Best Practices for Configuring Your OSSIM Installation
-
Upload
alienvault -
Category
Technology
-
view
1.198 -
download
49
Transcript of Best Practices for Configuring Your OSSIM Installation
Resources for OSSIM Users
AlienVault Forums:
https://www.alienvault.com/forums/discussions/tagged/ossim
LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793
USM & OSSIM On-Demand Training Archives:
https://www.alienvault.com/product-training
AlienVault Blog – Analysis from the AlienVault Labs research team, practical
tips to secure your environment & industry trends
Agenda
How to deploy & configure OSSEC agents
Best practices for configuring syslog and
enabling plugins
Scanning your network for assets and
vulnerabilities
OSSIM comes with OSSEC host-based IDS, which
provides:
• Log monitoring and collection
• Rootkit detection
• File integrity checking
• Windows registry integrity checking
• Active response
OSSEC uses authenticated server/agent architecture.
Host IDS
OSSIM Sensor
OSSEC Server
Servers
OSSEC Agent
OSSIM Server
UDP 1514
Normalized events
Deploying HIDS
1. Add an agent in OSSIM
2. Deploy HIDS agent to the target system.
3. Optionally change configuration file on the agent.
4. Verify HIDS operations.
Add an
agent.
Save agent.
Specify name
and IP address.
Add Agent in OSSIM
Required task for
all operating
systems
Can also be
added through the
manage_agents
script
Environment > Detection > HIDS > Agents
Specify domain, username and
password of the target system.
Download preconfigured
agent for Windows.
Automatic deployment
for Windows.Extract key.
Deploy HIDS Agent to Target System
Automated
deployment for
Windows
machines
Manual
installation for
other OS
Key extraction
is required for
manual
installation
Configuration
file.
Log
file.
Change Configuration File on Agent
OSSEC
configuration is
controlled by a
text file.
Agent needs to
be restarted after
configuration
changes.
Log file is
available for
troubleshooting.
Agent status
should be active.
Verify HIDS Operations
Displays overview of
OSSEC events and
agent information
Environment > Detection > HIDS > Overview
OSSEC events.
Verify HIDS Operations (Cont.)
Verify if OSSEC events
are displayed in the
SIEM console.
Utilize search filter to
display only events
from OSSEC data
source.
Analysis > Security Events (SIEM) > SIEM
Verify HIDS Operations (Cont.)
Environment > Detection > HIDS > Agents > Agent Control
Verify registry
integrity.
Verify presence
of rootkits.
Verify file
integrity.
Syslog Forwarding
Syslog configuration will vary based on
source device/application but, usually,
the necessary parameters are:
• Destination IP
• Source IP
• Port (default is UDP 514)
Enabling Plugins
Enable plugin at the
asset level
General > Plugins > Edit
Plugins
Green light under
“Receiving Data” will
confirm successful log
collection
Vulnerability Assessment
Uses a built-in OpenVAS scanner
Detects vulnerabilities in assets
• Vulnerabilities are correlated with events‘ cross-correlation rules
• Useful for compliance reports and auditing
Managed from the central SIEM console:
• Running and scheduling vulnerability scans
• Examining reports
• Updating vulnerability signatures
Advanced Options
Vulnerability assessment can be:
• Authenticated (SSH and SMB)
• Unauthenticated
Predefined profiles can be selected:
• Non destructive full and slow scan
• Non destructive full and fast scan
• Full and fast scan including destructive tests
Custom profiles can be created.
Vulnerability Assessment Config
1. (Optionally) tune global vulnerability assessment settings.
2. (Optionally) create a set of credentials.
3. (Optionally) create a scanning profile.
4. Create a vulnerability scan job.
5. Examine scanning results.
6. Optionally create a vulnerability or compliance report.
Update
configuration.
Select vulnerability
ticket threshold.
Tune Global Vulnerability Assessment Settings
The vulnerability
assessment
system opens a
ticket for found
vulnerabilities.
Start with a high
threshold and fix
important
vulnerabilities first.
Configuration > Administration > Main
Specify login
username.
Specify credential
set name.
Select
authentication type.
Click settings.
Create Set of Credentials
Used to log into a
machine for
authenticated scan
Supports the
DOMAIN/USER
username
Environment > Vulnerabilities > Overview
Examine 3 default
profiles.Enable/disable
plugin family.
Create a
new profle.
Edit profiles.
Create Scanning Profile
Enable profiles that
apply to assets you
are scanning.
Environment > Vulnerabilities > Overview
Create a new
scan job.
Import Nessus
scan report.
Select schedule
method.
Specify scan
job name.
Select profile.
Select server.
Select assets.
Select credential set for
authenticated scan.
Save job.
Create Vulnerability Scan Job
Environment > Vulnerabilities > Scan Jobs
Examine vulnerability
statistics.
View vulnerability
report for all assets.
Examine reports for
all scan jobs.
Examine Vulnerabilities Results
Environment > Vulnerabilities > Overview
How is USM different?
Correlation Directives: Over 2,000 built-in correlation directives developed by the
AlienVault Labs Threat Research Team, and updated weekly
Reporting: 150+ Customizable Reports, including compliance-specific reports
Log Management: Robust Log Management, Log Search & Long-Term Log
Retention
Professional Support via phone & email as well as customer support portal
And more…view comparison chart here:
https://www.alienvault.com/products/compare-ossim-to-alienvault-usm
“I started out with OSSIM and I didn’t fully realize how much value I would get out of USM until I started using it.
The reporting is awesome, it’s been a big benefit for me. And, having a fully supported solution means I can get
answers to my questions much more quickly than before.”
– Matthew Frederickson, Director of Information Technology, Council Rock School District
USM + Free Installation Services
http://www.alienvault.com/marketing/smb-bundles
888.613.6023
ALIENVAULT.COM
CONTACT US
Now for some Q&A
Resources for OSSIM Users
OSSIM vs. USM Comparison Charthttps://www.alienvault.com/products/compare-ossim-to-alienvault-usm
AlienVault Forumhttps://www.alienvault.com/forums/discussions/tagged/ossim
LinkedIn Grouphttps://www.linkedin.com/groupInvitation?gid=3793
Subscribe to the AlienVault Bloghttps://www.alienvault.com/blogs
Hands-on 5-day Training Classes, in-person or “Live on-line”https://www.alienvault.com/support/classroom-training