Security Information and Event Management (SIEM) in open source

Tom Buskey tom at buskey.name
Tue Jul 16 09:07:36 EDT 2013


On Mon, Jul 15, 2013 at 12:10 PM, Greg Rundlett (freephile) <
greg at freephile.com> wrote:

> I've become interested in Security Information and Event Management (SIEM)
> and comparing or learning more how open source products stand in the
> marketplace.  This book http://www.amazon.com/books/dp/0071701095 compares
> AlienVault OSSIM (which appears to operate on the freemium model)
> http://communities.alienvault.com/ with the other big players:
>
>    - Cisco MARS http://www.cisco.com/en/US/products/ps6241/index.html
>    - IBM QRadar http://www-03.ibm.com/software/products/us/en/qradar/
>    - HP ArcSight
>    http://www8.hp.com/us/en/software-solutions/software.html?compURI=1214365
>
Snare <http://sourceforge.net/projects/snare/> is a commercial product
with some open source parts.  The Snare agents are open source and widely
used.  Basically, they convert audit events to syslog, timestamp them and
throw them at a syslog server over TCP or UDP.

There are lots of OSSIM components in open source as well.  Snort is an IDS
that comes to mind.


> One not featured in the book, and the project that got me interested in
> the topic is OpenVAS http://www.openvas.org/
>
> Are there others?
>
>    - OSSEC http://www.ossec.net/
>    - sguil http://sguil.sourceforge.net/index.html
>
>
> Does anyone have insights to share on leading open source implementations
> of Security Assessment, or SIEM systems?  Dr. Anton Chuvakin does.
> http://chuvakin.blogspot.com/2009/06/why-no-open-source-siem-ever.html
> He predicted 5 years ago that none would ever truly come to fruition due to
> multiple aspects of the domain which do not fit well with the open source
> model.
>

Log standards are so great that everyone has their own!  And it's hard to
get people that operate on a need-to-know basis to share info.


>
>
> Greg Rundlett
>
> p.s. also rhetorically wondering why these big companies have such bad
> information architecture  = ugly URLs
>
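What the Snare agents described above do, as an added example that is not Snare's own code: wrap a constructed audit event in a timestamped RFC 3164 syslog line, ship it to a collector over UDP or TCP, and parse it back on the receiving side so malformed lines are rejected. The facility, tag, host name and sample event are assumptions.

```python
"""Minimal syslog-forwarding agent plus collector-side parser (added example,
not Snare's code)."""
import re
import socket
from datetime import datetime

FACILITY_AUTHPRIV = 10   # standard syslog facility number (assumed choice)
SEVERITY_NOTICE = 5      # standard syslog severity number

def format_syslog(event: str, host: str, tag: str, ts: datetime,
                  facility: int = FACILITY_AUTHPRIV,
                  severity: int = SEVERITY_NOTICE) -> str:
    """Build an RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = facility * 8 + severity
    # RFC 3164 timestamp: "Jul 16 09:07:36" (day space-padded, no year)
    stamp = ts.strftime("%b") + f" {ts.day:2d} " + ts.strftime("%H:%M:%S")
    return f"<{pri}>{stamp} {host} {tag}: {event}"

_LINE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")

def parse_syslog(line: str) -> dict:
    """Collector side: split a line into fields; ValueError if malformed."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                       # max facility 23, max severity 7
        raise ValueError("PRI out of range")
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3),
            "tag": m.group(4), "msg": m.group(5)}

def send_syslog(line: str, server: str, port: int = 514,
                tcp: bool = False) -> None:
    """Forward one line; TCP uses newline-terminated framing."""
    data = line.encode("utf-8")
    if tcp:
        with socket.create_connection((server, port)) as s:
            s.sendall(data + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (server, port))

# Constructed sample audit event, as an agent might emit it (not real data)
SAMPLE_EVENT = "user=alice action=login result=failure"
SAMPLE_TS = datetime(2013, 7, 16, 9, 7, 36)

def demo_line() -> str:
    """The sample event as the line an agent would put on the wire."""
    return format_syslog(SAMPLE_EVENT, "wkstn01", "AuditAgent", SAMPLE_TS)
```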