SEIM system with OSSEC.


Jason Long
Aug 7, 2015, 6:40:54 AM
to ossec...@googlegroups.com
Hello Experts.
How can I launch a SIEM for my local network and find the spread point of malware in my local network?
Any idea? Please let me know which tools are needed.


Thank you.

namobud...@gmail.com
Aug 7, 2015, 9:56:55 AM
to ossec-list, hack...@yahoo.com
Security Onion is ideal for this and you can send OSSEC logs to it as well.

Check Doug Burk's group:

Grant Leonard
Aug 8, 2015, 12:28:50 PM
to ossec-list, hack...@yahoo.com
Try AlienVault or OSSIM; they both make good use of OSSEC and add additional tools you will need for detecting the spread of malware.


On Friday, August 7, 2015 at 6:40:54 AM UTC-4, Jason Long wrote:

Jason Long
Aug 9, 2015, 11:45:25 AM
to ossec...@googlegroups.com
Thank you.
Grant, can you give me more information? I want to implement a SIEM for a Windows network with 200 clients. Which requirements are needed?




Daniil Svetlov
Aug 9, 2015, 2:33:16 PM
to ossec...@googlegroups.com
Hello, Jason!

You can also try LightSIEM: https://github.com/dsvetlov/lightsiem
It's a free and open source project based on the ELK stack. It allows searching alerts and logs and creating visualizations based on the received alerts.

Sun, 9 Aug 2015 at 18:45, 'Jason Long' via ossec-list <ossec...@googlegroups.com>:
--

--
Best regards, Daniil Svetlov.

Jason Long
Aug 10, 2015, 10:42:30 AM
to ossec...@googlegroups.com
Thank you.
How many servers are needed to launch Lightweight? One for Snort, another for OSSEC and another for Lightweight?
After that, must I install OSSEC on the Windows clients to forward logs?

Grant Leonard
Aug 10, 2015, 10:42:36 AM
to ossec...@googlegroups.com
A SIEM platform of any kind is a correlation tool for comparing and contrasting logs from disparate device types.

As you have seen, three different folks provided three different answers, and that will likely be true when talking with any professionals.

For 200 devices, you will need a decent-size server. OSSIM (and ultimately AlienVault) have the OSSEC server running on their main server and remote sensor devices, allowing you to manually deploy OSSEC agents and control OSSEC agent configurations from a GUI as well as the command line.

If you are only managing 200 servers and no other log feeds, OSSIM might be a good place to start, as you will get some pre-canned ideas for writing subsequent rules/directives/escalations.

If, however, you choose to add additional feeds, you might keep the 200+ agents reporting to a remote sensor and use the server just for correlation/presentation. Your options are wide open; give it a try!

https://www.alienvault.com/products/ossim

Daniil Svetlov
Aug 11, 2015, 3:23:30 PM
to ossec...@googlegroups.com
Jason, LightSIEM maintains one database for all events. It's not important what sources they come from. OSSEC and Snort logs go through a normalization process, where they are parsed into special fields and the alert levels are reduced to a common scale.

Answering your question: you need only one LightSIEM server to build a SIEM.

Also note that, unlike other "freeware" SIEMs, LightSIEM doesn't contain any limits and is built on top of open source and free software.


Mon, 10 Aug 2015 at 17:42, Grant Leonard <gr...@castraconsulting.com>:
--
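As an added illustration of the normalization step described above (example code written for this thread, not LightSIEM's own implementation): one OSSEC alert and one Snort fast-format alert are parsed into the same field layout, their severities are mapped onto a common 0..10 scale, and the normalized events are then ranked by source host so that the most-alerting host stands out. The alert text, rule ids and addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample alerts (not taken from the thread). Rule 100101 is a
# made-up id in OSSEC's local-rules range; SID 2000000 is likewise invented.
OSSEC_ALERT = """** Alert 1439300000.1234: - windows,authentication_failures,
2015 Aug 11 15:20:00 (win-client-017) 10.0.0.17->WinEvtLog
Rule: 100101 (level 12) -> 'Multiple Windows logon failures.'
"""
SNORT_FAST = ("08/11-15:21:02.123456  [**] [1:2000000:1] ET MALWARE Example "
              "Trojan Download [**] [Classification: A Network Trojan was "
              "detected] [Priority: 1] {TCP} 10.0.0.17:49152 -> 192.0.2.10:443")

OSSEC_RE = re.compile(
    r"\((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->.*?\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'", re.S)
SNORT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<desc>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d)\] \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

def normalize_ossec(text):
    """OSSEC levels run 0..15; scale them linearly onto 0..10."""
    m = OSSEC_RE.search(text)
    if not m:
        return None
    level = int(m.group("level"))
    return {"source": "ossec", "host": m.group("ip"), "rule": m.group("rule"),
            "desc": m.group("desc"), "severity": round(level * 10 / 15)}

def normalize_snort(line):
    """Snort priority is 1 (highest) .. 4; invert it onto the same 0..10 scale."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    prio = int(m.group("prio"))
    return {"source": "snort", "host": m.group("src"), "rule": m.group("sid"),
            "desc": m.group("desc"), "severity": {1: 10, 2: 7, 3: 4, 4: 1}[prio]}

def hosts_by_severity(events):
    """Sum normalized severity per source host, highest first."""
    totals = Counter()
    for e in events:
        if e is not None:
            totals[e["host"]] += e["severity"]
    return totals.most_common()

if __name__ == "__main__":
    events = [normalize_ossec(OSSEC_ALERT), normalize_snort(SNORT_FAST)]
    print(hosts_by_severity(events))
```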

Jaime Blasco
Aug 11, 2015, 3:35:07 PM
to ossec...@googlegroups.com
If you are talking about OSSIM, it doesn't contain any limits and it is based on top of open source and free software as well. There are more than 10k installations worldwide, it is maintained by a company, and the core technology is used in a commercial product as well. It also gives you many more capabilities (NetFlow, IDS, vulnerability scanning, correlation, asset discovery, IOC matching, etc.).

Happy to answer any questions about OSSIM

Regards


_______________________________

Jaime Blasco

Daniil Svetlov
Aug 11, 2015, 3:54:10 PM
to ossec...@googlegroups.com
Hi, Jaime!

I don't mean OSSIM specifically.
I have tried OSSIM and Prelude (Prewikka).
OSSIM can work only with a single user, and only with a limited number of OSSEC agents.
The community version of Prewikka uses some kind of de-optimized SQL queries, so the MySQL server can't answer quickly. It also has very poor visualizations. And it seems that the new owners of Prelude removed some functions from the community version.



Tue, 11 Aug 2015 at 22:35, Jaime Blasco <jaime....@alienvault.com>:

theresa mic-snare
Aug 11, 2015, 4:11:31 PM
to ossec-list
Hi,

my problem with OSSIM or USM always was that AlienVault only provides a Debian-based image.
however, a lot of companies use Red Hat-based distros, whether it's RHEL or CentOS.
of course you could argue that it's still a Linux distro, but it doesn't really match most corporate strategies if you have a lot of RHEL-based servers and then one single Debian appliance, or vice versa.

it would also be nice if you could deploy the open-source community version (OSSIM) on physical servers and not just on VMs...

just my 2cents..