Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Ossim

from [Hoover, James A (THIP, Corp)] Network Security [Permanent Link]
Subject: RE: Ossim
Date: Mon, 26 Sep 2005 11:10:49 -0400 
Just for grins & giggles I installed this off of the iso image supported
by http://www.boseco.com/.  It was very straight forward but I found the
applicationst that are integrated are poorly documented.  By that I mean
that the way they are configured and integrated are poorly documented
not that the base application (such as ntop) is poorly documented.  I
had to do a lot of digging to find the configuration files because they
were not always in the same places.  I've done all of my testing off of
a single install so far.  What I was most impressed with was the simple
configuration for vulnerability assessment scans and the basic interface
for reviewing vulnerability assessment results.

I could not find any documentation on the installation of the software
on a "sensor" only install.  Does anyone have a reference for that by
chance?  I don't think that it requires a full install does it?


Jim


-----Original Message-----
From: Craig Rodenberg [mailto:crodenberg@gmail.com] 
Sent: Wednesday, September 21, 2005 2:49 PM
To: thin.hack@gmail.com
Cc: focus-ids@securityfocus.com
Subject: Re: Ossim

Hello Syn Ack,

I've deployed OSSIM in four datacenters now. I think OSSIM is a good IPS
support tool, but I wouldn't deploy it as my primary IDS unless I had a
zero dollar budget for the project.  OSSIM can be customized, configured
and tweaked to provide reliable and sustainable network protection, but
it requires a lot of configuration, and then a lot of tuning and
constant updating.
The Cisco ACL creation and PIX firewall rule insertion features are what
I spent the most time on. The basic functionality for attack blocking is
already there, but you'll want to make sure that a DDoS attack (or other
spoofed attack) does not cause you to ACL / firewall your network
against the entire internet.

OSSIM is a good, solid security tool. My only caution to you would be:
Make sure you have plenty of coffee in the break room, and be prepared
to spend several late nights tweaking and tuning.

OSSIM and AAnval seem to be the best "free" NETSEC tools right now.

If you have slightly more than $0.00 to spend on your IPS project, you
may want to consider Sentarus by Demarc. (www.demarc.com)  The Sentarus
appliance and host agents are heavyweight contenders with Tipping Point
and ISS. They do, however, actually want customers to pay for the
software.  :)

I may still have some OSSIM configs laying around that could help you
with the Catalyst ACL's and PIX firewall rules. Let me know if you want
them, and I'll start looking.

 Good Luck with OSSIM !

 ./c0redump

 Craig Rodenberg, GIAC
 Director, INFOSEC
 Connectria Internet Services
 www.connectria.com


On 9/20/05, Syn Ack <thin.hack@gmail.com> wrote:

Hello list members,
I'm working on implementing IDSes in the company a work for. Did some 
of you have experience with Ossim (http://www.ossim.net)?
Any comment are welcome.
Regards,

Dominique

----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from



CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
----------------------------------------------------------------------
--




*************************************************************************
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*************************************************************************


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Ossim, Craig Rodenberg
Next by Date:  Re: Ability for SIM to perform tcp stream reassembly, jimmy . alderson
Previous by Thread:  Re: Ossim, Andre Ludwig
Next by Thread:  RE: Open Source IDS Solution?, Steve Barron
Indexes:  [Date] [Thread] [Top] [All Lists]