In many ways it’s a matter of scale. OSSIM is a kind of lite version of 
AlienVault, and used by them. I’ve seen people move from an OSSIM architecture 
to Metron specifically to get better scaling, things like PCAP capabilities 
etc. but also retain the OSSEC agents to handle endpoint and scanning use 
cases, which they then feed into Metron. In these cases it was mostly about 
scalability and flexibility to extend, as well as manageability of multi-tenant 
environments. 

In functional terms, Metron also emphasises behaviour profiling and machine 
learning, whereas OSSIM is a more traditional rules-centric way of looking at 
security and log monitoring. 

Hope that helps you understand the difference a little better,
Simon

> On 21 Dec 2017, at 12:22, moshe jarusalem <tuu...@gmail.com> wrote:
> 
> Jon thanks for the information.
> 
> I am indeed trying to learn both of them just wanted to get expert ideas. 
> 
> OSSEC is also supported by OSSIM, which is somewhat like Metron. I would like 
> to hear ideas which may make Metron a better alternative and/or composite 
> usage.
> 
> Regards,
> 
> 
> On Thu, Dec 21, 2017 at 2:39 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> Yes, I run both in my environment and they are both security products but 
> that's about where the similarities end.  OSSEC is a host-based solution that 
> monitors local activity with its tree-based rules engine; Metron is a 
> distributed solution that handles large sets of data from many sources and a 
> lot more.  A possible connection between the two may be that OSSEC 
> logs/alerts could be fed into Metron for enrichment, triage, alerting, and 
> analysis.
> 
> I would recommend either reading the documentation for both of them in more 
> detail, or spinning them both up to get a better handle on the differences.
> 
> Jon
> 
> 
> On Thu, Dec 21, 2017, 00:34 moshe jarusalem <tuu...@gmail.com> wrote:
> Hi All, 
> I have come across the OSSEC project and find it similar to Metron. I am 
> confused a bit. 
> Is anyone aware of OSSEC and able to give some comparisons?
> 
> Regards,
> -- 
> Jon
> 
> 
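Both Jon's and Simon's replies above describe the same integration pattern: keep the OSSEC agents for host-level detection and feed their alerts into Metron for enrichment and triage. As an added example (not code from this thread, from OSSEC or from Metron), the Python below flattens records in the layout OSSEC writes to alerts.log into one JSON event per alert; the sample alerts are constructed, and the Metron-style field names (epoch-millisecond timestamp, ip_src_addr, original_string, source.type) are an assumption about the target schema.

```python
import json
import re

# Constructed sample in the layout OSSEC writes to alerts.log (not a real capture).
SAMPLE_ALERTS = """\
** Alert 1513858923.4521: mail  - syslog,sshd,authentication_failed,
2017 Dec 21 12:22:03 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Dec 21 12:22:03 web01 sshd[1234]: Failed password for root from 192.0.2.10 port 2222 ssh2

** Alert 1513858930.4522: - ossec,rootcheck,
2017 Dec 21 12:22:10 (web01) 10.0.0.5->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/dev/.hidden' present on /dev. Possible hidden file.
"""
# Header, origin ("(agent) ip->location" or "host->location") and rule lines.
HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+)\.\d+: (?:mail )?\s*- (?P<groups>.*?),?$")
ORIGIN = re.compile(r"^\d{4} \w{3} \d{2} [\d:]+ (?:\((?P<agent>[^)]*)\) \S+|(?P<host>\S+))->(?P<location>.*)$")
RULE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_ossec_alerts(text):
    # One alerts.log record per "** Alert" header; flatten each into a dict
    # using Metron-style field names (assumed target schema).
    events = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue  # skip junk instead of crashing the whole feed
        ev = {"source.type": "ossec", "timestamp": int(m.group("ts")) * 1000,
              "ossec_groups": m.group("groups").split(",")}
        payload = []
        for line in lines[1:]:
            if (o := ORIGIN.match(line)):
                ev["host"] = o.group("agent") or o.group("host")
                ev["ossec_location"] = o.group("location")
            elif (r := RULE.match(line)):
                ev["rule_id"], ev["level"] = int(r.group("rule_id")), int(r.group("level"))
                ev["rule_description"] = r.group("desc")
            elif line.startswith("Src IP: "):
                ev["ip_src_addr"] = line[len("Src IP: "):]
            else:
                payload.append(line)  # the raw log / rootcheck text OSSEC matched
        ev["original_string"] = "\n".join(payload)
        events.append(ev)
    return events

def to_ndjson(events):
    # One JSON object per line, the shape a Metron parser topic would consume.
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)
```

Structured fields such as level and rule_id are what make downstream triage scoring and enrichment possible; a raw alert text line alone gives the SIEM nothing to key on.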
