Fonctionnement D'ossim

Total Page:16

File Type:pdf, Size:1020Kb

Fonctionnement D'ossim Fonctionnement d’OSSIM Dans le cadre de SIMS - Security Intrusion Management System (http ://www.tcom.ch/Tcom/Projets/SIMS/sims.html) Auteur : Joel¨ Winteregg ([email protected]) Chef de projet : Cyril Friche Professeur : Stefano Ventura Ecole´ : Swiss University of Applied Sciences (EIVD) Tcom institut (http ://www.tcom.ch) Date : 31 mai 2005 Table des matieres` 1 Fonctionnement logiciel d’OSSIM 3 1.1 Les applications Ossim-server et Ossim-agent ....................... 3 1.2 Fonctionnement de l’architecture avec une sonde Snort .................. 3 1.2.1 Pourquoi deux flux d’informations ? ........................ 3 1.3 Fonctionnement de l’architecture avec une sonde Ntop .................. 5 1.3.1 Ntop c’est quoi ? .................................. 5 1.3.2 Fonctionnement ................................... 6 1.4 Fonctionnement de l’architecture avec une sonde P0f ................... 6 1.4.1 P0f c’est quoi ? ................................... 7 1.4.2 Fonctionnement ................................... 7 1.5 Fonctionnement de l’architecture avec une sonde TCPTrack ............... 7 1.5.1 TCPTrack c’est quoi ? ............................... 7 1.5.2 Fonctionnement ................................... 7 1.6 Fonctionnement de l’architecture avec une sonde PADS .................. 8 1.6.1 PADS c’est quoi ? .................................. 8 1.6.2 Fonctionnement ................................... 9 1.7 Fonctionnement de l’architecture avec une sonde Syslog ................. 9 1.7.1 Qu’est-ce qu’une sonde HIDS ........................... 9 1.7.2 Fonctionnement ................................... 10 A Installation et configuration d’Ossim-server 11 A.1 Prerequis´ .......................................... 11 A.2 Installation ......................................... 11 A.3 Configuration ........................................ 12 A.3.1 Configuration du serveur Web ........................... 13 B Ajout et configuration d’une sonde Snort 14 B.1 Installation ......................................... 14 B.1.1 Snort ........................................ 14 B.1.2 Ossim-agent .................................... 15 B.2 Configuration ........................................ 15 B.2.1 Snort ........................................ 15 1 SIMS - Security Intrusion Manager System - Joel¨ Winteregg B.2.2 Ossim-agent .................................... 16 B.3 Configuration d’Ossim-server pour une nouvelle sonde Snort ............... 16 B.4 Test de fonctionnement ................................... 18 B.4.1 Erreur de demarrage´ de l’agent Ossim ....................... 18 C Ajout et configuration de Ntop 20 C.1 Installation ......................................... 20 C.1.1 Ntop ........................................ 20 C.2 Configuration ........................................ 21 C.2.1 Ntop ........................................ 21 C.2.2 L’agent Ossim ................................... 21 C.3 Configuration d’Ossim-server pour une nouvelle sonde Ntop ............... 23 D Ajout et configuration de P0f 24 D.1 Installation ......................................... 24 D.2 Configuration ........................................ 24 D.2.1 P0f ......................................... 24 D.2.2 L’agent Ossim ................................... 24 E Ajout et configuration de TCPTrack 25 E.1 Installation ......................................... 25 E.2 Configuration ........................................ 25 F Ajout et configuration d’une sonde HIDS Syslog 26 F.1 Installation ......................................... 26 F.2 Configuration ........................................ 26 G Ajout et configuration de PADS 27 G.1 Installation ......................................... 27 G.2 Configuration ........................................ 27 2 Chapitre 1 Fonctionnement logiciel d’OSSIM Des informations relatives a` l’installation sont disponibles dans les annexes ou sur le site officiel d’Ossim (http ://www.ossim.net/docs.php) 1.1 Les applications Ossim-server et Ossim-agent Ossim-agent recup´ ere` simplement les informations des fichiers de logs des plugins (fichier fast.log pour Snort) et les envoie directement au serveur Ossim permettant ainsi le traitement temps reel´ de celles-ci. De plus, l’agent Ossim s’occupera de la mise en marche et de l’arretˆ des differentes´ sondes qui lui sont connectees.´ Il ne sera ainsi pas necessaire´ de demarrer´ la sonde Snort ”a` la main” puisque son activation sera effectuee´ depuis la console de management offerte par Ossim- server. Ossim-server constitue le noyau de l’architecture. En effet, celui-ci comporte les modules d’analyse et de correlation´ des donnees´ ainsi qu’un serveur Web permettant l’interaction avec l’utilisateur (administrateur reseau).