I have started to work on a Live CD for Open Source tools like Prelude
SIEM, and software like Suricata, Snort, OpenVAS to send alerts. The
goal is to easily test these tools, register new agents, get some alerts
and be able to correlate them etc. I also want to add some visualization
tools, so this CD could maybe become a reference for security alert
detection and report.
First, a few points on applications used:
Debian Live for
building the CD. It’s very easy, it’s based on Debian, and it allows
me to re-use some work I’ve done
is the key point: suricata, snort, syslog etc. will send alerts to
Prelude, which has a database, a correlator, a web interface
Standard useful tools: nmap, scapy, wireshark, p0f, etc.
This first version is based on Debian Lenny and arch x86. Everything is
based on packages (.debs) to make it easier to maintain, upgrade
versions or add patches: most of the time, I just have to rebuild
packages from squeeze or sid.