FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network OSSIM a Careful, Free and Always Available Guardian for Your Network
Monitor your network’s security 24/7 with a free and open-source solution that collects, analyzes and reports logs of the events on your network.
MARCO ALAMANNI
68 / JUNE 2014 / WWW.LINUXJOURNAL.COM
LJ242-June2014.indd 68 5/22/14 12:36 PM etworks and information check them all, one by one, to obtain systems are increasingly meaningful information. N exposed to attacks that A further difficulty is that there is are becoming more sophisticated no single standard used to record the and sustained over time, such as logs and often, depending on the type the so-called APT (Advanced and size, they are not immediate or Persistent Threats). easy to understand. Information security experts agree It is even more difficult to relate on the fact that no organization, other logs produced by many even the best equipped to protect different systems to each other itself from these attacks, can be manually, to highlight anomalies considered immune, and that the in the network that would not be issue is not whether its systems will detectable by analyzing the logs of be compromised, but rather when each machine separately. and how it will happen. SIEM (Security Information and It is essential to be able to Event Management) software, detect attacks in a timely manner therefore, is not limited to and implement the relative being a centralized solution for countermeasures, following log management, but also (and appropriate procedures to respond especially) it has the ability to to incidents, thus minimizing the standardize logs in a single format, effects and the damages they can analyze the recorded events, cause. In order to detect intrusions highlight the most important and attacks, system administrators information and relate the logs to and information security analysts each other (correlation), allowing make use of tools, such as IDS/IPS analysts to detect anomalies and (Intrusion Detection/Prevention attacks more easily. System) and analysis of logs (event For example, for log management records) of servers and network software, three failed attempts to log devices, looking for any significant in to the same user account from three events from a security point of view. different clients will be only three A network of an organization of lines in your log file and not obviously average size produces, as a whole, related to each other. For an analyst, such a quantity of logs that it is very instead, it may be a sequence of difficult (and still very expensive) to events worthy of further analysis, and
WWW.LINUXJOURNAL.COM / JUNE 2014 / 69
LJ242-June2014.indd 69 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network
its correlation (looking for patterns in You can install these components the log files) can generate alerts when on a single physical machine (the these types of events occur. default installation), on a single virtual machine, on different virtual machines Overview of a SIEM Open-Source and/or physical machines, depending Solution: OSSIM on the size and configuration of the OSSIM is a SIEM software platform, network to monitor. free and open-source, developed by For a relatively small network, AlienVault and based on a Debian installation on a single machine, 64-bit Linux distribution. OSSIM has which is the simplest configuration, four major components: may be the right solution. For larger networks, it is advisable to 1. Sensor. install the Sensor and the Database separately. Figure 1 shows the 2. Server. OSSIM architecture. Sensor: The Sensor has two 3. Framework. main components:
4. Database. 1. The rsyslog service, which listens
Figure 1. OSSIM Architecture
70 / JUNE 2014 / WWW.LINUXJOURNAL.COM
LJ242-June2014.indd 70 5/22/14 12:36 PM on TCP/UDP port 514, receives Database: The Database is a the logs from network devices -Y31, SERVER INSTANCE THAT STORES and stores them locally, according events and system configuration data. to the configuration. Functionalities 2. The Ossim-agent, using a Following is a brief description series of modules called of OSSIM’s main features and plugins, one for each type of functionalities concerning the log, performs log analysis and collection, analysis and correlation normalization, and sends that of logs and the primary tools to the Server component. included in the system for network security monitoring. Plugins are of two types: Collection and Normalization of detectors, which detect anomalies Logs: You can collect logs from the and possible attacks (such as Snort, devices on your network in two ways: P0f, Arpwatch), and monitors to monitor the network status (like 1. Install a software agent (like Ntop and Nagios). Snare or SysLogAgent) in the Server: The Server performs source machine and configure the essential SIEM functions: it to read certain types of aggregation, risk assessment and logs and send them to the correlation of events that are received Sensor component. from the sensor through TCP port 40001. The server also sends the 2. Configure the source machine information concerning the events to send the logs upon request to the Database for storage. of the appropriate Sensor Framework: The Framework plugins (for example, via WMI connects and manages the OSSIM for Windows machines). Once components and security tools the Sensor records the logs, included, and it provides the system the OSSIM Agent performs the administration Web interface. It analysis and converts them to is the component that needs the a single format (normalization). least hardware resources and is Each log represents an event usually installed together with the that will be sent to the server Server component. for analysis (Figure 2).
WWW.LINUXJOURNAL.COM / JUNE 2014 / 71
LJ242-June2014.indd 71 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network
Figure 2. Log Collection and Normalization
Prioritization of Events and calculated in real time and is based on Risk Assessment: The prioritization three main factors: process involves assigning priority values to the recorded events, which 1. The value or level of importance of the is done by the Server component. machine that generated the event. It depends on the structure of the network and it needs, as 2. The type of threat posed by the event. prerequisites, the definition of security policies and the inventory of 3. The probability that this event occurs. information assets on the network, which can be managed in the Web The formula used for calculating administration panel. It sets the risk is the following (Figure 3): priority of an event based on the Risk = value * (reliability * Priority / 25). machine that generated it and the Analysis and Correlation of type of event to which it belongs. Events: The correlation of events The risk assessment of events is essentially relates events to each other
72 / JUNE 2014 / WWW.LINUXJOURNAL.COM
LJ242-June2014.indd 72 5/22/14 12:36 PM Figure 3. How to Calculate the Risk Associated with an Event
Figure 4. Example of Analysis and Correlation of Events
to achieve a comprehensive view events, using directives, consisting of of network security and to detect rules that relate events to patterns of possible attacks or anomalies. known attacks. This method is similar The correlation process is performed to using Snort for intrusion detection via two methods: (signature-based detection).
1. Correlation using sequence of 2. Correlation using heuristic
WWW.LINUXJOURNAL.COM / JUNE 2014 / 73
LJ242-June2014.indd 73 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network
algorithms can be detected by
these abnormal situations that do not detect the preceding rules ´reliability="+2" occurrence="5" from="1:SRC_IP" to="ANY" and may or may not be attacks ´port_from="ANY" time_out="20" port_to="ANY" (abnormality detection). ´plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true"> Directives are located in the /etc/ossim/server/directives.xml file. ´reliability="+2" occurrence="10" from="1:SRC_IP" to="ANY" Directives are specified in XML ´port_from="ANY" time_out="30" port_to="ANY" using tags like Id, Name, Priority, ´plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true"> Type, Reliability, Occurrence, Timeout, Source, Destination, Source port, destination port,
protocol, PluginSid and Sensor.
Reliability is a measure of the
probability that the considered
event truly represents the attack
referred to by the directive and is generally based on the number of occurrences of the event. The directive assigns a value of For example, consider the reliability equal to 3 (30% probability) following directive to detect when the number of occurrences of brute-force SSH attacks: the event detected by the sensor (SSH authentication error) is equal to
´reliability="3" occurrence="1" from="ANY" to="ANY" 2 at the tenth, thereby achieving a ´port_from="ANY" port_to="ANY" time_out="10" reliability of 8 (80% of probability) ´plugin_id="4003" plugin_sid="1,2,3,4,5,6"> when the incorrect authentication ´reliability="+1" occurrence="3" from="1:SRC_IP" to="ANY" correlate different types of logs, ´port_from="ANY" time_out="15" port_to="ANY" generated by various plugins (cross- ´plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true"> correlation). The cross-correlation 74 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 74 5/22/14 12:36 PM allows you to change the event Q P0f: used for operating system reliability and risk assessment. For identification and analysis. example, suppose that Nessus or OpenVAS has identified a vulnerability Q Pads: used for detecting anomalies in a server. If Snort detects an event of the services running on a host. that indicates a possible attack on that server, the correlation engine Q Nessus and OpenVAS: the increases the level of risk associated most widely used and popular with the event. vulnerability scanners. Generation of Alarms and Response Actions: The directives Q Nmap: the most famous and can create alarms, which either powerful network scanner. are generated by a single event or by a specific sequence of events Q Snort: the most popular under certain conditions. The intrusion detection system (IDS). alarms can be displayed in the Web administration panel, under the Q Tcptrack: used for TCP menu item IncidentsAAlarms. connection monitoring. Furthermore, alarms can activate response actions, such as sending Q Nagios and Ntop: used to monitor an alert by e-mail to the system the status of the network, the hosts administrator and/or the execution and the availability of services. of appropriate scripts. Vulnerability Analysis, Q Osiris and OSSEC: intrusion Intrusion Detection and Network detection software for individual Monitoring: OSSIM includes hosts (HIDS—Host-Based IDS). many valuable