OSSIM
OSSIM (Open Source Security Information Management) is an open source security information and event management (SIEM) system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention. The project began in 2003 as a collaboration between Dominique Karg, Julio Casal and later Alberto Román. In 2008 it became the basis for their company AlienVault. Following the acquisition of the Eureka project label and completion of R&D, AlienVault began selling a commercial derivative of OSSIM ('AlienVault Unified Security Management'). AlienVault was acquired by AT&T Communications and renamed AT&T Cybersecurity in 2019. OSSIM has had four major-version releases since its creation and is on a 5.x.x version numbering. An information visualization of the contributions to the source code for OSSIM was published as "8 years of OSSIM". The project has approximately 7.4 million lines of code. The current version of OSSIM is 5.7.5, released on September 16, 2019; information about this and past releases is available from the project.

As a SIEM system, OSSIM is intended to give security analysts and administrators a more complete view of all the security-related aspects of their systems, by combining log management (which can be extended with plugins) and asset management and discovery with information from dedicated information security controls and detection systems. This information is then correlated to create context that is not visible from any one source alone. Alarm and availability views along with reporting capabilities are provided to enhance the capabilities of the tool and its utility to security and systems engineers. OSSIM performs these functions using other well-known open-source security components, unifying them under a single browser-based user interface. The interface provides graphical analysis tools for the information collected from the underlying open source components (many of which are command-line tools that otherwise log only to a plain text file) and allows centralized management of their configuration. The software is distributed freely under the GNU General Public License. Unlike the individual components, which may be installed onto an existing system, OSSIM is distributed as an installable ISO image designed to be deployed to a physical or virtual host as the core operating system of that host. OSSIM is built on Debian as its underlying operating system. Because this core platform is open, security administrators can add and extend component capabilities using standard packages and scripting as needed.


Components

OSSIM features the following software components:

* PRADS, used to identify hosts and services by passively monitoring network traffic. Added in release v4.0.
* Snort, used as an intrusion detection system (IDS), and also used for cross correlation with OpenVAS.
* Suricata, used as an intrusion detection system (IDS); as of version 4.2 this is the IDS used in the default configuration.
* Tcptrack, used for session data information, which can provide useful information for attack correlation.
* Munin, for traffic analysis and service watchdogging.
* NFSen/NFDump, used to collect and analyze NetFlow information.
* FProbe, used to generate NetFlow data from captured traffic.
* Nagios, used to monitor hosts and specified ports for asset availability as well as full local system monitoring.
* OpenVAS, used for vulnerability assessment, with results associated to assets.
* OSSIM also includes self-developed tools, the most important being a generic correlation engine with logical directive support and log integration with plugins.

Note: Suricata and Snort cannot be used at the same time. Snort is currently being phased out in favor of Suricata.


Deprecated Components

* Arpwatch, used for MAC address anomaly detection, replaced by PRADS.
* P0f, used for passive OS detection and OS change analysis, replaced by PRADS.
* PADS, used for service anomaly detection, replaced by PRADS.
* Ntop, for recording traffic patterns between hosts and host groups, and statistics on protocol usage, deprecated.


Open Threat Exchange

AlienVault maintains a crowd-sourced service for IP reputation information, the Open Threat Exchange (OTX), generated by, and available to anyone with, an active OSSIM installation. OTX uses tokenized information from participating OSSIM installations to identify Internet addresses engaged in malicious activities and shares that information with those same OSSIM installations. It was launched in 2012.


External links


* Official website
* Official forum
* Official source code

