Sessions are viewed through Monitors > Session. A session is a TCP or UDP communication between two hosts on a monitored network; a TCP session is a persistent connection between the two hosts. OSSIM monitors sessions when correlating network data. ntop collects and presents this session information. This interface has a Sensor selector and a table listing network sessions (see Figure 17 – Monitors > Session).

Figure 25 – Monitors > Session
The Sensor selector allows the user to choose which sensor's session table to view. The selector is the combo-box below the OSSIM menu and above the TCP/UDP Session table. The selector lists sensors and networks. Networks are defined under Policy > Networks.
The Active TCP/UDP Sessions table lists all of the sessions for the selected Sensor. There are ten columns in this table:
Networks are viewed through ntop. ntop is an open source network “top”. top is a *nix command that lists the “top” active processes on the host (similar to the Task Manager on Windows). ntop monitors and collects information about protocols and hosts on the network. OSSIM uses a wrapper with a left sidebar around ntop to present it in a manner consistent with OSSIM’s usage and methodology (see Figure 18 – Monitors > Network).

Figure 26 – Monitors > Network
OSSIM’s left sidebar has a number of options to view data. These options are accessible for all Sensors and their Interfaces (both defined under the Policy > Sensors tab).
The Sensor selector allows the user to choose which sensor's data to view. The selector is the combo-box at the top of the left sidebar. The selector lists hosts with OSSIM Agents installed.
The Interface selector allows the user to choose which interface's ntop data to view. The selector is the combo-box beneath the Sensor selector. This selector displays all of the interfaces configured for use on the Sensor selected above.
Note: The Interface selector will only work if ntop is started with the “-M” option. This option tells ntop not to merge its network interfaces, so traffic is kept separate per interface. Without this option, traffic from all interfaces is merged and appears under the sensor as a whole.
Global shows global information for the currently selected sensor. This provides an executive overview of ntop’s measurements. This page features a large number of graphs suitable for inclusion in management reports about the current state of the network. Particularly noteworthy is the link to Historical Data listed under the Traffic Report; here you’ll see historical information stored in RRD format.
Protocols lists host traffic categorized by network protocol. The categories include Network and Transport layer protocols from the five-layer TCP/IP model (e.g. ICMP, IGMP, TCP, UDP, etc.). It reports the number of bytes sent using each protocol.
Services > By host: Total lists total host traffic categorized by network application. This is a table with a row for each host and data values with the number of bytes sent by each host. The categories are Application layer protocols from the five-layer TCP/IP model (e.g. HTTP, DNS, NETBIOS, etc.). Services > By host: Total is the sum of bytes sent and received by the host. Services > By host: Sent lists the same information, but only sent data. Services > By host: Recv lists the same information, but only received data.
Services > Service statistic displays overview information about protocols and services on the network. This is a combination of tables and charts.
Services > By client-server lists services seen on the network and the hosts using those services. This is a table with rows for each service.
Throughput > By host: Total lists total averages, peaks, and current rates of network traffic. This is a table with rows for each host and data values with the rate for each host in bytes per second (bps). The total is the sum of the bytes sent and received by the host. Throughput > By host: Sent lists the same information, but only sent data. Throughput > By host: Recv lists the same information, but only the received data.
Matrix > Data Matrix is a table listing IP Subnet Traffic.
Matrix > Time Matrix is a color-coded table listing the percentage of traffic for each host on the network by time.
Gateways, VLANs > Gateways lists activity from local subnet routers. It shows the routers that are actively used by any host.
Gateways, VLANs > VLANs lists activity from local Virtual Local Area Networks (VLANs).
OS and Users lists the operating systems and user IDs found on the network. The data shown here has no direct relation to the Report > Host report information.
Domains lists the statistics for all Domains on the network.
ntop features are best described and documented in the official documentation. See the following URLs:
http://www.ntop.org/
http://sourceforge.net/projects/ntop/
Availability shows the status of hosts connected and reporting into Nagios. Nagios reports on hosts and services within your network. OSSIM uses a wrapper with a left sidebar around Nagios to present it in a manner consistent with OSSIM’s usage and methodology (see Figure 27 – Monitors > Availability).

Figure 27 – Monitors > Availability
You need to configure Nagios in order to use it. Detailed information is available at http://www.nagios.org/. Briefly, hosts need to be configured and added to the /etc/nagios configuration files. This entails creating templates and objects for a variety of hosts and configurations (e.g. unix, windows, server, client, etc.).
According to the official FAQ, Nagios stands for “Nagios Ain’t Gonna Insist on Sainthood”. It is a recursive acronym that refers to Nagios’ original name, Netsaint. However, agios means saint in Greek, so you may call it the Network Saint.
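As an added example (not part of the original manual or the OSSIM distribution), the Nagios object definitions below show the template-and-object pattern described above: a reusable host template, two hosts that inherit from it, and service checks on each. The host names and 192.0.2.x addresses are constructed placeholders; `check-host-alive`, `check_ssh`, `check_http`, the `generic-service` template, the `24x7` timeperiod and the `admins` contact group are assumed to come from the stock sample configuration shipped with Nagios.

```cfg
# Added example: a host template plus objects that use it. Placeholder
# hosts and addresses. Put this in a file referenced by cfg_file= or
# cfg_dir= in /etc/nagios/nagios.cfg, then validate with
# "nagios -v /etc/nagios/nagios.cfg" before restarting Nagios.

# Template: register 0 means it is never monitored itself, only inherited.
define host {
    name                    ossim-unix-host
    check_command           check-host-alive
    check_interval          5
    retry_interval          1
    max_check_attempts      3
    check_period            24x7
    notification_interval   60
    notification_period     24x7
    notification_options    d,u,r
    contact_groups          admins
    register                0
}

# Concrete hosts inherit every directive above via "use".
define host {
    use                     ossim-unix-host
    host_name               sensor-01        ; placeholder name
    alias                   OSSIM sensor
    address                 192.0.2.10       ; placeholder address
}

define host {
    use                     ossim-unix-host
    host_name               www-01           ; placeholder name
    alias                   Web server
    address                 192.0.2.20       ; placeholder address
    parents                 sensor-01        ; drawn as a link in Status Map
}

# Service checks; generic-service is the stock service template.
define service {
    use                     generic-service
    host_name               sensor-01,www-01
    service_description     SSH
    check_command           check_ssh
}

define service {
    use                     generic-service
    host_name               www-01
    service_description     HTTP
    check_command           check_http
}
```

Once these objects pass validation, the hosts and services appear under Service Detail and Host Detail in the Availability sidebar.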
OSSIM’s left sidebar has a number of options to view data. These options are accessible for all Sensors. The details are divided between Monitoring and Reporting.
The Sensor selector allows the user to choose which sensor's data to view. The selector is the combo-box at the top of the left sidebar. The selector lists hosts with the OSSIM Agent installed.
Service Detail lists the details of monitored network services. This includes services like http and ftp.
Host Detail lists the details of monitored hosts. This provides details of various statistics collected by the Nagios agents.
Status Overview, Status Grid, Status Map, Service Problems, Host Problems, Process Info, and Performance Info all provide different views into comprehensive information for the sensor. These features allow users to see problems with their network assets in one place.
Comments allows administrators to share information about various assets.
Scheduling Queue is where various Nagios jobs are scheduled. Nagios runs processes at various times and this is where that is configured. This includes when services are checked, among other things.
Trends reports, with graphs, the state of assets over a period of time.
Availability reports on the readiness of assets over a period of time.
Event Histogram reports with a graph the availability of an asset over time.
Event Summary has generic reports about host and service alert data. This includes alert totals, top alert producers, and a number of other metrics.
Notifications displays messages that have been sent to various contacts in Nagios’ database. These messages are used to forward information about a specific asset to specific persons.
Performance Info is a collection of MRTG graphs illustrating various statistical data for monitored assets.
Sensor status is displayed through the Monitors > Sensors interface. Here you’ll see all the sensors connected to OSSIM, as OSSIM uses sensors to collect data. The information on this web page may change when the web page reloads. There is one table in this interface listing the status of plugins on the sensor (see Figure 20 – Monitors > Sensors).

Figure 28 – Monitors > Sensors
There are five columns to the sensor status table.
Plugin is the name of the plugin installed and configured on the sensor. A plugin is the mechanism through which OSSIM receives data. The plugin is responsible for parsing incoming data on the sensor and normalizing it into a format that OSSIM understands.
Status indicates whether or not the plugin is operational. A green UP indicates that the plugin is running and sending information to OSSIM. A red DOWN indicates that the plugin is not running. A black Unknown indicates that the sensor cannot determine the status (this is not necessarily a bad thing).
Action (at the right of ‘Status’) is a hyperlink that may be used to change the state of the plugin. Start hyperlinks attempt to start the corresponding plugin. Stop hyperlinks attempt to stop the corresponding plugin. These commands are executed only on the corresponding sensor.
Enabled indicates whether or not the plugin is active and reporting. The plugin may be disabled in the agent configuration file. The sensor’s built-in watchdog does not monitor disabled plugins. It may also be disabled from the following Action column.
Action (at the right of ‘Enabled’) is a hyperlink that may be used to change the state of the plugin. Disable turns off a plugin and stops it from auto-starting when the sensor reboots. Enable turns on a plugin and starts it when the sensor reboots.