Best Practices for Configuring Your OSSIM Installation

Transcript of Best Practices for Configuring Your OSSIM Installation

Introductions

Mark Allen, Technical Sales Engineer

Garrett Gross, Sr. Technical PMM

Resources for OSSIM Users

AlienVault Forums:

https://www.alienvault.com/forums/discussions/tagged/ossim

LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793

USM & OSSIM On-Demand Training Archives:

https://www.alienvault.com/product-training

AlienVault Blog – Analysis from the AlienVault Labs research team, practical tips to secure your environment & industry trends

Agenda

How to deploy & configure OSSEC agents

Best practices for configuring syslog and enabling plugins

Scanning your network for assets and vulnerabilities

Let's get started!

Host IDS Configuration

OSSIM comes with OSSEC host-based IDS, which provides:

• Log monitoring and collection

• Rootkit detection

• File integrity checking

• Windows registry integrity checking

• Active response

OSSEC uses an authenticated server/agent architecture.

[Diagram: Host IDS data flow. Servers running the OSSEC Agent send events over UDP 1514 to the OSSEC Server on the OSSIM Sensor, which passes normalized events to the OSSIM Server.]

Deploying HIDS

1. Add an agent in OSSIM.

2. Deploy HIDS agent to the target system.

3. Optionally change configuration file on the agent.

4. Verify HIDS operations.

Add Agent in OSSIM

Environment > Detection > HIDS > Agents

Required task for all operating systems. Agents can also be added through the manage_agents script.

Screenshot callouts: Add an agent. Specify name and IP address. Save agent.

Deploy HIDS Agent to Target System

Automated deployment for Windows machines. Manual installation for other OS. Key extraction is required for manual installation.

Screenshot callouts: Specify domain, username and password of the target system. Download preconfigured agent for Windows. Automatic deployment for Windows. Extract key.

Change Configuration File on Agent

OSSEC configuration is controlled by a text file. Agent needs to be restarted after configuration changes. Log file is available for troubleshooting.

Screenshot callouts: Configuration file. Log file.
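Because the agent is configured by a text file and must be restarted after every edit, it pays to check the file before the restart. The following added example (written for this transcript, not AlienVault or OSSEC code) parses an agent ossec.conf and reports which of the HIDS functions listed in the overview are configured; the sample configuration, its paths and the server address 10.0.0.5 are constructed. Real ossec.conf files may contain several top-level <ossec_config> blocks, which a plain XML parser rejects, so the text is wrapped in a synthetic root first.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an agent ossec.conf (assumption, not from the page).
# OSSEC allows several top-level <ossec_config> blocks in one file.
SAMPLE_AGENT_CONF = r"""
<ossec_config>
  <client><server-ip>10.0.0.5</server-ip></client>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  </syscheck>
  <rootcheck><rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files></rootcheck>
</ossec_config>
<ossec_config>
  <localfile><log_format>syslog</log_format><location>/var/log/auth.log</location></localfile>
  <active-response><disabled>no</disabled></active-response>
</ossec_config>
"""

# HIDS functions from the overview slide, as keys of the report below.
REQUIRED = ("server_ip", "log_monitoring", "rootkit_detection",
            "file_integrity", "registry_integrity")

def audit_agent_conf(text):
    """Report which HIDS functions an agent ossec.conf configures."""
    # Wrap in a synthetic root so multiple <ossec_config> blocks parse.
    blocks = ET.fromstring("<root>" + text + "</root>").findall("ossec_config")
    def find(path):
        return [e for b in blocks for e in b.findall(path)]
    ips = [e.text.strip() for e in find("client/server-ip")]
    dirs = [d for e in find("syscheck/directories") for d in e.text.split(",")]
    disabled = [e.text.strip().lower() for e in find("active-response/disabled")]
    return {
        "server_ip": ips[0] if ips else None,
        "log_monitoring": len(find("localfile")),      # monitored log files
        "rootkit_detection": bool(find("rootcheck")),
        "file_integrity": len(dirs),                    # syscheck directories
        "registry_integrity": len(find("syscheck/windows_registry")),
        "active_response": "yes" not in disabled,       # on unless disabled
    }

def missing_features(report):
    """Names of required HIDS functions the configuration leaves unset."""
    return [key for key in REQUIRED if not report[key]]
```

Run audit_agent_conf on the agent's real ossec.conf before restarting; an empty missing_features list means every function the overview promises is actually switched on.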

Verify HIDS Operations

Environment > Detection > HIDS > Overview

Displays overview of OSSEC events and agent information.

Screenshot callouts: Agent status should be active.

Verify HIDS Operations (Cont.)

Analysis > Security Events (SIEM) > SIEM

Verify if OSSEC events are displayed in the SIEM console. Utilize search filter to display only events from OSSEC data source.

Screenshot callouts: OSSEC events.

Verify HIDS Operations (Cont.)

Environment > Detection > HIDS > Agents > Agent Control

Screenshot callouts: Verify registry integrity. Verify presence of rootkits. Verify file integrity.

Syslog & Plugins

Syslog Forwarding

Syslog configuration will vary based on source device/application but, usually, the necessary parameters are:

• Destination IP

• Source IP

• Port (default is UDP 514)

Enabling Plugins

Enable plugin at the asset level.

General > Plugins > Edit Plugins

Green light under “Receiving Data” will confirm successful log collection.
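To exercise the syslog path described above (destination IP, source IP, UDP 514) and confirm that the plugin's “Receiving Data” light turns green, the following added example (not from the webinar or AlienVault) builds an RFC 3164 test message and sends it over UDP to the sensor. The sensor address, hostname and tag in the usage block are constructed placeholders.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "authpriv": 10, "local0": 16, "local4": 20, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_syslog_message(facility, severity, hostname, tag, text, when=None):
    """Build one RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text."""
    when = when or datetime.now()
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    # RFC 3164 pads a single-digit day with a space ("Mar  9"), not a zero.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode("ascii", "replace")

def parse_pri(message):
    """Decode (facility, severity) from a message's PRI header."""
    pri = int(message[1:message.index(b">")])
    return pri // 8, pri % 8

def send_test_message(dest_ip, port=514, source_ip=None, **fields):
    """Send one test line to the sensor over UDP and return the bytes sent.

    dest_ip and port are the 'Destination IP' and 'Port' from the slide;
    source_ip, when given, binds the socket so the sensor sees the address
    the asset's plugin was enabled for."""
    payload = build_syslog_message(**fields)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if source_ip:
            sock.bind((source_ip, 0))
        return sock.sendto(payload, (dest_ip, port))

if __name__ == "__main__":
    # Constructed placeholder addresses: replace with your sensor and asset IPs.
    sent = send_test_message("10.0.0.5", 514, source_ip=None, facility="local4",
                             severity="notice", hostname="fw01",
                             tag="ossim-test", text="syslog plugin check")
    print(f"sent {sent} bytes")
```

If the light stays grey after a few test lines, check that the hostname in the message matches the asset the plugin was enabled on and that UDP 514 is open between the two.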

Vulnerability Assessment

Uses a built-in OpenVAS scanner

Detects vulnerabilities in assets

• Vulnerabilities are correlated with events through cross-correlation rules

• Useful for compliance reports and auditing

Managed from the central SIEM console:

• Running and scheduling vulnerability scans

• Examining reports

• Updating vulnerability signatures

Advanced Options

Vulnerability assessment can be:

• Authenticated (SSH and SMB)

• Unauthenticated

Predefined profiles can be selected:

• Non-destructive full and slow scan

• Non-destructive full and fast scan

• Full and fast scan including destructive tests

Custom profiles can be created.

Vulnerability Assessment Config

1. (Optionally) tune global vulnerability assessment settings.

2. (Optionally) create a set of credentials.

3. (Optionally) create a scanning profile.

4. Create a vulnerability scan job.

5. Examine scanning results.

6. (Optionally) create a vulnerability or compliance report.

Tune Global Vulnerability Assessment Settings

Configuration > Administration > Main

The vulnerability assessment system opens a ticket for found vulnerabilities. Start with a high threshold and fix important vulnerabilities first.

Screenshot callouts: Update configuration. Select vulnerability ticket threshold.

Create Set of Credentials

Environment > Vulnerabilities > Overview

Used to log into a machine for authenticated scan. Supports the DOMAIN/USER username.

Screenshot callouts: Specify credential set name. Select authentication type. Specify login username. Click settings.

Create Scanning Profile

Environment > Vulnerabilities > Overview

Enable profiles that apply to assets you are scanning.

Screenshot callouts: Examine 3 default profiles. Enable/disable plugin family. Create a new profile. Edit profiles.

Create Vulnerability Scan Job

Environment > Vulnerabilities > Scan Jobs

Screenshot callouts: Create a new scan job. Import Nessus scan report. Specify scan job name. Select profile. Select server. Select assets. Select schedule method. Select credential set for authenticated scan. Save job.

Examine Vulnerabilities Results

Environment > Vulnerabilities > Overview

Screenshot callouts: Examine vulnerability statistics. View vulnerability report for all assets. Examine reports for all scan jobs.

OSSIM vs. USM

How is USM different?

Correlation Directives: Over 2,000 built-in correlation directives developed by the AlienVault Labs Threat Research Team, and updated weekly

Reporting: 150+ Customizable Reports, including compliance-specific reports

Log Management: Robust Log Management, Log Search & Long-Term Log Retention

Professional Support via phone & email as well as customer support portal

And more…view comparison chart here:

https://www.alienvault.com/products/compare-ossim-to-alienvault-usm

“I started out with OSSIM and I didn’t fully realize how much value I would get out of USM until I started using it. The reporting is awesome, it’s been a big benefit for me. And, having a fully supported solution means I can get answers to my questions much more quickly than before.”

– Matthew Frederickson, Director of Information Technology, Council Rock School District

USM + Free Installation Services

http://www.alienvault.com/marketing/smb-bundles

888.613.6023

ALIENVAULT.COM


Now for some Q&A

Resources for OSSIM Users

OSSIM vs. USM Comparison Chart: https://www.alienvault.com/products/compare-ossim-to-alienvault-usm

AlienVault Forum: https://www.alienvault.com/forums/discussions/tagged/ossim

LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793

Subscribe to the AlienVault Blog: https://www.alienvault.com/blogs

Hands-on 5-day Training Classes, in-person or “Live on-line”: https://www.alienvault.com/support/classroom-training