OSSIM : Lessons Learned from Tuning Snort IDS

Recently I’ve been busy tuning the Snort IDS (Intrusion Detection System) that comes with OSSIM. Compared to the installation process, tuning is much more involved and time-consuming.

You may wonder why you should tune your IDS at all. Because if you don’t tune the IDS to suit your network environment (servers, network devices, security devices), you will get a lot of events. And I really mean A LOT. I received more than 100,000 events each day before I did the tuning. It’s a sure thing that if you receive that many events, you will not analyze them; you may not even read them anymore. The good thing is that they are all false positives, so you can ignore them. And of course you don’t want to store those false-positive events to disk. After the tuning process, I received fewer than ten events per day. :D


OSSIM : Nagios3 Warnings

Recently I’ve successfully updated my OSSIM machine from version 2.1.x to version 2.2.x. It took several attempts to finish the update process.

After restarting the machine, I found several warning messages from Apache, shown in the following figure:

The warnings were caused by a conflict between several Nagios Apache configuration files. In my case there were two configuration files (apache2.conf and nagios3.conf) soft-linked to the same configuration file, so Apache loaded the same directives twice:

The solution is simply to delete the “apache2.conf” symlink; the configuration file it points to stays in place and is still loaded through nagios3.conf.