OSSIM glossary

OSSIM (Open Source Security Information Management) is a widely used and comprehensive open source security architecture. It integrates existing open source products into a base platform that implements security monitoring functions; its purpose is to provide a centralized, organized framework that monitors and presents security information better than the individual tools can on their own.

 

OSSIM is clearly positioned as an integration solution. Its goal is not to develop new functionality, but to take a rich and powerful set of existing programs (including open source security software such as Snort, Rrd, Nmap, Nessus and Ntop) and bring them together under an open architecture that preserves each tool's original functions. The core work of the OSSIM project is integrating and correlating the information these products provide, together with integrating their related functions. Because these are established open source projects, the tools have been tried and tested and are reliable.

 

In fact, from a process perspective, security can be divided into four steps: assessment, protection, detection and response. There is now much excellent open source software for each of these steps. The problem is that the four steps form one dynamic, seamless process, while each open source tool addresses only a single security problem. How can existing security tools be used together and integrated seamlessly? OSSIM's answer is integration.

 

OSSIM consists of five modules: data collection, monitoring, detection, auditing and console. Together these five modules cover the complete process from incident prevention to incident handling in the current security field, and in this respect OSSIM is the most complete of the current security architectures. The five functional modules are divided into three levels: the top-level security information display panel, the middle-level risk and activity monitoring, and the bottom-level forensic console and network monitoring. Each level provides different functions, and together they ensure that the system runs securely.

 

In OSSIM, the whole process is divided into two stages, which correspond to the different periods in an event's life from its occurrence to its handling. The first is the pre-processing stage, whose work is carried out jointly by the monitors and detectors; it mainly provides preliminary security control for the system. The second is the post-processing stage, whose work is more concentrated and is reflected mainly in adjusting the system's security policy and improving its overall security configuration.

 

Three components in the OSSIM architecture deserve particular attention: the three policy databases, which are the information sources for OSSIM's event analysis and policy adjustment. They are the following:

◆ EDB (Event Database): Of the three databases, EDB is undoubtedly the largest. It stores every event captured by all of the underlying detectors and monitors.

◆ KDB (Knowledge Database): In the knowledge database, the state of the system is parameterized. These parameters provide detailed data descriptions and definitions for the security management of the system.

◆ UDB (User Database): In the user database, the user's behavior and other user-related events are stored.
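To make the "integrate and correlate" idea and the role of the EDB concrete, here is a small added example (not OSSIM's own code): it normalizes constructed detector output, a Snort fast-alert line and an Nmap-style scan record, into one common event record, keeps those records in an in-memory "EDB", and applies a single correlation rule. The line formats, field names and the rule are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the page): one Nmap-style scan record
# and two Snort fast-alert lines, all about the same monitored host.
SAMPLE_LINES = [
    "nmap|2024-01-01 10:00:01|10.0.0.5|scan|ports=22,80,445",
    "01/01-10:00:05.000000 [**] [1:2001:1] Snort alert: SMB probe [**] "
    "[Classification: Attempted Recon] [Priority: 2] {TCP} "
    "192.168.1.9:4444 -> 10.0.0.5:445",
    "01/01-10:00:09.000000 [**] [1:2002:1] Snort alert: SSH brute force [**] "
    "[Priority: 1] {TCP} 192.168.1.9:4445 -> 10.0.0.5:22",
]

# Snort "alert_fast" shape; the Classification block is optional.
SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def normalize(line):
    """Turn one detector-specific line into a common EDB event record."""
    if line.startswith("nmap|"):
        _, ts, host, kind, ports = line.split("|")
        return {"plugin": "nmap", "dst": host, "type": kind,
                "ports": ports.split("=")[1].split(","), "priority": 3}
    m = SNORT_RE.search(line)
    if m:
        return {"plugin": "snort", "dst": m["dst"], "type": "ids_alert",
                "ports": [m["dport"]], "priority": int(m["prio"]),
                "msg": m["msg"], "src": m["src"]}
    return None  # unknown detector format: nothing to store

def correlate(events):
    """Rule: a host that was port-scanned and then received an IDS alert on a
    port the scan found open yields one correlated event per such alert."""
    scanned = defaultdict(set)
    for e in events:
        if e["plugin"] == "nmap":
            scanned[e["dst"]].update(e["ports"])
    return [{"dst": e["dst"], "port": e["ports"][0], "src": e["src"],
             "msg": e["msg"], "priority": e["priority"]}
            for e in events
            if e["plugin"] == "snort" and e["ports"][0] in scanned[e["dst"]]]

def run(lines=SAMPLE_LINES):
    edb = [ev for ev in map(normalize, lines) if ev]  # the "EDB" is a list here
    return edb, correlate(edb)
```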

Origin blog.csdn.net/AIwenIPgeolocation/article/details/108280162