Hello tuutdo,

We used OSSEC with OSSIM.

My experience with OSSIM is you can't save queries and create elaborate 
dashboards like you can with Metron. Metron also seems to have a better path 
for integrating your own sensors.


OSSEC integration with Metron is on our wish list.


-Ahmed
_______________________________________________________________
Ahmed Shah (PMP, M. Eng.)
Cybersecurity Analyst & Developer
GCR - Cybersecurity Operations Center
Carleton University - cugcr.com (https://cugcr.com/tiki/lce/index.php)


________________________________
From: [email protected] <[email protected]>
Sent: December 21, 2017 8:15 AM
To: [email protected]
Subject: Re: metron vs ossec

@Haruo, we haven't tightly integrated them yet, but have plans to do so in Q1.  
We have been running OSSEC for a very long time and are in the middle of an 
upgrade/cleanup project that we want to complete before feeding the data into 
Metron (v2.9.0 now supports JSON alerts).  Interested to hear more about your 
service, feel free to contact me off list if needed.

I agree with Simon's opinion on OSSIM vs Metron.

Jon

On Thu, Dec 21, 2017 at 7:48 AM Simon Elliston Ball 
<[email protected]> wrote:
In many ways it’s a matter of scale. OSSIM is a kind of lite version of 
AlienVault, and used by them. I’ve seen people move from an OSSIM architecture 
to Metron specifically to get better scaling, things like PCAP capabilities 
etc. but also retain the OSSEC agents to handle endpoint and scanning use 
cases, which they then feed into Metron. In these cases it was mostly about 
scalability and flexibility to extend, as well as manageability of multi-tenant 
environments.

In functional terms, Metron also emphasises behaviour profiling and machine 
learning, whereas OSSIM is a more traditional rules-centric way of looking at 
security and log monitoring.

Hope that helps you understand the difference a little better,
Simon


On 21 Dec 2017, at 12:22, moshe jarusalem 
<[email protected]> wrote:

Jon thanks for the information.

I am indeed trying to learn both of them just wanted to get expert ideas.

OSSEC is also supported by OSSIM, which is somewhat like Metron. I would like 
to hear ideas which may make Metron a better alternative and/or composite usage.

Regards,


On Thu, Dec 21, 2017 at 2:39 PM, [email protected] 
<[email protected]> wrote:

Yes, I run both in my environment and they are both security products, but 
that's about where the similarities end.  OSSEC is a host-based solution that 
monitors local activity with its tree-based rules engine; Metron is a 
distributed solution that handles large sets of data from many sources and a 
lot more.  A possible connection between the two may be that OSSEC logs/alerts 
could be fed into Metron for enrichment, triage, alerting, and analysis.

I would recommend either reading the documentation for both of them in more 
detail, or spinning them both up to get a better handle on the differences.

Jon
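Both Jon's messages above describe the same hand-off: OSSEC (JSON alerts since v2.9.0) feeding Metron for enrichment and triage. The following is an added example, not code from this thread or from either project, showing the normalisation step that sits between them: flattening one OSSEC JSON alert into the flat, epoch-millisecond-timestamped message shape a Metron parser emits. The OSSEC field names (rule.level, rule.comment, TimeStamp, srcip, full_log) and the sample alert are assumptions/constructed; check them against your own alerts.json.

```python
import json
from datetime import datetime

# Constructed sample line from an OSSEC alerts.json (field names assumed).
SAMPLE_OSSEC_ALERT = json.dumps({
    "rule": {"level": 10, "comment": "Multiple authentication failures.",
             "sidid": 5712, "group": "syslog,sshd,authentication_failures"},
    "id": "1513858503.12345",
    "TimeStamp": 1513858503,
    "location": "(web01) 10.0.0.5->/var/log/auth.log",
    "hostname": "web01",
    "srcip": "203.0.113.7",
    "full_log": "Dec 21 08:15:03 web01 sshd[2201]: Failed password for "
                "invalid user admin from 203.0.113.7 port 52144 ssh2",
})


def flatten(obj, prefix="", out=None):
    """Flatten nested dicts into dotted keys: rule.level, rule.comment, ..."""
    out = {} if out is None else out
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flatten(value, f"{name}.", out)
        else:
            out[name] = value
    return out


def ossec_to_metron(line, source_type="ossec"):
    """Turn one OSSEC JSON alert line into a flat Metron-style message.

    Metron parsers are expected to emit `timestamp` (epoch ms),
    `original_string` and `source.type`; `ip_src_addr` is the
    conventional field enrichments (threat intel, geo) key on.
    """
    alert = json.loads(line)
    msg = flatten(alert)
    ts = alert.get("TimeStamp")
    if isinstance(ts, (int, float)):           # epoch seconds
        msg["timestamp"] = int(ts * 1000)
    elif isinstance(ts, str):                  # ISO-8601 fallback
        msg["timestamp"] = int(datetime.fromisoformat(ts).timestamp() * 1000)
    else:
        raise ValueError("OSSEC alert has no usable TimeStamp")
    msg["original_string"] = alert.get("full_log", line)
    msg["source.type"] = source_type
    if "srcip" in alert:
        msg["ip_src_addr"] = alert["srcip"]
    return msg


if __name__ == "__main__":
    print(json.dumps(ossec_to_metron(SAMPLE_OSSEC_ALERT), indent=2))
```

Triage rules in Metron can then key on the flattened `rule.level` and `rule.group` fields without any knowledge of OSSEC's nested layout.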

On Thu, Dec 21, 2017, 00:34 moshe jarusalem 
<[email protected]> wrote:
Hi All,
I have come across the OSSEC project and find it similar to Metron. I am a 
bit confused.
Is anyone aware of OSSEC and able to give some comparisons?

Regards,
--

Jon
