Network Security Focus-IDS

Re: Prelude/OSSIM/OpenSIMS/OSSEC

Subject: Re: Prelude/OSSIM/OpenSIMS/OSSEC
Date: Wed, 30 Aug 2006 22:29:09 +0200
Hello: I have a similar topology developed with OSSIM, like the one you are
looking for.

The UNIX machines (Solaris and Linux) are monitored in two ways: logs
(auth.log, messages...) that are sent to a syslog server on an OSSIM server, and
integrity, checked by OSIRIS, which is managed by an OSIRIS manager also installed
on the same OSSIM server. The Windows machines, Windows 2000 Servers and XP,
send the logs to the same syslog server (on the OSSIM server machine) with a tool
called Snare. Snare is easy to manage. You can see the features of the tool at
http://www.intersectalliance.com/projects/Snare/

Although, in my case, NAGIOS is not configured, OSSIM integrates the tool in its
framework; you only have to configure it.

SIMS is one of the main functions of OSSIM, but the main problem is that you will
have to configure the parsers properly to catch those important events reported
by the different integrity checkers (OSIRIS and SNARE) or the logs sent via
syslog. Also, you will have to create your own correlation rules according to
your topology and your needs.

With this topology: a central server running syslog (OSIRIS, which is integrated
with OSSIM, OSSIM with the correct configuration, and a syslog server) and all
the monitored systems sending the logs to this server, all the events will be
caught (login attempts, correct logins, changes in the filesystem...). The main
problem is that you will have to configure all the parsers and the tools
properly, but that is only a question of time.

Regards. Angel.
2006/8/29, Pat <securityfocus.20.patgourmet@spamgourmet.com>:
> Hi,
>
> Briefly, my question: does anyone here know the best way to implement
> all of these (Integrity Checks, Servers Monitoring and Remote
> Logging) in a mixed environment (UNIX/Windows), everything being open-source?
>
> Details of the question:
>
> I am looking for open-source products to secure our network and
> servers, which are a mix of Windows/Linux/AIX. I am looking for some
> help in deciding what products to implement.
>
> 1- I want to begin by implementing an integrity checker. I am looking
> at Samhain and Osiris. Samhain seems better, but since it does not
> support Windows, I will probably use Osiris. Maybe OSSEC also would
> do the job?
>
> 2- I want to run Nagios on my servers for monitoring.
>
> 3- I want to set up my UNIX and Windows servers with remote logging.
> For the UNIX/Linux servers, I would do remote syslogging to a syslog
> server such as Syslog-ng or Rsyslog. For the Windows servers, I would
> also set up remote logging to that same syslog server, with a client
> tool such as Winsyslog.
>
> 4- On top of that, I would like to implement a SIMS. I know of 3
> open-source SIMS: Prelude, OSSIM and OpenSIMS. Is one better than the
> other with my mixed environment?
>
> 5- Would a Change Management Solution like Radmind on top of all that
> be compatible and worthwhile, or would it mainly be redundant?
>
> So my question again: does anyone here know the best way to implement
> all of these (Integrity Checks, Servers Monitoring and Remote
> Logging) in a mixed environment (UNIX/Windows), everything being
> open-source?
>
> Thank you.
>
> Pat
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------


-- 
Angel Alonso Párrizas
parrizas@gmail.com
CCNA, SSP-MPA

"Freedom is not something negotiable"
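The setup Angel describes (UNIX and Windows hosts all forwarding to one syslog collector on the OSSIM server, OSIRIS reporting file changes, and site-specific parsers plus correlation rules on top) is a normalise-then-correlate pipeline, and the reason the parsers matter is that a failed SSH login on Solaris and a failed Windows logon only correlate once both are reduced to the same event shape. The Python below is an added illustration of that pipeline; it is not OSSIM's plugin configuration and not code from OSSIM, OSIRIS or Snare. All log lines are constructed: the Windows line only approximates Snare's tab-separated MSWinEventLog layout (event ID 529, the Windows 2000/XP logon-failure event, is real, the field positions are an assumption of this example), the OSIRIS line is invented, and the year, 60-second window and threshold of three failures are assumptions.

```python
"""Toy log normaliser and correlation engine for a central syslog collector.

Added example: not OSSIM's, OSIRIS's or Snare's real code or formats.
Every log line in SAMPLE_LOGS is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2006                      # syslog timestamps carry no year; assumed here
WINDOW = timedelta(seconds=60)   # correlation window (assumption)
THRESHOLD = 3                    # failures per source that trigger an alert (assumption)

SAMPLE_LOGS = [  # constructed lines as a syslog collector might receive them
    "Aug 30 22:10:01 solaris1 sshd[1234]: Failed password for root from 10.0.0.5 port 4411 ssh2",
    "Aug 30 22:10:04 solaris1 sshd[1234]: Failed password for root from 10.0.0.5 port 4412 ssh2",
    # Snare-like Windows line (layout assumed): event id in field 5, user in 7, outcome in 9
    "Aug 30 22:10:09 winsrv1 MSWinEventLog\t1\tSecurity\t77\tWed Aug 30 22:10:09 2006\t529"
    "\tSecurity\tadministrator\tUser\tFailure Audit\tWINSRV1\tLogon/Logoff\t\t"
    "Logon Failure: Source Network Address: 10.0.0.5",
    "Aug 30 22:10:40 solaris1 sshd[1240]: Accepted password for root from 10.0.0.5 port 4420 ssh2",
    "Aug 30 22:11:15 ossim osiris[880]: host solaris1 file /etc/passwd changed",  # invented OSIRIS line
    "Aug 30 22:30:00 linux2 sshd[310]: Failed password for bob from 192.168.1.9 port 5000 ssh2",
]

SYSLOG_HDR = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SSH_OK = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
OSIRIS_CHANGE = re.compile(r"host (?P<target>\S+) file (?P<path>\S+) changed")
WIN_SRC = re.compile(r"Source Network Address: (?P<ip>[\d.]+)")


def parse(line):
    """Normalise one raw line into {ts, host, kind, ...}; None if no parser claims it."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
    msg = m["msg"]
    ev = {"ts": ts, "host": m["host"]}
    if msg.startswith("MSWinEventLog"):
        f = msg.split("\t")
        if len(f) < 14:
            return None
        src = WIN_SRC.search(f[13])
        ev.update(kind="auth_fail" if f[5] == "529" else "other",
                  user=f[7], src=src["ip"] if src else None)
        return ev
    for kind, rx in (("auth_fail", SSH_FAIL), ("auth_ok", SSH_OK)):
        r = rx.search(msg)
        if r:
            ev.update(kind=kind, user=r["user"], src=r["ip"])
            return ev
    r = OSIRIS_CHANGE.search(msg)
    if r:
        ev.update(kind="fs_change", target=r["target"], path=r["path"])
        return ev
    return None


def correlate(events):
    """Three rules over normalised events, in timestamp order.

    brute_force: THRESHOLD auth failures from one source inside WINDOW (any OS).
    login_after_failures: a success from a source that failed within WINDOW.
    integrity: every OSIRIS file-change report is surfaced as its own alert.
    """
    alerts = []
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    fired = set()                 # sources already alerted on, to avoid repeats
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev.get("src")
        if ev["kind"] == "auth_fail" and src:
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= THRESHOLD and src not in fired:
                fired.add(src)
                alerts.append(("brute_force", src, ev["ts"]))
        elif ev["kind"] == "auth_ok" and src and recent[src]:
            if ev["ts"] - recent[src][-1] <= WINDOW:
                alerts.append(("login_after_failures", src, ev["ts"]))
        elif ev["kind"] == "fs_change":
            alerts.append(("integrity", ev["target"], ev["ts"]))
    return alerts


def run(lines=SAMPLE_LOGS):
    """Parse every line that a parser understands and return the resulting alerts."""
    events = [ev for ev in (parse(l) for l in lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for name, subject, when in run():
        print(f"{when:%H:%M:%S} {name:22} {subject}")
```

On the sample, the two Solaris failures and the Windows logon failure from 10.0.0.5 together reach the threshold, which neither host's logs would show on their own; the later success from the same source is flagged separately, and the OSIRIS change on solaris1 becomes an integrity alert. The single failure from 192.168.1.9 stays below the threshold and produces nothing.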
