Home

AlienVault: the Future of Security Information Management

Issue 191

From Issue #191
March 2010

May 01, 2010  By Jeramiah Bowling
 in
Meet AlienVault OSSIM, a complex security system designed to make your life simpler.

Listing 1. Directive in .xml Format


<directive id="101"
           name="Unauthorized Access to Web Server"
           priority="5">
   <rule type="detector"
         name="NMAP Scan from Foreign host"
         from="ANY"
         to="web.server.ip.address"
         port_from="ANY"
         port_to="22"
         reliability="1"
         occurrence="1"
         plugin_id="1001"
         plugin_sid="2000537,2000545"
         sticky="true"
         sticky_different="SRC_IP">
      <rules>
         <rule type="detector"
               name="Too Many Logins"
               from="web.server.ip.address"
               to="ANY"
               port_from="ANY"
               port_to="ANY"
               reliability="+2"
               occurrence="2"
               time_out="86400"
               plugin_id="7010"
               plugin_sid="5716"/>
      </rules>
   </rule>
</directive>

To generate an alarm, log on to the XP client and download Nmap. Run four scans against the CentOS server using the zenmap GUI and the quick scan option. Then, ssh to the same server and attempt to log in as root, but enter an incorrect password five times. You should see a new alarm in the Unresolved Alarms link at the top of the page. Access this link and find the alarm triggered by your test directive (Figure 10). Identify the row with your test alarm and click on the icon resembling a sheet of paper in the Action column to open a new Alarm Incident (Figure 11). A new window will pop up and display basic information about the incident that will be used to create a ticket. Click OK to confirm the information, and the full ticket editor will load. Add a description and any other pertinent information to this page, and click on the Add ticket button. You should see a new Unresolved Ticket on the indicator at the top of the page. To edit a ticket, navigate to the Tickets link in the Incidents section of the navigation pane. From here you can add notes, attach files and change the status of your tickets. A ticket will no longer show in the list once its status is set to Closed. Although quite simple, this built-in ticketing system contains the necessary functionality to satisfy most enterprises' incident-response needs. OSSIM also contains a knowledge base that you can use to link tickets and external documents that adds another layer of depth to its incident response system.

Figure 10. Test Directive Generating an Alarm

Figure 11. A New Ticket Generated by the Alarm

The Sky's the Limit

This brief walk-through barely touches on the power of OSSIM. Its correlation abilities and its multitude of plugins make it an intriguing alternative to the traditional SIM. If you factor in the ability to write your own plugins, you have a tool that is fully customizable for any environment and whose value is limited only by your creativity. The makers of OSSIM have given SIMs a new intelligence that hopefully will drive innovation in the field and take security management to the next level.

Resources

OSSIM Installer Download: www.alienvault.com/opensourcesim.php?section=Downloads

OSSIM Wiki: www.ossim.net/wiki/doku.php

OSSEC: www.ossec.net

Jeramiah Bowling has been a system administrator and network engineer for more than ten years. He works for a regional accounting and auditing firm in Hunt Valley, Maryland, and holds numerous industry certifications, including the CISSP. Your comments are welcome at jb50c@yahoo.com.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

This will accumulate your

Anonymous's picture
Submitted by Anonymous (not verified) on Mon, 09/20/2010 - 04:25.

This will accumulate your affluence Bell Ross in the best action possible, and will aswell ensure that they angle the analysis of time!Your Bell Ross Watches ability abiding yachtmaster dejected punch 116689 Replica Bell Ross will endure abundant longer, and will be in abundant bigger condition, if you analyze it to your car. You wouldn't let your Replica Bell Ross Watches get damaged and leave it, or leave it afterwards application it regualry and accepting the MOT. 马文鑫测试

Very nice article

trevorbenson's picture
Submitted by trevorbenson on Wed, 03/17/2010 - 11:32.

I would love to see more on OSSIM! Here are a few of my ideas (some I have implemented, and some I have been wanting to do, but just didnt have the time to lab it up first):

More in depth on plugins:
-Adding a plugin (like m0n0wall) and enabling the logging for firewall logs.
-Configuring Snort/IDS, and enabling the data to come from a sensor.

Sensor configuration:
-Install OSSIM as a sensor to report up to the existing OSSIM server.
-Any steps required on the server to define or setup sensors.
-Configuring network interfaces on the OSSIM server to monitor local subnets.

Dashboard::
-Show how to update the Availability Dashboard to show a network map other then default.
-A brief comparison/explanation of the Global Score and Service Level

General:
-How to you 'resolve' the alarm the intended way? Most documentation and wiki explains alarms, how they can be corelated data, how to search through them, etc., but do not go into the stock 'resolving' of alarms. Deleting them via the ACID style drop down interface seems like the wrong answer to get things to stop showing unresolved, however I know many networks that started using this as a default to resolve the alarms.

Mixing steps together would give most readers the ability to design a fairly complex Security Management infrastructure based around their unique network topology, as well as provide the little nuances that tend to escape the howto pages.

Thanks!
Trevor Benson

Images on this page

Anonymous's picture
Submitted by Anonymous on Mon, 03/08/2010 - 17:31.

Hi we can't see images on this article. Trying from different machines, OS/s (XP and Win7) IE 7 and 8.
Thank you.

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions