Open Source Security Information and Event Management system
Security Management
OSSIM
Like any thriving open source ecosystem, OSSIM is propped up by commercial entities that support and develop it alongside the community. Both elements help support its growth and prosperity. As always, open source and capitalism have a relationship that allows for the growth of a project and its underlying technology while still respecting the freedom and community aspect of FOSS. Technologists and industry both get what they want.
OSSIM remains the technology underpinning the collaborative efforts of the community and AlienVault – just like Fedora/Red Hat or WordPress/Automattic. These symbiotic relationships make for successful projects.
OSSIM Architecture Core Components
OSSIM has four main components: sensor, database, framework, and server. These are vital to understand in architecting your OSSIM installation.
- Sensor – The sensor connects your security devices and your management server(s). Sensors use plugins to parse data from your security devices and forward it to your management servers.
- Management server – This includes the OSSIM server itself and Framework daemon that controls its components. Simple deployments (e.g., an all-in-one install) have a single server, but in more complex environments, where high availability is required, there can be many servers with different roles in strategic locations.
- Front end – The framework provides the user interface to manage OSSIM, either in the form of the slick and easy-to-use web management interface or through the good old console.
- Database – A MySQL database is used to store configuration and events. As noted before, OSSIM provides real-time event correlation and forensic analysis but lacks the more advanced long-term storage features of AlienVault USM.
OSSIM Install and Setup
Setting up OSSIM was once quite a bit more complex than it is today. It involved downloading a long list of dependencies, difficult configurations, and compiling – just to get OSSIM up and running. Today's OSSIM takes a simpler approach, with a VM that you can download and run in your favorite virtualization technology, such as VMware, KVM, or VirtualBox, among others. For those with a presence in Amazon AWS, an easy-to-deploy Amazon AMI is available to deliver the benefits of OSSIM for your Amazon Cloud Environment.
In the test setup, I will use the ready-to-go ISO image [4] to get OSSIM up and running. This virtual machine, based on Debian Linux, has all the dependencies and requirements ready to go. This approach dramatically reduces the setup time of your SIEM, so you can get right to defending and managing your network without the technical setup headaches.
The AlienVault website lists the following bare minimum system requirements:
- 2GB of RAM
- 25GB hard drive
- 32- or 64-bit processor
- Two NICs that support the e1000 driver on Debian Linux
OSSIM is designed to be installed in a virtual environment, so you should consider a few more detailed specifications for right sizing [5] the configuration of your virtual machines. As a more general rule, your hardware specifications should scale to your environment; that is, the machine should be capable of handling the number of events per second and the general throughput of your network.
As noted in the system requirements, two NICs are needed: one for the administrative interface and one for the packet capture features needed for intrusion detection and passive asset detection. First, add the interface to your virtual machine; be careful to select promiscuous mode so the virtual NIC can, in fact, see the traffic you seek to view. Then, add it to OSSIM in the web interface under Configuration | Deployment and click on the OSSIM server itself. Remember, setting the NIC to promiscuous mode is only half the battle: in order to capture traffic, you also need to set up a SPAN port or network tap that mirrors traffic to that interface.
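A common reason an OSSIM sensor sees no traffic is that the capture NIC is up but not actually in promiscuous mode, or the wrong NIC was attached. The following check, added here as an example and not part of the article or the OSSIM project, parses `ip -o link show` output and reports whether a given interface is both UP and PROMISC; the interface names (eth0 as management, eth1 as capture) and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify that the OSSIM capture NIC is UP and in promiscuous
# mode before attaching it as a sensor interface. Interface names are assumed.

# Constructed sample of `ip -o link show` output so this runs offline.
# On a real host replace it with:  LINK_OUTPUT=$(ip -o link show)
LINK_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000'

# iface_flags IFACE LINK_OUTPUT -> prints the <...> flag list for IFACE, or nothing
iface_flags() {
    printf '%s\n' "$2" | awk -v ifc="$1:" '$2 == ifc { print $3 }'
}

# has_flag FLAGS NAME -> succeeds if NAME is one of the comma-separated flags.
# The surrounding commas keep LOWER_UP from matching a search for UP.
has_flag() {
    case ",$(printf '%s' "$1" | tr -d '<>')," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# capture_ready IFACE LINK_OUTPUT -> prints "ok" when IFACE is UP and PROMISC,
# otherwise a short reason the sensor would not see mirrored traffic
capture_ready() {
    flags=$(iface_flags "$1" "$2")
    [ -n "$flags" ] || { echo "missing"; return 1; }
    has_flag "$flags" UP || { echo "down"; return 1; }
    has_flag "$flags" PROMISC || { echo "not-promisc"; return 1; }
    echo "ok"
}

# Report both NICs: only the capture NIC should come back "ok".
for nic in eth0 eth1; do
    printf '%s: %s\n' "$nic" "$(capture_ready "$nic" "$LINK_OUTPUT")"
done
```

Even with "ok" reported, the sensor only sees mirrored traffic once the SPAN port or tap feeding that NIC is in place.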
Fire up your virtual environment and install OSSIM. The setup is standard fare for those with systems experience, so I will only detail the highlights. Once you start up the VM, you want to choose the all-in-one profile (Figure 1), which includes all necessary components, such as sensor, server, framework, and database.
The default install makes the assumption that you will install all components on the same server. In a more complex setup, these may be split up for architectural, scalability, and infrastructure reasons. Once completed, you will see the console login screen (Figure 2).
Now you can log in via the web interface by going to the static IP address you set during the install (Figure 3) and using the default user/password (admin/admin). Of course, you will be required to change your sign-in credentials once you log in. To update your OSSIM install, enter alienvault-update.