´ 1.2 Fonctionnement de l’architecture avec une sonde Snort Le principe de communication d’une sonde Snort avec le serveur OSSIM est illustre´ par la figure 1.1. Nous remarquons que l’IDS1 Snort est independant´ du programme client d’OSSIM (nomme´ : ossim- agent) et que deux flux d’informations sont emis´ en direction du serveur. 1.2.1 Pourquoi deux flux d’informations ? Le flux nomme´ ”Requetesˆ SQL pour depos´ des alertes” est utilise´ afin de deposer´ directement les alertes dans la base de donnee´ ”Snort BD” du serveur. Ceci permettra l’archivage de celles-ci et 1Intrusion Detection System 3 SIMS - Security Intrusion Manager System - Joel¨ Winteregg FIG. 1.1 – Principe de communication entre une sonde Snort et le serveur d’OSSIM leur conslutation via ACID2, permettant ainsi l’analyse precise´ de chaque alertes. Le flux nomme´ ”Envoi des alertes pour l’anayse temps reel´ (TCP et protocole applicatif propre a` OSSIM” est quant a` lui necessaire´ pour le proced´ e´ d’analye et de correlation´ temps reel´ oper´ e´ sur le serveur d’OSSIM. Ces deux flux d’informations redondants sont indispensables si l’on ne veut pas redefinir´ le protocole d’envoi des informations dans la base de donnee´ ”Snort BD”. En effet, le plugin de sortie Mysql ne serait pas suffisant pour un traitement temps reel´ puisque le stockage des informations dans une base de donnes´ ”casse” le proced´ e´ temps reel.´ Un tel fonctionnement impliquerait l’interrogation continuelle de la base de donnee´ afin de decouvrir´ les nouvelles donnees´ inser´ ees.´ Les concepteurs d’OSSIM ont donc pref´ er´ e´ utiliser deux flux d’informations plutotˆ que de creer´ un nouveau plugin de sortie pour Snort permettant d’envoyer les alertes dans un seul flux structure´ au serveur. Dans ce mode de fonctionnement, c’est le serveur qui se chargerait ensuite du traitement temps reel´ et de l’insertion des informations dans une base de donnee.´ Pour l’analyse et la correlation,´ le serveur Ossim utilise uniquement les alertes provenant de l’agent Os- sim, alors que les alertes directement stockees´ dans la base de donnees´ sont uniquement utilisees´ pour la 2Analysis Console for Intrusion Databases, interface Web integr´ ee´ a` OSSIM permettant l’interrogation d’une base de donne´ Snort (developp´ e´ dans le cadre du projet Open Source Snort) 4 SIMS - Security Intrusion Manager System - Joel¨ Winteregg consultation. 1.3 Fonctionnement de l’architecture avec une sonde Ntop Le principe de communication d’une sonde Ntop avec le serveur OSSIM est illustre´ par la figure 1.2. FIG. 1.2 – Principe de communication entre une sonde Ntop et le serveur d’OSSIM 1.3.1 Ntop c’est quoi ? Ce logiciel analyse de maniere` temps reel´ le trafic reseau´ et met a` disposition une liste de compteurs (par exemple : IP DNSBytes, IP HTTPBytes), permettant le monitoring ainsi que le calcul de statistiques. La sonde Ntop met en place un serveur Web permettant le monitoring ainsi que la configuration de celle-ci a` distance. Le plugin de sortie RRD3 est necessaire´ pour l’integration´ de Ntop dans Ossim. Celui-ci permet l’enregis- trement des donnees´ sous forme de tourniquet (les plus vieilles donnees´ sont ecras´ ees´ par les nouvelles). 3Round Robin Database 5 SIMS - Security Intrusion Manager System - Joel¨ Winteregg L’interrogation de la base de donnee´ RRD est ensuite facilite´ a` l’aide de l’outil RRDtool4. 1.3.2 Fonctionnement Le script Perl rrd plugin.pl effectue la liaison entre Ntop et l’agent Ossim. Celui-ci interroge periodiquement´ la ”base de donnee”´ RRD (illustree´ par Ntop/rrd log file) a` l’aide de l’outil RRDtool. Il recup´ ere` (via des requetesˆ SQL sur le serveur) les seuils des compteurs defini´ par l’administrateur reseau´ a` l’aide du frame- work de configuration5 et les compare aux des donnees´ prec´ edemment´ recup´ er´ ees´ (a` l’aide de RRDtool). Les eventuels´ depassement´ des seuils sont ensuitre stocke´ dans un fichier de log (/var/log/ossim/rrd plugin.log) qui sera recup´ er´ e´ par l’agent Ossim afin de permettre l’envoi temps reel´ des informations au serveur. La correlation´ des ces informations peut ensuite etreˆ effectuee´ sur le serveur. 1.4 Fonctionnement de l’architecture avec une sonde P0f Le principe de communication d’une sonde P0f avec le serveur OSSIM est illustre´ par la figure 1.3. FIG. 1.3 – Principe de communication entre une sonde P0f et le serveur d’OSSIM 4http ://people.ee.ethz.ch/ oetiker/webtools/rrdtool/ 5interface Web offerte par le serveur. Menu : Configuration - RRD config 6 SIMS - Security Intrusion Manager System - Joel¨ Winteregg 1.4.1 P0f c’est quoi ? P0f est un logiciel de detection´ de systemes` d’exploitations6 passif. Il analyse les trames transitant sur le reseau´ (le segment analyse)´ et les compare avec une base de donnees´ des caracteristiques´ de chaque OS (prise d’empreintes) afin d’en retrouver l’OS correspondant.
