AlienVault Open Source SIEM (OSSIM) Installation Guide

Open Source AlienVault SIM (OSSIM) is a comprehensive security system that covers from detection level up to an executive level generating metrics and reports. OSSIM is offered as a security product that allows you to integrate into a single console all devices and security tools available on your network, as well as the installation of prestigious security open source tools like Snort, OpenVas, Ntop and OSSEC.

Once the events generated by different tools and devices have been collected by OSSIM, the system performs a risk assessment for each event and the correlation occurs. During the process of correlation, from a series of patterns, OSSIM generates new events to detect attacks or problems in your network.

To access all the information collected and generated by the system, OSSIM includes a Web console that also allows us to configure the system and see the overall state of your network in real time.

OSSIM is a constantly evolving product. For this reason you have to make sure you are using the latest version of the OSSIM installer and this installation guide. Newest versions are always available on the Project website http://www.AlienVault.com.

The purpose of this tutorial is to provide the reader a guide step by step on how to install AlienVault Open Source SIM. This documents also covers basic concepts and a brief explanation of the role of every profile that an OSSIM installation can adopt.

OSSIM is a product that integrates more than 30 Open Source tools. Both the operating system and many built-in tools have been modified to improve its functioning within the system. That is why installing OSSIM from source code requires a very broad knowledge and compiling more than 40 different tools.

To simplify the complex process of compiling, installing and configuring all these tools, the development team distributes OSSIM installer which includes the operating system, all the components and a powerful configuration and updating system. OSSIM installer is based on the Debian GNU/Linux operating system and is available in 32-bit and 64-bit editions

If your processor has 64-bits support then you can take advantage of the performance in this architecture. In certain deployments and based on the network throughput and the number of events, you may need hardware capable of handling large volumes of data. The 64-bit architecture also allows the use of a greater amount of physical memory.

The following processes take place within OSSIM:

1. Applications generate security events
2. Events are collected and normalized
3. Events are sent to a central server
4. Risk assessment
5. Event Correlation
6. Events storage
7. Access to stored events
8. Access to the configuration
9. Access to metrics and reports
10. Real-time information of the status of your network

The applications and devices in your network generate security events. These events are collected and normalized by the OSSIM agent, which is also responsible for sending them to the OSSIM Server.

In an OSSIM deployment you can have as many agents as you need. In some cases you will have an agent in each location of the company, or an agent inside the DMZ or another agent dedicated to collect all the firewall logs.

The OSSIM agent includes a set of tools (Snort, Ntop, Tcptrack, arpwatch …) that can analyze the network traffic in search of security problems and anomalies. To take advantage of this OSSIM functionality, the OSSIM agent must be receiving all traffic on the network, either using a hub, or configuring a port mirroring or SPAN port on the network devices.

All OSSIM agents send their events to a single OSSIM server. The server then carries the risk assessment and the correlation. Once these processes have taken place, events are stored in the OSSIM database.

To access this information OSSIM includes a Web console that can also be used to modify configuration parameters and to generate metrics and reports. The web console will also provide access to real-time information from a number of applications that analyze the global status of your network (Ntop, Nagios…).

Once the installation has finished the system allows changing the profile of the OSSIM installation. By default the All-in-one profile will be installed.

All-in-one profile is a combination of all profiles on a single machine. It includes a sensor, server, database and web console.

The sensor in the all-in-one profile will also enable Snort, OpenVas, Ntop, Arpwatch, P0f and Pads.

All-in-one is the default install profile.

The Sensor profile is responsible for the collection and normalization of events. To allow the sensor collecting all the logs you will have to send all the events to the Sensor using Syslog, FTP, Samba, Snare …

Each tool has an associated plugin in OSSIM that defines how to collect the events from the log files. Normalized events are sent to the server.

Snort, Ntop, Arpwatch, P0f and Pads are also enabled in the Sensor only profile. To make these tools useful, you should be using a hub or configuring port mirroring in your Network Switch.

The Server profile prepares your OSSIM box to collect the logs from all the OSSIM sensors.

Once the events have been processed, all information is stored in the database. The Server profile will also include an OSSIM agent to monitor the safety of the system (Pam Unix, SSH …)

This profile database server will have a MySQL database to store events, configurations and inventory information.

