Open Source Security Information and Event Management system
Security Management
Configuration from the Console
Accessing OSSIM from the console is easy by logging in with the root login and password you specified during the install. If you prefer, you can use the ncurses interface; but, in this example, I will exit. I favor this approach for updates because it brings me back to the comfy familiarity of Debian. Figure 4 shows a number of operations you can perform directly from the console by entering:
alienvault-setup
When you are done, simply issue
alienvault-reconfig
Figure 4: AlienVault setup.
to write your changes to memory. As always, you can issue the help command to get an idea of what is available. When you are done, simply type exit. Note that this article is based on the newest version of OSSIM 4.4.1. If you are using a previous version, the interface may be a bit different. (Oh, and BTW – upgrade!)
Post-Install Setup
In a real-world install, you would have most of your work ahead of you, after having installed and configured the base all-in-one OSSIM virtual machine.
From there, you would want to make decisions on your architecture using the many capabilities this powerful open source SIEM provides. I will look at only a subset of the many operations you might deploy for a full-blown installation. To begin, I will set up asset discovery and configuration.
Asset Discovery and Configuration
In this step, I populate my networks and associated assets in OSSIM. To begin, I log in to the web interface and go to Environments | Groups & Networks | Networks | Add Network (Figure 5). Simply name your network and add the IP space with CIDR notation. Also select under the Scan options Availability Monitoring , which adds these machines to Nagios for monitoring, then click Save to exit.
Figure 5: Adding a network.
The next step is asset discovery via Environment | Assets | Asset Discovery (Figure 6). This screen has several options to configure asset scanning. In my case, I expand Networks on the right, add in my previously added subnet, and select a Full Scan scan type from the drop-down under Advanced Options. From here, Nmap does its magic and finds all hosts, related services, and OS details. Once completed, you will see output similar to Figure 7.
Figure 6: Setting up asset discovery.
Figure 7: Asset scan output.
Simply click Update database values at the bottom to continue. From here, you can add any additional details to any of the assets discovered in this step. If you explore a bit, you will see that OSSIM has now added in the networks and assets. If you poke around the Environment pull-down, you see that the machines are now being monitored and you have insight into those nodes. For example, take a peek at Environment | Availability .
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
- AlienVault Virtual Appliance
-
New Products
-
Managing Port Scan Results with Dr. Portscan
Regularly scanning the ports on your own network prevents intruders from sneaking in, but if you have dozens or hundreds of servers, you’ll need professional help: Dr. Portscan to the rescue.
-
Implementing custom security frameworks with Bro
The Bro security framework takes a new approach to security monitoring, with the emphasis on trends and long-term analysis. -
Intrusion Detection with OSSEC
The OSSEC free intrusion detection and host-based intrusion prevention system detects and fixes security problems in real time at the operating system level with functions such as log analysis, file integrity checks, Windows registry monitoring, and rootkit detection. It can be deployed virtually anywhere and supports the Linux, Windows, and macOS platforms.