Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Ossim

from [Jason A Minto] Network Security [Permanent Link]
Subject: RE: Ossim
Date: Tue, 04 Oct 2005 21:47:30 -0400

I am currently working on the follow-up SIM CD Release. SIM CD is currently being developed and hosted by Lomin LLC (http://www.lomin.com/). This is the same SIM CD that was formerly offered by Boseco Security. The next release brings about a lot of changes to the SIM CD.

Jim, a lot of your issues with configuration files being located in different places is addressed in this release. The goal of SIM CD is to make deployment of OSSIM as easy as possible. The next version of SIM CD is based on CentOS. Standard configuration file location for that distribution should be expected.

To answer the question about a "sensor" install, the easiest thing to do is use the same ISO to do the stand-alone install. Unfortunately there is no way to get around a "complete install" with SIM CD. Once it is installed you can easily stop services you do not want to run on your sensor. The old 9.6.1 version of SIM CD uses a mix of "daemontools" and System V startup scripts. Go through each of those to disable services you do not want to run. Information about "daemontools" can be found here: http://cr.yp.to/daemontools.html. Lomin LLC will be offering a user manual in the near future to help you install a distributed system with sensors.

Further information is available on the SIM CD Forums (http://sim.lomin.com/forums/). There you can post any questions you might have about OSSIM. This is the same forum formerly hosted by Boseco Security. Its look has been changed, but all of the old messages are there. 

Jason A Minto

----- Original Message -----

From: Hoover, James A (THIP, Corp) <James.Hoover@thehartford.com>
Date: Sep 26, 2005 11:10 PM
Subject: RE: Ossim
To: Craig Rodenberg <crodenberg@gmail.com>, thin.hack@gmail.com
Cc: focus-ids@securityfocus.com


Just for grins & giggles I installed this off of the iso image supported
by http://www.boseco.com/.  It was very straight forward but I found the
applicationst that are integrated are poorly documented.  By that I mean
that the way they are configured and integrated are poorly documented
not that the base application (such as ntop) is poorly documented.  I
had to do a lot of digging to find the configuration files because they
were not always in the same places.  I've done all of my testing off of
a single install so far.  What I was most impressed with was the simple
configuration for vulnerability assessment scans and the basic interface
for reviewing vulnerability assessment results.

I could not find any documentation on the installation of the software
on a "sensor" only install.  Does anyone have a reference for that by
chance?  I don't think that it requires a full install does it?


Jim


-----Original Message-----
From: Craig Rodenberg [mailto:crodenberg@gmail.com]
Sent: Wednesday, September 21, 2005 2:49 PM
To: thin.hack@gmail.com
Cc: focus-ids@securityfocus.com
Subject: Re: Ossim

Hello Syn Ack,

I've deployed OSSIM in four datacenters now. I think OSSIM is a good IPS
support tool, but I wouldn't deploy it as my primary IDS unless I had a
zero dollar budget for the project.  OSSIM can be customized, configured
and tweaked to provide reliable and sustainable network protection, but
it requires a lot of configuration, and then a lot of tuning and
constant updating.
The Cisco ACL creation and PIX firewall rule insertion features are what
I spent the most time on. The basic functionality for attack blocking is
already there, but you'll want to make sure that a DDoS attack (or other
spoofed attack) does not cause you to ACL / firewall your network
against the entire internet.

OSSIM is a good, solid security tool. My only caution to you would be:
Make sure you have plenty of coffee in the break room, and be prepared
to spend several late nights tweaking and tuning.

OSSIM and AAnval seem to be the best "free" NETSEC tools right now.

If you have slightly more than $0.00 to spend on your IPS project, you
may want to consider Sentarus by Demarc. (www.demarc.com) The Sentarus
appliance and host agents are heavyweight contenders with Tipping Point
and ISS. They do, however, actually want customers to pay for the
software. :) 

I may still have some OSSIM configs laying around that could help you
with the Catalyst ACL's and PIX firewall rules. Let me know if you want
them, and I'll start looking.

Good Luck with OSSIM !

./c0redump

Craig Rodenberg, GIAC
Director, INFOSEC
Connectria Internet Services
www.connectria.com


On 9/20/05, Syn Ack <thin.hack@gmail.com> wrote:


Hello list members,
I'm working on implementing IDSes in the company a work for. Did some
of you have experience with Ossim (http://www.ossim.net)?
Any comment are welcome.
Regards,

Dominique

----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from






CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
----------------------------------------------------------------------
--





*************************************************************************
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*************************************************************************


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: Ossim, Jason A Minto <=
Previous by Date:  HIDS solution for NT4 machines, bcihak
Next by Date:  [ANNOUNCE] CyberManager Lite 3.0 released, thomas . setzer
Previous by Thread:  HIDS solution for NT4 machines, bcihak
Next by Thread:  [ANNOUNCE] CyberManager Lite 3.0 released, thomas . setzer
Indexes:  [Date] [Thread] [Top] [All Lists]