Re: Ossim

luciani.giorgio_at_gmail.com
Date: 09/21/05

    Date: 21 Sep 2005 15:02:49 -0000
    To: focus-ids@securityfocus.com

    Hi!
    I'm an IT engineering student at Politecnico di Milano. I'm studying IDS correlation for my thesis
    and I'm now working on OSSIM. I think it's a very interesting tool, although it has some problems:
    1. lack of complete documentation
    2. server (which implements correlation) C source code completely obscure: not a single comment in all
    the source code, nor a single doc about implementation. Agent and Framework are better commented
    (and they're in Python, Perl and PHP).
    3. difficult installation (except for Debian or Fedora users); you have precompiled binaries, but
    building from source is a pain (you have to patch other tools as well) and badly documented.
    4. not portable (server doesn't work well on *BSD)
    Moreover, I think they should have used pure IDMEF, not a different implementation.
    Anyway, if you can get it to work, it's really powerful IMHO. I think the correlation engine could be
    empowered (I'm working on that) because it consists of a simple FSA implementation (you have to manually
    insert every possible event chain) and a very simple anomaly algorithm (CALM).
    This is my impression, and I'd really like to know others' too.
    I'd like to know if someone's tried to work on the server sources, and if he's got some documentation
    about this.
    Regards,
    Giorgio Luciani

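The FSA-style correlation the post describes (an ordered chain of expected events, matched per attacker/victim pair, with a timeout on each step) as an added illustration; this is not OSSIM's own code, its real directive format and engine differ, and the directive, signature names and event stream below are constructed.

```python
# Minimal event-chain correlator in the spirit of an FSA-driven IDS correlation engine.
# Each event is (timestamp_seconds, signature, src_ip, dst_ip). Constructed sample data.
SAMPLE_EVENTS = [
    (100, "portscan", "10.0.0.5", "192.168.1.10"),
    (130, "ssh_bruteforce", "10.0.0.5", "192.168.1.10"),
    (140, "portscan", "10.0.0.9", "192.168.1.20"),
    (170, "ssh_login_success", "10.0.0.5", "192.168.1.10"),
    (900, "ssh_login_success", "10.0.0.9", "192.168.1.20"),  # too late, chain expired
]

# A hypothetical "directive": ordered chain of (signature, max seconds since previous step).
# The first step's timeout is unused because it starts the chain.
DIRECTIVE = {
    "name": "scan_then_bruteforce_then_login",
    "chain": [("portscan", 0), ("ssh_bruteforce", 120), ("ssh_login_success", 300)],
}


def correlate(events, directive):
    """Run the directive's state machine over the event stream.

    One automaton instance per (src, dst) pair: state maps the pair to
    (index of the next expected step, timestamp of the last matched event).
    Returns a list of (directive name, src, dst, timestamp) alarms.
    """
    chain = directive["chain"]
    state = {}
    alarms = []
    for ts, sig, src, dst in sorted(events):
        key = (src, dst)
        step, last_ts = state.get(key, (0, None))
        expected_sig, timeout = chain[step]
        # A partially matched chain whose next step arrives after the timeout is reset,
        # so stale partial matches do not accumulate forever.
        if step > 0 and ts - last_ts > timeout:
            step, last_ts = 0, None
            expected_sig, timeout = chain[0]
        if sig != expected_sig:
            continue  # the FSA only advances on the exact expected signature
        step += 1
        if step == len(chain):
            alarms.append((directive["name"], src, dst, ts))
            state.pop(key, None)  # chain complete, automaton instance retired
        else:
            state[key] = (step, ts)
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS, DIRECTIVE):
        print(alarm)
```

Only the 10.0.0.5 chain completes; the 10.0.0.9 pair never produces the brute-force step and its late login arrives after the 120-second timeout, so the automaton resets instead of alarming.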