The OSSIM hardware requirements will basically depend on the number of events per second and the throughput of the network that you want to secure.

As a minimum requirement is always advisable to have at least 2GB of ram. You may have to increase the available RAM memory based on the network throughput, the number of events that the OSSIM server is processing and the amount of data that needs to be stored in the database. In order to achieve maximum performance, it is essential to use only those applications and components that will be useful to you in each case.

In terms of performance there is a huge difference between 32 bit and 64 bit processors, so you should always try to choose 64-Bits architecture when buying new hardware. Most components of OSSIM support multithreading, so those using 64-Bits processors will also obtain a great improvement in performance.

When thinking about network cards, you should try to choose those supported by the e1000 driver. The Open Source development model of this driver ensures good compatibility of these cards with Debian GNU/Linux.

The slowest network cards in your OSSIM boxes should be used to collect events from other devices or as the management interface.

In order to deploy OSSIM correctly you need to have a great knowledge of your network devices. You will have to configure port mirroring in those network devices that support this feature. To configure the port mirroring correctly you have to keep in mind avoiding these two situations:

• Duplicated network traffic : This happens when you are forwarding the same network traffic more than once in different network devices.

* Encrypted network traffic : In some cases it has no sense configuring a port mirroring in those devices that only show encrypted traffic (VPN, SSH…), as this traffic can not be easily analized by some applications.

Apart from the port mirroring, you need to have ready IP addresses for all the OSSIM boxes. Those OSSIM boxes running a Sensor profile may require more than one network card as the Sensor will be having access to different networks (Nessus, Nagios, Nmap…)

As an example, OpenVas (Vulnerability Scanning) will have to be able to reach the target networks when the scan happens. When using OpenVas, Nagios or Nmap you also have to make sure that your firewalls are configured correctly allowing access from your Sensors to the target networks or hosts.

As the events have to be normalized before being processed by the OSSIM Server, the OSSIM Sensor will require access to the Local Network DNS.

You will have to make sure that your computer can boot from the CD. Refer to your system's documentation for further information. This may require modifying the BIOS settings. To start the installation program, boot from the CD. The installer will delete any data stored in your hard disk

Choose the language used for the installation process. The choosen language will also be used also for the installed system.

Choose your current location:

Choose the keyboard layout:

At this point you will have to configure your network card. If you have more than one network card you will have to choose which one will be used as the management interface. In case of having multiple network interfaces, the installer will ask which network interface should be used as the management interface. This interface should also have internet access during the install process.

Enter the IP address and select Continue.

Insert the netmask.

Now enter the gateway IP address. All traffic that goes outside your LAN is sent through this router.

Enter the IP addresses of the name servers (separated by spaces). If you have a local name server in your network it should be the first one in this configuration. You can enter as many name servers as you want.

Enter the hostname for the system

If you are using a domain name in the computers of your network, enter the domain name

Select your timezone

At this point the disk partitioning takes place. Select the first option: Guided Use entire disk

Now it is time for partitioning. Select Guided: Use entire disk Notice that this will delete any data stored in your hard disk

At this point you choose whether to store all files in one partition or if you want a separate partition. Select “All files in one partition”.

Now the installer will show the suggested partitioning. Apply the changes and continue.

All software pacakges will now be configured. Postfix will ask about the mail server configuration that best meets your needs.

If you don't have a mail server in your network or you want to have your own in the OSSIM Box select Internet Site.

If you already have a mail server in your network, you can select Satellite System.

Accept the Java license agreement.

Once all software is installed and configured (this may take a few minutes) the system ask for the root password. You will have to enter the root password twice.

Before finishing the install process the system will check for the latest software versions available. It is therefore important that you have internet connection during the installation process.

The machine will be rebooted automatically. Once the system has booted all the applications will be configured according to the default settings.

To finish the installation process will reboot the machine automatically. Once you complete the boot process will proceed to configure all the applications according to the default settings.

To simplify the configuration of the large number of tools included in OSSIM, the configuration is centralized in a single file. Every time you modify this configuration you should run a command to update the configuration of every application based on the centralized configuration.

The centralized configuration is stored in the following file:

/etc/ossim/ossim_setup.conf

You can edit this file using any text editor (vim, nano, pico…). Inexperienced users should be using the following command to edit this file:

ossim-setup

To apply the centralized configuration on every configuration file you will have to run the following command:

ossim-reconfig

All profiles are enabled by default after running the installer. You can change the profile using the ossim-setup script and selecting the second option (Change Profile Settings)

Based on the choosen profile you will have to configure different configuration parameters:

• Choose interfaces: Enter those interfaces (Separated by comma) that are receiving all the traffic of the network.

• Profile Networks: Enter the networks (home networks) in CIDR format, and separated by comma, that the sensor will be able to see in its listening interface (e.g.: 192.168.0.0/24, 10.0.0.0/8)

• OSSIM Sensor Name: Name given to the sensor installed in this machine.

• Choose the plugins: Select those plugins that should be enabled in this Sensor. Monitor plugins are only enabled under request of the OSSIM Server during correlation. Detector plugins are collecting events in real time from files, databases, sockets..

• OSSIM Sensor Name: Name given to the sensor installed in this machine.

• Choose interfaces: Enter those interfaces (Separated by comma) that are receiving all the traffic of the network.

• Profile Networks: Enter the networks (home networks) in CIDR format, and separated by comma, that the sensor will be able to see in its listening interface (e.g.: 192.168.0.0/24, 10.0.0.0/8)

• OSSIM Server Ip Address: Enter the IP address where the OSSIM server is listening.

• Choose the plugins: Select those plugins that should be enabled in this Sensor. Monitor plugins are only enabled under request of the OSSIM Server during correlation. Detector plugins are collecting events in real time from files, databases, sockets..

• OSSIM Mysql Server IP Address: Enter the IP address of the OSSIM box that is running database profile. Make sure that you have the correct perms in the database to be able to connect from a remot machine.

• OSSIM Mysql Server Port: Listening por for MySQL. (Default port is 3306)

• OSSIM Mysql Password: Password for root user in MySQL Server.

• OSSIM Mysql Password: Password for root user in MySQL Server.

If you only want to reconfigure the profile in use, select the profile in use and you will also be asked to enter the configuration parameters.

To apply changes have to select “Apply and save all changes” or run the ossim-reconfig command.

Those machines running OSSIM require special care when configuring networking.

The network configuration is defined in the following file:

/etc/network/interfaces

If the network configuration has been modified, to apply the changes use the following command:

/etc/init.d/networking restart

Each OSSIM box must have at least one static IP address so the different OSSIM components can communicate among themselves and the administrator can have remote access to the machines.

Each interface with an ip address should have an entry in the /etc/network/interfaces file using the following schema:

allow-hotplug eth0
iface eth0 inet static
	address 192.168.1.133
	netmask 255.255.0.0
	network 192.168.0.0
	broadcast 192.168.255.255
	gateway 192.168.1.1
	dns-nameservers 192.168.1.100

Those interfaces used to collect all the network traffic should never have an IP address. Promiscuous interfaces do not require any special configuration in the network configuration file.

The following commands will update the OSSIM system:

apt-get update; apt-get dist-upgrade;

The software updating system being used in the OSSIM installer has been desgined to ensure that the correct versions are being used. It allows OSSIM developers blocking or forcing updates of certain software in the system. For this reason, you should never be including new software repositories in your /etc/apt/sources.list.

Apart from leading the OSSIM development, AlienVault is developing AlienVault Professional SIEM which offers importants enhancements for demanding environments:

• SEM: high volume storage
• Scalability: distributed, hierarchical deployments
• Performance: 30 times more performance
• Reliability: Redundancy and high availability

• In production environments it is always recommended to use 64-bit architectures, since there is a large difference in performance terms compared with the 32-bit version.
  
• You should never be installing an OSSIM Sensor in a virtualized environment if this sensor is going to collect huge amounts of network traffic. Because of the way these virtualization tools manage virtual network interfaces, a large amount of network traffic is lost without being analyzed.
  
• Never install software in the OSSIM Box that requires modifying the Debian repositories (/etc/apt/sources.list)
• OSSIM will always be supporting the latest stable version of Debian GNU/Linux. If a new Debian version is released the developers will provide a guide on how to upgrade to the newest version.
  
• There is no limitation on the software that can be installed on the machines but keep in mind the high consumption of memory and cpu of some applications when installing new software. As an example, you should never install a desktop environment on your OSSIM machines.