Recommended publications
  • OSSIM: a Careful, Free and Always Available Guardian for Your Network OSSIM a Careful, Free and Always Available Guardian for Your Network
    FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network OSSIM a Careful, Free and Always Available Guardian for Your Network Monitor your network’s security 24/7 with a free and open-source solution that collects, analyzes and reports logs of the events on your network. MARCO ALAMANNI 68 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 68 5/22/14 12:36 PM etworks and information check them all, one by one, to obtain systems are increasingly meaningful information. N exposed to attacks that A further difficulty is that there is are becoming more sophisticated no single standard used to record the and sustained over time, such as logs and often, depending on the type the so-called APT (Advanced and size, they are not immediate or Persistent Threats). easy to understand. Information security experts agree It is even more difficult to relate on the fact that no organization, other logs produced by many even the best equipped to protect different systems to each other itself from these attacks, can be manually, to highlight anomalies considered immune, and that the in the network that would not be issue is not whether its systems will detectable by analyzing the logs of be compromised, but rather when each machine separately. and how it will happen. SIEM (Security Information and It is essential to be able to Event Management) software, detect attacks in a timely manner therefore, is not limited to and implement the relative being a centralized solution for countermeasures, following log management, but also (and appropriate procedures to respond especially) it has the ability to to incidents, thus minimizing the standardize logs in a single format, effects and the damages they can analyze the recorded events, cause.
    [Show full text]
  • Popular OSSIM Plugins Sidebar for a Brief Agent by Running the Command: Listing of the Leading Ones)
    To read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com. AlienVault the Future of Security Information Management Meet AlienVault OSSIM, a complex security system designed to make your life simpler. JERAMIAH BOWLING Security Information Management (SIM) systems have made many security administrators’ lives easier over the years. SIMs organize an enterprise’s security environment and provide a common interface to manage that environment. Many SIM products are available today that perform well in this role, but none are as ambitious as AlienVault’s Open Source Security Information Management (OSSIM). With OSSIM, AlienVault has harnessed the capabilities of several popular security packages and created an “intelligence” that translates, analyzes and organizes the data in unique and customizable ways that most SIMs cannot. It uses a process called correlation to make threat judgments dynamically and report in real time on the state of risk in your environment. The end result is a design approach that makes risk management an organized and observable process that security administrators and managers alike can appreciate. In this article, I explain the installation of an all-in-one OSSIM agent/server into a test network, add hosts, deploy a Figure 1. A little tough to read, but this is where everything starts. third-party agent, set up a custom security directive and take a quick tour of the built-in incident response system. In addition AlienVault site in .iso form (version 2.1 at the time of this to the OSSIM server, I have placed a CentOS-based Apache writing) and booted my VM from the media.
