AlienVault: the Future of Security Information Management
Security Information Management (SIM) systems have made many security administrators' lives easier over the years. SIMs organize an enterprise's security environment and provide a common interface to manage that environment. Many SIM products are available today that perform well in this role, but none are as ambitious as AlienVault's Open Source Security Information Management (OSSIM). With OSSIM, AlienVault has harnessed the capabilities of several popular security packages and created an “intelligence” that translates, analyzes and organizes the data in unique and customizable ways that most SIMs cannot. It uses a process called correlation to make threat judgments dynamically and report in real time on the state of risk in your environment. The end result is a design approach that makes risk management an organized and observable process that security administrators and managers alike can appreciate.
In this article, I explain the installation of an all-in-one OSSIM agent/server into a test network, add hosts, deploy a third-party agent, set up a custom security directive and take a quick tour of the built-in incident response system. In addition to the OSSIM server, I have placed a CentOS-based Apache Web server and a Windows XP workstation into the test network to observe OSSIM's interoperation with different systems and other third-party agents.
To keep deployment time to a minimum, I deployed OSSIM on a VMware-based virtual machine (VM). OSSIM is built on Debian, so you can deploy it to any hardware that Debian supports. I used the downloadable installation media from the AlienVault site in .iso form (version 2.1 at the time of this writing) and booted my VM from the media.
On bootup, you will see a rather busy and slightly difficult-to-read install screen (Figure 1). The default option is the text-based install, but by pressing the down arrow, you will see a graphical install option. Select the Text option and press Enter. If you've seen Debian install screens, the OSSIM installer will look very familiar. Set your language preferences and partition your hard drive(s). Configure your settings for Postfix if desired. Finally, set your root password, and enter a static IP address for the server when prompted. The installer will restart the machine to complete the configuration.
Open a browser from a machine on the same network and enter the IP address of the OSSIM server in the URL field (Figure 2). Enter “admin” as the user and password to log in to the management site. Change your password under the Configuration→Users section. After logging in, the main dashboard view loads (Figure 3).
The next step is to add systems for the OSSIM server to monitor. Start by defining your local network and performing a cursory scan. On the Networks tab under Policy, click Insert New Network. Enter your LAN information in the fields provided. If you don't see a sensor listed, insert a new one using the hostname and IP address of your all-in-one OSSIM server. Leave the Nagios check box enabled, but the Nessus box unchecked (Figure 4) to reduce the time needed for the first scan. After the scan completes, several hosts should appear on the Hosts tab of the Policies section. OSSIM installs and auto-configures Nagios and ntop during installation, so you also can see basic network information by visiting the Monitors section of the management page (Figure 5). Once all hosts are found, find the CentOS Web server in the Hosts section under Policies, and modify its priority from 1 to 5 (Figure 6). You will use this later in the article when I discuss correlation.
You now have an active OSSIM server using passive network monitors like snort, Nagios and ntop to report on your test network's activity. Next, let's add some client-based agents that feed data into the OSSIM server.
|September 2015 Issue of Linux Journal: HOW-TOs||Sep 01, 2015|
|September 2015 Video Preview||Sep 01, 2015|
|Using tshark to Watch and Inspect Network Traffic||Aug 31, 2015|
|Where's That Pesky Hidden Word?||Aug 28, 2015|
|A Project to Guarantee Better Security for Open-Source Projects||Aug 27, 2015|
|Concerning Containers' Connections: on Docker Networking||Aug 26, 2015|
- Optimization in GCC
- Using tshark to Watch and Inspect Network Traffic
- September 2015 Issue of Linux Journal: HOW-TOs
- Problems with Ubuntu's Software Center and How Canonical Plans to Fix Them
- Concerning Containers' Connections: on Docker Networking
- A Project to Guarantee Better Security for Open-Source Projects
- Where's That Pesky Hidden Word?
- Firefox Security Exploit Targets Linux Users and Web Developers
- My Network Go-Bag
- Doing Astronomy with Python