VMOSSIM - Virtualized Security Information Management
You can download the image using BitTorrent from our local tracker. The current version is VMOSSIM0704 (containing OSSIM 0.9.9rc4); the uncompressed image takes around 1.1 GB of disk space.
Please refer to the Official BitTorrent site for more information and clients.
Note: Although we don't have any immediate bandwidth problems, please help out seeding to others.
Scroll down for default image data like user/passwords.
For a list of known issues and some extra documentation please visit the Wiki.
Checksums (MD5; compare against the values listed here rather than a checksum distributed alongside the file, since MD5 detects a corrupted download but is not collision resistant):
- MD5 (VMOSSIM.0.9.9rc2.tar.bz2) = 71057be89ed3cf0818672ebcc27180cf
- MD5 (VMOSSIM.0.9.9rc3.tar.bz2) = 44d710579705d2f7eed6db4ba098ba0e
- MD5 (VMOSSIM0704.tar.bz2) = 007ba253968ff22ef3582a58c596c123
Introduction
This virtual appliance contains a ready-to-use OSSIM deployment. For detailed information about OSSIM please refer to http://www.ossim.net
Components
Included with the appliance are the following software components:
- Arpwatch, used for MAC anomaly detection (new and changed MAC/IP pairings).
- P0f, used for passive OS detection and OS change analysis.
- Pads, used for service anomaly detection.
- Nessus, used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
- Snort, the IDS, also used for cross correlation with nessus.
- Spade, the statistical packet anomaly detection engine, used to learn about attacks for which no signature exists.
- Tcptrack, used for session data, which provides useful input for attack correlation.
- Ntop, which builds an extensive network information database on which aberrant-behaviour anomaly detection is based.
- Nagios. Being fed from the host asset database it monitors host and service availability information.
- Osiris, a great HIDS.
Of course all of the OSSIM components are installed and enabled; for more information please have a look at the provided documentation.
Profiles
A typical OSSIM deployment consists of:
- A database host.
- A server which hosts the correlation, qualification and risk assessment engine.
- N agent hosts which do information collection tasks from a number of devices. For a list of plugins please refer to: http://www.ossim.net/dokuwiki/doku.php?id=roadmap:plugins
- A control daemon, called frameworkd, which does some maintenance work and ties the parts together.
- A web-based frontend which unifies all the gathered information and provides control over each of the components.
The appliance has an easy to use wizard which helps both in selecting the type of Appliance as well as the needed IP address information.
You can choose between three different deployment types:
- All in one (the default type).
- Sensor only.
- Server + Database + Frontend.
Some quick notes about the image
The image has been downsized with easy and fast downloading and deployment in mind.
Partitioning has been done with virtual disks in mind, so every separate partition can easily be exchanged without too much trouble.
After installing a fresh Debian operating system, all the needed OSSIM dependencies and OSSIM itself, a cleanup was done to get the compressed image size down to 213 MB.
Once we had a perfectly working system we focused on ways to allow different uses of a single image and on easing reconfiguration for new environments.
All the software used herein is under some sort of Open Source license; please refer to the individual vendors/groups for the exact terms. OSSIM is licensed under the BSD license.
Customization instructions
Default IP address is 192.168.1.11.
Non-privileged user is "vmuser:vmuser".
Root password is "vmossim".
Database password is also "vmossim" for the MySQL root user.
Interface login: "admin:admin".
These defaults are identical in every copy of the image and are published here, so change all of them (the system accounts, the MySQL root password and the web login) before the appliance is reachable from any network you do not control.
First of all: this appliance requires a NIC in promiscuous mode on the host system, otherwise the guest never sees the traffic it is supposed to monitor. Please refer to the results you get when searching for "promiscuous" on the vmware.com site.
You must also make sure the guest operating system puts its NIC into promiscuous mode.
First you have to decide what this image is going to be. For a start I'd suggest leaving it as it is (all in one) and only customizing its IP address. To do so follow a couple of simple steps:
- Start up the Virtual Appliance
- Setup your networking, edit /etc/network/interfaces
- Restart your networking "/etc/init.d/networking restart"
- Use the included wizard to reconfigure your ossim server/sensor: "/root/tools/wizard.pl".
- The easiest way to make all the components aware of the new settings is to reboot the Virtual Appliance.
Otherwise kill the following processes: ossim-server, ossim-agent, ossim-framework, pads, ntop, p0f, arpwatch,
and then issue "/etc/init.d/ossim start".
- Point your browser at http://your_address/ossim/. Default login is "admin:admin" and upon login further instructions are shown.
- Enjoy!
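The steps above, collected into one script. This is an added example for this page, not a tool shipped in the VMOSSIM image or part of OSSIM: it renders a Debian /etc/network/interfaces stanza that also keeps the NIC in promiscuous mode across ifup/ifdown (which the sensor components need), sanity-checks the addresses before writing anything, and then restarts networking, runs the wizard and restarts the OSSIM processes the page lists. The interface name eth0 and the gateway 192.168.1.1 are assumptions; the file and script paths are the ones given above. The script only touches the system when VMOSSIM_APPLY=1 is set, so the functions can be read and tested first.

```shell
#!/bin/sh
# Added example (not part of VMOSSIM): re-address the all-in-one appliance.
# Assumed: interface eth0, gateway 192.168.1.1. Nothing on the system is
# modified unless VMOSSIM_APPLY=1 is exported.

# Render a Debian /etc/network/interfaces file for a static address. The
# up/down hooks keep the NIC in promiscuous mode so snort, p0f, pads, arpwatch
# and ntop see all traffic, not only frames addressed to the appliance.
render_interfaces() {
    iface=$1 addr=$2 mask=$3 gw=$4
    cat <<EOF
auto lo
iface lo inet loopback

auto $iface
iface $iface inet static
    address $addr
    netmask $mask
    gateway $gw
    up ip link set dev $iface promisc on
    down ip link set dev $iface promisc off
EOF
}

# Minimal check before overwriting the network config: four dotted decimal
# fields, each in 0..255. Returns non-zero on anything else.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# The processes the page says to kill when you do not want to reboot.
OSSIM_PROCS="ossim-server ossim-agent ossim-framework pads ntop p0f arpwatch"

restart_ossim() {
    for p in $OSSIM_PROCS; do
        pkill -x "$p" 2>/dev/null || true
    done
    /etc/init.d/ossim start
}

apply() {
    iface=$1 addr=$2 mask=$3 gw=$4
    valid_ipv4 "$addr" && valid_ipv4 "$mask" && valid_ipv4 "$gw" || {
        echo "bad address/netmask/gateway" >&2; return 1; }
    cp /etc/network/interfaces /etc/network/interfaces.bak
    render_interfaces "$iface" "$addr" "$mask" "$gw" > /etc/network/interfaces
    /etc/init.d/networking restart
    /root/tools/wizard.pl      # interactive: keep "all in one", enter the new address
    restart_ossim
}

if [ "${VMOSSIM_APPLY:-0}" = 1 ]; then
    apply "${1:-eth0}" "${2:-192.168.1.11}" "${3:-255.255.255.0}" "${4:-192.168.1.1}"
fi
```

Run it as root inside the appliance, e.g. `VMOSSIM_APPLY=1 sh readdress.sh eth0 10.0.0.20 255.255.255.0 10.0.0.1`; the previous interfaces file is kept as interfaces.bak so a mistake can be undone from the console.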
In case you want to add more appliances on other parts of your network, you should split the server up and reconfigure the sensors as, well, sensors.
To do so follow the instructions provided by the /root/tools/setup.pl script. That script does the following tasks:
Sensor
- Disable server, mysql and apache.
- Reconfigure /etc/issue and /etc/issue.net so you can see what is configured at any time.
- Setup the right server & database values.
Server
- Disable pads, p0f, ntop, etc...
- Reconfigure /etc/issue and /etc/issue.net so you can see what is configured at any time.
- Grant mysql privileges to remote sensors.
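The "Grant mysql privileges to remote sensors" step is where a split deployment most often ends up too open: a grant to 'user'@'%' lets anyone who learns the (default, published) password reach the database from anywhere. The following is an added example, not the code of setup.pl or of OSSIM, showing how to scope each sensor's account to its own IP address, what else has to change for a remote sensor to connect at all (Debian's my.cnf binds MySQL to 127.0.0.1), and a matching packet filter. The database names "ossim" and "snort", the account name "ossim" and the privilege list are assumptions to be checked against the server's OSSIM configuration; the GRANT ... IDENTIFIED BY form is MySQL 5.x syntax.

```shell
#!/bin/sh
# Added example (not part of VMOSSIM/setup.pl): per-sensor MySQL grants.
# Assumed: databases "ossim" and "snort", sensor account "ossim", and that
# SELECT/INSERT/UPDATE/DELETE cover what the sensor's writers need.

# Emit one GRANT per sensor address and database. The host part of each
# account is the sensor's IP, so a leaked password is useless from elsewhere,
# and no GRANT OPTION, SUPER or FILE privilege is handed out.
sensor_grants() {
    user=$1 password=$2
    shift 2
    # The password is interpolated into SQL: refuse characters that would
    # break out of the quoted string instead of trying to escape them.
    case $password in
        *\'*|*\\*) echo "password must not contain ' or \\" >&2; return 1 ;;
    esac
    for ip in "$@"; do
        for db in ossim snort; do
            echo "GRANT SELECT, INSERT, UPDATE, DELETE ON $db.* TO '$user'@'$ip' IDENTIFIED BY '$password';"
        done
    done
    echo "FLUSH PRIVILEGES;"
}

# Debian ships /etc/mysql/my.cnf with "bind-address = 127.0.0.1"; remote
# sensors cannot connect until it is the server's own address. This returns
# the replacement line rather than editing the file blindly.
bind_address_line() {
    echo "bind-address = $1"
}

# Packet filter to pair with the grants: 3306 only from the listed sensors.
mysql_firewall_rules() {
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 3306 -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 3306 -j DROP"
}

# Usage on the server host (use a fresh password, not the image default):
#   sensor_grants ossim 'new-secret' 192.168.1.12 192.168.1.13 | mysql -u root -p
#   bind_address_line 192.168.1.11        # put this in /etc/mysql/my.cnf, then restart mysql
#   mysql_firewall_rules 192.168.1.12 192.168.1.13 | sh
```

After applying this, each sensor's own configuration must carry the same password, and the sensor accounts should be dropped again if a sensor is retired, since the IP-scoped grant otherwise keeps working for whatever machine inherits that address.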