Hi!
I'm an IT engineering student at Politecnico di Milano. I'm studying IDS correlation for my thesis and I'm now working on OSSIM. I think it's a very interesting tool, although it has some problems:

1. lack of complete documentation
2. server (which implements correlation) C source code completely obscure: not a single comment in all the source code, nor a single doc about implementation. Agent and Framework are better commented (and they're in Python, Perl and PHP).
3. difficult installation (except for Debian or Fedora users); you have precompiled binaries, but building from source is a pain (you have to patch other tools as well) and badly documented.
4. not portable (server doesn't work well on *BSD)

Moreover, I think they should have used pure IDMEF, not a different implementation.

Anyway, if you can get it to work, it's really powerful IMHO. I think the correlation engine could be empowered (I'm working on that) because it's composed of a simple FSA implementation (you have to manually insert all possible event chains) and a very simple anomaly algorithm (CALM).

This is my impression, and I'd really like to know others' too.

I'd like to know if someone's tried to work on the server sources, and if he's got some documentation about this.
Regards
Giorgio Luciani
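To make concrete what an FSA-style correlation engine of the kind described in the post looks like (a hand-written chain of expected events, each with a count and a timeout, that raises an alarm when the chain completes), here is a small added example. It is not OSSIM's code and not Giorgio's; the directive format, the `Event`/`Step`/`Directive` names and the sample events are all constructed for illustration. It models one directive, "several SSH failures from one source followed by a success", and shows how a partial chain that exceeds its timeout is discarded rather than matched.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Event:
    """A normalised sensor event (assumed format, not OSSIM's)."""
    ts: float      # seconds since epoch
    src: str       # source address
    dst: str       # destination address
    kind: str      # event type, e.g. "ssh_failed", "ssh_success"


@dataclass
class Step:
    """One state of the chain: which event type advances it, how many
    occurrences are needed, and how long the engine waits for them."""
    kind: str
    timeout: float       # seconds allowed since the previous step fired
    min_count: int = 1


@dataclass
class Directive:
    name: str
    steps: List[Step]


@dataclass
class Instance:
    """A partially matched chain for one (directive, src, dst) triple."""
    state: int = 0
    count: int = 0
    last_ts: float = 0.0


@dataclass
class Alarm:
    directive: str
    src: str
    dst: str
    ts: float


def correlate(directives: List[Directive], events: List[Event]) -> List[Alarm]:
    """Run every directive as a finite-state machine over the event stream.

    Each instance is keyed by (directive name, src, dst). An event advances
    an instance only if it matches the kind expected by the current step and
    arrives within that step's timeout; otherwise a stale instance is dropped.
    An alarm is emitted when the final step is satisfied.
    """
    instances: Dict[Tuple[str, str, str], Instance] = {}
    alarms: List[Alarm] = []

    for ev in events:  # events are assumed to be in time order
        for d in directives:
            key = (d.name, ev.src, ev.dst)
            inst = instances.get(key)

            # Drop a chain whose current step has been waiting too long.
            if inst is not None and ev.ts - inst.last_ts > d.steps[inst.state].timeout:
                del instances[key]
                inst = None

            # Start a new chain only on the first step's event type.
            if inst is None:
                if ev.kind != d.steps[0].kind:
                    continue
                inst = Instance(last_ts=ev.ts)
                instances[key] = inst

            step = d.steps[inst.state]
            if ev.kind != step.kind:
                continue  # unrelated event; the chain keeps waiting

            inst.count += 1
            if inst.count >= step.min_count:
                inst.state += 1
                inst.count = 0
                inst.last_ts = ev.ts
                if inst.state == len(d.steps):
                    alarms.append(Alarm(d.name, ev.src, ev.dst, ev.ts))
                    del instances[key]
    return alarms


# Constructed directive: 3 SSH failures within 60 s, then a success within 120 s.
DIRECTIVES = [
    Directive("ssh_bruteforce_then_success", [
        Step("ssh_failed", timeout=60, min_count=3),
        Step("ssh_success", timeout=120),
    ])
]

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    Event(0.0,   "10.0.0.5", "10.0.0.20", "ssh_failed"),
    Event(10.0,  "10.0.0.5", "10.0.0.20", "ssh_failed"),
    Event(20.0,  "10.0.0.5", "10.0.0.20", "ssh_failed"),   # step 0 satisfied
    Event(50.0,  "10.0.0.5", "10.0.0.20", "ssh_success"),  # chain completes
    Event(0.0,   "10.0.0.9", "10.0.0.20", "ssh_failed"),
    Event(200.0, "10.0.0.9", "10.0.0.20", "ssh_failed"),   # too late: chain restarts
    Event(210.0, "10.0.0.9", "10.0.0.20", "ssh_success"),  # step 0 not satisfied
]

if __name__ == "__main__":
    for a in correlate(DIRECTIVES, SAMPLE_EVENTS):
        print(f"ALARM {a.directive}: {a.src} -> {a.dst} at t={a.ts}")
```

The point of the exercise is the one the post makes: every chain the engine can recognise has to be written down by hand as a sequence of steps, so coverage is limited to whatever directives the operator thought of. Anything that generalises beyond that (the "anomaly" side) has to come from a separate mechanism, which is what CALM plays the role of in OSSIM.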
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------