Fabio Pietrosanti (naif) wrote:
> On Wed, Jul 17, 2002 at 06:16:55PM +0200, Lubomir.Nistorat_private wrote:
>
>> well you're looking for a centralized security monitoring system..
>> and even worse.. you are looking to offer SOC services to various customers..
>> did I get it right?
>
> not properly... it's only for one customer so i don't need a solution "service
> provider class" but only "enterprise class" and only for "monitoring purpose"
> and not for "managing purpose".

Take a look at eSecurity's OeSP[1] product; it sounds like it would do what you are asking for. I haven't looked at the product in over a year so I don't know where it is at. Here's a quick overview of how it works:

There is a central correlation/analysis program running on a machine with a SQL database (last I knew it had to be Oracle, but they were moving to allow any ODBC-compliant database). This system receives information in a couple of ways, either directly from the device or through a proxy system.

If the device sends the information directly to the management console it needs to use SNMP. SNMP v3 over TCP was high up on their development list to ensure security and delivery of traps.

If the device originating the logs or traps does not run SNMP, or does not have SNMPv3, the information can be sent to a machine locally on their network and converted to SNMPv3 traps. They have the software for this proxy agent (as I call it); it runs on Windows (last I heard) and is very extensible. I don't like their scripting language; it was strongly suggested that they switch to something like Perl or Python, but I don't know if they ever did. If they didn't change the scripting language, be prepared to pull some hair out in frustration. There was also a lot of talk about setting up a library of scripts and agents people had created on their web site.

The proxy agent can read binary and text files, read ports, or SNMP traps. This information can then be processed according to rules you specify on the proxy box for parsing and taking certain actions.

The central OeSP console has the ability to show different views depending on who is logged into the system. This is good if you want to allow your customer to view high-level information, but they aren't really interested in the nitty gritty. Or if you have different sites/clients where you don't want one to see the information of the other.

This is not a product that you will be able to take out of the box, install and walk away... it takes a bit of configuration and tuning. I don't know what the price is these days, but IIRC it was around 35K a year ago for the base system, then a fee for the number of agents monitored.

This is the only thing that I know of that is close to what you are asking for.

Wayne

[1] http://www.esecurityinc.com

--
Wayne Pierce
web: http://www.mishre.com
email: wayneat_private
"What you need to know."

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
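The "proxy agent" part of the architecture Wayne describes (read local log files, apply parsing rules, decide what to forward to the central console as a trap) is easy to model in a few dozen lines. The block below is an added illustration written for this archive page, not OeSP's proxy software or its scripting language. It assumes a syslog-style text source, a hypothetical enterprise OID prefix `1.3.6.1.4.1.99999.1` for the trap varbinds, and a hand-written rule table; the five log lines are constructed for the example. It stops at building the varbind list, since the SNMPv3 encoding and transport would be handled by an SNMP library on the real box.

```python
"""Minimal rule-driven log-to-trap proxy agent (model of the proxy role above).

Reads syslog-style text lines, matches them against an ordered rule table,
normalizes the fields, and produces the (OID, value) varbinds that a trap
sender would ship to the central console. Drop rules filter noise locally
so the central SQL store only sees what the rules decide is worth keeping.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines, as the proxy would read them from local text files.
SAMPLE_LOGS = [
    "Jul 17 18:02:11 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jul 17 18:02:12 srv3 sshd[4411]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Jul 17 18:02:13 srv3 sshd[4411]: Accepted publickey for alice from 10.0.0.7 port 51300 ssh2",
    "Jul 17 18:02:14 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=23",
    "Jul 17 18:02:15 srv3 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Hypothetical enterprise OID prefix for the trap varbinds (assumption; not a real OeSP MIB).
BASE_OID = "1.3.6.1.4.1.99999.1"


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    severity: int   # 1 (informational) .. 5 (critical)
    action: str     # "forward" -> build a trap, "drop" -> discard locally


# Ordered rule table: first match wins, so put the most specific patterns first.
RULES = [
    Rule("ssh_failed_login",
         re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"), 4, "forward"),
    Rule("fw_drop",
         re.compile(r"kernel: DROP .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)"), 3, "forward"),
    Rule("cron_noise", re.compile(r"cron\[\d+\]: \(root\) CMD"), 1, "drop"),
]

# Classic syslog header: "Mon dd hh:mm:ss host message..."
SYSLOG_HDR = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse_line(line):
    """Return (rule, fields) for the first matching rule, or None if nothing matches."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    for rule in RULES:
        r = rule.pattern.search(m.group("msg"))
        if r:
            fields = {"timestamp": m.group("ts"), "host": m.group("host")}
            fields.update(r.groupdict())
            return rule, fields
    return None


def to_varbinds(rule, fields):
    """Flatten a normalized event into an ordered list of (OID, value) pairs for a trap."""
    vb = [(BASE_OID + ".1", rule.name), (BASE_OID + ".2", rule.severity)]
    # Deterministic field order so the console can rely on stable OID positions.
    for i, key in enumerate(sorted(fields), start=3):
        vb.append((f"{BASE_OID}.{i}", fields[key]))
    return vb


def process(lines):
    """Apply the rule table; return (traps_to_forward, dropped_count, unmatched_lines)."""
    traps, dropped, unmatched = [], 0, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unmatched.append(line)   # keep these visible: silent loss is the usual failure mode
            continue
        rule, fields = parsed
        if rule.action == "drop":
            dropped += 1
        else:
            traps.append(to_varbinds(rule, fields))
    return traps, dropped, unmatched


if __name__ == "__main__":
    traps, dropped, unmatched = process(SAMPLE_LOGS)
    for t in traps:
        print(t)
    print(f"forwarded={len(traps)} dropped={dropped} unmatched={len(unmatched)}")
```

Lines that match no rule are returned rather than thrown away; on a real deployment those are what you review when tuning, since a rule table that quietly discards unknown events is how a monitoring console ends up blind to the one thing nobody wrote a pattern for.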
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 14:39:13 PDT