OSSIM Components Overview
OSSIM Functional Components
Server – The core of the SIEM
Framework – Connects everything together
Sensor – Collects Information
Database – Storage for other components
Logger (Commercial Only) – Complete log storage
Server
The Server is the central component of OSSIM and performs the key SIEM functions:
• Event Correlation
• Risk Assessment and Prioritization
• Inventory and Identity Management
• Alarms and Scheduling
• Policy Management
• Reputation Engine
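The two Server functions that analysts interact with most, correlation and risk-based prioritization, are easiest to see side by side. The block below is an added example written for this page, not OSSIM's own code: it runs one hypothetical correlation directive (N matching events from the same source against the same host inside a time window) over constructed, already-normalized events, and scores the resulting alarm with OSSIM's risk formula, risk = (asset value × priority × reliability) / 25 on a 0-10 scale. The directive, the plugin_id/plugin_sid values, the asset inventory and the event timestamps are assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Constructed input: normalized events as a Sensor agent would hand them to
# the Server, six SSH authentication failures from one source host, five
# seconds apart. The field names follow OSSIM's normalized event shape.
EVENTS = [
    {"ts": 1700000000 + i * 5, "plugin_id": 4003, "plugin_sid": 1,
     "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"}
    for i in range(6)
]

# Hypothetical correlation directive: fire when the same (src, dst) pair
# produces `occurrence` matching events inside `window_s` seconds.
# priority (0-5) says how serious this attack class is; reliability (0-10)
# says how sure we are the attack is real once the directive has matched.
DIRECTIVE = {
    "name": "SSH brute force against a single host",
    "plugin_id": 4003, "plugin_sid": 1,
    "occurrence": 5, "window_s": 60,
    "priority": 4, "reliability": 8,
}

# Hypothetical asset inventory: asset value 0-5 per monitored host.
ASSET_VALUE = {"10.0.0.5": 4}
DEFAULT_ASSET_VALUE = 2   # OSSIM's default for hosts missing from the inventory


def risk_score(asset, priority, reliability):
    """OSSIM's risk formula: (asset * priority * reliability) / 25, an integer 0-10."""
    return min(10, (asset * priority * reliability) // 25)


def correlate(events, directive, asset_values):
    """Run one directive over a stream of events; return the alarms raised."""
    alarms = []
    windows = defaultdict(deque)   # (src_ip, dst_ip) -> timestamps still inside the window
    fired = set()                  # pairs that already raised this alarm
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["plugin_id"], ev["plugin_sid"]) != (directive["plugin_id"], directive["plugin_sid"]):
            continue
        key = (ev["src_ip"], ev["dst_ip"])
        win = windows[key]
        win.append(ev["ts"])
        # Drop timestamps that have fallen out of the window (the newest one always stays).
        while ev["ts"] - win[0] > directive["window_s"]:
            win.popleft()
        if len(win) >= directive["occurrence"] and key not in fired:
            fired.add(key)
            asset = asset_values.get(ev["dst_ip"], DEFAULT_ASSET_VALUE)
            alarms.append({
                "directive": directive["name"],
                "src_ip": ev["src_ip"], "dst_ip": ev["dst_ip"],
                "first_ts": win[0], "last_ts": ev["ts"],
                "events": len(win),
                "risk": risk_score(asset, directive["priority"], directive["reliability"]),
            })
    return alarms


if __name__ == "__main__":
    for alarm in correlate(EVENTS, DIRECTIVE, ASSET_VALUE):
        print(alarm)
```

With the constructed input the directive fires on the fifth failure and the alarm scores 4 × 4 × 8 / 25 = 5. Changing the asset value of 10.0.0.5 is the only knob that changes the score without touching the directive, which is why keeping the inventory accurate matters as much as writing good correlation rules.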
Framework
The Framework manages the OSSIM components and connects them together:
• Provides the web user interface
• Manages OSSIM component configurations and communication
Database
Handles storage for inventory data, configuration and SIEM events:
• SIEM event storage
• Asset storage
• Continuous data (NetFlow, etc.) storage
• Run-time OSSIM configuration
Sensor (+Agents)
The information-gathering component of OSSIM. Agents collect logs and events from external devices and from OSSIM's own monitoring components, using a plugin for each type of information they collect.
• Log collection: fetch and receive
• Network monitoring:
  • Network traffic monitoring
  • Network intrusion detection
  • Asset detection
  • Host intrusion detection
  • Wireless intrusion detection
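What an agent plugin actually does with a collected log is turn each raw line into a normalized event (plugin_id for the source, plugin_sid for the event type, plus extracted fields such as source IP and username) that the Server can correlate. The block below is an added example, not OSSIM's own agent or plugin code: it models a plugin as a set of regexp rules in the spirit of OSSIM's plugin files and runs it over a constructed auth-log sample. The plugin_id and plugin_sid values, the rule names and the sample log lines are assumptions for the illustration.

```python
import re

# Constructed sample of an sshd/auth log, the kind of file an agent tails.
SAMPLE_LOG = """\
Nov 14 10:02:11 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2
Nov 14 10:02:14 bastion sshd[2212]: Accepted publickey for deploy from 198.51.100.9 port 40122 ssh2
Nov 14 10:02:20 bastion CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Common syslog prefix: timestamp and the host that wrote the line.
SYSLOG_PREFIX = r"^(?P<date>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) "

# Hypothetical plugin shaped like an OSSIM agent plugin: one plugin_id per
# log source, one rule (regexp + plugin_sid) per event type, with named
# groups carrying the extracted values into the normalized event.
SSHD_PLUGIN = {
    "plugin_id": 4003,          # illustrative id
    "rules": [
        {"plugin_sid": 1, "name": "SSH failed password",
         "regexp": re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                              r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")},
        {"plugin_sid": 7, "name": "SSH accepted login",
         "regexp": re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Accepted (?P<method>\S+) for "
                              r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")},
    ],
}


def normalize(line, plugin):
    """Turn one raw log line into a normalized event, or None if no rule matches."""
    for rule in plugin["rules"]:
        m = rule["regexp"].match(line)
        if m is None:
            continue
        f = m.groupdict()
        return {
            "plugin_id": plugin["plugin_id"],
            "plugin_sid": rule["plugin_sid"],
            "date": f["date"], "sensor": f["sensor"],
            "src_ip": f["src_ip"], "src_port": int(f["src_port"]),
            "username": f["user"],
            "log": line,   # the raw line travels with the event
        }
    return None


def collect(text, plugin):
    """Agent pass over a log file: return (events, count of lines no rule matched)."""
    events, unmatched = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = normalize(line, plugin)
        if ev is None:
            unmatched += 1    # worth counting: silently dropped lines are blind spots
        else:
            events.append(ev)
    return events, unmatched


if __name__ == "__main__":
    evs, skipped = collect(SAMPLE_LOG, SSHD_PLUGIN)
    for ev in evs:
        print(ev["plugin_id"], ev["plugin_sid"], ev["src_ip"], ev["username"])
    print("unmatched lines:", skipped)
```

The unmatched counter is the check a practitioner wants: a plugin whose regexps drift out of step with a new sshd version keeps running happily while producing no events, and the only visible symptom is a rising count of lines that matched nothing.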
Logger [Commercial Only]
The Server keeps only the log events that are significant for security analysis; everything else is filtered out. The Logger additionally stores every log line in raw format for forensic and compliance purposes and for archival searches.
• Indexed for full-text searches
• Cryptographically signed log messages
• Additionally accessible as raw text
• Designed for long-term storage
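Signing the raw log is what makes the Logger usable as forensic evidence: a reviewer can prove that a line has not been edited, and that no lines have been removed or reordered, since it was archived. The block below is an added example of that property, not the Logger's own implementation: it stores constructed raw lines as a chain of records in which each record's HMAC-SHA256 covers its sequence number, the previous record's signature and the raw text, so tampering anywhere breaks verification from that point on. HMAC with a shared key stands in for whatever signature scheme a real Logger uses; the key, the record layout and the sample lines are assumptions for the illustration.

```python
import hashlib
import hmac
import json

# Hypothetical per-logger key. The point of signing is that a host able to
# write logs cannot also forge them, so in practice the key lives away from
# that host (on the Logger, in an HSM, or in a separate signing service).
SIGNING_KEY = b"logger-signing-key-for-illustration-only"

# Constructed raw lines as received from a sensor, before any filtering.
RAW_LINES = [
    "Nov 14 10:02:11 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2",
    "Nov 14 10:02:14 bastion sshd[2212]: Accepted publickey for deploy from 198.51.100.9 port 40122 ssh2",
    "Nov 14 10:02:20 bastion CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

GENESIS = "0" * 64   # "previous signature" used for the first record


def sign_record(key, seq, prev_sig, raw):
    """HMAC-SHA256 over sequence number, previous signature and raw line.

    Covering prev_sig chains the records: altering, removing or reordering
    any earlier record invalidates every signature after it."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(f"{seq}\n{prev_sig}\n".encode())
    mac.update(raw.encode())
    return mac.hexdigest()


def append_raw(store, key, raw):
    """Append one raw line to the store as a signed record."""
    seq = len(store)
    prev = store[-1]["sig"] if store else GENESIS
    store.append({"seq": seq, "raw": raw, "sig": sign_record(key, seq, prev, raw)})


def build_store(lines, key):
    store = []
    for line in lines:
        append_raw(store, key, line)
    return store


def verify_store(store, key):
    """Return (True, None) if the chain is intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(store):
        expected = sign_record(key, i, prev, rec["raw"])
        if rec["seq"] != i or not hmac.compare_digest(expected, rec["sig"]):
            return False, i
        prev = rec["sig"]
    return True, None


def search_raw(store, needle):
    """Archival search over the raw text: return the seq numbers of matching records."""
    return [rec["seq"] for rec in store if needle in rec["raw"]]


if __name__ == "__main__":
    store = build_store(RAW_LINES, SIGNING_KEY)
    print("intact:", verify_store(store, SIGNING_KEY))
    tampered = json.loads(json.dumps(store))            # deep copy
    tampered[1]["raw"] = tampered[1]["raw"].replace("deploy", "root")
    print("after editing record 1:", verify_store(tampered, SIGNING_KEY))
    print("records mentioning 203.0.113.7:", search_raw(store, "203.0.113.7"))
```

Note what the chain does and does not give you: it detects any change to archived records, but it cannot tell you about lines that never reached the Logger, so collection-path integrity (TLS to the sensor, disk-full alerts) is a separate control.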
Open Source Software in the OSSIM Architecture
Each OSSIM component is built from a selection of open-source security tools.
Some run as part of the core Framework; others reside on the Sensors, which may be distributed across the network to provide visibility.
Server/Framework:
• Nagios (availability monitoring)
• OCS Inventory (asset inventory)
• NFSen (NetFlow front end)
• Ntop (traffic-analysis interface)
Sensor:
• Snort (network intrusion detection)
• nfcapd/fprobe (NetFlow collection and export)
• p0f (passive OS fingerprinting)
• PADS (passive asset detection)
• Arpwatch (ARP/MAC change monitoring)
• Ntop (network traffic monitoring)
• Nmap (active host and port discovery)
• OpenVAS (vulnerability scanning)
• OSSEC (host intrusion detection)
• Kismet (wireless intrusion detection)