New to OSSIM ? Read on

OSSIM stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, grant network/security administrators with a detailed view over each and every aspect of his or her networks, hosts, physical access devices, server, etc.

Besides getting the most out of well known open source tools, some of which are briefly described below, OSSIM provides a strong correlation engine, detailed low, medium and high level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.

All of this information can be restricted by network or sensor in order to provide only the required information to specific users; allowing for a fine grained multi–user security environment. Finally, the ability to perform as an IPS (Intrusion Prevention System), using correlated information from virtually any source, will be a useful addition to any security professional’s arsenal.

Components

OSSIM features the following software components:

Arpwatch – used for MAC anomaly detection.
P0f – used for passive OS detection and OS change analysis.
Pads – used for service anomaly detection.
Nessus – used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
Snort – the IDS, also used for cross correlation with nessus.
Tcptrack – used for session data information which can prove useful for attack correlation.
Ntop – which builds an impressive network information database from which we can identify aberrant behavior/anomaly detection.
Nagios – fed from the host asset database, it monitors host and service availability information.
Osiris – a great HIDS.
OCS-NG – cross-platform inventory solution.
OSSEC – integrity, rootkit, registry detection, and more.

To this we add a bunch of self developed tools, the most important being a generic correlation engine with logical directive support. Finally we take any other device you might have on your network which could contain useful data which, when fed to the system, could allow for a better undestanding of what's going on on your network.

Profiles

Usually a typical ossim deployment consists of:

A database host.
A server which hosts the correlation, qualification and risk assessment engine.
N agent hosts which do information collection tasks from a number of devices. For a list of plugins please refer to: http://www.alienvault.com/community.php?section=Plugins
A control daemon which does some maintenance work and ties some parts together. It's called frameworkd.
The frontend is web based, unifying all the gathered information and providing the ability to control each of the components.

What to do next ?

Have a look at the screenshots. They're a good reference on what OSSIM looks like.
Check our news section so you can see what's going on lately with OSSIM.
For a more detailed description you might want to check the whatis page.
Get additional in-depth documentation from the documents section.
Have a look at the provided VMWare image and try it out by yourself !
Download the OSSIM Installer and get your own ossim running in under 10 minutes.