Popular OSSIM Plugins Sidebar for a Brief Agent by Running the Command: Listing of the Leading Ones)
Total Page:16
File Type:pdf, Size:1020Kb
To read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com. AlienVault the Future of Security Information Management Meet AlienVault OSSIM, a complex security system designed to make your life simpler. JERAMIAH BOWLING Security Information Management (SIM) systems have made many security administrators’ lives easier over the years. SIMs organize an enterprise’s security environment and provide a common interface to manage that environment. Many SIM products are available today that perform well in this role, but none are as ambitious as AlienVault’s Open Source Security Information Management (OSSIM). With OSSIM, AlienVault has harnessed the capabilities of several popular security packages and created an “intelligence” that translates, analyzes and organizes the data in unique and customizable ways that most SIMs cannot. It uses a process called correlation to make threat judgments dynamically and report in real time on the state of risk in your environment. The end result is a design approach that makes risk management an organized and observable process that security administrators and managers alike can appreciate. In this article, I explain the installation of an all-in-one OSSIM agent/server into a test network, add hosts, deploy a Figure 1. A little tough to read, but this is where everything starts. third-party agent, set up a custom security directive and take a quick tour of the built-in incident response system. In addition AlienVault site in .iso form (version 2.1 at the time of this to the OSSIM server, I have placed a CentOS-based Apache writing) and booted my VM from the media. Web server and a Windows XP workstation into the test On bootup, you will see a rather busy and slightly difficult- network to observe OSSIM’s interoperation with different to-read install screen (Figure 1). The default option is the text- systems and other third-party agents. based install, but by pressing the down arrow, you will see a graphical install option. Select the Text option and press Enter. Installation If you’ve seen Debian install screens, the OSSIM installer will To keep deployment time to a minimum, I deployed OSSIM look very familiar. Set your language preferences and partition on a VMware-based virtual machine (VM). OSSIM is built on your hard drive(s). Configure your settings for Postfix if desired. Debian, so you can deploy it to any hardware that Debian Finally, set your root password, and enter a static IP address for supports. I used the downloadable installation media from the the server when prompted. The installer will restart the 2 | march 2010 www.linuxjournal.com To read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com. article when I discuss correlation. To start the agent, run: You now have an active OSSIM server using passive network monitors like /var/ossec/bin/ossec-control start snort, Nagios and ntop to report on your test network’s activity. Next, let’s Now, from the CentOS Web server, add some client-based agents that feed ssh to the OSSIM server, and run the data into the OSSIM server. following command to add your client agent to the OSSEC server: Installing the OSSEC Agent Many client agents can communicate /var/ossec/bin/manage_agents Figure 2. Main Login Screen with OSSIM, but because of space limitations, I am covering the one I Select A to add an agent, and enter believe is the most valuable to security a unique name for it. Add the IP address administrators: OSSEC. OSSEC is a freely of your CentOS Web server and give the available host intrusion detection system agent a unique ID. The default ID usually (HIDS) maintained by Trend Micro that performs a multitude of client security tasks, such as logging, alert- ing, integrity checking and rootkit detection. Figure 3. Main Dashboard Additionally, a large number of OSSIM plug- machine to complete the configuration. ins for OSSEC already Open a browser from a machine on are installed with your the same network and enter the IP server that can monitor address of the OSSIM server in the URL virtually any part of a field (Figure 2). Enter “admin” as the UNIX/Linux/Windows user and password to log in to the man- system. Figure 4. Setting Up the First Network Scan agement site. Change your password First, let’s install under the Configuration→Users section. OSSEC on the CentOS After logging in, the main dashboard Web server. Download view loads (Figure 3). and extract the client The next step is to add systems tar from the OSSEC for the OSSIM server to monitor. Start Web site. If you have by defining your local network and difficulty finding the performing a cursory scan. On the OSSEC agent, or any Networks tab under Policy, click Insert other agent, links to New Network. Enter your LAN infor- OSSIM’s supported mation in the fields provided. If you third-party agents don’t see a sensor listed, insert a are available in the new one using the hostname and Tools/Downloads section IP address of your all-in-one OSSIM of the management server. Leave the Nagios check page. Next, run the Figure 5. Nagios Working under the Hood box enabled, but the Nessus box install.sh script from the unchecked (Figure 4) to reduce the unpacked tar folder. time needed for the first scan. After Verify your machine the scan completes, several hosts information and select should appear on the Hosts tab of the the agent install option. Policies section. OSSIM installs and Accept the default auto-configures Nagios and ntop install directory. Enter during installation, so you also can see the IP address of the basic network information by visiting server (the OSSIM the Monitors section of the manage- server). Run the integrity- ment page (Figure 5). Once all hosts check dæmon and are found, find the CentOS Web server enable the rootkit- in the Hosts section under Policies, detect engine. When and modify its priority from 1 to 5 asked to enable active (Figure 6). You will use this later in the response, answer “no”. Figure 6. Changing the Web Server’s Asset Value www.linuxjournal.com march 2010 | 3 To read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com. FEATURE AlienVault is fine, unless you plan on implementing 7). As you now have an external feed a naming convention for your OSSEC coming into your OSSIM server, let’s look Popular clients. Enter Y to confirm adding the at how it digests and analyzes the data. agent. This returns you to the main OSSIM menu. Select E to extract. Input the Events, Alarms, Directives client ID you want to extract (the ID you and Correlation Plugins assigned to the CentOS server). From For OSSIM to decipher data from any another terminal window on the CentOS source, it first must have a plugin. A Web server, run the local manage_agents plugin is an XML-based configuration file command. Select I to import the unique that tells OSSIM how to read information Some of the more popular key. Copy and paste the unique key from from a particular data source and when plugins for OSSIM include the SSH window to the Web server’s local to register a security event. According the following: prompt. Enter Y to confirm the key, and to the AlienVault site, more than 2,300 select Q to quit. Close the SSH connection, plugins currently are available (see the I Snort and from the local prompt, restart the Popular OSSIM Plugins sidebar for a brief agent by running the command: listing of the leading ones). I Nagios An event is any occurrence that a /var/ossec/bin/ossec-control restart plugin’s native software deems impor- I OpenVAS tant enough to log or warn on. On your XP client, download and Events in OSSIM should be treated I Nessus install the OSSEC agent as well as the like log entries. They are not necessarily Putty SSH client. When finished, run the indicative of a problem, but should be I ntop Putty client to SSH to the OSSIM server reviewed nonetheless. When multiple and repeat the same manage_agents events take place in such a way that an I Nmap command to generate and extract the administrator has marked them as being XP client’s unique key from the server. “suspicious”, OSSIM throws an alarm. I OSSEC Once extracted, paste it into the XP It is also possible for a plugin to set a client by opening the Manage Agent single event’s settings high enough that I Passive OS Fingerprinter applet from the start menu under the it can throw an alarm when the single (p0f) OSSEC program group. event occurs. The criteria used to trigger Finally, to begin receiving OSSEC an alarm from multiple different events I Osiris events in OSSIM, open the file is known as a directive. The process of /etc/ossim/ossim_setup.conf on the analyzing multiple events within a direc- I arpwatch OSSIM server and in the [sensor] section tive is called correlation. Correlation add ossec to the end of the line that is central to OSSIM’s operation. With I syslog begins with the word detectors. Save correlation, administrators can take data and exit the config file, and restart from a multitude of disparate security I PAM your OSSIM server using the shutdown devices and tailor directives to reduce -r now command. Upon reboot, you false positives and extrapolate threat I Honeyd should start to see OSSEC events appear data in real time.