    [Show full text]
  • OSSIM Fast Guide
    ----------------- OSSIM Fast Guide ----------------- February 8, 2004 Julio Casal <[email protected]> http://www.ossim.net WHAT IS OSSIM? In three phrases: - VERIFICATION may be OSSIM’s most valuable contribution at this time. Using its correlation engine, OSSIM screens out a large percentage of false positives. - The second advantage is that of INTEGRATION, we have a series of security tools that enable us to perform a range of tasks from auditing, pattern matching and anomaly detection to forensic analysis in one single platform. We take responsibility for testing the stability of these programs and providing patches for them to work together. - The third is RISK ASSESSMENT, OSSIM offers high level state indicators that allow us to guide inspection and measure the security situation of our network. * DISTRIBUTION - OSSIM integrates a number of powerful open source security tools in a single distribution. These include: - Snort - Nessus - Ntop - Snortcenter - Acid - Riskmeter - Spade - RRD - Nmap, P0f, Arpwatch, etc.. - These tools are linked together in OSSIM’s console giving the user a single, integrated navigation environment. * ARCHITECTURE - OSSIM is organized into 3 layers: . Sensors . Servers . Console - The database is independent of these layers and could be considered to be a fourth layer. OSSIM 2004/02/07 Sensors - Sensors integrate powerful software in order to provide three capabilities: . IDS . Anomaly Detection . Real time Monitoring - Sensors can also perform other functions including traffic consolidation on a segment and event normalization. - Sensors communicate and receive orders from the server using a proprietary protocol. Server - OSSIM’s server has the following capabilities: . Correlation . Prioritization . Online inventory . Risk assessment . Normalization Console The console’s interface is structured hierarchically with the following functions: .
    [Show full text]
  • OSSIM, Una Alternativa Para La Integración De La Gestión De Seguridad En La Red
    Revista Telem@tica. Vol. 11. No. 1, enero-abril, 2012, p. 11-19 ISSN 1729-3804 OSSIM, una alternativa para la integración de la gestión de seguridad en la red Walter Baluja García1, Cesar Camilo Caro Reina2, Frank Abel Cancio Bello3 1 ISPJAE, Ingeniero en Telecomunicaciones y Electrónica, Dr. C. Tec. [email protected] 2ISPJAE. Estudiantes de 5to Año de Telecomunicaciones y Electrónica [email protected] 3 ISPJAE, Ingeniero en Informática [email protected] RESUMEN / ABSTRACT En la actualidad resulta cada vez más complicado mantenerse asegurado frente a los diferentes ataques que se pueden presentar en una red, lo cual resulta en una gestión de seguridad mucho más compleja para los administradores de red. Para cumplir con ese cometido los gestores utilizan un grupo de soluciones que permiten automatizar su trabajo, gestionando grandes volúmenes de información. El presente artículo realiza un breve resumen sobre los sistemas de Administración de Información y Eventos de Seguridad (SIEM por sus siglas en ingles), revisando sus principales características, y continua con la descripción del sistema OSSIM Alienvault, donde se muestran su arquitectura y componentes. Palabras claves: Gestión, Seguridad, SIEM, OSSIM. OSSIM, an alternative network management and protection: Actuality is more difficult to maintain a system secured from the different threats that exist on a network, this results in more complex security management for network managers. This paper briefly summarizes Security Information and Event Management systems (SIEM), it reviews the main characteristics and continues with a description of OSSIM Alienvault System, showing its components and architecture. Keywords: Management, Security, SIEM, OSSIM.
    [Show full text]
  • Alienvault OSSIM Installation Guide
    AlienVault Installation Guide AlienVault LC - 1901 S Bascom Avenue Suite 220 Campbell, CA, 95008 T +1 408 465-9989 [email protected] wwww.alienvault.com Juan Manuel Lorenzo ([email protected]) Version 1.5 Copyright © AlienVault 2010 All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or me- chanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written per- mission of the copyright owner and publisher. Any trademarks referenced herein are the property of their respective holders. AlienVault LC - 1901 S Bascom Avenue Suite 220 Campbell, CA, 95008 T +1 408 465-9989 [email protected] wwww.alienvault.com AlienVault Table of Contents Introduction! 1 About this Installation Guide! 1 AlienVault Professional SIEM! 2 What is AlienVault Professional SIEM?! 2 Basic Operation! 3 Components! 4 Detector! 4 Collector! 5 SIEM! 5 Logger! 5 Web interface! 5 Before installing AlienVault! 6 Installation Profiles! 6 Sensor! 6 Server! 7 Framework! 7 Database! 7 All-in-one! 7 Overview of the AlienVault installation procedure! 8 Automated Installation! 8 Custom Installation! 8 What you will need! 9 Professional Key! 9 Role of the installed system! 9 Network configuration for the Management Network card! 9 Requirements! 10 Hardware requirements! 10 Network requirements! 10 Obtaining AlienVault Installation Media! 11 Downloading the installer from AlienVault Website! 11 Creating a boot CD! 11 Booting the installer! 11 AlienVault Installation
