OSSIM Components Overview

Upload: bad3106

Post on 12-Nov-2014


Page 1: OSSIM Components

OSSIM Components Overview

Page 2: OSSIM Components

OSSIM Functional Components

Server – The core of the SIEM

Framework – Connects everything together

Sensor – Collects Information

Database – Storage for other components

Logger (Commercial Only) – Complete log storage

Page 3: OSSIM Components

Server

Server is the central component of OSSIM, and performs the key SIEM functions:

• Event Correlation
• Risk Assessment and Prioritization
• Inventory and Identity Management
• Alarms and Scheduling
• Policy Management
• Reputation Engine

Page 4: OSSIM Components

Framework

Framework manages OSSIM components and connects them together.

• Provides the Web User Interface
• Manages OSSIM component configurations and communication

Page 5: OSSIM Components

Database

Handles storage for Inventory data, configuration and SIEM events.

• SIEM Event Storage
• Asset Storage
• Continuous Data (netflow, etc.) Storage
• Run-time OSSIM Configurations

Page 6: OSSIM Components

Sensor (+Agents)

The information-gathering component of OSSIM. Agents collect logs and events from external devices and from the OSSIM monitoring components, using one Plugin for each type of information they collect: the plugin tells the agent where the data comes from and how to parse each line into a normalized event.

Log Collection: Fetch (the agent pulls logs from the device) and Receive (the device pushes logs to the agent, e.g. over syslog)

Network Monitoring:
• Network Traffic Monitoring
• Network Intrusion Detection
• Asset Detection
• Host Intrusion Detection
• Wireless Intrusion Detection
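Page 3 (Server) lists correlation and risk assessment, and this page (Sensor) describes plugin-driven collection. The block below is an added example, not OSSIM's own agent or server code, that walks constructed syslog lines through both stages: a plugin-style regexp normalizes raw lines into events, a minimal correlation directive counts events per source inside a time window, and the resulting alarm is scored. The plugin id (4003), sid (1), the regexp, the directive thresholds and the asset value are assumed values chosen for illustration; the risk formula follows the one OSSIM's documentation gives (asset value x priority x reliability / 25).

```python
"""Illustrative OSSIM-style sensor -> server pipeline (added example, not OSSIM code)."""
import re
from datetime import datetime, timedelta

# --- Sensor side: a detector plugin rule is essentially a regexp -> field map.
# Real ossim-agent plugins are .cfg files; this dict stands in for one rule.
SSHD_PLUGIN = {
    "plugin_id": 4003,   # assumed id for an "sshd" plugin
    "plugin_sid": 1,     # assumed sid for "failed password"
    "regexp": re.compile(
        r"^(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
        r"sshd\[\d+\]:\sFailed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"
    ),
}


def normalize(line, plugin, year=2014):
    """Apply one plugin rule to a raw log line; return a normalized event or None."""
    m = plugin["regexp"].search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['date']}", "%Y %b %d %H:%M:%S")
    return {
        "plugin_id": plugin["plugin_id"], "plugin_sid": plugin["plugin_sid"],
        "date": ts, "sensor": m["host"], "username": m["user"],
        "src_ip": m["src_ip"], "src_port": int(m["src_port"]),
    }


# --- Server side: a minimal correlation directive (assumed thresholds).
# After `occurrence` matching events from one source inside `time_out` seconds,
# an alarm is raised with the directive's reliability and priority.
DIRECTIVE = {
    "name": "SSH brute force (assumed directive)",
    "plugin_id": 4003, "plugin_sid": 1,
    "occurrence": 5, "time_out": 60, "reliability": 8, "priority": 4,
}


def correlate(events, directive):
    """Sliding window per src_ip; emit one alarm each time the threshold trips."""
    alarms = []
    window = {}  # src_ip -> timestamps still inside time_out
    for ev in sorted(events, key=lambda e: e["date"]):
        if (ev["plugin_id"], ev["plugin_sid"]) != (directive["plugin_id"], directive["plugin_sid"]):
            continue
        hits = window.setdefault(ev["src_ip"], [])
        hits.append(ev["date"])
        cutoff = ev["date"] - timedelta(seconds=directive["time_out"])
        hits[:] = [t for t in hits if t >= cutoff]   # drop expired hits
        if len(hits) >= directive["occurrence"]:
            alarms.append({"src_ip": ev["src_ip"], "count": len(hits),
                           "reliability": directive["reliability"],
                           "priority": directive["priority"]})
            hits.clear()  # start a fresh window after raising the alarm
    return alarms


def risk(asset_value, priority, reliability):
    """OSSIM risk: asset (0-5) * priority (0-5) * reliability (0-10) / 25, giving 0-10."""
    return asset_value * priority * reliability / 25


# Constructed sample syslog lines (not real captures).
SAMPLE_LOG = """\
Nov 12 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50100 ssh2
Nov 12 10:00:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50101 ssh2
Nov 12 10:00:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 50102 ssh2
Nov 12 10:00:09 web01 sshd[2207]: Failed password for root from 198.51.100.5 port 41000 ssh2
Nov 12 10:00:11 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 50103 ssh2
Nov 12 10:00:20 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.12 port 52000 ssh2
Nov 12 10:00:30 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50104 ssh2
"""


def run_pipeline(raw=SAMPLE_LOG, asset_value=4):
    """Normalize, correlate and score; returns (events, alarms)."""
    events = [e for e in (normalize(l, SSHD_PLUGIN) for l in raw.splitlines()) if e]
    alarms = correlate(events, DIRECTIVE)
    for a in alarms:
        a["risk"] = risk(asset_value, a["priority"], a["reliability"])
    return events, alarms


if __name__ == "__main__":
    evs, als = run_pipeline()
    print(f"{len(evs)} normalized events, {len(als)} alarm(s)")
    for a in als:
        print(a)
```

The "Accepted publickey" line never becomes an event because the plugin rule only matches failed passwords; that is the filtering the Server section describes, happening at the agent before anything reaches the database. The single host with two failures never trips the directive, so only the persistent source produces an alarm.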

Page 7: OSSIM Components

Logger [Commercial Only]

The Server keeps only the normalized events that are significant for security analysis and discards the rest. The Logger additionally stores every log line in its raw form, so that forensic investigation, compliance reporting and archival searches can go back to the original record.

Indexed for Full-Text searches

Cryptographically Signed log messages

Additionally accessible as raw text.

Designed for long-term storage
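The four properties above (raw text, full-text index, signed records, long-term storage) can be shown on a small scale. The block below is an added example, not the Logger's own storage format or code: each raw line is kept verbatim, chained to its predecessor by a SHA-256 hash, authenticated with an HMAC (a stand-in for a signature, used here so the example needs only the standard library; a real archive would use an asymmetric signature so the party verifying does not hold the signing key), and tokenized into a tiny inverted index. The key, record layout and tokenizer are assumptions, and the log lines are constructed.

```python
"""Illustrative signed raw-log store (added example, not the OSSIM Logger's format)."""
import hashlib
import hmac
import json
import re
from collections import defaultdict

# Assumed key for the example; a real deployment keeps it in an HSM or key store.
SIGNING_KEY = b"example-logger-key-not-for-production"
GENESIS = "0" * 64


class SignedLogStore:
    def __init__(self, key=SIGNING_KEY):
        self.key = key
        self.records = []              # append-only list of record dicts
        self.index = defaultdict(set)  # token -> set of sequence numbers
        self.prev_hash = GENESIS

    def _mac(self, seq, prev_hash, line):
        msg = json.dumps([seq, prev_hash, line]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def append(self, line):
        """Store one raw line with a chained hash and MAC; return its sequence number."""
        seq = len(self.records)
        mac = self._mac(seq, self.prev_hash, line)
        # The chain hash covers the MAC, so dropping or reordering records is detectable.
        this_hash = hashlib.sha256(f"{self.prev_hash}{mac}".encode()).hexdigest()
        self.records.append({"seq": seq, "prev": self.prev_hash, "raw": line,
                             "mac": mac, "hash": this_hash})
        for tok in set(re.findall(r"[\w.:@-]+", line.lower())):
            self.index[tok].add(seq)
        self.prev_hash = this_hash
        return seq

    def verify(self):
        """Recompute every MAC and chain link; return (ok, first_bad_seq)."""
        prev = GENESIS
        for rec in self.records:
            expected_mac = self._mac(rec["seq"], prev, rec["raw"])
            if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected_mac):
                return False, rec["seq"]
            prev = hashlib.sha256(f"{prev}{expected_mac}".encode()).hexdigest()
            if rec["hash"] != prev:
                return False, rec["seq"]
        return True, None

    def search(self, *terms):
        """Full-text AND query over the index; returns matching raw lines in order."""
        hits = None
        for t in terms:
            ids = self.index.get(t.lower(), set())
            hits = ids if hits is None else hits & ids
        return [self.records[i]["raw"] for i in sorted(hits or ())]


# Constructed sample lines (not real captures).
SAMPLE_LINES = [
    "Nov 12 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50100 ssh2",
    "Nov 12 10:00:02 web01 sudo: deploy : TTY=pts/0 ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Nov 12 10:00:05 fw01 kernel: IPTABLES-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
]


def build_store(lines=SAMPLE_LINES):
    store = SignedLogStore()
    for line in lines:
        store.append(line)
    return store


def tamper_demo():
    """Edit a stored line in place (as an attacker with disk access might) and re-verify."""
    store = build_store()
    store.records[1]["raw"] = store.records[1]["raw"].replace("root", "nobody")
    return store.verify()


if __name__ == "__main__":
    s = build_store()
    print("intact:", s.verify())
    print("search sshd 203.0.113.7:", s.search("sshd", "203.0.113.7"))
    print("after tampering:", tamper_demo())
```

Verification is only as good as the key's isolation: if the host that writes the archive also holds the only copy of the key, an attacker who takes that host can re-sign a rewritten history. Anchoring the chain head (the latest hash) somewhere the host cannot modify, or signing with a private key the archive host never sees, closes that gap.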

Page 8: OSSIM Components

Open Source Software in the OSSIM Architecture

Each OSSIM component wraps a selection of open-source security tools.

Some run as part of the core Server/Framework host; others run on the Sensors, which may be distributed across the network to provide visibility into each segment.

Server/Framework:
• Nagios
• OCSInventory
• NFSen
• Ntop (interface)

Sensor:
• Snort
• Nfcap/Fprobe
• P0f
• Pads
• Arpwatch
• Ntop
• Nmap
• OpenVAS
• OSSEC
• Kismet