OSSIM Security Information Management

OSSIM stands for Open Source Security Information Management, compiling more than 15 open source security programs, collecting from more than 35 products and providing all the technology levels to cover the full Security Management cycle.

It's goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator with detailed view over each and every aspect of his networks/hosts/physical access devices/server/etc...

Besides getting the best out of well known open source tools, some of which are quickly described below these lines, OSSIM provides a strong correlation engine, detailed low, mid and high level visualization interfaces as well as reporting and incident managing tools, working on a set of defined assets such as hosts, networks, groups and services.

All this information can be limited by network or sensor in order to provide just the needed information to specific users allowing for a fine-grained multi-user security environment. Also, the ability to act as an IPS (Intrusion Prevention System) based on correlated information from virtually any source result in a useful addition to any security professional.

OSSIM features the following software components:

·       Arpwatch - used for mac anomaly detection.

·       P0f - used for passive OS detection and os change analysis.

·       Pads - used for service anomaly detection.

·       Nessus - used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).

·       Snort, the IDS, also used for cross correlation with Nessus.

·       Spade - the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signature.

·       Tcptrack - used for session data information which can grant useful information for attack correlation.

·       Ntop - which builds an impressive network information database from which we can get aberrant behaviour anomaly detection.

·       Nagios - Being fed from the host asset database it monitors host and service availability information.

·       Osiris, a great HIDS.

·       OCS-NG - Cross-Platform inventory solution.

·       OSSEC - integrity, rootkit, registry detection and more.

To this has been added a bunch of self-developed tools, the most important being a generic correlation engine with logical directive support. Finally we take any other device you might have on your network which could contain useful data which, when fed to the system, could allow for a better understanding of what's going on on your network.

Usually a typical OSSIM deployment consists of:

·       A database host.

·       A server which hosts the correlation, qualification and risk assessment engine.

·       N agent hosts which do information collection tasks from a number of devices.

·       A control daemon which does some maintenance work and ties some parts together.

·       The front end is web based, unifying all the gathered information and providing the ability to control each of the components.

The goal of OSSIM is to fill a gap that we see in our daily needs as security professionals.

Considering the important technological advances of recent years that have made tools with capacities such as those of IDS available to us, we are surprised that it is so complex from a security standpoint to obtain a snapshot of a network as well as information with a level of abstraction that allows practical and manageable monitoring.