Last time I messed with OSSIM, I installed from the ISO image (didn't use the prebuilt VM) and Snort was set up, by default, to monitor on the single interface you configure during installation.
If this is the only interface you have, and you put it on a SPAN/MIRROR port, then you probably will lose communication because those ports aren't acting as a normal two-way/full duplex; they are merely dumping all the data down the wire to the OSSIM box. It's best to configure another interface for management via the web, etc., and another interface set up on a span/mirror port for Snort and other services. You'll have to dig around in the Snort and OSSIM config files to get it all right, though.

From: Joe Heaton [mailto:[email protected]]
Sent: Monday, January 05, 2009 9:13 AM
To: NT System Admin Issues
Subject: RE: Question about OSSIM

That's what I was thinking, but when I plugged it into the monitor port on my HP 4108 chassis, I lost all connectivity to it.

Joe Heaton
Employment Training Panel

From: Benjamin Zachary - Lists [mailto:[email protected]]
Sent: Friday, January 02, 2009 6:53 PM
To: NT System Admin Issues
Subject: RE: Question about OSSIM

I looked at ossim a couple of times but never set it up; however, any app that monitors the edge, like ntop for example, always required a hub or a mirrored port.

From: Joe Heaton [mailto:[email protected]]
Sent: Friday, January 02, 2009 14:24
To: NT System Admin Issues
Subject: Question about OSSIM

The box that has OSSIM installed on it, should it be plugged in to a switch port that is monitoring all other network ports? i.e. a mirrored port?

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA 95814
(916) 327-5276
[email protected]
