Short personal notes on server security


Security -> Privacy filter

OSSIM:

Open Source Security Information and Event Management

Centralizes:

OSSIM features the following software components:

  • PRADS, used to identify hosts and services by passively monitoring network traffic. Added in release v4.0. [8]
  • OpenVAS, used for vulnerability assessment and for cross-correlation of intrusion detection system (IDS) alerts against vulnerability scanner results.
  • Snort, used as an intrusion detection system (IDS), and also used for cross-correlation with Nessus.
  • Suricata, used as an intrusion detection system (IDS); as of version 4.2 this is the IDS used in the default configuration.
  • Tcptrack, used for session data, which can provide useful information for attack correlation.
  • Nagios, used to monitor host and service availability based on a host asset database.
  • OSSEC, a host-based intrusion detection system (HIDS).
  • Munin, for traffic analysis and service watchdogging.
  • NFSen/NFDump, used to collect and analyze NetFlow information.
  • FProbe, used to generate NetFlow data from captured traffic.
  • OSSIM also includes self-developed tools, the most important being a generic correlation engine with logical directive support and log integration through plugins.

Note: Suricata and Snort cannot be used at the same time. Snort is currently being phased out in favor of Suricata. [9]

HIDS

OSSEC: HIDS software

Alert: IIS attack detected

SIEM


Nice doc: http://www.ossec.net/files/OSSEC_and_OSSIM_Unified_Open_Source_Security.pdf