
Thread: Network cluster in Xen




Network cluster in Xen
2007-08-10 12:48:53
I have been working with Xen, and I found this article that may be of
value for configuring a test and proof of concept environment with
OSSIM.

http://www.samag.com/documents/s=10112/sam0702e/0702e.htm

I will be exploring more in this direction as things go along.

brian
-- 
Brian Lavender
http://www.brie.com/brian/


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Os-sim-support mailing list
Os-sim-supportlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/os-sim-support

Re: Network cluster in Xen
2007-08-18 04:36:06
Thanks for the information, I'll have a look at it.

I'm just thinking about building a couple of installation CD's for
ossim that install a complete system on an empty host (including OS).
I remember NFR did the same years ago with their IDS.

What do you think about this ?

Greetings,

Dominique

On 10.08.2007 at 19:48, Brian Lavender wrote:

> I have been working with Xen, and I found this article that may be of
> value for configuring a test and proof of concept environment with
> OSSIM.
>
> http://www.samag.com/documents/s=10112/sam0702e/0702e.htm
>
> I will be exploring more in this direction as things go along.
>
> brian
> -- 
> Brian Lavender
> http://www.brie.com/brian/




Re: Network cluster in Xen
2007-08-20 18:11:17
On Sat, Aug 18, 2007 at 11:36:06AM +0200, Dominique Karg wrote:
> Thanks for the information, I'll have a look at it.
>
> I'm just thinking about building a couple of installation CD's for
> ossim that install a complete system on an empty host (including OS).
> I remember NFR did the same years ago with their IDS.
>
> What do you think about this ?

I think VMOSSIM is great, but it only runs on one host.

Here's what I think would be great. There are quite a number of features
to OSSIM. Each one needs to be configured and verified. Say you install
Apache. When you install it, you go to your browser and you see if it
works. If it does, great. Then you probably start to tweak it to your
customization. With OSSIM, we have this complex integration of products
that needs to interact. So, I think there needs to be a feature /
verification process for each feature. I am new to security, so some of
the features I don't even quite understand, but along the way of putting
OSSIM together, I find a feature and then I explore.

At first I just tried to get things running. I think the biggest help
was the Debian Installation HOWTO in Spanish (The English isn't all that
great), but in the end, I succeeded in getting a web interface running
and once I succeeded with getting the passwords to work on the
configuration -> main, my next question was, what do we have and what
can it do for us?

SNORT was one. With SNORT, I installed it completely separate following
a howto completely outside of OSSIM, so I could understand it. And then
I tried to understand how it integrates with OSSIM.

Now I am working with arpwatch and its integration into OSSIM.
Your email about the asset number and the anomaly page and how it should
report in /var/log/ossim/arpwatch.log was of great value in breaking out
one piece and making it work. I think that needs to be documented, which
I can do.

Overall, I think there are two approaches for implementation. One is to
start with a completely working system such as VMOSSIM. But VMOSSIM only
runs on one machine. The Xen guys put together a live Demo CD, where
you can see multiple virtual machines running. I can't seem to find the
ISO on the Net at the moment, but here is an article on its review.

http://linuxhelp.blogspot.com/2006/10/xen-gpled-virtualisation-technology.html

So either an installer that installs a virtual network on a computer,
or a live CD could be a great benefit. Method two is to take each
feature, identify the desired benefit, and then a verification process
for that benefit.

So, those are some of my thoughts. I am going to be working on
documentation for my customer, and... I have been given permission to
contribute it. First thing is to translate the Spanish HOWTO for Debian.

brian

> 
> Greetings,
> 
> Dominique
> 
> On 10.08.2007 at 19:48, Brian Lavender wrote:
>
> > I have been working with Xen, and I found this article that may be of
> > value for configuring a test and proof of concept environment with
> > OSSIM.
> >
> > http://www.samag.com/documents/s=10112/sam0702e/0702e.htm
> >
> > I will be exploring more in this direction as things go along.
> >
> > brian
> > -- 
> > Brian Lavender
> > http://www.brie.com/brian/


-- 
Brian Lavender
http://www.brie.com/brian/



Re: Network cluster in Xen
2007-08-20 23:48:46
On Mon, Aug 20, 2007 at 04:11:17PM -0700, Brian Lavender wrote:
> Overall, I think there are two approaches for implementation. One, is
> start with a completely working system such as VMOSSIM. But VMOSSIM only
> runs on one machine. The Xen guys put together a live Demo CD, where
> you can see multiple virtual machines running. I can't seem to find the
> ISO on the Net at the moment, but here is an article on its review.
>
> http://linuxhelp.blogspot.com/2006/10/xen-gpled-virtualisation-technology.html

I found the iso image for the Xen live demo CD. 

http://bits.xensource.com/oss-xen/release/3.0.3-0/iso/livecd-xen-3.0.3-0.iso

brian
-- 
Brian Lavender
http://www.brie.com/brian/


