In recent years, a number of open source consolidation tools have emerged. These tools, such as Groundwork's Open Source Monitor, an enterprise monitoring tool, consist of a number of open source tools integrated together, often with a Web-based or
OSSIM, or Open Source Security Information Management, is one such tool. It addresses the needs of security professionals to provide an enterprise-wide view of the state of security. OSSIM's commercial competitors include products like Symantec Security Information Manager, CA's eTrust SIM and products from companies such as netForensics and Intellitactics. OSSIM combines a broad selection of networking, host and device management and informational tools together with a correlation engine. It includes visualization capabilities, as well as reporting and incident management tools.
OSSIM incorporates tools such as Arpwatch (MAC address anomaly detection), p0f (operating system profiling and analysis), Nessus (vulnerability scanning), the Snort IDS, NTOP (network information tool), the enterprise-monitoring tool Nagios and the Osiris host intrusion detection tool. OSSIM also comes with integration to the OSVDB - Open Source Vulnerability Database - which provides enhanced information about detected events and vulnerabilities.
In addition, the OSSIM team has developed a number of integration tools, including a correlation tool that combines data from all the tools and outputs it in the Web-based console. OSSIM can also be customized using a system of plug-ins to take data from a variety of other sources including devices like firewalls, applications and operating systems. You can see a full list of the available plug-ins at OSSIM's roadmap plug-in page.
So how should you make use of OSSIM? OSSIM is ideal for security and network administrators and engineers to monitor the events and activities in their environments. OSSIM can act as the central collection and collation point for events in your environment, can generate alerts and provide reporting, both in the form of a Security Operations Centre dashboard and management reporting.
An OSSIM deployment is three-tiered -- database, application server and a Web-based front-end. Added to this are the agents and plug-ins, which act as remote agents and gather data, and an administration and control daemon, frameworkd, which ties the components together.
The OSSIM front-end, or console, is the heart of the solution. It focuses on providing a high-level display and control panel and the capability to drill down to display greater levels of granularity. At the lowest level of granularity, the console can display data about your network and events at a forensic or packet level. Like many modern SIMs, OSSIM also provides a risk-based meter view. The console also includes some pre-packaged reports. Here are some screenshots demonstrating the OSSIM console.
The application back-end provides the correlation, prioritization and risk assessment capabilities of OSSIM and integrates a number of tools for pre- and post-processing of events and incoming data. The framework daemon provides the administrative glue that allows you to define the assets you wish to monitor, configure the various tools that make up the OSSIM solution and define policy, standards and correlation rules. All of this information is stored in the database back-end. Depending on the size of your installation you may require a dedicated database host. You will also need to size the storage of your database host, based on the volume of events you estimate will be generated. You need to ensure you have sufficient storage to hold events for your required reporting or auditing period, for example keeping firewall or IDS events for 30 days.
If you want to install OSSIM there are packages available for Red Hat Fedora and Debian or you can download the source to install OSSIM. OSSIM comes bundled with the tools integrated into it and many of its prerequisites. But you will need to pre-install a few items, including the MySQL database server, Perl, PHP, Python and Apache (httpd) amongst others. You can see a full list of the pre-requisites on the OSSIM website. As a result of the number and combination of pre-requisites, installing OSSIM can occasionally be tricky but the installation process is clear and well documented and error messages provide good insight into what pre-requisite may be causing an issue. I recommend installing OSSIM on a freshly-built (and given OSSIM's security focus -- secure and hardened) host to ensure you minimize any installation issues with previously installed libraries or applications.
OSSIM is fully-featured, fast and powerful and if you are in the market for a SIM product, I recommend taking a look at OSSIM. But even if you are not in the market for a SIM, then I suggest taking a look at OSSIM simply because of its potential to enhance your security posture and reporting.
This was first published in May 2007