AlienVault: the Future of Security Information Management

Meet AlienVault OSSIM, a complex security system designed to make your life simpler.

Security Information Management (SIM) systems have made many security administrators' lives easier over the years. SIMs organize an enterprise's security environment and provide a common interface to manage that environment. Many SIM products are available today that perform well in this role, but none are as ambitious as AlienVault's Open Source Security Information Management (OSSIM). With OSSIM, AlienVault has harnessed the capabilities of several popular security packages and created an “intelligence” that translates, analyzes and organizes the data in unique and customizable ways that most SIMs cannot. It uses a process called correlation to make threat judgments dynamically and report in real time on the state of risk in your environment. The end result is a design approach that makes risk management an organized and observable process that security administrators and managers alike can appreciate.

In this article, I explain the installation of an all-in-one OSSIM agent/server into a test network, add hosts, deploy a third-party agent, set up a custom security directive and take a quick tour of the built-in incident response system. In addition to the OSSIM server, I have placed a CentOS-based Apache Web server and a Windows XP workstation into the test network to observe OSSIM's interoperation with different systems and other third-party agents.


To keep deployment time to a minimum, I deployed OSSIM on a VMware-based virtual machine (VM). OSSIM is built on Debian, so you can deploy it to any hardware that Debian supports. I used the downloadable installation media from the AlienVault site in .iso form (version 2.1 at the time of this writing) and booted my VM from the media.

On bootup, you will see a rather busy and slightly difficult-to-read install screen (Figure 1). The default option is the text-based install, but by pressing the down arrow, you will see a graphical install option. Select the Text option and press Enter. If you've seen Debian install screens, the OSSIM installer will look very familiar. Set your language preferences and partition your hard drive(s). Configure your settings for Postfix if desired. Finally, set your root password, and enter a static IP address for the server when prompted. The installer will restart the machine to complete the configuration.

Figure 1. A little tough to read, but this is where everything starts.

Open a browser from a machine on the same network and enter the IP address of the OSSIM server in the URL field (Figure 2). Enter “admin” as the user and password to log in to the management site. Change your password under the Configuration→Users section. After logging in, the main dashboard view loads (Figure 3).

Figure 2. Main Login Screen

Figure 3. Main Dashboard

The next step is to add systems for the OSSIM server to monitor. Start by defining your local network and performing a cursory scan. On the Networks tab under Policy, click Insert New Network. Enter your LAN information in the fields provided. If you don't see a sensor listed, insert a new one using the hostname and IP address of your all-in-one OSSIM server. Leave the Nagios check box enabled, but the Nessus box unchecked (Figure 4) to reduce the time needed for the first scan. After the scan completes, several hosts should appear on the Hosts tab of the Policies section. OSSIM installs and auto-configures Nagios and ntop during installation, so you also can see basic network information by visiting the Monitors section of the management page (Figure 5). Once all hosts are found, find the CentOS Web server in the Hosts section under Policies, and modify its priority from 1 to 5 (Figure 6). You will use this later in the article when I discuss correlation.

Figure 4. Setting Up the First Network Scan

Figure 5. Nagios Working under the Hood

Figure 6. Changing the Web Server's Asset Value

You now have an active OSSIM server using passive network monitors like snort, Nagios and ntop to report on your test network's activity. Next, let's add some client-based agents that feed data into the OSSIM server.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

This will accumulate your

Anonymous's picture

This will accumulate your affluence Bell Ross in the best action possible, and will aswell ensure that they angle the analysis of time!Your Bell Ross Watches ability abiding yachtmaster dejected punch 116689 Replica Bell Ross will endure abundant longer, and will be in abundant bigger condition, if you analyze it to your car. You wouldn't let your Replica Bell Ross Watches get damaged and leave it, or leave it afterwards application it regualry and accepting the MOT. 马文鑫测试

Very nice article

trevorbenson's picture

I would love to see more on OSSIM! Here are a few of my ideas (some I have implemented, and some I have been wanting to do, but just didnt have the time to lab it up first):

More in depth on plugins:
-Adding a plugin (like m0n0wall) and enabling the logging for firewall logs.
-Configuring Snort/IDS, and enabling the data to come from a sensor.

Sensor configuration:
-Install OSSIM as a sensor to report up to the existing OSSIM server.
-Any steps required on the server to define or setup sensors.
-Configuring network interfaces on the OSSIM server to monitor local subnets.

-Show how to update the Availability Dashboard to show a network map other then default.
-A brief comparison/explanation of the Global Score and Service Level

-How to you 'resolve' the alarm the intended way? Most documentation and wiki explains alarms, how they can be corelated data, how to search through them, etc., but do not go into the stock 'resolving' of alarms. Deleting them via the ACID style drop down interface seems like the wrong answer to get things to stop showing unresolved, however I know many networks that started using this as a default to resolve the alarms.

Mixing steps together would give most readers the ability to design a fairly complex Security Management infrastructure based around their unique network topology, as well as provide the little nuances that tend to escape the howto pages.

Trevor Benson

Images on this page

Anonymous's picture

Hi we can't see images on this article. Trying from different machines, OS/s (XP and Win7) IE 7 and 8.
Thank you.