AlienVault: the Future of Security Information Management

Meet AlienVault OSSIM, a complex security system designed to make your life simpler.

To generate an alarm, log on to the XP client and download Nmap. Run four scans against the CentOS server using the zenmap GUI and the quick scan option. Then, ssh to the same server and attempt to log in as root, but enter an incorrect password five times. You should see a new alarm in the Unresolved Alarms link at the top of the page. Access this link and find the alarm triggered by your test directive (Figure 10). Identify the row with your test alarm and click on the icon resembling a sheet of paper in the Action column to open a new Alarm Incident (Figure 11). A new window will pop up and display basic information about the incident that will be used to create a ticket. Click OK to confirm the information, and the full ticket editor will load. Add a description and any other pertinent information to this page, and click on the Add ticket button. You should see a new Unresolved Ticket on the indicator at the top of the page. To edit a ticket, navigate to the Tickets link in the Incidents section of the navigation pane. From here you can add notes, attach files and change the status of your tickets. A ticket will no longer show in the list once its status is set to Closed. Although quite simple, this built-in ticketing system contains the necessary functionality to satisfy most enterprises' incident-response needs. OSSIM also contains a knowledge base that you can use to link tickets and external documents that adds another layer of depth to its incident response system.

Figure 10. Test Directive Generating an Alarm

Figure 11. A New Ticket Generated by the Alarm

The Sky's the Limit

This brief walk-through barely touches on the power of OSSIM. Its correlation abilities and its multitude of plugins make it an intriguing alternative to the traditional SIM. If you factor in the ability to write your own plugins, you have a tool that is fully customizable for any environment and whose value is limited only by your creativity. The makers of OSSIM have given SIMs a new intelligence that hopefully will drive innovation in the field and take security management to the next level.

Jeramiah Bowling has been a system administrator and network engineer for more than ten years. He works for a regional accounting and auditing firm in Hunt Valley, Maryland, and holds numerous industry certifications, including the CISSP. Your comments are welcome at



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

This will accumulate your

Anonymous's picture

This will accumulate your affluence Bell Ross in the best action possible, and will aswell ensure that they angle the analysis of time!Your Bell Ross Watches ability abiding yachtmaster dejected punch 116689 Replica Bell Ross will endure abundant longer, and will be in abundant bigger condition, if you analyze it to your car. You wouldn't let your Replica Bell Ross Watches get damaged and leave it, or leave it afterwards application it regualry and accepting the MOT. 马文鑫测试

Very nice article

trevorbenson's picture

I would love to see more on OSSIM! Here are a few of my ideas (some I have implemented, and some I have been wanting to do, but just didnt have the time to lab it up first):

More in depth on plugins:
-Adding a plugin (like m0n0wall) and enabling the logging for firewall logs.
-Configuring Snort/IDS, and enabling the data to come from a sensor.

Sensor configuration:
-Install OSSIM as a sensor to report up to the existing OSSIM server.
-Any steps required on the server to define or setup sensors.
-Configuring network interfaces on the OSSIM server to monitor local subnets.

-Show how to update the Availability Dashboard to show a network map other then default.
-A brief comparison/explanation of the Global Score and Service Level

-How to you 'resolve' the alarm the intended way? Most documentation and wiki explains alarms, how they can be corelated data, how to search through them, etc., but do not go into the stock 'resolving' of alarms. Deleting them via the ACID style drop down interface seems like the wrong answer to get things to stop showing unresolved, however I know many networks that started using this as a default to resolve the alarms.

Mixing steps together would give most readers the ability to design a fairly complex Security Management infrastructure based around their unique network topology, as well as provide the little nuances that tend to escape the howto pages.

Trevor Benson

Images on this page

Anonymous's picture

Hi we can't see images on this article. Trying from different machines, OS/s (XP and Win7) IE 7 and 8.
Thank you.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState