OSSIM Fast Guide - AlienVault

More documents

Recommendations

Info

OSSIM 2004/02/07Sensors- Sensors integrate powerful software in order to provide three capabilities:. IDS. Anomaly Detection. Real time Monitoring- Sensors can also perform other functions including traffic consolidation ona segment and event normalization.- Sensors communicate and receive orders from the server using a proprietaryprotocol.Server- OSSIM’s server has the following capabilities:. Correlation. Prioritization. Online inventory. Risk assessment. NormalizationConsoleThe console’s interface is structured hierarchically with the followingfunctions:. Control Panel. Risk and usage monitors. Forensic console. The Configuration FrameworkDatabases- OSSIM uses an open interface that gives it the ability to communicate withany SQL database- The distribution uses Postgress or Mysql as its open source relationaldatabaseCommunication Protocol- The protocol used for communication between server and sensors is proprietaryand utilizes a TCP port.- With this protocol, the user can activate, configure, request and receivedata from the sensors.- This protocol includes all of the functionality of IDMEF, it even adds anoption for on-demand queries from the correlation engine to the monitors,sometime in the future it will be IDMEF compliant.* NORMALIZATION & AGGREGATION- OSSIM is currently able to read alerts from:. SnortFast Guide 2 http://www.ossim.net
OSSIM 2004/02/07. Real Secure. Spade. Any data from NTOP. Firewall-1. Iptables. Apache. IIS. Cisco Routers. Unix Servers- Normalization is performed with a configurable parser using XML files. Addingnew agents can be accomplished in a matter of hours.- Information from each detector is normally sent to the nearest sensor usingnative delivery capacity. OSSIM allows delivery using the following methods:. Snmp. Syslog. Rawsockets. SQL. OPSEC- Aggregation between sensor and server is executed using OSSIM’s proprietaryprotocol.- If encrypted communications and authentication is required, it can beestablished using tunnels at the application level, typically ssh or ssl.Fast Guide 3 http://www.ossim.net
Page 1: -----------------OSSIM Fast Guide--
Page 5 and 6: OSSIM 2004/02/07- As a result corre
Page 7: OSSIM 2004/02/07Usage Monitor- OSSI

OSSIM Fast Guide - AlienVault

Create successful ePaper yourself

Delete template?

Save as template?