Events > Forensics

Go To Forensics is one of two additional options at the upper right side of the Events page, along with Configure Event Tabs.

If you are still using Acid/BASE, you must use the Forensics link instead of the events viewer as illustrated in this section.

By clicking this link, you go directly to the Basic Analysis and Security Engine (BASE) page.

Events > Vulnerabilities

The Vulnerabilities portion of the OSSIM Control Panel displays information about potential weaknesses on your system, as shown in Figure 8 – Control Panel > Vulnerabilities.

:user_manual:image008.png
Figure 8 – Control Panel > Vulnerabilities

The top portion of the Vulnerabilities page displays links to a number of system scans. The 10 most recently performed scans are displayed in a table below these links. For each scan in that table you can display its results, delete it from the table, or archive it for later use.

The Vulnerabilities page also displays graphic representations of Nets and Hosts scans for specific IP addresses.

The vulnerability list is obtained from the Nessus scanner.

Events > Vulnerabilities > Last Scan

The Last Scan link provides graphical results of the most recent scan performed on your system, as shown in Figure 9 – Last Scan Page.

:user_manual:image010.png
Figure 9 – Vulnerabilities Last Scan Page

In the above figure, OSSIM used the Nessus Security Scanner to check the system. The report is divided into two distinct parts: Graphical Summary and Results by Host. Both sections are preceded by a scan summary, which displays the number of security holes, security warnings, and security notes.

The first part, Graphical Summary, displays two graphs: the first shows the most dangerous services on the network against the number of holes; the second shows the most common services on the network against the number of occurrences.

The second part, Results by Host, lists each IP address for which a security hole was found, together with the number of security holes for that address.

You can click an IP address in the Results by Host section to obtain additional information about the findings for that host. A graph is then displayed illustrating the distribution of the severity levels of the security problems for that IP address.

The IP address page also displays a list of open ports, as well as the vulnerability details or general information for each open port (including a Nessus ID linked to additional information).

Events > Vulnerabilities > Reports

The Reports page of the Vulnerabilities section lets you either create a new Nessus report or work with an existing report, as shown in Figure 10 – Vulnerabilities - Reports Page.

:user_manual:image011.png
Figure 10 – Vulnerabilities - Reports Page

The Nessus custom reports page gives you four different options for working with custom generated reports:

  • View a report.
  • Delete a report.
  • Archive a report.
  • Generate a new report.


Existing reports appear in a table centrally located within the Reports page. The report title, as well as the date and time it was created, appear next to several links.

The first link, Show, lets you view the report. When you click Show, the selected report appears in a text box below the table.

The second link, Delete, lets you remove the report from the table.

The third link, Archive, allows you to store the report for later use. A message appears indicating that the archive was successful. Once complete, click Back to return to the Reports page.

You can also create and generate a custom report using the Generate new report link located below the table listing the existing reports.

Using the scrolling box that appears in the Reports page, you can define your new report and generate it. First, give your report a name by entering it in the Report title text box. Next, select one or more hosts from the list below using the check boxes. You can select as many hosts as desired for your report, but keep in mind that only hosts that have already been scanned appear in the list. Finally, click Search. A message then appears indicating that the report was generated successfully and that you should reload the page; the message itself is a link that reloads the page. After the reload, the Reports page appears with the new report in the table. As mentioned earlier in this section, you can then view, delete, or archive the report.

Events > Vulnerabilities > Update Scan

The Update Scan tab of the Vulnerabilities page lets you scan your machine for vulnerabilities, as shown in the Update Scan page in Figure 11 – Vulnerabilities - Update Scan Page.

:user_manual:image012.png
Figure 11 – Vulnerabilities - Update Scan Page

You can select sensors for the updated scan in one of two ways. Either use the list of sensors that appears as bullet points at the top of the page (in Figure 11 – Vulnerabilities - Update Scan Page, this sensor is called “Test”), or manually select a sensor using the check boxes or the Select/Unselect all link at the bottom of the page.

Once you have selected your sensor as described above, click Submit. A message appears indicating that the scan is in progress and that it may take some time. When you click Back, you are returned to the Show Aggregated Scans page for Vulnerabilities, where your scan is listed as one of the latest scans.

Events > Vulnerabilities > Show Aggregated Scans

The Show Aggregated Scans page provides information about previously executed scans, as shown in Figure 12 – Vulnerabilities - Aggregated Scans.

:user_manual:image013.png
Figure 12 – Vulnerabilities - Aggregated Scans

The Show Aggregated Scans page is also the default page that appears when you click the Vulnerabilities link at the top of the page. This page lets you access all of the features available in the Vulnerabilities section via links, such as Last Scan, Reports, Update Scan, and so on.

The table that appears below these links displays the last 10 scans (if you have not yet performed 10 scans, as in Figure 12 – Vulnerabilities - Aggregated Scans, then all scans appear). Each scan is titled by date and time; you can use the corresponding links to show, delete, or archive the scan. These are the same links that appear in the Reports page.

The scans in this page are color coded so that you know how fresh the information is: scans older than 15 days appear in yellow, scans over 30 days old appear in red, and more recent scans (less than 15 days old) appear in blue.

At the bottom of the page, there is a graphic representation of the top 20 hosts. A line graph shows the most frequently listed hosts, identified by IP address, together with their counts. By clicking an IP address, you can obtain detailed information about that host, as in the Last Scan page.

Events > Vulnerabilities > Schedule Scans

The Schedule Scans page allows you to program scans for your computer, much like programming an anti-virus sweep, as shown in Figure 13 – Vulnerabilities - Schedule Scans.

:user_manual:image013.png
Figure 13 – Vulnerabilities - Schedule Scans

The page displays any scheduled scans in the table in the middle of the page. The top section provides information regarding incident creation thresholds; in other words, you can set how tolerant your system is of potential vulnerabilities so that it only roots out serious problems and not minute problems that may simply be false positives. The current threshold is provided in this section; for example, it is 0 in Figure 13.

To add a scheduled scan, click Add another schedule, which is found at the bottom of the page. Like in the Update Scan page, you can either manually select your sensor using the check box or Select/Unselect all link, or you can use the sensor that appears as a bullet point. Once you have selected your sensor, you can then set your scheduling preferences using the right column of the table that appears.

The left column provides instructions for programming your scan. For example, the minute cell accepts 0-59 as a value, the hour cell accepts 0-23 as a value, and so on. You can specify a month or a year if desired; otherwise, use the wildcard (*) character, which means that the scan runs every month of every year. Once you are finished, click Submit. A message appears indicating that your schedule was successfully added. You can then click Back to return to the Schedule Scans page, where the newly added schedule appears in the table.

If your needs change, you can use the links that appear in the table either to delete the scheduled scan or to force the scan to run now instead of at the programmed date and time.
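As an added example (not part of the OSSIM manual or of OSSIM's own code), the following Python checks a Schedule Scans entry against the cell ranges described above and tests whether a given time matches it. The minute and hour ranges and the "*" wildcard come from the page; the day cell and the year bounds are assumptions.

```python
# Added example: validate an OSSIM-style scan schedule and match it against a time.
# Only single numeric values and the "*" wildcard are handled, which is what the
# Schedule Scans page describes; ranges and lists are deliberately not supported.
from datetime import datetime

# (lower, upper) bounds for each schedule cell
FIELD_RANGES = {
    "minute": (0, 59),
    "hour": (0, 23),
    "day": (1, 31),        # assumed: the page does not state this cell's range
    "month": (1, 12),
    "year": (1970, 2099),  # assumed bounds for the year cell
}

def parse_field(name, value):
    """Return None for the wildcard "*", or a validated int; raise ValueError otherwise."""
    value = value.strip()
    if value == "*":
        return None
    if not value.isdigit():
        raise ValueError(f"{name}: {value!r} is neither a number nor '*'")
    n = int(value)
    lo, hi = FIELD_RANGES[name]
    if not lo <= n <= hi:
        raise ValueError(f"{name}: {n} is outside the allowed range {lo}-{hi}")
    return n

def parse_schedule(spec):
    """Validate a dict of cell values; any cell left out is treated as "*"."""
    return {name: parse_field(name, spec.get(name, "*")) for name in FIELD_RANGES}

def matches(schedule, when):
    """True if datetime `when` falls on the schedule (a wildcard matches any value)."""
    actual = {"minute": when.minute, "hour": when.hour, "day": when.day,
              "month": when.month, "year": when.year}
    return all(v is None or v == actual[k] for k, v in schedule.items())

def scheduled_at(spec, timestamp):
    """Convenience wrapper: does the schedule fire at 'YYYY-MM-DD HH:MM'?"""
    return matches(parse_schedule(spec), datetime.strptime(timestamp, "%Y-%m-%d %H:%M"))

if __name__ == "__main__":
    # Constructed sample: a scan at 02:30 every day of every month and year.
    nightly = {"minute": "30", "hour": "2", "day": "*", "month": "*", "year": "*"}
    print(scheduled_at(nightly, "2009-11-28 02:30"))  # True
    print(scheduled_at(nightly, "2009-11-28 03:30"))  # False
```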

Events > Vulnerabilities > Back

The Back link simply takes you back to the Show Aggregated Scans page. It has no other purpose.

Events > Anomalies

The Anomalies tab shows four types of anomalies:

  1. RRD aberrant behaviour anomalies, both per host and at the global level.
  2. Operating system changes.
  3. MAC address changes.
  4. Service version changes.

From this tab you can acknowledge those changes, ignore them, or generate related incidents.

Events > Realtime Events

The realtime event viewer shows events as they arrive at the server. It can be used for debugging purposes as well as an always-on-screen indicator of incoming events.

Events > Event Viewer

The Events page displays information for five distinct types of system events: snort, snare, OS events, service events, and MAC events. Using the Filter panel, you can display the events of your choice, as shown in Figure 6 – Control Panel > Events.

:user_manual:figure3.1.2.png
Figure 6 – Control Panel > Events

Snort events are related to Snort, the network intrusion detection and prevention system. If a sensor on your system is currently running Snort, any attacks or intrusions detected by Snort are recorded as Snort events.

Snare events are related to the log collection and auditing system of the same name, the System iNtrusion Analysis and Reporting Environment. These events are extracted from Windows event logs.

OS Events are any events that show a modification of the operating system on a machine in the network.

Service Events are any events that show modifications to services on a machine in the network.

MAC Events are any events that show MAC address modifications on a machine in the network.

The Events page provides you with a number of different tasks for working with system events. In addition to finding out detailed information regarding specific system events, you can also configure Event tabs in OSSIM and use Forensics (Acid/BASE).

At the top of the Events page, there is a section with links to the five different event types mentioned earlier in this page. You can also create new event types, as described later. By clicking a link, the results are narrowed to that specific type of event. For example, by clicking Snort, the list of results at the bottom shrinks significantly, as only Snort events are displayed.

Alternatively, you can use the Filter panel in the middle of the Events page to search for an event or events using specific criteria. The filter panel provides the following criteria:

  • The Host text box lets you set a specific host name for the desired event.
  • The Date text box lets you set a specific date range for the desired event(s). By clicking the calendar icon to the right of the text box, you can select the start and end date using the pop-up calendar. When entering a date, keep in mind that it must follow the year-month-day format.
  • The Display by radio buttons let you sort your search results. You can choose to display events by date, type, source IP, or destination IP.


Once you have defined your search criteria, click Go.

By default, returned results are displayed by date. As you can see in Figure 6 – Control Panel > Events, the events are listed under a single date, which appears as a collapsible menu. If you open the menu, the events appear one by one under the date.

For each event, the Events page displays the event type, the date it occurred, and the source and destination IP addresses. You can find out additional information about the event, such as the plugin, plugin SID, and any user data, by expanding the event name under the Type column.

Configure Event Tabs

The Configure Event Tabs is one of two additional options at the upper right side of the Events page, along with the Go To Forensics page.

This screen features a table listing the five types of events: Snort, Snare, OS Events, Service Events, and MAC Events. Each event type features a checkbox (for selecting multiple event types), as well as a brief description of that event.

Each event type in the aforementioned table also features its own Settings link; if you click Settings, a new panel appears for that particular event below the table, as shown in Figure 7 – Configure Events Page.

:user_manual:figure3.1.3.png
Figure 7 – Configure Events Page

The new panel contains four tabs that allow you to set parameters for a particular column of a particular event: Date, Plugin, Source, and Destination. To toggle between tabs, simply click the tab name. You can remove a tab, or column, by clicking its corresponding Delete link. You can add an additional tab by clicking the Add Column link.

Each column has three settings:

  • Column label lets you set the name of the column; once set, it appears as a tab at the top of the panel.
  • Column contents let you set the content for the tab, as well as a tag.
  • Column settings let you set column appearance features, such as alignment, width, and whether or not to use word wrap.


  • Written By: Jason A. Minto
  • Reviewed By: Alberto Roman, Dominique Karg
  • Contributors: Juan Blanco

Please add your name to the list above if you make significant improvements to this document

user_manual/events.txt · Last modified: 2009/11/28 21:59 (external edit)