tools, which also are open-source, that are among the Q Snare: a software agent for most known and used for intrusion collecting logs on Windows detection, vulnerability analysis and systems. network management and monitoring: Installation and Hardware Q Arpwatch: used for monitoring ARP Requirements traffic on the LAN and for related You can download the ISO file attack detection. for the installation from the WWW.LINUXJOURNAL.COM / JUNE 2014 / 75 LJ242-June2014.indd 75 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network AlienVault Web site download page the Intel e1000 Ethernet driver. at http://www.alienvault.com/ free-downloads-services. Of course, the hardware The most recent version (February requirements will be directly 2014) is 4.3.4, only for 64-bit proportional to the size of the architectures. You can choose the network (number of hosts and Automatic or Custom installation. network devices connected) and The automatic installation is fairly consequently to the amount of simple, in graphical mode by default, logs produced and recorded. and it installs all components of OSSIM on the same machine. The Configuration and Management custom installation allows you You can perform the system to select the mode (graphical or configuration and administration textual) and which components to through the console, a Linux shell install. The custom installation is a or through a more convenient and little more complex because it has intuitive Web interface. more configuration options. For Configuration through the instructions on how to install OSSIM, Console: To configure the system refer to the Installation Guide: through the console, you need to https://alienvault.bloomfire.com/ log in as root with the password posts/525575-installation-guide/public. you set during the installation The minimum hardware requirements process. The directory that contains are: the system’s configuration files is /etc/ossim. Q 64-bit processor or virtualization The main configuration file is software with support for /etc/ossim/ossim_setup.conf, which 64-bit operating systems (at contains the system’s main settings, least a quad-core processor such as IP addresses and ports of is recommended). the hosts on which components are installed, the active plugins Q 4GB of RAM. and the password used by the ROOT USER OF -Y31, RANDOMLY Q 500GB of free disk space. generated by the system during the installation procedure. Q Network adapter with support for For example, if you want to 76 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 76 5/22/14 12:36 PM Figure 5. Configuration with the ossim_setup Tool change your password or other parameters of the previously shown data, you need to edit the file with configuration file, such as enabling the command: or disabling plugins. To get a list of plugins that can be turned on # vi /etc/ossim/ossim_setup.conf or off, select the option Change sensor settingsASelect detector Then run the following command: plugins (Figure 6). The OSSIM agent runs as a # ossim-reconfig background service (dæmon), and you can start it with this command: To change the main configuration file more easily, there is also a # /etc/init.d/ossim-agent start command called ossim_setup, which presents a graphical interface, Its configuration file is /etc/ossim/ shown in Figure 5. agent/config.cfg. The plugins’ Configuring the Sensor and configuration files also are text files Plugins: With the ossim_setup with the .cfg extension and are in the command, you can set the /etc/ossim/agent/plugins/ directory. WWW.LINUXJOURNAL.COM / JUNE 2014 / 77 LJ242-June2014.indd 77 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network Figure 6. List of Plugins in ossim_setup When you activate new plugins, you # cd /usr/share/ossim/scripts ; must restart the server: # plugin_wizard.pl -s "oracle" # /etc/init.d/ossim-server restart and you will get the plugins that contain the word “Oracle” in the name. More than 2,000 plugins are With the command: available (http://www.alienvault.com/ docs/AlienVault%20Plugin%20 # ./plugin_wizard.pl -g -s "oracle" List%20-%20Jun-20-2010.pdf), which you can download and install these plugins will be extracted to a via the Plugin Wizard. For example, directory called win_plugins. run the following commands: Next, you have to move them 78 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 78 5/22/14 12:36 PM Figure 7. New Directives Specified in the user.xml File to the default directory /etc/ossim/ which specifies the configuration agent/plugins/: file directives, grouped by type of attack, such as malware, brute force # mv win_plugins/*.cfg /etc/ossim/agent/plugins/ and so on. When you create new guidelines, Files with the .sql extension must they should be specified in user.xml BE ADDED TO THE -Y31, DATABASE WITH rather than in the file containing the following command: the default directives (Figure 7). rsyslog’s Dæmon Configuration # ossim-db < ./win_plugins/*.sql and Log Rotation: The /var/log/ ossim directory contains the log If the database server