1

we've recently moved our NIDS installation from StrataGuard to the new OSSIM 2.1 release to take advantage of the additional features (Nagios, ntop, Nessus/OpenVas, etc.) it provides in addition to just Snort. So far, I'm very impressed with OSSIM but also slightly overwhelmed with the complexity and sheer amount of information provided.

Where StrataGuard made it very easy to tune and configure rules, e.g. to exclude or specify combinations of source/destination addresses and ports for a given rule, I'm having a very difficult time figuring out how to tune rules in OSSIM from the different event sources (Snort, rrd, arpwatch, directive_alert, etc.). The documentation is pretty sparse at present and doesn't appear to say much about this.

My question is, am I missing something, i.e. should I be approaching at a different level? Should I be configuring the Policy and Correlation elements only, and let the events pour in, even if I know they're false positives? Or is there a straightforward way to tune rules for each sensor?

Thanks for your help.

Update: A nice review article from Linux Journal has been made available through the AlienVault web site that explains the correlation process in more depth than I've seen, and provides a nice overall review of the OSSIM system.

Update November 2012: We tried other open source logging and/or monitoring solutions in the 3+ years since I posted this question (Icinga, ZenOSS, and Splunk in that order) without any great satisfaction, so I've recently come back to playing with OSSIM. It's currently up to version 4.0, and the tools overall seem to be much improved and better integrated than prior versions, especially on the logging end. I've found the 'OSSIM Made Simple' webinars made available by Alienvault very helpful, at least in setting it up as a syslog/OSSEC repository. Still trying to get a handle on rules and event/alert correlation for Snort/ntop on mirrored traffic -- I think some of the tools in the paid/non-"community" version might make this easier, but that's not in our budget.

nedm
  • 5,610
  • 5
  • 30
  • 52

3 Answers3

1

I am wrestling with the same issue right now. The closest I have found to official docs on tuning is:

There are at least three ways of doing this:
a. Filtering at origin (disabling a snort rule, setting a tcpdump-style filter at p0f, etc...)
b. Policy
c. Agent Consolidation (undocumented)

I have started working on removing the false positives via policies--we shall see how it goes.

Josh

Josh Brower
  • 1,659
  • 3
  • 18
  • 29
  • If you have a chance, update and let me know how it goes -- I've had to focus on other things for the moment but would love to hear what you come up with. – nedm Oct 08 '09 at 04:05
  • Looks like 2.2 will be out soon. – nedm Feb 15 '10 at 19:58
0

According to the article I've referenced in the update, setting a rule's priority to 0 causes OSSIM to ignore the rule. While this is the short answer to my question, it turns out that configuring events and correlations is much more complex (though also more powerful) than tuning individial rules.

The AlientVault web site states that OSSIM version 2.2 will be released very soon, and after looking at the online slides on what's new, it looks like there are some great updates (particularly glad to see the web interface will be https by default). Hopefully some good documentation will follow.

nedm
  • 5,610
  • 5
  • 30
  • 52
0

I've found this by a quick search.

https://www.ossim.net/forum/index.php?t=msg&goto=435&S=835a0b9097e14e3b306ba1fae2a94de9#msg_435

Hope this may guide you on a resolution.

Regards,

David.

r0ca
  • 212
  • 2
  • 10
  • 25
  • Thanks, I've looked through the documentation and forums but was hoping for a more thorough explanation of rule tuning. I'll try posting in the forum. – nedm Sep 17 '09 at 06:57
  • Ok no problem, let me know if you find your answer there. Hope I guided you to the right point. – r0ca Sep 18 '09 at 16:04