Category: Network and Security

2010-08-31 23:32:49

Resources:

http://www.ossim.net/blogs.php

OSSIM is actually not a SIM (Security Information Management system) but a SEM (Security Event Management system).
The difference between SIM and SEM is this: a SIM focuses on collecting and retaining large volumes of raw logs over the long term, supporting audit and computer forensics, usually to meet customers' compliance requirements; a SEM focuses on real-time security monitoring, real-time risk assessment, alerting and response. Functionally, OSSIM has no large-scale log collection and storage capability; what it does is actually closer to a SEM, so its correct name would have been OSSEM. The OSSIM development team noticed this too, but these concepts were not clear at the time, which is how the name OSSIM came about. The OSSIM team later gave the following explanation on the project wiki:
What is a SIM?
According to Wikipedia: “Security Information Management (SIM) is the industry-specific term in computer security referring to the collection of data (typically log files; e.g. event logs) into a central repository for trend analysis. Due to historic reasons of terminology evolution; SIM refers to just the part of information security which consists of discovery of ‘bad behaviour’ by using data collection techniques. The term commonly used to represent an entire security infrastructure that protects an environment is commonly called Information Security Management (InfoSec)”.

SIMs focus on real-time security monitoring, correlating different log types and offering fast analysis and dashboard tools.
They store events in a SQL database, which has a concurrent event storage limitation.

What is a SEM?
A SEM (Security Event Management) stores large amounts of logs on disk devices for historical storage purposes. It typically offers integrity and confidentiality, implementing cyphering and digital signatures.

SEMs are slow but can store years of logs. OSSIM does not implement SEM functionalities, although an OSSIM professional edition developed by AlienVault implements a SIEM (SIM+SEM). (source)

The part in red is where the industry's consensus definitions of SIM and SEM are stated. But SIM and SEM both seem to be outdated now; everyone is hyping the SIEM concept, so AlienVault says they have developed a professional edition of OSSIM that implements SIEM functionality, that is, the integration of SIM and SEM.
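The quoted SEM description says a long-term log store protects the integrity of archived logs with digital signatures. The following is an added example, not OSSIM or AlienVault code, that shows what that property looks like in practice: each archived event is hash-chained to its predecessor and the chain head is sealed, so an edit or deletion anywhere in the archive is detected on verification. It assumes an HMAC with a locally held key in place of a real digital signature (a simplification so the example runs stand-alone), a hypothetical `ARCHIVE_KEY`, and constructed sample events.

```python
"""Tamper-evident log archive sketch (added example, not OSSIM code).

Integrity for long-term log storage: a SHA-256 hash chain over the
records plus an HMAC over the chain head.  The HMAC stands in for a
digital signature so the example is self-contained; a real archive would
sign the head with a key held by a separate signer or HSM.
"""
import copy
import hashlib
import hmac
import json

# Constructed sample events, as a SEM might receive them from a collector.
SAMPLE_EVENTS = [
    {"ts": "2010-08-31T23:00:01", "src": "fw01", "msg": "DROP tcp 10.0.0.5 -> 10.0.0.9:22"},
    {"ts": "2010-08-31T23:00:07", "src": "ids01", "msg": "ET SCAN ssh brute force"},
    {"ts": "2010-08-31T23:00:09", "src": "host09", "msg": "sshd: Failed password for root"},
]

# Hypothetical archive sealing key (assumption); keep it outside the archive host.
ARCHIVE_KEY = b"example-archive-key"

GENESIS = hashlib.sha256(b"").hexdigest()  # fixed link for the first record


def canonical(event: dict) -> bytes:
    """Serialize an event deterministically so hashes are reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def build_archive(events, key=ARCHIVE_KEY):
    """Chain each record to its predecessor and seal the chain head.

    Returns (records, seal).  Every record carries the hash of the previous
    record, so changing or removing any entry alters all later hashes and
    finally the sealed head.
    """
    records = []
    prev = GENESIS
    for ev in events:
        digest = hashlib.sha256(prev.encode() + canonical(ev)).hexdigest()
        records.append({"event": ev, "prev": prev, "hash": digest})
        prev = digest
    seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return records, seal


def verify_archive(records, seal, key=ARCHIVE_KEY) -> bool:
    """Recompute the chain and check the sealed head; False on any tampering."""
    prev = GENESIS
    for rec in records:
        if rec["prev"] != prev:
            return False  # a record was removed or reordered
        expected = hashlib.sha256(prev.encode() + canonical(rec["event"])).hexdigest()
        if not hmac.compare_digest(expected, rec["hash"]):
            return False  # record content no longer matches its hash
        prev = expected
    head_seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(head_seal, seal)


def tamper_demo() -> bool:
    """Edit one archived event in place and report whether the archive still verifies."""
    records, seal = build_archive(SAMPLE_EVENTS)
    altered = copy.deepcopy(records)
    altered[1]["event"]["msg"] = "nothing to see here"  # silent rewrite of history
    return verify_archive(altered, seal)  # False: the edit is detected


if __name__ == "__main__":
    recs, s = build_archive(SAMPLE_EVENTS)
    print("intact archive verifies:", verify_archive(recs, s))
    print("altered archive verifies:", tamper_demo())
```

The chain alone only proves internal consistency; it is the seal over the head (a signature in a real deployment) that stops someone from rebuilding a consistent but false chain, which is why the key must not live on the same host as the archive.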