AlienVault: the Future of Security Information Management

Meet AlienVault OSSIM, a complex security system designed to make your life simpler.

To generate an alarm, log on to the XP client and download Nmap. Run four scans against the CentOS server using the zenmap GUI and the quick scan option. Then, ssh to the same server and attempt to log in as root, but enter an incorrect password five times. You should see a new alarm in the Unresolved Alarms link at the top of the page. Access this link and find the alarm triggered by your test directive (Figure 10). Identify the row with your test alarm and click on the icon resembling a sheet of paper in the Action column to open a new Alarm Incident (Figure 11). A new window will pop up and display basic information about the incident that will be used to create a ticket. Click OK to confirm the information, and the full ticket editor will load. Add a description and any other pertinent information to this page, and click on the Add ticket button. You should see a new Unresolved Ticket on the indicator at the top of the page. To edit a ticket, navigate to the Tickets link in the Incidents section of the navigation pane. From here you can add notes, attach files and change the status of your tickets. A ticket will no longer show in the list once its status is set to Closed. Although quite simple, this built-in ticketing system contains the necessary functionality to satisfy most enterprises' incident-response needs. OSSIM also contains a knowledge base that you can use to link tickets and external documents that adds another layer of depth to its incident response system.

Figure 10. Test Directive Generating an Alarm

Figure 11. A New Ticket Generated by the Alarm

The Sky's the Limit

This brief walk-through barely touches on the power of OSSIM. Its correlation abilities and its multitude of plugins make it an intriguing alternative to the traditional SIM. If you factor in the ability to write your own plugins, you have a tool that is fully customizable for any environment and whose value is limited only by your creativity. The makers of OSSIM have given SIMs a new intelligence that hopefully will drive innovation in the field and take security management to the next level.

Jeramiah Bowling has been a system administrator and network engineer for more than ten years. He works for a regional accounting and auditing firm in Hunt Valley, Maryland, and holds numerous industry certifications, including the CISSP. Your comments are welcome at jb50c@yahoo.com.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

This will accumulate your

Anonymous's picture

This will accumulate your affluence Bell Ross in the best action possible, and will aswell ensure that they angle the analysis of time!Your Bell Ross Watches ability abiding yachtmaster dejected punch 116689 Replica Bell Ross will endure abundant longer, and will be in abundant bigger condition, if you analyze it to your car. You wouldn't let your Replica Bell Ross Watches get damaged and leave it, or leave it afterwards application it regualry and accepting the MOT. 马文鑫测试

Very nice article

trevorbenson's picture

I would love to see more on OSSIM! Here are a few of my ideas (some I have implemented, and some I have been wanting to do, but just didnt have the time to lab it up first):

More in depth on plugins:
-Adding a plugin (like m0n0wall) and enabling the logging for firewall logs.
-Configuring Snort/IDS, and enabling the data to come from a sensor.

Sensor configuration:
-Install OSSIM as a sensor to report up to the existing OSSIM server.
-Any steps required on the server to define or setup sensors.
-Configuring network interfaces on the OSSIM server to monitor local subnets.

Dashboard::
-Show how to update the Availability Dashboard to show a network map other then default.
-A brief comparison/explanation of the Global Score and Service Level

General:
-How to you 'resolve' the alarm the intended way? Most documentation and wiki explains alarms, how they can be corelated data, how to search through them, etc., but do not go into the stock 'resolving' of alarms. Deleting them via the ACID style drop down interface seems like the wrong answer to get things to stop showing unresolved, however I know many networks that started using this as a default to resolve the alarms.

Mixing steps together would give most readers the ability to design a fairly complex Security Management infrastructure based around their unique network topology, as well as provide the little nuances that tend to escape the howto pages.

Thanks!
Trevor Benson

Images on this page

Anonymous's picture

Hi we can't see images on this article. Trying from different machines, OS/s (XP and Win7) IE 7 and 8.
Thank you.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix