Thursday, January 04, 2007

On Open Source in SIEM and Log Management

Now, check out prediction #4 and the comments on it here. Folks discuss the challenges that a possible open source SIEM solution would face, if it were ever to materialize (OSSIM and OSSEC excluded for various reasons).

5 comments:

Anonymous said...

I understand why OSSEC doesn't make the grade, but I guess I don't understand why everyone (and by everyone, I mean you and Tom Ptacek) is so dismissive of OSSIM.

OK, so right now ArcSight's not losing any sleep, but look here:

http://www.ossim.net/dokuwiki/doku.php?id=roadmap:plugins

Maybe they should be. I think you and I went 'round about this issue on fw-wiz or loganalysis, but parsers that bucketize log data and generate metadata for a SIM are reasonably easy to write. OSSIM has the hard part done - the architecture and the event correlation code.

The rest is just building the supported products up enough, which is underway, and then getting pretty and/or useful data out of it. And, let's be honest, that's something every SIM implementation struggles with at first regardless of the product.

PaulM

Anton Chuvakin said...

"but parsers that bucketize log data and generate metadata for a SIM are reasonably easy to write"

Bua-ha-ha-ha-haaa. Sorry, can't make it sound more demonic than that in writing. Writing and - what is worse - maintaining (pretty much forever) a large library of these beasties is a mammoth task. You sometimes need to tweak them due to - often undocumented - changes in vendor logs, and that task alone takes resources. To add insult to injury, I don't believe the open-src community will take on that task since there is little glory in it and it is very maintenance-heavy.

And, we are also dismissive of OSSIM due to its semi-frozen status; nothing much new was added in years ...

Anonymous said...

It can't be any harder for an open source project to do than a vendor. And since the bigger SIM vendors are opening up their parsers to customers, I think we can all agree that the skill set required to write a parser is light enough that community contributions of regex strings and basic case statements are very much on the table for OSSIM.

And as far as OSSIM being frozen, I think the obituary is premature. They released rc3 this past September and there have been CVS commits as recently as today:

http://sourceforge.net/mailarchive/forum.php?forum_id=34960

PaulM
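The parser discussion in the two comments above (PaulM's "regex strings and basic case statements" and Anton's point about maintaining a parser library as vendor log formats drift) is easy to make concrete. The following is an added example and not part of the original thread or of OSSIM's code: a small Python normalizer that dispatches on the syslog program name (the "case statement"), applies per-program regexes, buckets each line into a category with metadata a SIM could correlate on, and, crucially for the maintenance problem, counts lines that no parser understood so a vendor format change shows up as a rising "unparsed" counter instead of silently dropped events. The sample log lines are constructed, and the category names and field names are my own assumptions, not any product's schema.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines modeled on sshd and iptables syslog output (not real logs).
SAMPLE_LINES = [
    "Jan  4 10:15:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
    "Jan  4 10:15:03 bastion sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2",
    "Jan  4 10:15:09 fw01 kernel: IPTABLES-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51600 DPT=22",
    "Jan  4 10:15:12 bastion sshd[2201]: Failed password for bob from 203.0.113.7 port 51523 ssh2",
    "Jan  4 10:15:20 app01 myapp[77]: something the parser library has no pattern for yet",
]

# Common BSD-syslog header: timestamp, host, program[pid]: message
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The "case statement": program name -> list of (category, regex). Named groups become metadata.
# Category names are assumptions for this example, not a product's taxonomy.
PATTERNS = {
    "sshd": [
        ("auth.failure", re.compile(
            r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
            r"from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
        ("auth.success", re.compile(
            r"^Accepted (?P<method>\w+) for (?P<user>\S+) "
            r"from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ],
    "kernel": [
        ("net.drop", re.compile(
            r"^IPTABLES-DROP .*?SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) "
            r"PROTO=(?P<proto>\w+) SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+)")),
    ],
}


@dataclass
class Event:
    category: str   # the bucket the line was sorted into
    host: str       # reporting host from the syslog header
    fields: dict    # metadata extracted by the matching pattern


def parse_line(line):
    """Return an Event for a recognised line, or None when no pattern matches."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr:
        return None
    for category, pattern in PATTERNS.get(hdr["prog"], []):
        m = pattern.match(hdr["msg"])
        if m:
            fields = m.groupdict()
            # Turn the optional "invalid user " capture into a boolean flag.
            if "invalid" in fields:
                fields["invalid_user"] = fields.pop("invalid") is not None
            return Event(category, hdr["host"], fields)
    return None


def normalize(lines):
    """Parse every line; return the events plus per-category counts.

    The 'unparsed' counter is the maintenance signal: when a vendor changes a
    message format, lines stop matching and this number climbs, which is
    something to alert on rather than discover months later."""
    events, stats = [], Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            stats["unparsed"] += 1
            continue
        stats[ev.category] += 1
        events.append(ev)
    return events, stats


def failures_by_source(events):
    """Metadata a SIM would correlate on: authentication failures per source IP."""
    return Counter(e.fields["src_ip"] for e in events if e.category == "auth.failure")


if __name__ == "__main__":
    evs, st = normalize(SAMPLE_LINES)
    for e in evs:
        print(e.category, e.host, e.fields)
    print("stats:", dict(st))
    print("auth failures by source:", dict(failures_by_source(evs)))
```

The per-pattern work really is a regex and a dictionary entry, which is PaulM's point; what the `unparsed` counter represents is Anton's point, because every pattern here is tied to the exact wording of a vendor message and has to be revisited whenever that wording changes.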

Unknown said...

I've noticed this thread on the web stat logs and I think I have to add a comment on this thread.

First of all, I thank Paul on the comments.

I'm not going to cry out for compassion (hope it's spelled reasonably well), but I know very well how much effort has gone into OSSIM these last four years, I've been leading development since the first line of code.

We've spent a lot of time developing a "good" product. We've missed most of the commercial part and maybe we'll regret it sometimes.
I'm pretty sure we've done many things wrong and have plenty of stuff to learn, but we've done most of it because we like it, not for the funding (didn't have much of it TBH :) ).

Our core coding is done, now we're aiming at the 100 product list that ArcSight has got.
After having spent 6 months recoding the agent in order to make developing an agent a trivial issue, we want to get into doing some "new" stuff again. I'd love to see some commercial company provide a plugin architecture as easy as ours, after having released 1.0 (before summer).

As a finishing note, I have to admit that we don't have the marketing force that other companies can provide, at least right now, but I'm pretty sure that OSSIM can work as well as most of them without the licence cost. (I know a couple of SIMs that are far better than OSSIM right now in some areas, and I won't negate that.)

Dominique Karg

dk at |||| ossim, net

Anton Chuvakin said...

Awesome! I am truly looking forward to your release; making the agent/collector simple to extend is indeed a huge task, and if you guys solve this, it will be extremely important.

Dr Anton Chuvakin