    [Show full text]
  • Una Possibile Soluzione Per L'analisi Di Sicurezza All-In-One
    Public Una possibile soluzione per l’analisi di sicurezza all-in-one AlienVault-OSSIM in configurazione all-in-one per branch office e sedi medio piccole Gianluca Peco INFN CCR Workshop Public Public Contesto 4 Panoramica dei sistemi esistenti e scelta Cos’è e cosa fa OSSIM 3 Sommario Com’è fatto OSSIM 2 Implementazione del sistema 1 Demo 5 min. 24 maggio 2021 Gianluca Peco - INFN CCR Workshop 2 Public Public Contesto Anche a seguito dell’evoluzione delle linee guida di sicurezza delle informazioni risulta estremamente utile dotarsi di uno strumento per il monitoring, l’analisi e la correlazione di eventi di sicurezza (ma non solo), a supporto della difesa attiva, della compliance e dell’analisi forense. Grandi quantità di dati prodotti dai sistemi di log, dai firewall perimetrali, dalle sonde IDS (Intrusion Detection Systems) e dai sistemi EDR (Endpoint Detection and Response) sono spesso inutilizzati fino all’evento negativo. Esistono strumenti per l’analisi e la correlazione real-time degli eventi di sicurezza sia opensource che commerciali. I sistemi IT si sono stratificati e differenziati al punto da richiedere la gestione distribuita di attività storicamente centralizzate come l’analisi dei log e degli eventi. 24 maggio 2021 Gianluca Peco - INFN CCR Workshop 3 Public Public Stadi evolutivi della cybersecurity Fonte: https://www.trianz.com/cybersecurity 24 maggio 2021 Gianluca Peco - INFN CCR Workshop 4 Public Public Definizione di SIEM (1/2) https://it.wikipedia.org/wiki/Security_Information_and_Event_Management Software e servizi che integrano vari componenti per fornire analisi in tempo reale degli eventi, la possibilità di fornire report inerenti ai dati raccolti, rispondendo alle esigenze di incident response, compliance e analisi forense.
    [Show full text]
  • Case Study: Open-Source Networked Infrastructure Management
    Research Publication Date: 25 March 2008 ID Number: G00155852 Case Study: Open-Source Networked Infrastructure Management Geoff Johnson Networked infrastructures can be reliably managed more affordably than traditional vendors' solutions by using open-source-based appliances and network management tools. Open-source solutions — including Nagios for host, service and network monitoring; GroundWork for collaboration; and Open Source Security Information Management (OSSIM) for security information management — have been used by Opengear to create significant alternatives to the traditional management of networked IT infrastructure. Key Findings • Use of open-source solutions in networked IT operations management can be a valid and reliable approach. • IT operations managers should consider "best fit for purpose" solutions, such as open- source software (OSS) solutions, as well as best-of-breed solutions. Recommendations • Invite and evaluate OSS solutions when choosing management tools in IT operations. • Examine the scope for open source in new IT requirements and for tactical fixes to operational problems. • Ensure that end users of open-source applications across your business understand the legal, staffing and developer requirements in the new open-source community and ecosystem to which they are committing. • Use external resources from network service providers (NSPs) and integrators, rather than internal staff, for open-source applications. © 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such.
    [Show full text]
  • Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide: Volume 1 – General Implementation Guidance
    NISTIR 8183A Volume 1 Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide: Volume 1 – General Implementation Guidance Keith Stouffer Timothy Zimmerman CheeYee Tang Jeffrey Cichonski Michael Pease Neeraj Shah Wesley Downard This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8183A-1 NISTIR 8183A Volume 1 Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide: Volume 1 – General Implementation Guidance Keith Stouffer Neeraj Shah Timothy Zimmerman Strativia, LLC CheeYee Tang Largo, Maryland Michael Pease Intelligent Systems Division Engineering Laboratory Jeffrey Cichonski Wesley Downard Applied Cybersecurity Division G2, Inc. Information Technology Laboratory Annapolis Junction, Maryland This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8183A-1 September 2019 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology National Institute of Standards and Technology Internal Report 8183A, Volume 1 81 pages (September 2019) This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8183A-1 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications.
