Artikel-Schlagworte: „Open Source“
Today I discovered the site of alienvault. Alienvault is a Vendor for Security Information and Event Management (SIEM) Software. alienvault ist the creator if the leading Open Source Security Management tool – OSSIM.
After looking around on their site, I’m quite sure, that I – at least – want to try this thing out.
A few informations about OSSIM in advance, taken from their homepage:
AlienVault Open Source SIEM (OSSIM) is a complete Security Management solution that detects and profiles attacks, and provides a comprehensive, intelligent Security Management platform and toolset.
The entire solution is composed of open source distributions including all seamlessly integrated tools, and the security management platform. The OSSIM project was created and is currently coordinated by the founders of AlienVault.
The OSSIM platform consists of a Management Server, and Sensor or “Probe”. A professional version that includes Logger functionality is also available (please see below). The solution may be implemented as a single monolithic appliance or a set of appliances in which probes are separated from the management server, and distributed throughout the enterprise.
Probes capture network and system information in real time, and send it to the central Management Server where the data is analyzed to assess immediate threats and risk, filter out false positives, and locate false negatives that other security devices and software on the network cannot detect.
Probes not only capture data, but can be tasked as sophisticated attack detection components. They come with several attack detection systems, audit systems, and context learning systems (network profiles, inventory, availability), all of which are seamlessly integrated. When deployed in this fashion probes provide a very quick and safe way of continuously and transparently monitoring local and remote networks, providing provide full visibility of all security related aspects of the enterprise.
The information from the organization’s security systems, such as the firewall, antivirus, IPS, HIDS, etc, are all collected through these probes, and then analyzed through sophisticated intelligence technology. This technology correlates data from many sources to detect blended threats otherwise undetectable by individual systems; prioritize these threats; and make automated decisions with regard to the risk implied in each one.
OSSIM provides a complete management, reporting, and security analysis environment including graphical analysis, incident management workflow, and other tools. This system is capable of monitoring the security of globally distributed networks from a customizable, management console. High level, graphical dashboards are used to progressively drill down to the lowest level of detail.
Of course, there is a commercial version as well, the differences between the Open Source and the Commercial version are as follows:
Logger
The Logger allows for storage of large volumes of data while ensuring its admissibility as evidence in a court of law. The Logger provides an additional database specifically geared for massive, long-term forensic archiving. The Logger collects data in its native format, digitally signs and time-stamps the data, and securely stores it preserving data integrity; whereas the SIEM database is designed for the rapid and versatile analysis required for attack detection and response.
Scalability
AlienVault Professional SIEM allows for both horizontal and vertical load distribution. Horizontal distribution of security information is useful for high performance and high availability configurations. This architectural flexibility also enables highly customizable and scalable management scenarios.
For example, groups of management servers may be organized to create multiple hierarchies of management servers. This sort of architecture facilitates monitoring of large, distributed networks and makes it possible to create various levels of correlation and storage. Each of these hierarchies can then be rolled up into a global view that serves as a central console from which activity on any part of the network can be seen at any time down to the smallest detail.
Performance
AlienVault Professional SIEM is capable of handling very large volumes of data. The engineering team at AlienVault has structured system architecture with multiple optimization and load distribution layers so that the AlienVault Professional SIEM now offers 30 times the performance of OSSIM for any traffic type.
Accountability & Reliability
AlienVault Professional SIEM provides for greater accountability than OSSIM for those organizations that require commercial open source licensing. The commercial license, backed by AlienVault, is accompanied by a comprehensive commercial support and version maintenance offering at extremely competitive rates.
Both OSSIM and AlienVault Professional SIEM are thoroughly tested by AlienVault and the extensive OSSIM community. However, just as with all free open source products, new OSSIM versions that are not entirely stable may at times be released for testing purposes whereas only the most exhaustively tested versions of AlienVault Professional SIEM, which have been vetted for reliability and stability are released to market.
I wil try this thing out and tell you my opinion …….
Wie mir ein Vögelchen zugetragen hat, kommt morgen die DimDim Version 4.5 Open Source raus. Ich freu mich drauf, denn nachdem die Opensource Variante meist die Features der kommerziellen Version enthielt, dürfte dann auch ein Recording der Webinars und vieles mehr möglich sein. Ich kanns kaum erwarten … 
Hier gibts im übrigen DimDim
Rumours told me, that the Open Source Version of DimDim 4.5 will be released tommorrow. Glad to hear that, because the open source version all the time contained the features of the commercial version, it should be possible to record your webinars then. Can’t await the release ….
Here you can get DimDim
During a project, we came across the problem to proxy the services of a Citrix Secure Gateway for security purposes. No deal I thought, because of the TCP over HTTP tunneling thing I had back in my mind. We’ve tried proxyiing via Squid, as well as Apache and stunnel to no avail. The problem is in the nature of how the SSL Connection is beiing used, and that it’s not a real HTTP connection at all. With the proxying enabled, the session terminates at the proxy system. The secure gateway itself thinks about this like it is a kind of “man-in-the-middle” attack., and denies the connection with an misleading SSL Error 4.
I can understand, that this kind of protection is useful in many ways, but with the usage of http proxy servers and restricted firewall policies it’s more a problem than a feature. You have to either pinpoint you’re firewall with DNATs and the like, or use a commercial feature like the Citrix Secure Gateway Proxy to get rid of the problem.
The final solution to this was, to use socat a multipurpose Relay. From the about page of socat:
socat is a relay for bidirectional data transfer between two independent data
channels. Each of these data channels may be a file, pipe, device (serial line
etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an
SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU
line editor (readline), a program, or a combination of two of these.
These modes include generation of "listening" sockets, named pipes, and pseudo
terminals.
So, whenever you’re facing a problem like this, were regular reverse proxy solutions won’t work, give socat a try, for me it saved my day.
You can get socat at http://www.dest-unreach.org/socat/
- Advisories (2)
- Apache (7)
- Arbeit (21)
- BSD (1)
- Design (5)
- Deutsch (3)
- Internet (6)
- Social Networks (1)
- Internetanbieter (3)
- Linux (14)
- Fedora (6)
- Fedora Core (2)
- Gentoo (1)
- Netzwerk (9)
- PHP (8)
- Privat (5)
- Programmierung (8)
- Software (5)
- Open Source (4)
- Sonstiges (2)
- TCP/IP (7)
- Technologie (28)
- Tipps (13)
- Uncategorized (22)
- Virtualisierung (2)
- Windows (3)
