIM is not a Security Linux Distribution (Backtrack,
WifiSlax)
OSSIM is not a product for home use
OSSIM is not a simple software package (exe, rpm, deb...)
that can be easily installed on any operating system.
-
Advantages
Free and open source: no doubt about backdoors.
Customizable according to requirements.
2300+ data source plugins.
Highly Scalable.
High Redundancy/Availability.
Provides security at every level (IDS/IPS, firewall, antivirus servers, proxy, domain controller, VPN servers, web servers, OS).
Correlation (Cross correlation & Logical Correlation).
Correlation Directives (200+)
Risk calculation
Reporting
-
System Requirements
RAM: 4 GB
Processor: 64-bit
LAN card: e1000 network card
-
OSSIM in Real World
-
Architecture
Typically OSSIM consists of four elements:
Sensors (Detector + Collector)
Detector: generates events.
Collector: collects and parses data using predefined regular expressions.
Management Server
The main server tasks: the normalizing, prioritizing, collecting, risk assessment and correlation engines.
The maintenance and external tasks, such as backups, scheduled backups, online inventory or launching scans.
Database
Front end Web Interface
-
How OSSIM Works
Devices and/or applications generate security
events (Detectors).
Events are gathered by the OSSIM collector.
The collectors send normalized events to the OSSIM
Server.
The OSSIM Server does a risk calculation for every event.
The events are correlated in the OSSIM Server.
Events are stored in the database.
The Web Console offers access to all the information
collected and generated by OSSIM.
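The pipeline above, as an added example that is not part of the original slides: a collector regex normalizes constructed sshd syslog lines, the server scores each event and a minimal logical correlation directive raises an alarm on repeated failures. The log lines, the priority/reliability values and the asset value are assumptions; the risk formula (asset × priority × reliability / 25) is the one AlienVault documents for OSSIM and is not stated on the slides.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the slides) standing in for detector output.
RAW_LOGS = [
    "Jul  5 10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 5100 ssh2",
    "Jul  5 10:00:03 host1 sshd[2203]: Failed password for root from 203.0.113.9 port 5102 ssh2",
    "Jul  5 10:00:05 host1 sshd[2205]: Failed password for admin from 203.0.113.9 port 5104 ssh2",
    "Jul  5 10:00:09 host1 sshd[2207]: Accepted password for bob from 198.51.100.4 port 6000 ssh2",
]

# Collector stage: a predefined regex (the "plugin") maps raw text onto normalized fields.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port (?P<src_port>\d+)"
)
# Hypothetical per-event-type metadata (priority 0-5, reliability 0-10), chosen for this example.
EVENT_META = {"ssh_auth_failed": (3, 4), "ssh_auth_ok": (1, 2)}

def normalize(line):
    """Collector: turn one raw line into a normalized event, or None when no plugin matches."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    etype = "ssh_auth_failed" if m["result"] == "Failed" else "ssh_auth_ok"
    prio, rel = EVENT_META[etype]
    return {"type": etype, "user": m["user"], "src_ip": m["src_ip"],
            "src_port": int(m["src_port"]), "priority": prio, "reliability": rel}

def risk(event, asset_value):
    """Server: risk = asset * priority * reliability / 25 (AlienVault's documented OSSIM formula, 0-10)."""
    return asset_value * event["priority"] * event["reliability"] / 25

def correlate(events, threshold=3):
    """Server: minimal logical correlation directive; N failed logins from one source -> one alarm."""
    failures = defaultdict(int)
    alarms = []
    for ev in events:
        if ev["type"] == "ssh_auth_failed":
            failures[ev["src_ip"]] += 1
            if failures[ev["src_ip"]] == threshold:
                alarms.append({"directive": "ssh_bruteforce", "src_ip": ev["src_ip"], "count": threshold})
    return alarms

def process(lines, asset_value=4):
    """Whole pipeline: collector -> normalized events -> per-event risk -> correlation alarms."""
    events = [e for e in (normalize(raw) for raw in lines) if e]
    for e in events:
        e["risk"] = risk(e, asset_value)
    return events, correlate(events)
```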
-
OSSIM Operation
-
OSSIM Operations
-
OSSIM Web Interface
-
Integrated Tools
-
Snort
-
Ntop
-
OCS
-
Nfdump and NFSen
-
NetFlow
-
Nagios
-
OpenVAS
-
OSVDB
-
OSSEC
-
NMAP
-
p0f
-
Pads
-
ARPWatch
-
TCPtrack
-
Nepenthes
-
Sample Deployment
-
The End
Thanks…