Part 2.b: Adding assets to OSSIM

Define networks through the Web UI:

It’s important to compile the list of assets to secure. This allows correlation of events across many data sources.

AlienVault has a video about this step. The wiki contains information that I will summarize.

1) Access the web UI and enter the information requested.

2) Go to Assets > Assets > Networks tab.

3) Select and delete Networks you don’t want. Click New to create a new Network by providing the information as follows:

Name: [alias name of network]
CIDRs: [the network subnet in CIDR notation]
External Asset: No
Asset value: [Consider this as a categorization of the sensitivity of the network (risk value).  I will leave at 2.]
Sensors: [leave as associated with this one]
Scan options: [monitor availability with Nagios]
Threshold C: Compromise threshold level
Threshold A: Attack threshold level

Define network groups through the web UI:

Why? Network Groups are used to: create policy exceptions, run vulnerability scanning, or create reports. It may make sense for you to create a network group per-site, but per-role (access) might make just as much sense.

AlienVault has a video about this step (starting at 3:30). The wiki contains information that I will summarize.

1) Access the web UI.

2) Go to Assets > Assets > Network groups tab.

3) Click New and enter the following:

Name: [Name of group]
Select networks: [Tunnel down until you see the Network object(s) you just created, click on the Network object(s).]
Networks of this group: [Lists the networks you've just selected]

4) Click Update.

Manually trigger an inventory/asset discovery:

AlienVault has a video about this step (starting at 5:08). The wiki contains outdated information.

1) Access the web UI.

2) Go to Assets > Assets Discovery.

3) Under Target selection, select the Network Group you’ve just created.

4) Select the Local scan radio button, or select the specific sensor you wish to use.

5) Select the Scan type and timing template. Ping or Normal scan type with Normal timing is probably acceptable, but read the tables and warnings below for details.

Scan types (‡ see the notes on -A and -n below each table):

Scan type: Ping
nmap command line ‡: /usr/bin/nmap -sP -oX - [timing template] [-A] [-n] [CIDR of target] --no-stylesheet
Description: Outputs the scan in XML to stdout, excluding the XSL stylesheet. -sP is legacy and should be changed to -sn. When using -sn the following are sent: ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request. ARP is used if the target is a host on the local network. No ports are scanned.

Scan type: Normal
nmap command line ‡: /usr/bin/nmap -oX - [timing template] [-A] [-n] -sS [CIDR of target] --no-stylesheet
Description: Outputs the scan in XML to stdout, excluding the XSL stylesheet. TCP SYN scan ("half-open" scan). Scans the 1000 most common ports from /usr/share/nmap/nmap-services.

Scan type: Fast
nmap command line ‡: /usr/bin/nmap -oX - [timing template] [-A] [-n] -sS -F [CIDR of target] --no-stylesheet
Description: Outputs the scan in XML to stdout, excluding the XSL stylesheet. TCP SYN scan ("half-open" scan). Scans only the 100 most common ports from /usr/share/nmap/nmap-services.

Scan type: Full
nmap command line ‡: /usr/bin/nmap -oX - [timing template] -sS -p1-65535 [CIDR of target] --no-stylesheet
Description: Outputs the scan in XML to stdout, excluding the XSL stylesheet. TCP SYN scan ("half-open" scan). Scans all 65535 TCP ports.

Scan type: Custom
nmap command line ‡: /usr/bin/nmap -oX - [timing template] [-A] [-n] -sS -p [ports selected] [CIDR of target] --no-stylesheet
Description: Outputs the scan in XML to stdout, excluding the XSL stylesheet. TCP SYN scan ("half-open" scan). Scans only the given ports.


‡ -A is only used when "Autodetect services and Operating System" is checked. It enables OS detection, version detection, script scanning and traceroute (the same as using -O -sV -sC and --traceroute; see below).
‡ -n is only used when "Enable reverse DNS Resolution" is checked.

These options should be reviewed further in the nmap man page.

Note when using "Autodetect services and Operating Systems":
Usage of `-sC` can be noisy. Run `nmap --script-help default` to see how many deep scanning scripts are used when you use -A (which implies -sC).

Timing templates (quoted descriptions are from the nmap documentation):

Timing template: Paranoid
nmap argument: -T0
Description: "for IDS evasion."

Timing template: Sneaky
nmap argument: -T1
Description: "for IDS evasion."

Timing template: Polite
nmap argument: -T2
Description: "slows down the scan to use less bandwidth and target machine resources."

Timing template: Normal
nmap argument: -T3
Description: Default speed.

Timing template: Aggressive
nmap argument: -T4
Description: "making the assumption that you are on a reasonably fast and reliable network." Good for LAN.

Timing template: Insane
nmap argument: -T5
Description: "assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed." Good for LAN, but less accurate for detection scripts.

For more info, review the files:

  • /usr/share/ossim/scripts/vulnmeter/remote_nmap.php
  • /usr/share/ossim/include/classes/Scan.inc
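The two tables above are easier to check against a real scan if you can build the exact command line OSSIM will spawn and then read the XML it gets back. The block below is an added example written for this post, not OSSIM's own code from remote_nmap.php or Scan.inc: it assembles the argv for a given scan type and timing template (with the page's recommended -sn in place of the legacy -sP) and parses a constructed sample of nmap's -oX output into the host/port list that the Insert review screen would show.

```python
# Added example, not OSSIM's own code (that lives in remote_nmap.php / Scan.inc):
# build the nmap argv Assets Discovery spawns, then parse -oX output into an inventory.
import xml.etree.ElementTree as ET

SCAN_TYPES = {  # flags per the scan-type table above; -sP replaced by -sn for Ping
    "ping": ["-sn"], "normal": ["-sS"], "fast": ["-sS", "-F"],
    "full": ["-sS", "-p1-65535"]}
TIMING = {"paranoid": "-T0", "sneaky": "-T1", "polite": "-T2",
          "normal": "-T3", "aggressive": "-T4", "insane": "-T5"}

def build_nmap_command(cidr, scan_type="ping", timing="normal",
                       autodetect=False, n_flag=False, ports=None):
    """Return the argv list for one scan. 'custom' needs an explicit port spec."""
    if scan_type == "custom":
        if not ports:
            raise ValueError("custom scan requires a port list")
        flags = ["-sS", "-p", ports]
    else:
        flags = list(SCAN_TYPES[scan_type])
    argv = ["/usr/bin/nmap", "-oX", "-", TIMING[timing]]
    if scan_type != "full":    # the Full row carries neither [-A] nor [-n]
        if autodetect:         # "Autodetect services and Operating System" box
            argv.append("-A")
        if n_flag:             # the page ties this to the reverse-DNS box;
            argv.append("-n")  # -n itself tells nmap never to resolve names
    return argv + flags + [cidr, "--no-stylesheet"]

def parse_nmap_xml(xml_text):
    """Map each host reported 'up' to its PTR name and sorted open TCP ports."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if host.find("status").get("state") != "up" or addr is None:
            continue
        name = host.find("hostnames/hostname")
        open_tcp = sorted(int(p.get("portid")) for p in host.iter("port")
                          if p.get("protocol") == "tcp"
                          and p.find("state").get("state") == "open")
        inventory[addr.get("addr")] = {
            "hostname": name.get("name") if name is not None else None,
            "open_tcp": open_tcp}
    return inventory

# Constructed sample of nmap -oX output (not a real scan): one host up, one down.
SAMPLE_XML = """<nmaprun><host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="filtered"/></port></ports></host>
<host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host></nmaprun>"""
```

Running `build_nmap_command("10.0.0.0/24", "fast", "aggressive", autodetect=True)` gives the Fast row's command line with -T4 and -A filled in; the down host in the sample is dropped, as it would be from the Insert list.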

6) Click Start Scan to spawn nmap.

7) Once the scan finishes and the discovered assets are listed, review the assets. You can choose whether to insert each asset into your DB by checking the Insert column. Once you've finished reviewing the results, click Update Database Values.

8) The following screen will create a Host Group for you from the scan results. The Instant Scan screen is a final prompt to supply information about the scan results you've just reviewed before they are inserted into the database. Fill out the info as above and click Save. (Why are these not automatically populated?) Click Yes to overwrite the entries.

Modify hosts:

1) Access the web UI.

2) Go to Assets > Assets > Hosts tab.

3) Spend some time filling out detailed information about your hosts. The more information you put into the system, the better its correlation and reporting will be.

4) Optionally, click Import from SIEM to create Hosts from data that already exists in the SIEM. There should be none of that yet, but note it for later!
