To read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com.

AlienVault: the Future of Security Information Management

Meet AlienVault OSSIM, a complex security system designed to make your life simpler.

JERAMIAH BOWLING

Security Information Management (SIM) systems have made many security administrators’ lives easier over the years. SIMs organize an enterprise’s security environment and provide a common interface to manage that environment. Many SIM products are available today that perform well in this role, but none are as ambitious as AlienVault’s Open Source Security Information Management (OSSIM). With OSSIM, AlienVault has harnessed the capabilities of several popular security packages and created an “intelligence” that translates, analyzes and organizes the data in unique and customizable ways that most SIMs cannot. It uses a process called correlation to make threat judgments dynamically and report in real time on the state of risk in your environment. The end result is a design approach that makes risk management an organized and observable process that security administrators and managers alike can appreciate. In this article, I explain the installation of an all-in-one OSSIM agent/server into a test network, add hosts, deploy a third-party agent, set up a custom security directive and take a quick tour of the built-in incident response system.

Figure 1. A little tough to read, but this is where everything starts.

In addition to the OSSIM server, I have placed a CentOS-based Apache Web server and a Windows XP workstation into the test network to observe OSSIM’s interoperation with different systems and other third-party agents.

Installation

To keep deployment time to a minimum, I deployed OSSIM on a VMware-based virtual machine (VM). OSSIM is built on Debian, so you can deploy it to any hardware that Debian supports. I used the downloadable installation media from the AlienVault site in .iso form (version 2.1 at the time of this writing) and booted my VM from the media.

On bootup, you will see a rather busy and slightly difficult-to-read install screen (Figure 1). The default option is the text-based install, but by pressing the down arrow, you will see a graphical install option. Select the Text option and press Enter. If you’ve seen install screens, the OSSIM installer will look very familiar. Set your language preferences and partition your hard drive(s). Configure your settings for Postfix if desired. Finally, set your root password, and enter a static IP address for the server when prompted. The installer will restart the machine to complete the configuration.

2 | march 2010 www.linuxjournal.com

Open a browser from a machine on the same network and enter the IP address of the OSSIM server in the URL field (Figure 2). Enter “admin” as the user and password to log in to the management site. Change your password under the Configuration→Users section. After logging in, the main dashboard view loads (Figure 3).

Figure 2. Main Login Screen

Figure 3. Main Dashboard

The next step is to add systems for the OSSIM server to monitor. Start by defining your local network and performing a cursory scan. On the Networks tab under Policy, click Insert New Network. Enter your LAN information in the fields provided. If you don’t see a sensor listed, insert a new one using the hostname and IP address of your all-in-one OSSIM server. Leave the Nagios check box enabled, but the Nessus box unchecked (Figure 4) to reduce the time needed for the first scan. After the scan completes, several hosts should appear on the Hosts tab of the Policies section. OSSIM installs and auto-configures Nagios and ntop during installation, so you also can see basic network information by visiting the Monitors section of the management page (Figure 5). Once all hosts are found, find the CentOS Web server in the Hosts section under Policies, and modify its priority from 1 to 5 (Figure 6). You will use this later in the article when I discuss correlation.

Figure 4. Setting Up the First Network Scan

Figure 5. Nagios Working under the Hood

Figure 6. Changing the Web Server’s Asset Value

You now have an active OSSIM server using passive network monitors to report on your test network’s activity. Next, let’s add some client-based agents that feed data into the OSSIM server.

Installing the OSSEC Agent

Many client agents can communicate with OSSIM, but because of space limitations, I am covering the one I believe is the most valuable to security administrators: OSSEC. OSSEC is a freely available host intrusion detection system (HIDS) maintained by Trend Micro that performs a multitude of client security tasks, such as logging, alerting, integrity checking and rootkit detection. Additionally, a large number of OSSIM plugins for OSSEC already are installed with your server that can monitor virtually any part of a UNIX/Linux/Windows system.

First, let’s install OSSEC on the CentOS Web server. Download and extract the client tar from the OSSEC Web site. If you have difficulty finding the OSSEC agent, or any other agent, links to OSSIM’s supported third-party agents are available in the Tools/Downloads section of the management page. Next, run the install.sh script from the unpacked tar folder. Verify your machine information and select the agent install option. Accept the default install directory. Enter the IP address of the server (the OSSIM server). Run the integrity-check dæmon and enable the rootkit-detect engine. When asked to enable active response, answer “no”. To start the agent, run:

    /var/ossec/bin/ossec-control start

Now, from the CentOS Web server, ssh to the OSSIM server, and run the following command to add your client agent to the OSSEC server:

    /var/ossec/bin/manage_agents

Select A to add an agent, and enter a unique name for it. Add the IP address of your CentOS Web server and give the agent a unique ID. The default ID usually is fine, unless you plan on implementing a naming convention for your OSSEC clients.


Enter Y to confirm adding the agent. This returns you to the main OSSIM menu. Select E to extract. Input the client ID you want to extract (the ID you assigned to the CentOS server). From another terminal window on the CentOS Web server, run the local manage_agents command. Select I to import the unique key. Copy and paste the unique key from the SSH window to the Web server’s local prompt. Enter Y to confirm the key, and select Q to quit. Close the SSH connection, and from the local prompt, restart the agent by running the command:

    /var/ossec/bin/ossec-control restart

On your XP client, download and install the OSSEC agent as well as the Putty SSH client. When finished, run the Putty client to SSH to the OSSIM server and repeat the same manage_agents command to generate and extract the XP client’s unique key from the server. Once extracted, paste it into the XP client by opening the Manage Agent applet from the start menu under the OSSEC program group.

Finally, to begin receiving OSSEC events in OSSIM, open the file /etc/ossim/ossim_setup.conf on the OSSIM server and in the [sensor] section add ossec to the end of the line that begins with the word detectors. Save and exit the config file, and restart your OSSIM server using the shutdown -r now command. Upon reboot, you should start to see OSSEC events appear in OSSIM. To test this, restart the OSSEC agent on the XP machine and look in the Events→SIM Events section of the OSSIM management page. You should see messages related to the OSSEC agent (Figure 7). As you now have an external feed coming into your OSSIM server, let’s look at how it digests and analyzes the data.

Figure 7. Verifying the OSSEC Agent Is Talking to OSSIM

Events, Alarms, Directives and Correlation

For OSSIM to decipher data from any source, it first must have a plugin. A plugin is an XML-based configuration file that tells OSSIM how to read information from a particular data source and when to register a security event. According to the AlienVault site, more than 2,300 plugins currently are available (see the Popular OSSIM Plugins sidebar for a brief listing of the leading ones).

An event is any occurrence that a plugin’s native software deems important enough to log or warn on. Events in OSSIM should be treated like log entries. They are not necessarily indicative of a problem, but should be reviewed nonetheless. When multiple events take place in such a way that an administrator has marked them as being “suspicious”, OSSIM throws an alarm. It is also possible for a plugin to set a single event’s settings high enough that it can throw an alarm when the single event occurs. The criteria used to trigger an alarm from multiple different events is known as a directive. The process of analyzing multiple events within a directive is called correlation. Correlation is central to OSSIM’s operation. With correlation, administrators can take data from a multitude of disparate security devices and tailor directives to reduce false positives and extrapolate threat data in real time.

Take a typical IDS (Intrusion Detection System) device, for example. An improperly tuned IDS can record a large number of false positives. However, with OSSIM, you can create a directive that correlates your IDS events with known vulnerabilities in Nessus. By doing so, you reduce false positives and refine questionable data into a valuable security check. As another example, you could correlate multiple port scans from Nmap with failed logins from syslog (or OSSEC, as I explain later) to detect break-ins. A third example would be to correlate aberrant network behavior using ntop with rootkit checks from OSSEC or virus detections from Sophos, ClamAV or McAfee to monitor for client-based threats.

Popular OSSIM Plugins

Some of the more popular plugins for OSSIM include the following:

- Snort
- Nagios
- OpenVAS
- Nessus
- ntop
- Nmap
- OSSEC
- Passive OS Fingerprinter (p0f)
- Osiris
- arpwatch
- syslog
- PAM
- Honeyd
- Passive Asset Detection System (pads)
- Cisco—Routers and Pix
- Multiple firewalls—iptables, sonicwall, monowall and pfsense
- Web servers—IIS and Apache
- Windows logs—Snare, OSSEC and ntsyslog
- OCS-NG—inventory software
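The ossim_setup.conf step above (adding ossec to the detectors line of the [sensor] section) is easy to get wrong by hand, most commonly by adding the entry twice. The following Python script is an added example, not code from the article or from the OSSIM project: it performs that one edit idempotently and keeps a backup of the file. It assumes the file is INI-style (key=value lines under [section] headers) and that detectors is a comma-separated list; the sample content embedded below is constructed for the example and is not the real file.

```python
"""Added example (not from the article or the OSSIM project): register the
OSSEC plugin in /etc/ossim/ossim_setup.conf without duplicating the entry.

Constructed assumptions: INI-style file (key=value under [section] headers),
detectors is a comma-separated list, and SAMPLE_CONF is made up for this
example rather than copied from a real installation."""

import shutil
from pathlib import Path
from typing import List

# Constructed sample of the relevant sections; a real file carries more keys.
SAMPLE_CONF = """\
[sensor]
ip=192.0.2.5
detectors=snort,ntop,nagios
monitors=ntop

[framework]
framework_ip=192.0.2.5
"""


def _is_section(stripped: str) -> bool:
    return stripped.startswith("[") and stripped.endswith("]")


def _is_key(stripped: str, key: str) -> bool:
    """True when the line is `key=...` (exact key, surrounding spaces ignored)."""
    return stripped.partition("=")[0].strip() == key


def _split_list(value: str) -> List[str]:
    """Split a comma-separated value, dropping blanks and surrounding spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def detectors_in(text: str, section: str = "sensor") -> List[str]:
    """Return the detectors listed in `section`, or [] if there is no such line."""
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if _is_section(stripped):
            in_section = stripped[1:-1] == section
        elif in_section and _is_key(stripped, "detectors"):
            return _split_list(stripped.partition("=")[2])
    return []


def add_detector(text: str, detector: str, section: str = "sensor") -> str:
    """Append `detector` to the detectors line of `section` unless it is already
    there.  Every other line, including detectors lines in other sections, is
    returned unchanged; a file without that line comes back untouched."""
    out = []
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if _is_section(stripped):
            in_section = stripped[1:-1] == section
        elif in_section and _is_key(stripped, "detectors"):
            key, _, value = line.partition("=")
            items = _split_list(value)
            if detector not in items:
                items.append(detector)
            sep = ", " if ", " in value else ","   # keep the file's own separator style
            line = f"{key.rstrip()}={sep.join(items)}"
        out.append(line)
    result = "\n".join(out)
    return result + "\n" if text.endswith("\n") else result


def register_detector(path: str, detector: str = "ossec") -> bool:
    """Edit the file in place, keeping a .bak copy next to it.  Returns True if
    a change was written and False if the detector was already registered."""
    conf = Path(path)
    original = conf.read_text()
    updated = add_detector(original, detector)
    if updated == original:
        return False
    shutil.copy2(conf, conf.with_suffix(conf.suffix + ".bak"))
    conf.write_text(updated)
    return True


if __name__ == "__main__":
    # Dry run on the constructed sample; register_detector() is the in-place variant.
    print(add_detector(SAMPLE_CONF, "ossec"))
```

Running `register_detector("/etc/ossim/ossim_setup.conf")` on the server, followed by the reboot the article calls for, replaces the manual edit; the return value tells you whether anything changed, so the script can be run again later without harm.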


With the number of plugins available for OSSIM, the possibilities for correlation are almost limitless.

Custom Directives, Risk and Incident Response

Let’s create a simple directive so you can see correlation in action. As an example, let’s use a simple directive to monitor suspicious access to the Web server using two different plugins. In order to do so, first turn down the values for your OSSEC plugin. From the OSSIM management page, go to the Plugins section under Configuration. Scroll through the tables to find Plugin ID 7010, and click on the ID column to edit the plugin’s values. On the resulting page, change the reliability values for the SIDs 5503 and 5716 from 5 to 1 (Figure 8). If you left these values at 5, they would send an alarm before the rule is processed. Because the goal is to observe correlation, you need to turn them down.

Figure 8. Adjusting the Reliability of Our Plugin’s SIDs

Click on the Directives link found under the Correlation section of the navigation pane. From here, you get a brief description of how directives are ordered and processed. Click on the Add Directive line in the top left of the page. In the resulting fields, enter “Unauthorized Access to Web Server” as the Name. In the blank field next to Id, enter 101, which places your directive in the Generic directives group. Set the Priority to 2 and click Save. On the next page (Figure 9), click on the + symbol to add a rule to your new directive. In the Name field, type “NMAP Scan on Web Server from Foreign Host”. Enter 1001 as the Plugin Id (snort). In the Plugin Sid field, type “2000537, 2000545”, and under the Network section in the To field, type in the IP address of your CentOS server and the Port to List 22. In the Risk field, set Occurrence to 3, Reliability to 1. Set the Sticky field to True and Sticky Different to SRC_IP. Click the Save button at the bottom of the page.

Figure 9. The First Rule of the Test Directive

In theory, you have a directive that will send an alarm when a host runs an Nmap scan against port 22 on your Web server. However, you won’t receive alerts yet. In order for a directive to send an alarm, the risk of the directive being tripped must be greater than 1. Although I have not talked much about risk until now, it is integral to the function of correlation. Risk is the primary factor used by the correlation engine to determine when alarms are generated. It is calculated using a series of subjective numerical values assigned by the agents and administrators. Expressed in mathematical form, the formula for risk looks like this:

    Risk = (priority x reliability x asset) / 25

Priority is the number OSSIM uses to prioritize rules. It is set at the Directive level. Priority can have a value of 0–5. 0 means OSSIM should ignore the alert. A value of 5 means OSSIM should treat this as a serious threat. Reliability refers to how reliable a rule is based on the chance that it’s a false positive. It is set at the individual rule level and can be cumulative if there is more than one rule in a directive. Possible values for reliability are 1–10, and they equate to percentages, so 6 would mean a rule is reliable 60% of the time. Asset is the value that represents the importance of a host. You assigned the highest possible priority (5) to your CentOS server in the Policies section earlier in the article.

At this point, you have one rule under your directive, but no correlation, so you need to add another rule. Click on the + symbol on your directive. Give the new rule a name of “Too Many Auth Failures”. Set the Plugin ID to 7010 (OSSEC), and set the From field to the IP address of your Web server as the OSSEC agent will show the Web server as the source of the events. Set Occurrence to 4 and Reliability to 0 for now. Click Save. After adding the second rule, navigate to the row of the new rule and move the mouse over the directional arrows that control how rules are treated inside the directive. The up and down arrows are similar to AND statements, meaning both rules must match, and the left and right arrows nest rules within each other like nested IF statements. Move your second rule to the right. Open the second rule back up and change the reliability to +2, which will increase the reliability by 2 over the previously processed rule (3 if the first rule is met). Now, if both rules are met, the risk will be > 1 and an alarm will be generated. Listing 1 shows the directive in XML format.

To generate an alarm, log on to the XP client and download Nmap. Run four scans against the CentOS server using the zenmap GUI and the quick scan option.


Listing 1. Directive in .xml Format
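To make the arithmetic behind the alarm concrete, the following Python is an added example (it is neither the article’s Listing 1 nor OSSIM code) that models the two-rule directive built above and scores it with the article’s formula Risk = (priority x reliability x asset) / 25. Its rule semantics are assumptions chosen to follow the text: a rule matches once it has seen its Occurrence count of fitting events, the nested second rule is only evaluated after the first has matched, and the “+2” reliability is added to the reliability of the rule before it. The Sticky fields, rule time-outs and the per-SID plugin reliabilities turned down in Figure 8 are not modeled; the IP addresses and event streams are constructed for the example.

```python
"""Added example (not the article's Listing 1 and not OSSIM code): a small
model of how the "Unauthorized Access to Web Server" directive is correlated
and scored.  Rule semantics, addresses and events are constructed assumptions."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALARM_THRESHOLD = 1.0   # the article: an alarm fires only when risk is greater than 1


@dataclass
class Event:
    plugin_id: int
    plugin_sid: int
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    plugin_id: int
    plugin_sids: Set[int] = field(default_factory=set)   # empty set = any SID
    occurrence: int = 1
    reliability: int = 1
    relative: bool = False          # True models the "+N" reliability form
    from_ip: Optional[str] = None
    to_ip: Optional[str] = None
    port: Optional[int] = None
    children: List["Rule"] = field(default_factory=list)   # nested (right-shifted) rules


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Apply the rule's plugin, SID and network filters to one event."""
    return (ev.plugin_id == rule.plugin_id
            and (not rule.plugin_sids or ev.plugin_sid in rule.plugin_sids)
            and (rule.from_ip is None or ev.src_ip == rule.from_ip)
            and (rule.to_ip is None or ev.dst_ip == rule.to_ip)
            and (rule.port is None or ev.dst_port == rule.port))


def risk(priority: int, reliability: int, asset: int) -> float:
    """The article's formula: Risk = (priority x reliability x asset) / 25."""
    return priority * reliability * asset / 25


def evaluate_directive(priority: int, asset: int, root: Rule,
                       events: List[Event]) -> Tuple[float, List[str]]:
    """Walk the events in order down the rule chain.  Returns the risk of the
    deepest rule reached and the names of the rules that matched."""
    current: Optional[Rule] = root
    hits = 0
    reliability = 0                 # nothing matched yet, so no risk
    fired: List[str] = []
    for ev in events:
        if current is None or not rule_matches(current, ev):
            continue
        hits += 1
        if hits < current.occurrence:
            continue
        reliability = (reliability + current.reliability) if current.relative else current.reliability
        fired.append(current.name)
        current = current.children[0] if current.children else None   # descend
        hits = 0
    return risk(priority, reliability, asset), fired


def alarm_raised(priority: int, asset: int, root: Rule, events: List[Event]) -> bool:
    return evaluate_directive(priority, asset, root, events)[0] > ALARM_THRESHOLD


# --- The article's directive (id 101, priority 2) against the web server (asset 5) ---
WEB_SERVER = "192.0.2.10"   # constructed address for the CentOS web server
XP_CLIENT = "192.0.2.20"    # constructed address for the Windows XP client
DIRECTIVE_PRIORITY = 2
WEB_SERVER_ASSET = 5

TOO_MANY_AUTH_FAILURES = Rule(
    name="Too Many Auth Failures", plugin_id=7010,          # OSSEC, any SID
    occurrence=4, reliability=2, relative=True,             # "+2" over the rule before it
    from_ip=WEB_SERVER)                                     # the agent reports itself as source
NMAP_SCAN = Rule(
    name="NMAP Scan on Web Server from Foreign Host", plugin_id=1001,   # snort
    plugin_sids={2000537, 2000545}, occurrence=3, reliability=1,
    to_ip=WEB_SERVER, port=22, children=[TOO_MANY_AUTH_FAILURES])

# Constructed event streams: four quick scans, then five failed root logins.
SCANS = [Event(1001, 2000537, XP_CLIENT, WEB_SERVER, 22) for _ in range(4)]
AUTH_FAILURES = [Event(7010, 5716, WEB_SERVER, WEB_SERVER, 22) for _ in range(5)]


if __name__ == "__main__":
    for label, stream in [("scans only", SCANS), ("logins only", AUTH_FAILURES),
                          ("scans then logins", SCANS + AUTH_FAILURES)]:
        r, fired = evaluate_directive(DIRECTIVE_PRIORITY, WEB_SERVER_ASSET, NMAP_SCAN, stream)
        print(f"{label:18s} risk={r:.2f} alarm={r > ALARM_THRESHOLD} matched={fired}")
```

The three runs show why the second rule is nested rather than left standalone: scans alone reach a reliability of 1 and a risk of 0.4, failed logins alone never enter the directive because the first rule does not match them, and only the scan followed by the four failures reaches reliability 3 and a risk of 1.2, above the threshold. That is the false-positive reduction the article describes, expressed as numbers.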

Then, ssh to the same server and attempt to log in as root, but enter an incorrect password five times. You should see a new alarm in the Unresolved Alarms link at the top of the page. Access this link and find the alarm triggered by your test directive (Figure 10). Identify the row with your test alarm and click on the icon resembling a sheet of paper in the Action column to open a new Alarm Incident (Figure 11). A new window will pop up and display basic information about the incident that will be used to create a ticket. Click OK to confirm the information, and the full ticket editor will load. Add a description and any other pertinent information to this page, and click on the Add ticket button. You should see a new Unresolved Ticket on the indicator at the top of the page. To edit a ticket, navigate to the Tickets link in the Incidents section of the navigation pane. From here you can add notes, attach files and change the status of your tickets. A ticket will no longer show in the list once its status is set to Closed. Although quite simple, this built-in ticketing system contains the necessary functionality to satisfy most enterprises’ incident-response needs. OSSIM also contains a knowledge base that you can use to link tickets and external documents that adds another layer of depth to its incident response system.

Figure 11. A New Ticket Generated by the Alarm

The Sky’s the Limit

This brief walk-through barely touches on the power of OSSIM. Its correlation abilities and its multitude of plugins make it an intriguing alternative to the traditional SIM. If you factor in the ability to write your own plugins, you have a tool that is fully customizable for any environment and whose value is limited only by your creativity. The makers of OSSIM have given SIMs a new intelligence that hopefully will drive innovation in the field and take security management to the next level.■

Jeramiah Bowling has been a system administrator and network engineer for more than ten years. He works for a regional accounting and auditing firm in Hunt Valley, Maryland, and holds numerous industry certifications, including the CISSP. Your comments are welcome at [email protected].

Resources

OSSIM Installer Download: www.alienvault.com/opensourcesim.php?section=Downloads

OSSIM Wiki: www.ossim.net/wiki/doku.php

OSSEC: www.ossec.net
