Questions[ossim](server)

I know the "risk" calculation, but I don't understand what the variables in the calculation mean

The risk calculation is ((asset * priority * reliability)/25)

I don't quite understand what the individual variables in this equation are supposed to be, though, and they don't appear to be documented or explained in any detail.

For example, what is "reliability" supposed to denote? Is there any article or documentation describing the parts of this calculation and what they are supposed to actually mean? Something like "this event is very reliable" -- but what does that even mean, especially if I have no idea if a particular event is reliably a security event. For example, what metric/rubric am I to use to determine if an event is more "reliable"?

And "asset": I suppose some assets are clearly more important than others, but how can I decide how much more important? For example, is there a rule of thumb on setting asset value?

And finally, priority seems pretty arbitrary as well. Are there any guidelines or examples on setting this value for any given event?

I want to turn up the sensitivity of some events, but I feel like I'm randomly mashing buttons without understanding what the intent is behind the components of this risk equation.

we've recently moved our NIDS installation from StrataGuard to the new OSSIM 2.1 release to take advantage of the additional features (Nagios, ntop, Nessus/OpenVas, etc.) it provides in addition to just Snort. So far, I'm very impressed with OSSIM but also slightly overwhelmed with the complexity and sheer amount of information provided.

Where StrataGuard made it very easy to tune and configure rules, e.g. to exclude or specify combinations of source/destination addresses and ports for a given rule, I'm having a very difficult time figuring out how to tune rules in OSSIM from the different event sources (Snort, rrd, arpwatch, directive_alert, etc.). The documentation is pretty sparse at present and doesn't appear to say much about this.

My question is, am I missing something, i.e. should I be approaching at a different level? Should I be configuring the Policy and Correlation elements only, and let the events pour in, even if I know they're false positives? Or is there a straightforward way to tune rules for each sensor?

Thanks for your help.

Update: A nice review article from Linux Journal has been made available through the AlienVault web site that explains the correlation process in more depth than I've seen, and provides a nice overall review of the OSSIM system.

Update November 2012: We tried other open source logging and/or monitoring solutions in the 3+ years since I posted this question (Icinga, ZenOSS, and Splunk in that order) without any great satisfaction, so I've recently come back to playing with OSSIM. It's currently up to version 4.0, and the tools overall seem to be much improved and better integrated than prior versions, especially on the logging end. I've found the 'OSSIM Made Simple' webinars made available by Alienvault very helpful, at least in setting it up as a syslog/OSSEC repository. Still trying to get a handle on rules and event/alert correlation for Snort/ntop on mirrored traffic -- I think some of the tools in the paid/non-"community" version might make this easier, but that's not in our budget.

I am trying to get some real-world feedback on OSSIM.

Are you using OSSIM in production?

If so, what has your overall experiance been?

How many nodes are in your enviroment?

Finally, what kind of bandwidth are you monitoring?

Thanks!

Anapologetos