Anton Chuvakin wrote:
> Feel free to restart the discussion here! :-)
I won't argue why/why not there are no credible open-source SIMs, but I think some of the arguments used in the discussion over on Daily-Daves are flawed:

1. "Supporting a large number of devices is a requirement" (for success)

I don't think this is necessarily true; while support for many log-generating components is a nice thing, even generic handling of logs (collection, structured storage, searchability, visualization) of syslogs or Windows event logs will be of use for a number of use-cases.

Even some well-known commercial offerings only claim to cover a couple of dozen devices (and just one or two versions of each); if they are useful enough to justify their price tag even with this limited coverage, why can't an openly available solution be as well?

2. "Complete coverage of message vocabulary for each log-generating item is a requirement" (for success).

While complete coverage certainly is a goal, the content of logs is generally either (1) well-known-use, (2) well-known-noise or (3) relatively rare. Writing regexes for the first two rarely needs "400 pretty esoteric and ugly regular expressions" in my experience.

Generic reports on (1) can generally be written if the general log management mechanisms are in place, filtering (2) is easy, and that leaves (3) for manual follow-up. (1) gives value (especially in regard to regulative requirements) and (2) eases the operational understanding of the events by reducing the clutter.

This can be done without requiring a Sguil-style analyst going through the output (what does, and should, require expertise is forensic investigations and advanced troubleshooting).

3. "Lifetime commitment for support". No freely available solution can offer this, and in reality -- no commercial solution either. Companies get bought, product strategies change, and that's just something we all have to take into account when choosing our preferred solution, regardless of licensing/pricing model.

In sum -- for some environments only a commercial solution will do, but that does not mean that an open source solution can't/won't exist nor provide value.

One argument that's missing from the discussion so far is the ease of integration with other information sources in the enterprise. For me, this is a major incentive for doing in-house development of this kind of solution; correlating inventory information, user databases, personnel databases and so forth with the log events is important, and this is an area where commercial solutions traditionally have been weak (particularly in the system management space).

Furthermore, I think that viewing a SIM solution as a machine that goes 'ping!' when something bad happens is just about as futile as the initial, simplistic IDS offerings. While alerts certainly are useful, I would claim that 'better operational understanding of what's going on' is a more important goal than the 'ping!' factor. Viewing the SIM as an operational tool is therefore more important than the 'black box' factor, imho.

FloCon (http://www.cert.org/flocon/2005/presentations/) is an example of cool research trying to give us a better understanding of our networks -- and not just the security events taking place on them.

Just my $0.02. YMMV. :-)
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
-oddbjorn
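As an added illustration of the three-bucket triage argued in point 2 above (this is example code, not part of the original post or any project it mentions): a small Python classifier sorts syslog lines into well-known-use events that feed a generic count-based report, well-known-noise that is suppressed, and rare lines left for manual follow-up. The regex patterns, the host and user names and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the original post).
SAMPLE_LOGS = [
    "Jan  5 10:01:02 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52211 ssh2",
    "Jan  5 10:01:09 host1 sshd[1240]: Failed password for invalid user admin from 10.0.0.9 port 40122 ssh2",
    "Jan  5 10:02:00 host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  5 10:02:30 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Jan  5 10:03:00 host1 systemd[1]: Started Session 42 of user alice.",
    "Jan  5 10:04:11 host1 kernel: [12345.678] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]

# Bucket (1), well-known-use: a handful of named patterns that feed the generic reports.
KNOWN_USE = {
    "ssh_login_ok": re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"),
    "ssh_login_fail": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "sudo_cmd": re.compile(r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"),
}

# Bucket (2), well-known-noise: matched lines are only counted, never shown.
KNOWN_NOISE = [
    re.compile(r"CRON\[\d+\]: \(\w+\) CMD "),
    re.compile(r"systemd\[\d+\]: (?:Started|Stopped) Session \d+ of user "),
]

def classify(line):
    """Return ('use', name, fields), ('noise', None, None) or ('rare', None, None)."""
    for name, rx in KNOWN_USE.items():
        m = rx.search(line)
        if m:
            return "use", name, m.groupdict()
    if any(rx.search(line) for rx in KNOWN_NOISE):
        return "noise", None, None
    return "rare", None, None  # bucket (3): left for manual follow-up

def triage(lines):
    """Count bucket (1) by (pattern, user, source or command); count noise; keep rare lines verbatim."""
    report, noise, rare = Counter(), 0, []
    for line in lines:
        bucket, name, fields = classify(line)
        if bucket == "use":
            report[(name, fields.get("user"), fields.get("src") or fields.get("cmd"))] += 1
        elif bucket == "noise":
            noise += 1
        else:
            rare.append(line)
    return report, noise, rare
```

Calling triage(SAMPLE_LOGS) returns the report Counter (three keyed rows), the number of suppressed noise lines (2) and the single kernel line that nothing matched, which is the part an analyst would actually look at.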
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Fri Dec 30 2005 - 18:34:20 PST