plan42 > Business Solutions > Security Management > Topic Details

OSSIM

Details on the Topic

What Is OSSIM?

OSSIM is an open source suite for the analysis of monitoring and log data. It is used to normalise the data basis of multiple data sources. This data, in turn, forms the basis for correlation and prioritisation that is required to identify security-relevant events.

OSSIM is a software appliance. In principle, all components can be operated on one dedicated server system. When used in major infrastructures, however, we recommend you operate each component on a dedicated system. This ensures a hierarchical structure and system scalability.

OSSIM Framework

The OSSIM framework consists of the following components:

  • Management server
  • Database
  • Sensor
  • Front-end

Open Source Components

The following open source tools are currently integrated with OSSIM:

  • Snort IDS
  • Nesus vulnerability scanner
  • Ntop network monitor
  • Nagios availability monitor
  • Osiris and Snare host IDS
  • Spade and HW aberrant behaviour anomaly detector
  • RRD
  • NMAP port scanner
  • ARPwatch, P0f, Pads and Fprobe passive monitoring
  • Acid/Base forensic analysis console
  • OSVDB vulnerability database

Commercial Data Sources

In addition to the above open-source components, OSSIM also supports a number of commercial data sources:

  • Checkpoint Firewall-1 (SAM, LEA)
  • Cisco IDS
  • Cisco PIX
  • Cisco router
  • Cisco VPN
  • Ciso router IOS
  • Cisco Catalyst switch
  • Juniper NSM
  • Unix/Linux Syslog
  • Stonegate etc.

Other data sources can be integrated by means of a framework (based on Python and regular expressions).

Data Pool

All security-relevant events are brought together in a central MySQL database. For hierarchical architectures of larger installations, this concept can be adapted in order to minimise the bandwidth of central data storage.

OSSIM uses decentralised data collectors that standardise the gathered information and forward it to the management component. Normalisation depends on the type of data source and is used for the correlation of independent data sources. The management component processes the data and writes it to a database. Correlation and prioritisation are based on the two-way communication between the database and the management component.

The transmission between the data collectors and the management component includes the encryption of the information. Within the database, the messages can be encrypted (AES 128-bit), but it is currently not possible to sign them. Anonymisation and pseudonymisation of the data collection are neither part of OSSIM functionality.

On the data collectors you can configure the amount of data to be collected as well as the types of messages to consider. Grouping similar messages to an aggregated message is currently not possible. Data is stored for a period of 30 days. Adaptions to this period are generally possible; however, they are limited by the available storage space and may affect the performance during report creation.

Event Detection

In order to enable the user to model the existing infrastructure as accurately as possible, OSSIM provides a feature for network mapping. The individual systems can either be indexed using the vulnerability scanner or by means of passive tools. During implementation you can choose to take various aspects into account including operating system, IP and MAC address, bandwidth utilisation statistics as well as system priority and vulnerability. All messages are constantly forwarded to and promptly processed by the management component. For correlation, there are a number of different mechanisms available including the following:

  • Combination of several events
  • Queries regarding the content of data fields
  • Definition of thresholds and alarms when these thresholds are exceeded
  • Implementation of actions

Individual rules can be created using the administration interface. Event prioritisation depends on the reliability of the event. Reliability is part of a rule and is also influenced by the data stored in the system information. In essence, these are the identified weaknesses of the system, the weighting (value), and the connections associated to the system. Prioritisation can not be changed in the rules and thus is exclusively based on the weighting within the system information.

Correct implementation planning is a prerequisite to keep the system performance stable. This requires knowledge about data volumes. An aggregation of similar messages to one single message is not possible in OSSIM.

Event Management & Alarming

The web-based console is accessed via HTTP/HTTPS. To facilitate event tracking, you can apply event filters and view reports about the involved data sources. The integrated vulnerability database provides further information on the vulnerability and appropriate countermeasures.

There are four main types of reports provided by OSSIM:

  • Alarm Report
  • Security Report
  • Host Report
  • Incident Report

These are static reports, which can either be generated in the HTML or the PDF format. The following interfaces are available for alarms:

  • Web console
  • SNMP
  • Email notification
  • Execution of an external programme
  • Creation of a ticket in the integrated ticketing system

Thus, it is possible to integrate OSSIM with CA Spectrum based on email, SNMP, or an external programme.

User Management

User names and passwords are used for authentication. Authentication based on an LDAP directory is possible. Access rights can be assigned to individual users and are valid for networks, rules, data sources, and individual programme functions. A role concept does not exist. There is a detailed audit log, which logs all user activities. It is impossible for users to manipulate this log.

OSSIM in Your Company

Are you interested in the implementation of OSSIM in your company? Learn about our approach, or feel free to contact us.