OSSIM

Ossim stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator with detailed view over each and every aspect of his networks/hosts/physical access devices/server/etc…
Besides getting the best out of well known open source tools, ossim provides a strong correlation engine, detailed low, mid and high level visualization interfaces as well as reporting and incident managing tools, working on a set of defined assets such as hosts, networks, groups and services.

Advantages

• VERIFICATION may be OSSIM’s most valuable contribution at this time. Using its correlation engine, OSSIM screens out a large percentage of false positives.
• The second advantage is that of INTEGRATION, we have a series of security tools that enable us to perform a range of tasks from auditing, pattern matching and anomaly detection to forensic analysis in one single platform.
• The third is RISK ASSESSMENT, OSSIM offers high level state indicators that allow us to guide inspection and measure the security situation of our network.

Ossim features the following software components:

• Arpwatch, used for mac anomaly detection.
• P0f, used for passive OS detection and os change analisys.
• Pads, used for service anomaly detection.
• Nessus, used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
• Snort, the IDS, also used for cross correlation with nessus.
• Spade, the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signature.
• Tcptrack, used for session data information which can grant useful information for attack correlation.
• Ntop, which builds an impressive network information database from which we can get aberrant behaviour anomaly detection.
• Nagios. Being fed from the host asset database it monitors host and service availability information.
• Osiris, a great HIDS.
• OCS-NG, Cross-Platform inventory solution.
• OSSEC, integrity, rootkit, registry detection and more.

Usually a typical ossim deployment consists of:

• A database host.
• A server which hosts the correlation, qualification and risk assesment engine.
• N agent hosts which do information collection tasks from a number of devices. For a list of plugins please refer to: http://www.ossim.com/home.php?id=plugins
• A control daemon which does some maintenance work and ties some parts together. It’s called frameworkd.
• The frontend is web based, unifying all the gathered information and providing the ability to control each of the components.