Part 2.a: Configure AlienVault’s OSSIM as your primary security console


UPDATED December 19th, 2012: This section turned out alright after all. It should give people a good starting ground to get from 0 to monitoring log files and using some detectors. I will cover several other aspects of integrating event management directly into OSSIM by writing up sections on nxlog, rsyslog, logging from Windows, etc. For now, you can get started with some of the info contained on the EventDB page to pipe Windows events, remember OSSIM likes the snare format. I’m going to implement a few more detectors, then look into why OSSIM wants openvas, ossec, ntop, and netflow. Then bend OSSIM to integrate with icinga, and see if we can get argus into the mix.


Introduction to OSSIM:
OSSIM is a correlation engine, an alert tracker, an issue/ticket tracker, and includes various probes/sensors that produce log data (note that the sensors do not need to be used).

OSSIM seems great so far. It is and isn’t very accessible. For instance, if you use several default configurations, you can get some useful data. But, then you don’t have any idea why you have the data, where it came from, and (most importantly) why you want it. This seems to be my biggest “problem” with OSSIM at this point.

The “ramp-up” docs are simply not user-friendly; they are not accessible to a non-security-engineer type. I’m even having some trouble locating other people’s write-ups that make it as easy as I wish it to be.

This is what I’ll be trying to do: KISASS. Keep it simple and secure, stupid.

On this page, the following will be done:

  • Placing and building our OSSIM box.
  • Adding networks to manage.
  • Locating hosts.
  • Deciding what we will monitor for our networks, and for our hosts.


Placing your OSSIM box:
You should place your OSSIM box where it is relevant. For instance, if you are going to be using sensors, place it somewhere where it can sniff the traffic you want to monitor.

I’m placing mine where it can receive traffic mirrored from a firewall cluster so that I can monitor all internet-bound traffic with a few sensors. You may want to put it at any internal subnet or boundary, but primarily the location depends on the sensor(s) you wish to deploy.

You can always just use the correlation engine, alert and issue tracker, not configuring any sensors, and place the OSSIM box anywhere.

Download and install AlienVault’s OSSIM:
Whether to install OSSIM as a VM or on dedicated hardware is up to you. Size the machine for the tools you will actually run on it (the sensors and the vulnerability scanner are the heavy CPU and memory consumers) and for the volume of events that will flow from them down to the database backend.

This procedure is very well covered on OSSIM’s site. I will give you a quick brief intro and explain what I did for this guide:

1) Download the latest ISO for OSSIM.

2) Boot a system or VM from the ISO and begin the “Custom Install.” Most prompts can be answered with the obvious choice. The custom install gives you more granular configuration options for: networking, partitioning, mail, probed networks, “sensors”/“agents” (software such as ossec and snort), “plugins” (ossim-agent extensions that parse syslog for events produced by the “agents”), and “monitors” (mostly python scripts that poll certain data from the “agents”).

3) You must select all of the server roles, including: database, server, framework, sensor. However, de-select all of the sensor and monitoring plugins before finishing. This is so that we can really build from the bottom up and only include what we need.

What to expect on first boot:
1) By default the following things are running as a service, and we’ll leave them be for now:

fprobe
monit
munin-node
nagios3
nfsen
ntop
openvas-manager
openvas-scanner
openvpn
ossec
ossim-agent
ossim-firewall
ossim-framework
ossim-server

There are several cron jobs that can be reviewed:

# ls /etc/cron.d
alienvault_ip_reputation           av_system_cache         munin       ossim-cd-tools     php5     update_sensors
alienvault_ip_reputation_feedback  av_system_update_cache  munin-node  ossim-scanner-job  sysstat
# ls /etc/cron.hourly/
ossim-compliance  ossim-compliance-iso27001
# ls /etc/cron.daily/
5snort   apt       bsdmainutils   clean-alarms  dpkg    logrotate  ocsinventory-agent  standard
apache2  aptitude  check-tickets  clean-flows   locate  man-db     passwd              sysstat
# ls /etc/cron.weekly/
man-db

2) If you run `top`, you will see openvassd using as much CPU as it can. OpenVAS is an open source vulnerability scanner, and on first boot it is loading its plugins. You can watch this from a shell with the following loop (bash, because of the `{1..200}` range); it checks every 10 seconds, up to 200 times:

for i in {1..200}; do echo "--iteration $i--"; lsof -p "$(pgrep -d, openvassd)" 2>/dev/null | grep plugins; if [ $? -ne 0 ]; then ps -fC openvassd | grep "waiting for incoming" && break; fi; sleep 10; done

Each iteration prints the plugin file openvassd currently has open, or nothing if it is between plugins. Once no plugin file is open and the process title reports that openvassd is waiting for incoming connections, the loop exits. Expect this to take about 10-15 minutes. (`lsof -p` with the comma-separated PID list from `pgrep -d,` is used rather than grepping all of lsof’s output for a PID, which breaks as soon as more than one openvassd process exists.)

Update the included packages:
1) Access the web UI and enter the information requested.

2) Go to Deployment> System Configuration

3) Click on the Software Updates link in the upper right

4) If no updates are found there, run the update from a terminal instead:

alienvault-update #this will take about 15 minutes

This is the same as selecting System Update in ossim-setup. I’m not sure why the web UI’s update function disregards updating some packages.

Set the NTP and Mail servers:

1) Access the web UI

2) Go to Deployment> System Configuration

3) Click on General link in the upper right

4) Set NTP Server and Mail server to yes; supply information and click Apply changes to run ossim-reconfig, restarting ossim-server, ossim-agent, and our spawned friend openvassd.

Administrative tasks:
To find the mysql root password (ossim_setup.conf stores it in clear text, so keep that file readable only by root):

grep ^pass= /etc/ossim/ossim_setup.conf
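Once you have that password you will want to use it from scripts, and the usual mistake is to pass it as `mysql -p<password>`, where it shows up in `ps` output and shell history. The following is an added example, not code from the original post or from AlienVault: it reads the `pass=` line the grep above matches and hands the value to the mysql client through a mode-600 defaults file. It assumes key=value lines with a single `pass=` entry and takes the file path as an argument so it can be exercised on a constructed sample file; the sample values and the `demo` function are not real OSSIM data.

```shell
#!/bin/sh
# Added example (not from the original post or from AlienVault).
# Read the MySQL root password that ossim_setup.conf stores on a "pass="
# line and give it to the mysql client via a mode-600 [client] defaults
# file, so it never appears on a command line where `ps` or shell history
# would expose it.
# Assumptions: key=value lines, a single "pass=" entry, file path passed in.

# ossim_db_pass FILE -> prints the value of the first "pass=" line
ossim_db_pass() {
    sed -n 's/^pass=//p' "$1" | head -n 1
}

# ossim_mysql_defaults FILE OUT -> writes a [client] section for mysql with
# user root and the password taken from FILE; OUT is created with mode 600.
# Returns 1 (and writes nothing) if FILE has no pass= line.
ossim_mysql_defaults() {
    pass=$(ossim_db_pass "$1")
    if [ -z "$pass" ]; then
        echo "no pass= line found in $1" >&2
        return 1
    fi
    # umask in a subshell so the caller's umask is left untouched;
    # printf %s writes the password literally, whatever characters it holds
    ( umask 077; printf '[client]\nuser=root\npassword=%s\n' "$pass" > "$2" )
    chmod 600 "$2"
}

# demo: run the two functions on a constructed sample config (not a real
# OSSIM file) and print the resulting defaults file. Exits 0 on success.
demo() {
    cfg=$(mktemp) && out=$(mktemp) || return 1
    printf '[database]\nuser=root\npass=sample-password-only\n' > "$cfg"
    ossim_mysql_defaults "$cfg" "$out" || return 1
    cat "$out"
    rm -f "$cfg" "$out"
}

# Real use on the OSSIM box (hypothetical output path):
#   ossim_mysql_defaults /etc/ossim/ossim_setup.conf "$HOME/.my-ossim.cnf"
#   mysql --defaults-extra-file="$HOME/.my-ossim.cnf"
```

`--defaults-extra-file` is read by the stock mysql client, so the password stays in a file only your user can read; delete the defaults file when you are done, or keep it and treat it with the same care as ossim_setup.conf itself.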
