Hi, my problem with OSSIM or USM always was that AlienVault only provides a Debian-based image. However, a lot of companies use Red Hat based distros, whether it's RHEL or CentOS. Of course you could argue that it's still a Linux distro, but it doesn't really match with most corporate strategies if you have a lot of RHEL-based servers and then one single Debian appliance, or vice versa.

It would also be nice if you could deploy the open-source community version (OSSIM) on physical servers and not just for VMs... just my 2 cents.

On Tuesday, 11 August 2015 21:54:10 UTC+2, Daniil Svetlov wrote:
>
> Hi, Jaime!
>
> I don't mean especially OSSIM.
> I tried OSSIM and Prelude (Prewikka).
> OSSIM can work only with a single user, and only with a limited number of OSSEC agents.
> The community version of Prewikka uses some kind of de-optimized SQL queries, so the MySQL server can't answer quickly. It also has very poor visualizations. And it seems that the new owners of Prelude removed some functions from the community version.
>
> Tue, 11 Aug 2015 at 22:35, Jaime Blasco <[email protected]>:
>
>> If you are talking about OSSIM, it doesn't contain any limits and it is based on top of open source and free software as well. There are more than 10k installations worldwide and it is maintained by a company, and the core technology is used in a commercial product as well. It also gives you many more capabilities (NetFlow, IDS, vulnerability scanning, correlation, asset discovery, IOC matching, etc.).
>>
>> Happy to answer any questions about OSSIM.
>>
>> Regards
>>
>> On Tue, Aug 11, 2015 at 12:09 PM, Daniil Svetlov <[email protected]> wrote:
>>
>>> Jason, LightSIEM maintains one database for all events. It's not important what sources it comes from. OSSEC and Snort logs go through a normalization process, where they are parsed into special fields and alert levels are reduced to a common scale.
>>>
>>> Answering your question: you need only one server of LightSIEM for building a SIEM.
>>>
>>> Also note that, unlike other "freeware" SIEMs, LightSIEM doesn't contain any limits and is built on top of open source and free software.
>>>
>>> Mon, 10 Aug 2015 at 17:42, Grant Leonard <[email protected]>:
>>>
>>>> A SIEM platform of any kind is a correlation tool for comparing and contrasting logs from disparate device types.
>>>>
>>>> As you have seen, 3 different folks provided 3 different answers, and that will likely be true when talking with any professionals.
>>>>
>>>> For 200 devices, you will need a decent size server. OSSIM (and ultimately AlienVault) have the OSSEC server running on their main server and remote sensor devices, allowing you to manually deploy OSSEC agents and control OSSEC agent configurations from a GUI as well as the command line.
>>>>
>>>> If you are only managing 200 servers and no other log feeds, OSSIM might be a good place to start, as you will get some pre-canned ideas for writing subsequent rules/directives/escalations.
>>>>
>>>> If, however, you choose to add additional feeds, you might keep the 200+ agents reporting to a remote sensor and use the server for just correlation/presentation. Your options are wide open, give it a try!
>>>>
>>>> https://www.alienvault.com/products/ossim
>>>>
>>>> Grant Leonard
>>>> Castra Consulting, LLC <http://castraconsulting.com/#/>
>>>> 919-949-4002
>>>>
>>>> On Sun, Aug 9, 2015 at 10:46 AM, 'Jason Long' via ossec-list <[email protected]> wrote:
>>>>
>>>>> Thank you.
>>>>> Grant, can you give me more information? I want to implement a SIEM for a Windows network with 200 clients. Which requirements are needed?
>>>>>
>>>>> On Saturday, August 8, 2015 8:58 PM, Grant Leonard <[email protected]> wrote:
>>>>>
>>>>> Try AlienVault or OSSIM, they both make good use of OSSEC and add additional tools you will need for detecting the spread of malware.
>>>>>
>>>>> On Friday, August 7, 2015 at 6:40:54 AM UTC-4, Jason Long wrote:
>>>>>
>>>>> Hello Experts.
>>>>> How can I launch a SIEM for my local network and find the spread point of malware in my local network?
>>>>> Any idea? Please let me know which tools are needed.
>>>>>
>>>>> Thank you.
>>>
>>> --
>>> Best regards, Daniil Svetlov.
>>
>> --
>> _______________________________
>>
>> Jaime Blasco
>>
>> Vice President and Chief Scientist
>>
>> www.alienvault.com
>> https://www.alienvault.com/open-threat-exchange
>> Email: [email protected]
>>
>> http://twitter.com/jaimeblascob
>
> --
> Best regards, Daniil Svetlov.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
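As an added illustration of the normalization step Daniil describes in the thread (OSSEC and Snort alerts parsed into common fields, with alert levels reduced to one scale) and of the cross-source counting that helps with Jason's "where did it spread from" question, here is example Python. It is not LightSIEM's, OSSIM's or OSSEC's code: the alert blocks are constructed samples in the OSSEC alerts.log and Snort "fast" formats, and the 0..10 shared severity scale, the Snort priority mapping table and the `NormalizedEvent` schema are assumptions made for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Constructed sample input (not real alerts) ---------------------------------
# OSSEC alerts.log entry: header, origin line, rule line, optional "Src IP"/"User"
# lines, then the raw log line that triggered the rule.
SAMPLE_OSSEC_ALERT = """** Alert 1439221320.12345: - syslog,sshd,authentication_failed,
2015 Aug 10 17:42:00 (webserver01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Aug 10 17:42:00 webserver01 sshd[1234]: Failed password for root from 203.0.113.7 port 4444 ssh2
"""

# Snort "fast" alert lines (Priority 1 = most severe, 4 = least).
SAMPLE_SNORT_ALERTS = [
    "08/10-17:43:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 203.0.113.7:4444",
    "08/10-17:45:09.000001  [**] [1:1000001:1] LOCAL SMB probe from untrusted host "
    "[**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.7:55000 -> 10.0.0.9:445",
]

# --- Shared severity scale (assumption for this example) -------------------------
COMMON_MAX = 10

def ossec_level_to_common(level: int) -> int:
    """OSSEC rule levels run 0..15; rescale linearly onto the shared 0..10 scale."""
    return round(max(0, min(level, 15)) * COMMON_MAX / 15)

# Snort priorities are small integers with 1 = most severe; unknown values map low.
SNORT_PRIORITY_TO_COMMON = {1: 9, 2: 6, 3: 3, 4: 1}

def snort_priority_to_common(priority: int) -> int:
    return SNORT_PRIORITY_TO_COMMON.get(priority, 1)

@dataclass
class NormalizedEvent:
    source: str            # "ossec" or "snort"
    timestamp: str         # kept exactly as the sensor wrote it
    host: Optional[str]    # reporting agent/host (OSSEC only)
    src_ip: Optional[str]
    dst_ip: Optional[str]
    rule_id: str
    message: str
    severity: int          # shared 0..10 scale

# Origin line: "YYYY Mon DD HH:MM:SS (agent) agent_ip->location" or "... host->location".
_OSSEC_ORIGIN = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+?)|(?P<local>\S+?))->"
)
_OSSEC_RULE = re.compile(r"^Rule: (?P<rid>\d+) \(level (?P<level>\d+)\) -> '(?P<msg>.*)'$")

def parse_ossec_alert(block: str) -> NormalizedEvent:
    lines = [ln for ln in block.splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("** Alert"):
        raise ValueError("not an OSSEC alert block")
    origin, rule = _OSSEC_ORIGIN.match(lines[1]), _OSSEC_RULE.match(lines[2])
    if origin is None or rule is None:
        raise ValueError("unrecognised OSSEC alert layout")
    fields: Dict[str, str] = {}
    for ln in lines[3:]:
        if ln.startswith("Src IP: "):
            fields["src"] = ln.split(": ", 1)[1].strip()
        elif ln.startswith("Dst IP: "):
            fields["dst"] = ln.split(": ", 1)[1].strip()
    return NormalizedEvent(
        source="ossec",
        timestamp=origin.group("ts"),
        host=origin.group("agent") or origin.group("local"),
        src_ip=fields.get("src"),
        # Without an explicit Dst IP, the agent that reported the alert is the target.
        dst_ip=fields.get("dst") or origin.group("agent_ip"),
        rule_id=rule.group("rid"),
        message=rule.group("msg"),
        severity=ossec_level_to_common(int(rule.group("level"))),
    )

# Fast format; ports are optional (ICMP has none). IPv6 addresses are not handled here.
_SNORT_FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^\s:]+)(?::\d+)? -> (?P<dst>[^\s:]+)(?::\d+)?$"
)

def parse_snort_fast(line: str) -> NormalizedEvent:
    m = _SNORT_FAST.match(line.strip())
    if m is None:
        raise ValueError("not a Snort fast-format alert line")
    return NormalizedEvent("snort", m.group("ts"), None, m.group("src"), m.group("dst"),
                           m.group("sid"), m.group("msg"),
                           snort_priority_to_common(int(m.group("prio"))))

def normalize_all(ossec_blocks: List[str], snort_lines: List[str]) -> List[NormalizedEvent]:
    """One event stream regardless of which sensor produced the alert."""
    return [parse_ossec_alert(b) for b in ossec_blocks] + [parse_snort_fast(l) for l in snort_lines]

def addresses_by_event_count(events: List[NormalizedEvent]) -> Dict[str, int]:
    """Count how often each address appears (as source or destination) across both
    sensors; an address that keeps recurring is the first place to look."""
    counts: Counter = Counter()
    for ev in events:
        for ip in {ev.src_ip, ev.dst_ip}:   # a set, so one event counts an IP once
            if ip:
                counts[ip] += 1
    return dict(counts.most_common())

if __name__ == "__main__":
    events = normalize_all([SAMPLE_OSSEC_ALERT], SAMPLE_SNORT_ALERTS)
    for ev in sorted(events, key=lambda e: e.severity, reverse=True):
        print(f"[{ev.severity:2d}] {ev.source:5s} {ev.rule_id:12s} {ev.src_ip} -> {ev.dst_ip}  {ev.message}")
    print(addresses_by_event_count(events))
```

The point of the common `severity` field is that a rule level from one sensor and a priority from the other can be sorted, thresholded and correlated together; the per-sensor parsers are the only place that knows the original format, which is what makes a single database for all events workable.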
