ossim - AlienVault
ossim - AlienVault
ossim - AlienVault
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
3.7 Monitors<br />
Although they are simply monitors of previously executed processes, as such these<br />
functionalities are worth pointing out:<br />
3.7.1. Risk Monitor<br />
OSSIM possesses a risk monitor called RiskMeter that displays the values produced by the<br />
CALM algorithm. These values measure the compromise (C) and attack (A) risk levels derived<br />
from alerts that indicate the possibility that a machine has been compromised or is being<br />
attacked.<br />
3.7.2. Use, Session, and Profile Monitors<br />
As explained in the section on anomalies, OSSIM places a lot of importance on detailed<br />
monitoring of each machine and profile.<br />
There are three types for this kind of monitoring:<br />
• The use monitor provides general information about the machine, such as number of<br />
bytes transmitted per day.<br />
• The profile monitor provides specific information about user activity, allowing us to<br />
establish a profile, for example “uses mail, pop, and http" is a normal user profile.<br />
• The session monitor provides a real-time display of the sessions in which a user is<br />
engaged, as well as a snapshot of that machine on the network.<br />
We believe that all three of these are essential for a security system, and in their absence the<br />
security administrator would be blind to past events, would not be able to distinguish normal<br />
from abnormal activity, and would not be able to see the network—like a traffic cop on a pitch<br />
black road.<br />
This area of security coincides with network administration, but some overlap is inevitable since,<br />
for example, the saturation of a network or the anomalous behavior of a machine could indicate<br />
either a network problem or a security problem.<br />
OSSIM provides these three monitoring capabilities using products with the ability to act as<br />
sniffers and see the network situation at the highest degree of detail.<br />
23