    [Show full text]
  • OWASP Logging Guide
    OWASP Logging Guide SUMMARY Why log ?............................................................................................................................................................. 2 What is commonly logged ? ................................................................................................................................ 2 What are security logs ?....................................................................................................................................... 2 What are the most common issues with logging ? ............................................................................................. 2 What are the common functions of a log management infrastructure ?.............................................................. 3 General............................................................................................................................................................. 3 Storage............................................................................................................................................................. 3 Analysis ........................................................................................................................................................... 3 Disposal ........................................................................................................................................................... 3 How to plan a logging infrastructure ? ...............................................................................................................
    [Show full text]
  • USM Appliance Deployment Guide
    USM Appliance™ Deployment Guide Copyright © 2021 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or affiliated companies. All other marks are the property of their respective owners. Updated April 27, 2021 2 USM Appliance™ Deployment Guide Contents System Overview 7 About USM Appliance 8 About USM Appliance System Architecture and Components 16 Event Collection, Processing, and Correlation Workflow 18 USM Appliance Deployments 23 USM Appliance Deployments 24 USM Appliance Deployment Types 25 USM Appliance Deployment Requirements 30 Firewall Permissions 33 Configure the USM Appliance Hardware 36 Deploy USM Appliance in VMware 50 Deploy USM Appliance Using Hyper-V Manager 55 Deploy USM Appliance with AMI 61 Configure the USM Appliance Sensor after Deployment 64 Configure the USM Appliance Logger after Deployment 65 Configure the USM Appliance Enterprise Server and Enterprise Database 70 Set Up the Management Interface 72 Register USM Appliance 73 USM Appliance Initial Setup 77 Access the AlienVault Setup Menu 78 Configure Network Interfaces 80 Configure the Search Domain 83 Configure a Hostname for USM Appliance 83 Change the Default Time Zone 84 Configure USM Appliance to Use a DNS 85 Configure Synchronization with an NTP Server 86 Configure USM Appliance to Recognize Your Local Keyboard 86 Configure Custom HTTPS Certificates in USM Appliance 87 Create the Default Admin User 89 USM Appliance™ Deployment Guide 3 Configure Mail
    [Show full text]
  • Installing OSSIM on a Debian GNU/Linux
    Installing OSSIM on a Debian GNU/Linux David Gil Stéphane Fournier Installing OSSIM on a Debian GNU/Linux by David Gil and Stéphane Fournier Revision History Revision 0.1 2004-10-21 Revised by: sfournier Conversion from plain text to Docbook v4.2 and update of debian packages versions Table of Contents 1. Introduction........................................................................................................................................................1 1.1. Foreword..................................................................................................................................................1 1.2. Structure considerations ..........................................................................................................................1 1.3. Lazy install ..............................................................................................................................................1 1.4. Necessary software installation...............................................................................................................2 2. Databases ............................................................................................................................................................3 2.1. Ossim database........................................................................................................................................3 2.2. Snort/Acid database.................................................................................................................................4
    [Show full text]
  • SCADA Intrusion Detection System Test Framework
    SCADA Intrusion Detection System Test Framework By: Henrik Waagsnes Supervisor: Nils Ulltveit-Moe, Associate Professor Ph.D IKT 590 - Master’s thesis Spring 2017 Department of Information and Communication Technology Faculty of Engineering and Science University of Agder Grimstad, 21 May 2017 Henrik Waagsnes SCADA Intrusion Detection System Test Framework Abstract Supervisory control and data acquisition (SCADA) systems play an important role in our critical infrastructure (CI). Several of the protocols used in SCADA communication are old and lack of security mechanisms. This master thesis presents a SCADA Intrusion Detection System Test Framework that can be used to simulate SCADA traffic and detect malicious network activity. The framework uses a signature-based approach and utilize two different IDS engines, Suricata and Snort. The IDS engines include rule-sets for the IEC 60870-5-104, DNP3 and Modbus protocols. The IDS engines ships detected events to a distributed cluster and visualize them using a web interface. The experiments carried out in this project show that there generally is little difference between Suricata and Snort's ability to detect malicious traffic. Suricata is compatible with signatures written in snort lightweight rules description language. I did however, discover some compatibility issues. The purposed framework applies additional latency to the analysis of IDS events. The perceived latency was generally higher for Snort events than for Suricata events. The reason for this is probably the additional processing time applied by the implemented log conversion tool. Keywords: SCADA, IDS, SIEM 2 Henrik Waagsnes SCADA Intrusion Detection System Test Framework Preface This report is the result of the master thesis IKT 590 (30 ECTS) which is part of my fourth semester MSc study at the Faculty of Engineering and Science, University of Agder (UiA) in Grimstad, Norway.
    [Show full text]