Lomin Security

jminto | 2005-12-28 20:04

OSSIM

OSSIM (Open Source Security Information Management) unifies network monitoring, network/host security, correlation and qualification information in one single tool. It is designed and built to work with a number of Open Source and commercial tools. Its main goal is to get the most information out of every single tool and present it in a cohesive, easy-to-understand way.

OSSIM uses the following methods to help deliver concise information:

  • Event correlation
  • Event qualification
  • Network anomaly detection
  • Qualified intrusion detection
  • Network availability information

OSSIM integrates, qualifies and correlates both high-level and low-level security and network events. Sensors are integrated to provide three levels of network/host visibility, namely:

  • Low level: log, alert and anomaly information
  • Mid level: network risk level information
  • High level: decision support information

Tools OSSIM Uses

OSSIM uses network security information from a variety of Open Source tools, including:

  • Spade: network anomaly detection
  • Snort: pattern-matching intrusion detection system
  • ACID: log viewer (event database)
  • ntop: network usage monitor
  • OpenNMS: service availability monitoring
  • MRTG: graphing
  • MySQL and PostgreSQL: data storage
  • RRDtool: a system to store and display time-series data
  • Nessus: vulnerability assessment
  • Nmap: network discovery
  • PADS: passive network discovery
  • Tcptrack: passive network connection monitor

OSSIM also works with a number of commercial and other third-party tools:

  • Check Point: firewall logs
  • Cisco PIX
  • Cisco routers
  • Cisco IDS
  • UNIX: system logs
  • Microsoft IIS
  • Apache
  • iptables
  • RealSecure

The most complete and up-to-date information about OSSIM can be found at OSSIM's website: http://www.ossim.net/.

© Copyright Lomin LLC 2005-2007.