From: Jose V. N. Z. <jo...@us...> - 2003-09-26 14:27:41

Greetings,

I saw the project and I think it is definitely worth the effort. If you have a medium to large network under your control you will notice pretty soon that without the appropriate tools you will not be able to correlate and investigate even the most basic events. The idea of using readily available tools like Snort, OpenNMS, NMAP etc. is very attractive because a large number of sites are already using them, so a 'glue' that ties all that information together is more than welcome.

Still, there are some points related to the architecture of the project that don't seem to fit appropriately. All my comments are based on the information contained in the architecture diagram published by the os-sim developers (http://os-sim.sourceforge.net/docs/ossim3.jpg) and the tools mentioned on their web site (http://os-sim.sourceforge.net/home.html).

1) Too many OpenSource tools, some overlapping: For example NTOP could be replaced with custom OpenNMS graphs and custom polling of SNMP OIDs on the target machines; MRTG could be replaced directly with RRDtool, and again OpenNMS can show the custom graphs too. You mention NMAP for network discovery, but OpenNMS already does that job. Two databases? PostgreSQL can do the job of MySQL (and OpenNMS already uses it). Snort can log events directly to PostgreSQL. MySQL probably is too simple for an enterprise solution like this one. Sortova Consulting was doing some work to integrate Nessus with OpenNMS (currently nobody is working on that, though). Maybe it is better to contribute code to integrate them than to reinvent the wheel here.

2) Too many languages and platforms to maintain: The architecture itself is composed of at least two databases (PostgreSQL and MySQL), at least two web presentation layers (PHP, JSP) and several programming languages (Perl, PHP, Java, C). This is a maintenance disaster waiting to happen unless a huge team of developers with a large skillset is ready to maintain all the pieces that tie the application together. The team should consider rewriting at least some of the analysis components. Also, only one database should be used.

3) What about other devices like switches and firewalls that don't even speak SNMP but Syslog? What about machines that run only Syslog daemons? A custom Syslog listener could be a very good glue to gather information from several places like Snort sensors, IPTables firewalls and switches. One problem with SNMP traps is that they are not very secure, and once you know the password you can tamper with the contents or even flood the SNMP trap daemon.

4) PHP and JSP, which one is better? My opinion is that PHP is not prepared for the enterprise. PHP doesn't have the optimizations that Java does on the server side and also ties the presentation too closely to the logic. It's true that Java takes more time to master, but it is also true that it is much more flexible and standardized than PHP (PHP doesn't have a common database layer AFAIK). The team should try to replace tools like ACID (whose source code is freely available) and maybe think about integrating those changes with OpenNMS (as a custom web app) or developing the tool using Java as a separate web app.

In my opinion, a tighter integration with OpenNMS will solve many of these issues. What do you think about this?

JV.
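The Syslog "glue" that the post above proposes in point 3, as an added example (this is not code from the thread or from the OS-SIM project): a listener back-end that parses RFC 3164 lines, maps Snort alerts and iptables drops onto one common event schema, and flags source/destination pairs that more than one sensor reported. The three sample lines are constructed for the example; the field layouts follow Snort's syslog alert format and the iptables LOG target's key=value format.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines: a Snort alert, an iptables drop and an unrelated sshd line
SAMPLE_LINES = [
    "<33>Sep 26 14:27:41 sensor1 snort[1234]: [1:2003:8] MS-SQL Worm propagation attempt "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434",
    "<4>Sep 26 14:27:42 fw1 kernel: IPTABLES DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 "
    "PROTO=UDP SPT=1434 DPT=1434",
    "<13>Sep 26 14:27:43 host2 sshd[99]: Accepted publickey for alice from 10.0.0.7 port 51022",
]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (RFC 3164 / BSD syslog)
HEADER = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[(\d+)\])?: (.*)$")
# [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
SNORT = re.compile(r"^\[(\d+:\d+:\d+)\] (.*?) \[Classification: .*?\] \[Priority: (\d+)\] "
                   r"\{(\w+)\} (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")

def parse_syslog(line):
    """Split one syslog line into facility/severity (from PRI), timestamp, host, tag, pid, message."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8, "ts": m.group(2), "host": m.group(3),
            "tag": m.group(4), "pid": m.group(5), "msg": m.group(6)}

def normalize(line):
    """Map a Snort alert or an iptables log line onto a common event schema; None for anything else."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    if rec["tag"] == "snort":
        m = SNORT.match(rec["msg"])
        if m:
            return {"source": "snort", "host": rec["host"], "src": m.group(5), "dst": m.group(6),
                    "proto": m.group(4), "detail": f"{m.group(1)} {m.group(2)}", "prio": int(m.group(3))}
    elif rec["tag"] == "kernel" and "IPTABLES" in rec["msg"]:
        kv = dict(re.findall(r"(\w+)=(\S*)", rec["msg"]))      # IN=eth0 OUT= SRC=... DST=...
        action = rec["msg"].split(":")[0].split()[-1]           # the word before ':' e.g. DROP
        return {"source": "iptables", "host": rec["host"], "src": kv.get("SRC"), "dst": kv.get("DST"),
                "proto": kv.get("PROTO"), "detail": f"{action} {kv.get('IN')}->{kv.get('OUT') or '-'}",
                "prio": rec["severity"]}
    return None

def correlate(lines):
    """Group events by (src, dst); a pair reported by more than one source is a correlated hit."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            by_pair[(ev["src"], ev["dst"])].append(ev)
    return {pair: evs for pair, evs in by_pair.items() if len({e["source"] for e in evs}) > 1}
```

In a real listener the lines would come from a UDP/514 socket (or a TLS-wrapped TCP transport if integrity of the feed matters, which addresses the tampering concern raised for SNMP traps); the parsing and correlation stay the same.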
From: DK <dk...@us...> - 2003-09-26 09:20:14

Hello Jose Vicente,

Thank you very much for your interest; both I and the rest of the team working on the project would be delighted to hear opinions/criticism about the architecture. For that reason I am copying the list created for discussions of this kind, os-...@li....

As for collaboration, we are also open to everything; the problem is the definition of the architecture. Right now it is being developed by a group of co-workers who are in direct contact with each other, but to bring in external contributors we need some kind of better-defined roadmap, which I am working on now. As soon as I have that document defined I will send it to you, and we will also put it on the project home page. In the meantime I would appreciate your criticism and opinions on the current state of the architecture.

Regards,
DK

On 9/25/03 23:30, "nobody" <no...@us...> wrote:

> Jose Vicente Nunez Zuleta <jo...@us...> wrote:
>
> Hello,
>
> The project really caught my attention; it looks very interesting. However,
> there are some aspects of the architecture that seem hard to maintain to me, and
> I would like to know the following:
>
> 1) How interested are you in having a new developer on the team?
> 2) How much do you want to change / discuss the architecture? (there are a
> lot of things that don't add up for me).
>
> What experience do I have? Well, I wrote the JDBC plugin for OpenNMS
> (http://blog.opennms.org/archives/000029.html#more), I have written some
> tutorials on how to integrate OpenNMS with Snort using SNMP
> (http://faq.opennms.org/faq/fom-serve/cache/116.html) and right now
> I am working on a search tool that uses Mitre's vulnerability dictionary
> (http://cvebrowser.sourceforge.net)
>
> Let me know if you are interested in talking.
>
> JV.
From: DK <dk...@ip...> - 2003-08-22 03:06:57

Devel test