is not files of OSSIM’s components. The installed on the same machine, you dæmon that keeps track of the need to copy the files on the server: logs is, as already mentioned, rsyslog, whose configuration file is # scp win_plugins/*.sql root@ WWW.LINUXJOURNAL.COM / JUNE 2014 / 79 LJ242-June2014.indd 79 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network based on expressions, which are .conf files usually placed in the /etc/rsyslog.d/ directory. For example, to save the logs from a Fortinet firewall in the file /var/log/ossim/fortinet.log, the expression would be: if ($source == '192.168.1.100' and $msg contains 'fortinet ') ´and $severity <= '6' then /var/log/ossim/fortinet.log Adding new hosts that send the logs to rsyslog, you quickly can run out of disk space. Therefore, it is Figure 8. Web Administration Interface important to define a policy for log Login Screen rotation in /etc/logrotate.conf. This involves the regular archiving, at predefined intervals, of the existing update, backups and so on). log files. After a predefined period, the archived log files are deleted or Q Creation and configuration of stored on external devices for backup. directives, policies and actions. Administration through the Web Interface: OSSIM also can be Q Real-time monitoring of network configured and managed through a security. nice Web interface, connecting with the browser to the IP address of the machine Q Report generation. on which you installed the Server/ Framework component (Figure 8). Q Ticketing system. The default user and password are admin/admin. When you log in for Q Vulnerability management and the first time, you are prompted to incident response. change your password. Through the Web interface, you can Q Management and optimization of perform the following tasks: network traffic. Q System configuration (users, The Web interface includes 80 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 80 5/22/14 12:36 PM several sections: and a brief history of the actions taken by system administrators. Q Dashboard: provides an overview of detected security events. Q Analysis: shows a table with the Displays the visual counters and latest events detected, the type, statistics of the most important date, origin, destination, the security events (Figure 9). OSSIM node that detected it and the risk. From here, the user can Q Incidents: shows the list of search for patterns in the events security events and generated according to different criteria (for alarms with specific information, example, the source IP address). such as date, priority, risk, status This includes a real-time list of Figure 9. Dashboard with Statistics and Diagrams about Security Events WWW.LINUXJOURNAL.COM / JUNE 2014 / 81 LJ242-June2014.indd 81 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network Figure 10. This section manages the system logic: definition and management of policies, directives and actions. Figure 11. Configuration Panel 82 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 82 5/22/14 12:36 PM detected events that is updated solution and a free alternative every two seconds. to other commercial SIEM products (including AlienVault Q Report: allows you to generate USM, the commercial version of reports about security events and OSSIM), which are much more network status. expensive, and it is supported by a community of developers Q Activities: this interface allows you to and users through forums and run and manage network inventory, documentation available on the identify and add new machines from AlienVault’s Web site.Q which to record the logs. Marco Alamanni has professional experience working as Q Intelligence: this section handles a Linux system administrator and information security the system logic—definition and administrator in banks and financial institutions in Italy management of policies/actions, and Peru. He holds a BSc in Computer Science and an MSc directives, event correlation and in Information Security, and his interests in information statistics of the network and of the technology include ethical hacking, digital forensics, malware OSSIM nodes. analysis, Linux and programming. He also collaborates with IT magazines writing articles about Linux and IT security. Q Configuration: this section allows you to manage all the system configurations (Figure 10). Send comments or feedback via Conclusion http://www.linuxjournal.com/contact OSSIM is a viable open-source SIEM or to [email protected]. Resources OSSIM Installation Guide: https://alienvault.bloomfire.com/posts/525575-installation-guide/public AlienVault User Manual: http://www.alienvault.com/wiki/doku.php?id=user_manual:introduction The Alienvault Repository of Knowledge: https://alienvault.bloomfire.com AlienVault OSSIM Forum: http://forums.alienvault.com Service Level SIEM—User and Programmer Guide: http://forge.fi-ware.org/plugins/mediawiki/wiki/ fiware/index.php/Security_Monitoring_/Service_Level_SIEM_-_User_and_Programmers_Guide WWW.LINUXJOURNAL.COM / JUNE 2014 / 83 LJ242-June2014.indd 83 5/22/14 12:36 PM