Dailydave mailing list archives
Re: News, dumbug, prediction rebuttals.
From: Anton Chuvakin <anton () chuvakin org>
Date: Thu, 22 Dec 2005 13:08:17 -0500
> Anton Chuvakin wrote:
> > > 3. My prediction: No credible open source SIM (aka, log aggregator). Boring work gets done by corporations, and that's that. Not to mention the impossibly high barrier to market of having to purchase and maintain all the random devices that generate logs.
> >
> > 100% true. These two reasons will likely kill any future for the open source SIM at least until all the logs are in standard format (like in XXVIII century, given some luck :-))
>
> Not to be contrarian, but with Open Source, no one organization need buy all the devices. Given proper documentation and a convenient interface, new log parsing routines could be added by those who already have the devices, and contributed to the pool for future users.
Ha-ha, that was a good one :-) If you look at a typical firewall, one sometimes needs to have a nice set of, say, 400 pretty esoteric and ugly regular expressions [which are not fun to write, not by a long shot] to intelligently parse all the logs into tokens. "Given proper documentation" is another fantasy; in many cases, there isn't any :-) And don't even get me started on the convenient interface...
> I find this prediction credible; in fact it's already true. OSSIM already exists (www.ossim.net) and this could be its year. After all, if correlation engines are $50k - $100k per company, the economics of developing or contributing to a free solution make it a very attractive proposition.
OSSIM seems stagnant; I haven't seen any new features for quite some time. And, just as mentioned by Dave Aitel, device support is a big issue for adoption. If you read the PIX 6.1 logs just fine, there is nothing that tells you that you will deal with PIX 6.2 logs just as fine... Thus, there is a good reason that many SIM software packages cost a bit more than the above number :-)

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
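The two positions in this exchange (parsers can be crowd-contributed per device; a point release can silently change a device's log grammar) can be shown together in a small parser registry. The following is an added illustration written for this archive page, not code from OSSIM or from any poster. The `acme-fw` "v1" and "v2" log formats, the sample lines, and all function names are constructed for the example and are not real PIX message syntax. The defender-relevant piece is `parse_stream`, which counts lines no contributed pattern matches, grouped by line shape, so a format change shows up as an alert instead of as events quietly missing from the SIM.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Registry of contributed parsers: device name -> list of compiled regexes.
# Whoever already owns a device contributes the pattern for its format, so
# no single organization has to buy every device. The catch Anton raises is
# that a firmware update can change the grammar, so we also measure how many
# lines the registry FAILED to parse instead of dropping them silently.
PARSERS: Dict[str, List[re.Pattern]] = {}


def register(device: str, *patterns: str) -> None:
    """Contribute one or more regexes for a device's log format."""
    PARSERS.setdefault(device, []).extend(re.compile(p) for p in patterns)


# Constructed format "v1" of a hypothetical firewall (not a real PIX message).
register(
    "acme-fw-v1",
    r"^(?P<ts>\S+) (?P<host>\S+) FW: (?P<action>DENY|PERMIT) (?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$",
)


def parse_line(line: str) -> Optional[dict]:
    """Return the tokenized event, or None if no contributed pattern matches."""
    for device, patterns in PARSERS.items():
        for pat in patterns:
            m = pat.match(line)
            if m:
                event = m.groupdict()
                event["device"] = device
                return event
    return None


def signature(line: str, tokens: int = 4) -> str:
    """Coarse shape of a line (digits masked, first few tokens) to group unknown formats."""
    masked = re.sub(r"\d+", "#", line)
    return " ".join(masked.split()[:tokens])


def parse_stream(lines: Iterable[str]) -> Tuple[List[dict], Counter]:
    """Parse what we can; count what we cannot, keyed by the line's shape."""
    events: List[dict] = []
    unparsed: Counter = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed[signature(line)] += 1
        else:
            events.append(event)
    return events, unparsed


def drift_alerts(unparsed: Counter, min_count: int = 2) -> List[str]:
    """Line shapes seen at least min_count times with no parser: likely a new log format."""
    return [sig for sig, n in unparsed.most_common() if n >= min_count]


# Constructed sample: three lines in the known v1 grammar, then two lines
# after a hypothetical firmware update that reshuffled the fields ("v2").
SAMPLE_LINES = [
    "2005-12-22T13:00:01 fw1 FW: DENY tcp src=10.0.0.5:51515 dst=192.0.2.10:22",
    "2005-12-22T13:00:02 fw1 FW: PERMIT udp src=10.0.0.7:53000 dst=192.0.2.53:53",
    "2005-12-22T13:00:03 fw1 FW: DENY tcp src=10.0.0.9:40000 dst=192.0.2.10:3389",
    "2005-12-22T13:05:01 fw1 FW-2: DENY tcp 10.0.0.5/51515 -> 192.0.2.10/22",
    "2005-12-22T13:05:02 fw1 FW-2: DENY tcp 10.0.0.9/40001 -> 192.0.2.10/3389",
]

# The v2 pattern a contributor who already runs the newer firmware would add.
V2_PATTERN = (
    r"^(?P<ts>\S+) (?P<host>\S+) FW-2: (?P<action>DENY|PERMIT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) -> (?P<dst>[\d.]+)/(?P<dport>\d+)$"
)


def demo() -> Tuple[int, int, int, int]:
    """(parsed, unparsed) before and after the v2 parser is contributed."""
    before_events, before_unparsed = parse_stream(SAMPLE_LINES)
    register("acme-fw-v2", V2_PATTERN)
    after_events, after_unparsed = parse_stream(SAMPLE_LINES)
    return (len(before_events), sum(before_unparsed.values()),
            len(after_events), sum(after_unparsed.values()))


if __name__ == "__main__":
    events, unparsed = parse_stream(SAMPLE_LINES)
    print(f"parsed {len(events)} lines, {sum(unparsed.values())} unparsed")
    for sig in drift_alerts(unparsed):
        print("possible new log format:", sig)
```

Run as-is, the script parses the three v1 lines and flags the two v2 lines as one unknown shape; `demo()` shows the same stream parsing completely once a v2 pattern is contributed. In a real deployment the unparsed counter per device would be the metric to alarm on after any firmware upgrade.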
Current thread:
- News, dumbug, prediction rebuttals. Dave Aitel (Dec 21)
- Message not available
- Re: News, dumbug, prediction rebuttals. Dave Aitel (Dec 21)
- Message not available
- Re: News, dumbug, prediction rebuttals. Anton Chuvakin (Dec 21)
- Re: News, dumbug, prediction rebuttals. David J. Bianco (Dec 21)
- Re: News, dumbug, prediction rebuttals. Anton Chuvakin (Dec 22)
- Message not available
- Re: News, dumbug, prediction rebuttals. Anton Chuvakin (Dec 23)
- Message not available
- Re: News, dumbug, prediction rebuttals. Anton Chuvakin (Dec 23)
- Re: News, dumbug, prediction rebuttals. David J. Bianco (Dec 21)
- Re: News, dumbug, prediction rebuttals. Dave Aitel (Dec 22)
- Re: News, dumbug, prediction rebuttals. Florian Weimer (Dec 22)
- Re: News, dumbug, prediction rebuttals. Blue Boar (Dec 22)
- Re: News, dumbug, prediction rebuttals. Adam Shostack (Dec 22)
- Re: News, dumbug, prediction rebuttals. plonky (Dec 22)
- Message not available
- Re: News, dumbug, prediction rebuttals. plonky (Dec 23)
- <Possible follow-ups>
- Re: News, dumbug, prediction rebuttals. sgc (Dec 22)