wazuh and/or OSSIM?


Barry Kaplan

Feb 18, 2016, 8:19:31 PM
to Wazuh mailing list
(context: I currently do not use OSSIM, and am just getting wazuh/OSSEC installed.)

Would wazuh with ELK be a replacement for OSSIM, or would it make sense to also route wazuh/ossec output to OSSIM? 

Santiago Bassett

Feb 19, 2016, 1:16:44 PM
to Barry Kaplan, Wazuh mailing list
Hi Barry,

Those are different technologies, so it depends on your needs whether to use one or the other. I also know of cases where people are using both. Here is a brief explanation:

The Wazuh OSSEC fork is a HIDS technology that can be used to monitor security policies and file integrity, detect rootkits, and centralize and analyze log data (using OSSEC rules). We have:

- Developed new features to improve OSSEC detection capabilities (e.g. Ruleset).
- Improved compliance monitoring (especially for PCI DSS, enriching rules).
- Expanded OSSEC output for better integration with log management systems (Splunk, Elasticsearch) or SIEM technologies (AlienVault, Arcsight, Nitro...).
- Developed an API that makes it easy to monitor your OSSEC deployment (through RESTful queries).

We have also documented the process of integrating our fork with the ELK Stack (as it is also Open Source), so they can be used together as a HIDS and Log Management solution. In the same way, you could use our OSSEC fork with Splunk. Right now we are both creating a Kibana app and modifying the existing Splunk app, to make use of our API capabilities and be able to build monitoring dashboards.

OSSIM is a Unified Security Management platform that puts together a wide variety of technologies, including HIDS (OSSEC), NIDS (Suricata), a vulnerability scanner (OpenVAS), service monitoring tools (Nagios) and a Netflow collector (Nfdump tools). It also implements several capabilities to assess alert risk via correlation and integration with threat intelligence feeds. OSSIM does not include our OSSEC fork at this point, but can still be fed with alerts coming from it (receiving them via Syslog). So you can use OSSIM and our OSSEC fork together.

I hope that helps,

Santiago.


Barry Kaplan

Feb 20, 2016, 11:32:34 AM
to Wazuh mailing list, mem...@gmail.com
Thanks Santiago,

I asked this mainly to see where you were going with this. I tried to install AlienVault USM for AWS last week but it failed to start most of the services. Since it's a commercial product I was also evaluating their support, so I am waiting for help from them. But we are also looking at Alert Logic, Qualys, Nessus, and the other big players. (Any guidance here would be much appreciated.)

I am very much not happy about the manual agent install promoted by alienvault. Our infrastructure is way too dynamic for that. Hence, I spent today ansible'izing around ossec. I studied all the existing projects and learned from them. 

I now have working ansible playbooks/roles to
- install wazuh ossec server and api idempotently (a bit painful to get right)
- register both with consul as services
- install agents and auto register idempotently (also a bit painful to get right)

using our existing elk cluster
- collect the alert.log and route it via rabbit to the elk nodes
- extended the existing elk playbook to add the ossec template and define a new output to es
- adding the kibana dashboards is still manual, thinking of using something like elasticdump to automate that

into our aws staging environment
- fired up an instance to run the ossec server (along with all the supporting stuff like consul, logstash, datadog, etc).
- extended the provisioning playbooks to define security groups and modify acls

So far it's quite nice. I have not yet dug into any real ossec configuration, but am already starting to get actionable alerts.

Once I have deployed this to production and proved its robustness I will be happy to donate back to wazuh or publish a git project.

When I get back to usm, I will try to route wazuh alerts to it.

cheers and thanks again!
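Santiago's syslog route into OSSIM and Barry's alerts.log-to-ELK route both start from the same records on the OSSEC server. As an added example (not Wazuh project code and not Barry's playbooks), here is a small Python parser for the classic OSSEC alerts.log layout that turns each record into a flat JSON document of the kind shipped to Elasticsearch, and into an RFC 3164 syslog line of the kind a SIEM such as OSSIM receives. The two sample records are constructed; the syslog facility (local0) and the level-to-severity mapping are this example's own choices. In a real deployment the syslog leg is handled natively by the <syslog_output> block in ossec.conf (ossec-csyslogd), and the JSON leg by the Logstash/Elasticsearch integration Wazuh documents; the block below only makes the record structure visible.

```python
"""Parse OSSEC/Wazuh alerts.log records (added example, not Wazuh code)."""
import json
import re
from datetime import datetime, timezone

# Constructed sample in the classic OSSEC alerts.log layout: one SSH
# authentication alert from an agent and one syscheck alert from the server.
SAMPLE_ALERTS_LOG = """\
** Alert 1455855571.12345: mail - syslog,sshd,authentication_failed,
2016 Feb 18 20:19:31 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Feb 18 20:19:30 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 4455 ssh2

** Alert 1455855640.12900: - ossec,syscheck,
2016 Feb 18 20:20:40 ossec-server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+): (?P<mail>mail )?- (?P<groups>.*)$")
# Either "(agent) ip->location" for an agent, or "hostname->location" for the server itself.
LOCATION_RE = re.compile(
    r"^(?P<when>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<host>\S+))->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FIELD_RE = re.compile(r"^(Src IP|Dst IP|User): (.*)$")
FIELD_NAMES = {"Src IP": "srcip", "Dst IP": "dstip", "User": "user"}


def parse_alerts(text):
    """Return one flat dict per record; records are separated by blank lines."""
    alerts = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        header = HEADER_RE.match(lines[0])
        loc = LOCATION_RE.match(lines[1])
        rule = RULE_RE.match(lines[2])
        if not (header and loc and rule):
            raise ValueError("unrecognised alert record:\n" + chunk)
        epoch = int(header["epoch"])
        alert = {
            "id": f"{epoch}.{header['seq']}",
            "timestamp_epoch": epoch,
            "@timestamp": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
            "mail": header["mail"] is not None,
            "groups": [g for g in header["groups"].split(",") if g],
            "agent_name": loc["agent"] or loc["host"],
            "agent_ip": loc["agent_ip"],          # None for server-local alerts
            "location": loc["location"],
            "rule_id": int(rule["rule"]),
            "level": int(rule["level"]),
            "description": rule["desc"],
        }
        body = []
        for line in lines[3:]:
            m = FIELD_RE.match(line)
            if m and not body:                    # decoder fields precede the raw event
                alert[FIELD_NAMES[m.group(1)]] = m.group(2)
            else:
                body.append(line)
        alert["full_log"] = "\n".join(body)
        alerts.append(alert)
    return alerts


def to_json_doc(alert):
    """One JSON document per alert, as one would index into Elasticsearch."""
    return json.dumps(alert, sort_keys=True)


def to_syslog(alert, origin="ossec-server"):
    """RFC 3164 line. The 'ossec: Alert Level: ...' body follows the style of
    ossec-csyslogd's default format; facility local0 and the level->severity
    mapping are this example's choices (assumption), not Wazuh's."""
    severity = 2 if alert["level"] >= 12 else 4 if alert["level"] >= 7 else 5
    pri = 16 * 8 + severity
    when = datetime.fromtimestamp(alert["timestamp_epoch"], tz=timezone.utc)
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    where = (f"({alert['agent_name']}) {alert['agent_ip']}" if alert["agent_ip"]
             else alert["agent_name"]) + "->" + alert["location"]
    parts = [f"Alert Level: {alert['level']}",
             f"Rule: {alert['rule_id']} - {alert['description']}",
             f"Location: {where}"]
    for key in ("srcip", "dstip", "user"):
        if key in alert:
            parts.append(f"{key}: {alert[key]}")
    parts.append(alert["full_log"].replace("\n", " "))
    return f"<{pri}>{stamp} {origin} ossec: " + "; ".join(parts)


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS_LOG):
        print(to_json_doc(a))
        print(to_syslog(a))
```

The parser deliberately fails loudly on a record it cannot recognise rather than silently dropping it; when wiring something like this into a RabbitMQ or Logstash pipeline, a lost alert is worse than a visible parse error.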


theresa mic-snare

Mar 28, 2016, 10:22:29 AM
to Wazuh mailing list, mem...@gmail.com
This sounds fantastic, Barry!
Please keep us updated on your progress, it sounds very interesting to me!