IDS mailing list archives

Re: Ossim


From: Craig Rodenberg <crodenberg () gmail com>
Date: Wed, 21 Sep 2005 13:49:26 -0500

Hello Syn Ack,

I've deployed OSSIM in four datacenters now. I think OSSIM is a good
IPS support tool, but I wouldn't deploy it as my primary IDS unless I
had a zero dollar budget for the project.  OSSIM can be customized,
configured and tweaked to provide reliable and sustainable network
protection, but it requires a lot of configuration, and then a lot of
tuning and constant updating.
The Cisco ACL creation and PIX firewall rule insertion features are
what I spent the most time on. The basic functionality for attack
blocking is already there, but you'll want to make sure that a DDoS
attack (or other spoofed attack) does not cause you to ACL / firewall
your network against the entire internet.

OSSIM is a good, solid security tool. My only caution to you would be:
Make sure you have plenty of coffee in the break room, and be prepared
to spend several late nights tweaking and tuning.

OSSIM and AAnval seem to be the best "free" NETSEC tools right now.

If you have slightly more than $0.00 to spend on your IPS project, you
may want to consider Sentarus by Demarc. (www.demarc.com)  The
Sentarus appliance and host agents are heavyweight contenders with
Tipping Point and ISS. They do, however, actually want customers to
pay for the software.  :)

I may still have some OSSIM configs laying around that could help you
with the Catalyst ACLs and PIX firewall rules. Let me know if you
want them, and I'll start looking.

 Good luck with OSSIM!

 ./c0redump

 Craig Rodenberg, GIAC
 Director, INFOSEC
 Connectria Internet Services
 www.connectria.com


On 9/20/05, Syn Ack <thin.hack () gmail com> wrote:
Hello list members,
I'm working on implementing IDSes in the company I work for. Do any
of you have experience with Ossim (http://www.ossim.net)?
Any comments are welcome.
Regards,

Dominique
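The caveat in Craig's reply about spoofed floods tricking automated ACL/PIX insertion is worth seeing in code. The following is an added example, not OSSIM's own code: a gate that sits in front of the rule-pushing step, refuses to block a site's own or internal ranges, and holds blocking for manual review once too many distinct sources show up in a short window. The address ranges and thresholds are constructed assumptions.

```python
import ipaddress
from collections import deque

# Constructed example of a gate in front of automated ACL / PIX rule
# insertion. Not OSSIM's code; the ranges and thresholds are assumptions
# standing in for a site's own values.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # internal space
    "203.0.113.0/24",                                  # our own public range (constructed)
    "198.51.100.53/32",                                # upstream resolver (constructed)
)]

def is_protected(src):
    """True if src falls in a range that must never be auto-blocked."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in NEVER_BLOCK)

class AutoBlocker:
    """Decide per alert whether to push a host block, skip it, or hold it.

    A genuine scan or brute-force comes from a few sources; a spoofed flood
    shows up as many distinct sources in a short window. Blocking each one
    would ACL the network against much of the internet, so past the
    distinct-source threshold the responder holds for manual review.
    """
    def __init__(self, window_alerts=200, max_distinct_sources=50):
        self.recent = deque(maxlen=window_alerts)  # sliding window of alert sources
        self.max_distinct = max_distinct_sources
        self.blocked = set()                        # host (/32) blocks pushed so far

    def decide(self, src):
        if is_protected(src):
            return "skip-protected"
        self.recent.append(src)
        if len(set(self.recent)) > self.max_distinct:
            return "hold-spoof-suspected"
        self.blocked.add(src)                       # the site would push a /32 ACL here
        return "block"

def run_alerts(blocker, sources):
    """Feed a sequence of alert source addresses; return the verdict per alert."""
    return [blocker.decide(s) for s in sources]

if __name__ == "__main__":
    ab = AutoBlocker()
    print(ab.decide("192.0.2.10"))                  # block
    # constructed flood: 60 distinct sources in quick succession
    verdicts = run_alerts(ab, [f"192.0.2.{i}" for i in range(1, 61)])
    print(verdicts[-1], len(ab.blocked))            # hold-spoof-suspected 50
```

In a real deployment the "hold" verdict would raise a ticket or page someone rather than silently dropping the alert.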


