OSSIM

Original author(s): Dominique Karg, Julio Casal, Ignacio Cabrera and Alberto Román
Developer(s): AT&T Cybersecurity
Stable release: 5.8.11 / May 10, 2022
Operating system: Linux
Type: Security / SIEM
License: GNU General Public License
Website: cybersecurity.att.com

OSSIM (Open Source Security Information Management) is an open source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention.

The project began in 2003 as a collaboration between Dominique Karg [1] and Julio Casal, [2] later joined by Alberto Román. [3] In 2008 it became the basis for their company AlienVault. [4] Following the acquisition of the Eureka project label and completion of R&D, AlienVault began selling a commercial derivative of OSSIM ('AlienVault Unified Security Management'). AlienVault was acquired by AT&T Communications and renamed AT&T Cybersecurity in 2019. [5]

OSSIM has had four major-version releases [6] since its creation and uses 5.x.x version numbering. [7] An information visualization of the contributions to the OSSIM source code was published under the title "8 years of OSSIM". The project has approximately 7.4 million lines of code. [8] The current version of OSSIM is 5.7.5, released on September 16, 2019. Information about this release and past versions can be found here.

As a SIEM system, OSSIM is intended to give security analysts and administrators a more complete view of all security-related aspects of their systems. It combines log management (which can be extended with plugins) and asset management and discovery with information from dedicated information security controls and detection systems. This information is then correlated to build context that is not visible from any one source alone. Alarm and availability views, along with reporting capabilities, extend the tool's utility to security and systems engineers.
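The correlation idea in the paragraph above, as an added illustration (not OSSIM's code): events from several detectors are normalized, enriched with asset inventory data, and turned into an alarm only when independent sources agree on the same host within a time window, so that a single low-confidence event on its own does not page anyone. The event format, field names, asset table and risk scoring rule are all assumptions constructed for this example.

```python
"""
Minimal multi-source event correlation sketch, illustrating how a SIEM
builds context from log, detection and asset data. Added example; not
OSSIM code. Formats, field names and the scoring rule are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory (assumption): host -> role and asset value 1..5.
ASSETS = {
    "10.0.0.5": {"role": "db-server", "value": 5},
    "10.0.0.23": {"role": "workstation", "value": 2},
}

# Constructed, already-normalized events: ts|source|host|signature|reliability
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00|nids|10.0.0.5|port scan detected|5",
    "2024-01-01T10:02:30|hids|10.0.0.5|sshd: multiple failed logins|7",
    "2024-01-01T10:03:00|auth|10.0.0.5|root login success|9",
    "2024-01-01T11:00:00|nids|10.0.0.23|port scan detected|5",
]


@dataclass
class Event:
    ts: datetime
    source: str       # detector that produced the event, e.g. nids/hids/auth
    host: str         # asset the event concerns
    signature: str
    reliability: int  # 0..10, how trustworthy this detector's verdict is


def parse_events(lines):
    """Parse the pipe-delimited normalized event lines into Event objects."""
    events = []
    for line in lines:
        ts, source, host, signature, rel = line.strip().split("|")
        events.append(Event(datetime.fromisoformat(ts), source, host,
                            signature, int(rel)))
    return events


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Group events per host and raise one alarm per host when at least
    `min_sources` distinct detectors fire inside `window`. Single-source
    events are kept out of the alarm list (alarm filtering)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    alarms = []
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - anchor.ts <= window]
            sources = {e.source for e in cluster}
            if len(sources) < min_sources:
                continue
            asset = ASSETS.get(host, {"role": "unknown", "value": 1})
            reliability = max(e.reliability for e in cluster)
            # Assumed scoring: asset value (1..5) x best reliability (0..10),
            # scaled to a 0..10 risk figure.
            risk = round(asset["value"] * reliability / 5)
            alarms.append({
                "host": host,
                "role": asset["role"],
                "risk": risk,
                "sources": sorted(sources),
                "signatures": sorted({e.signature for e in cluster}),
            })
            break  # one alarm per host is enough for this sketch
    return alarms


if __name__ == "__main__":
    for alarm in correlate(parse_events(SAMPLE_EVENTS)):
        print(alarm)
```

Running the block yields one alarm for the database server (three detectors agree within five minutes, and the asset value pushes the risk up) and nothing for the workstation, whose lone scan event has no corroborating source.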

OSSIM performs these functions using other well-known [9] open-source software security components, unifying them under a single browser-based user interface. The interface provides graphical analysis tools for the information collected from the underlying open-source components (many of which are command-line-only tools that otherwise log only to a plain text file) and allows centralized management of their configuration options.

The software is distributed freely under the GNU General Public License. Unlike the individual components, which may be installed onto an existing system, OSSIM is distributed as an installable ISO image designed to be deployed to a physical or virtual host as the core operating system of that host. OSSIM is built on Debian as its underlying operating system. Because this core platform is open, security administrators can add and extend components and capabilities using standard packages and scripting as needed.

Components

OSSIM features the following software components:

Note: Suricata and Snort cannot be used at the same time. Snort is currently being phased out in favor of Suricata. [12]

Deprecated Components

Open Threat Exchange

AlienVault maintains a crowd-sourced service for IP reputation information, generated by, and available to, anyone with an active OSSIM installation. OTX uses tokenized information from participating OSSIM installations to identify Internet addresses engaged in malicious activities and shares that information back to those same OSSIM installations. It was launched in 2012. [14]

Related Research Articles

An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

Snort (software): Open-source intrusion prevention system

Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013.

Suricata (software): Open-source intrusion detection system

Suricata is an open-source based intrusion detection system (IDS) and intrusion prevention system (IPS). It was developed by the Open Information Security Foundation (OISF). A beta version was released in December 2009, with the first standard release following in July 2010.

A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates. HIDS focuses on more granular and internal attacks by monitoring host activities instead of overall network traffic. HIDS was the first type of intrusion detection software to be designed, with the original target system being the mainframe computer, where outside interaction was infrequent.

Sguil is a collection of free software components for Network Security Monitoring (NSM) and event driven analysis of IDS alerts. The sguil client is written in Tcl/Tk and can be run on any operating system that supports these. Sguil integrates alert data from Snort, session data from SANCP, and full content data from a second instance of Snort running in packet logger mode.

LAMP (software bundle): Acronym for a common web hosting solution

LAMP is an acronym denoting one of the most common software stacks for the web's most popular applications. Its generic software stack model has largely interchangeable components.

Prelude SIEM is a security information and event management (SIEM) system.

Sourcefire: American computer security company

Sourcefire, Inc was a technology company that developed network security hardware and software. The company's Firepower network security appliances were based on Snort, an open-source intrusion detection system (IDS). Sourcefire was acquired by Cisco for $2.7 billion in July 2013.

Computer security software or cybersecurity software is any computer program designed to influence information security. This is often taken in the context of defending computer systems or data, yet can incorporate programs designed specifically for subverting computer systems due to their significant overlap, and the adage that the best defense is a good offense.

Martin Roesch: American computer security developer and business leader

Martin Roesch founded Sourcefire in 2001 and was its Chief Technology Officer until the company was acquired by Cisco Systems on October 7, 2013 for $2.7B. Roesch is now CEO of Netography, which raised $45M in Series A funding in November 2021. A respected authority on intrusion prevention, detection technology, and forensics, he was responsible for the technical direction and product development efforts of Sourcefire and Cisco Security before he moved into board and VC roles with Decibel Partners. Roesch has industry experience in network security and embedded systems engineering. He is also the author and lead developer of the Snort Intrusion Prevention and Detection System, which formed the foundation for the Sourcefire firewall and IDS/IPS systems. Snort is still developed by Cisco Systems today and remains the most-used open source IDS technology.

LYME (software bundle)

LYME and LYCE are software stacks composed entirely of free and open-source software to build high-availability heavy duty dynamic web pages. The stacks are composed of:

Tiger is security software for Unix-like computer operating systems. It can be used both as a security audit tool and as a host-based intrusion detection system, and it supports multiple UNIX platforms. Tiger is free under the GPL license and, unlike other tools, requires only POSIX tools, being written entirely in shell language.

Icinga: Monitoring software

Icinga is an open-source computer system and network monitoring application. It was created as a fork of the Nagios system monitoring application in 2009.

Aanval is a commercial SIEM product designed specifically for use with Snort, Suricata, and Syslog data. Aanval has been in active development since 2003 and remains one of the longest running Snort capable SIEM products in the industry. Aanval is Dutch for "attack".

Homeland Open Security Technology (HOST) is a five-year, $10 million program by the Department of Homeland Security's Science and Technology Directorate to promote the creation and use of open security and open-source software in the United States government and military, especially in areas pertaining to computer security.

Used as part of computer security, IDMEF is a data format used to exchange information between software enabling intrusion detection, intrusion prevention, and security information collection and management systems that may need to interact with them. IDMEF messages are designed to be processed automatically. The details of the format are described in RFC 4765, which presents an implementation of the XML data model and the associated DTD. The requirements for this format are described in RFC 4766, and the recommended transport protocol (IDXP) is documented in RFC 4767.

Sagan is an open source (GNU/GPLv2) multi-threaded, high-performance, real-time log analysis and correlation engine developed by Quadrant Information Security that runs on Unix operating systems. It is written in C and uses a multi-threaded architecture to deliver high-performance log and event analysis. Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS engine, which makes Sagan compatible with Snort and Suricata rule management software and gives it the ability to correlate with Snort IDS/IPS data.

Silvio Cesare: Australian security researcher

Silvio Cesare is an Australian security researcher known for his articles in Phrack and talks at numerous security conferences, including Defcon and Black Hat Briefings. Silvio is also a former member of w00w00. His security research includes an IDS evasion bug in the widely deployed Snort software. Silvio holds a PhD in Computer Science from Deakin University and is the co-founder of the security conference BSides Canberra. He earned his Master of Informatics and Bachelor of Information Technology from CQUniversity Australia. He currently operates the Canberra-based training and consulting provider InfoSect.

Open Threat Exchange (OTX) is a crowd-sourced computer-security platform. It has more than 180,000 participants in 140 countries who share more than 19 million potential threats daily. It is free to use.

IPFire: Linux distribution

IPFire is a hardened open source Linux distribution that primarily serves as a router and firewall: a standalone firewall system with a web-based management console for configuration.

References

  1. "Dkarg / Profile".
  2. "Jcasal / Profile".
  3. "Alberto_r / Profile".
  4. "AT&T Cybersecurity Blog".
  5. "AT&T Cybersecurity is Born". 10 May 2023.
  6. http://sourceforge.net/projects/os-sim/files/deprecated__check_readme/
  7. "Patch release v4.2.3 - AlienVault Forums". Archived from the original on 2013-09-14. Retrieved 2013-06-26.
  8. https://www.ohloh.net/p/alienvault-ossim/analyses/latest/languages_summary
  9. "Home". sectools.org.
  10. AlienVault, "AlienVault OSSIM v4.0 Enhancement Summary", July 2012.
  11. David Josephsen (27 March 2013). Nagios: Building Enterprise-Grade Monitoring Infrastructures for Systems and Networks. Prentice Hall. ISBN 978-0-13-313568-8.
  12. AlienVault, "AlienVault v5.0.3 Patch Release", June 2, 2015.
  13. AlienVault, "AlienVault v5.0.3 Patch Release", June 2, 2015.
  14. "Open Threat Exchange (OTX) | AT&T Cybersecurity". 10 May 2023.