Saturday, June 19, 2010


OSSIM is an open source security information management and correlation tool from a company called AlienVault (there's a pro version too). I installed it on two boxes recently, one using the unattended install and the other using the custom install. It's an incredibly easy app to install. You download an ISO from their web site and make an install CD, boot it up and give it some info (the unattended install asks only for a few basic items like the network config info, a name for the box and a few details on how you want the app configured). The default unattended install sets up the server, sensor, and database all on one box. Once the app is installed and rebooted, you'll need to set up your monitoring interfaces (the custom install asks which ones to use) and you're off and running. If you want to use Nagios, you will need to configure that as well. You'll have over 30 apps all properly installed, with a nice dashboard to show your status at a glance, and then you can drill down to investigate events, check your network status, see what hosts are detected from the traffic and more. The box does passive vulnerability assessment using Nessus, and runs Snort, arpwatch, p0f, Ntop, Osiris and many others.
I see this as a great teaching tool for new analysts, as it will let them work with a lot of tools quickly without the learning curve of getting them all installed, configured properly and working together. The site for the open source version is here.

