I've been playing with OSSIM (http://www.ossim.net) for the last week. The stand-alone installation from AlienVault was trivially easy, thanks guys! I was able to install a main 'trusted net' stand-alone and integrate a DMZ sub-sensor in an hour. The dashboard is pretty, with many reporting features and does a decent job of aggregating the infeed of data from the wide collection of tools it provides.
But...
Having put this Unified Threat Management (http://en.wikipedia.org/wiki/Unified_Threat_Management) device on the network, I find it to be the least secure thing out there. While AlienVault did an excellent job of bringing all of these wonderful security monitoring tools together, having the production interface on the main network acting as both collector, sensor, and admin access is a bad idea. It also uses so many products and services that it is terribly insecure itself. Having the main sensor in the trusted network isn't too bad for this, but having one of these in the more exposed DMZ makes me wary. OSSIM needs a lot of custom configuration to implement restricted access, split the collection interface to a promiscuous-only and have a separate admin interface. This can be done with taps to ensure only one-way traffic occurs, but that still leaves the service open to injection if one were to expect the box to be there. In all, the UTM sensor-with-everything idea needs to be rethought.
It's been fun to play with, but ultimately I'm going to explore running with some functionalized implementations that might prove more secure.
