![]() |
![]() |
![]() |
Tutorial 7: Feature highlight / pre-tutorial on Risk Maps Wed, 15 Oct 2008 IntroductionToday I would to share something interesting we're working on: Risk/Availability/Vulnerability indicator Maps.
The purpose was to fit the most important information that can be gained from ossim all over it's interface, into a simple to use, simple to manage and simple to analyze interface. ::read more
posted at: 14:26 | path: /ossim/tutorials | permanent link to this entry | 1 comments | Tutorial 6: Plugin writing primer Tue, 11 Mar 2008
A couple of days ago I was fixing the fortinet/fortigate with the kind help of a Swiss OSSIM user (thanks Mikael ;-) ) and I wrote this little piece of python in order to help me out with it. Now I'm using it a lot to debug plugins so I guess more people could benefit from this also :-)
::read more
posted at: 11:38 | path: /ossim/tutorials | permanent link to this entry | 2 comments | Tutorial 5: Windows event logging Wed, 19 Dec 2007 The windows event log
As an introduction to windows event logging I recommend reading the following article: Monitoring and Troubleshooting Using Event Logs. It's the first interesting one I've found after googling for an introduction. This article reviews best practices for working with Windows event logs including how to interpret event messages, how to configure event logs, how to search and filter events, how to view events on remote systems, and how to use EventCombMT.exe and other tools to monitor events on multiple systems. ::read more
posted at: 15:54 | path: /ossim/tutorials | permanent link to this entry | 11 comments | Tutorial 4: Correlation engine primer Mon, 10 Dec 2007 Introduction
In order to answer to a recent forum post I had to do a quick research since it had been some time since I last tested this. Hello, Is there a document talking about how the directives are processed? One question that I have is if you have multiple directives created and an event comes in that matches the initial states of more than a single directive will both actually process the event, or only the first match (which I think is the case)? Thanks for any clarification you can provide. Stephen This post gives a bit of insight to how the correlation engine works and features some simple, custom made directives that help me answer that question. The test environment features two events belonging to the ssh plugin (plugin_id 4003):
::read more
posted at: 12:47 | path: /ossim/tutorials | permanent link to this entry | 3 comments | Tutorial 3: First recommended steps after installation Fri, 07 Dec 2007
This tutorial tries to show the first common steps you could perform if you're new to ossim and just finished installation, without knowing what to do next.
::read more
posted at: 16:53 | path: /ossim/tutorials | permanent link to this entry | 4 comments | Tutorial 2: Syslog data mining with attached md5sum. AKA "Store 100% of data". Thu, 06 Dec 2007
1. The need. The Hype.There's obviously a need for storing vast amount of logs, and few things today aren't able to log into syslog. So it's just obvious to stumble upon that request every once in a while, and this tutorial illustrates the OSSIM approach at massive syslog data storage. Of course, where you say syslog you can say windows event log, snmp data, whatever generates a big amount of raw data.ComplianceI don't know much yet about all of this compliance stuff (I were lucky, Julio always has been much more knowledgeable on that area than me so I could skip it) but I guess I'll have to start learning, there are just too many people asking for it and I'm getting very curious.From what I've seen, a short list of regulations requiring, or at least strongly recommending a certain amount of raw data storage and reports are:
Centralized loggingMaybe the need is pure sysadmin's lazyness. You want to be able to answer to questions you get asked by your management / customers in the easiest possible way.I heard this from a guy a couple of days ago: the more information about your network you've got, the more answers you can give, and that's exactly what SIM/SEM systems are good at. Data miningThis is a bit redundant with the previous entry, but there are people that just don't care about exact data, but they're in desperate need of colorful graphs in order to be able to keep their bosses calm. Well, having logs from everything in your network allows for easy colorful report generation with little knowledge of the underlying data. The worthyness of those reports in the end will be highly questionable of course.::read more
posted at: 20:10 | path: /ossim/tutorials | permanent link to this entry | 11 comments | Tutorial 1: Host Inventory using OSSIM Sun, 25 Nov 2007 This post will be the first of a series of tutorials describing how to accompliush certain useful things using OSSIM. A friendly IT teacher from Oklahoma suggested that it would be a good idea, and I have to agree. And on top, it's relaxing :-). So here we go, this first installment will focus on deploying OCS Inventory on a couple of hosts, getting them to log to the central ossim server and see how it shows up in our interface. This will demonstrate the powerful cross-platform inventory capabilities built into ossim thanks to the new OCS integration. The test environment consists of 6 devices:
::read more
posted at: 11:26 | path: /ossim/tutorials | permanent link to this entry | 9 comments | |
Categories
/ (36)
Archives
2008-Oct Tags | |||||||||||||||||||||||||||||||||||||||||||||||||
![]() |
![]() |




