Introductions

Garrett Gross, Sr. Technical PMM
Mark Allen, Technical Sales Engineer
Resources for OSSIM Users

AlienVault Forums:
https://www.alienvault.com/forums/discussions/tagged/ossim
LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793
USM & OSSIM On-Demand Training Archives:
https://www.alienvault.com/product-training
AlienVault Blog – Analysis from the AlienVault Labs research team, practical
tips to secure your environment & industry trends
Agenda
• How to deploy & configure OSSEC agents
• Best practices for configuring syslog and enabling plugins
• Scanning your network for assets and vulnerabilities
Let's get started!
Host IDS Configuration
Host IDS
OSSIM comes with the OSSEC host-based IDS, which provides:
• Log monitoring and collection
• Rootkit detection
• File integrity checking
• Windows registry integrity checking
• Active response

OSSEC uses an authenticated server/agent architecture: every agent holds a key issued by the OSSEC server, and the server only accepts traffic from agents it knows.

Diagram: OSSEC agents on the monitored servers report to the OSSEC server running on the OSSIM sensor over UDP 1514; the sensor forwards the normalized events to the OSSIM server.
Deploying HIDS

1. Add an agent in OSSIM.
2. Deploy the HIDS agent to the target system.
3. Optionally change the configuration file on the agent.
4. Verify HIDS operations.
Add Agent in OSSIM
Required task for all operating systems. The agent can also be added through the manage_agents script.
Add an agent, specify its name and IP address, then save the agent.

Environment > Detection > HIDS > Agents


Deploy HIDS Agent to Target System
Automated deployment for Windows machines: specify the domain, username and password of the target system, or download the preconfigured agent for Windows.
Manual installation for other OS: key extraction is required. Extract the agent's key in OSSIM and import it on the agent so the server will accept the agent's traffic.
Change Configuration File on Agent
OSSEC configuration is controlled by a text file (the agent's ossec.conf). The agent needs to be restarted after configuration changes. A log file is available for troubleshooting.
Verify HIDS Operations

The Overview page displays an overview of OSSEC events and agent information. Agent status should be Active.

Environment > Detection > HIDS > Overview


Verify HIDS Operations (Cont.)

Verify that OSSEC events are displayed in the SIEM console. Use the search filter to display only events from the OSSEC data source.

Analysis > Security Events (SIEM) > SIEM


Verify HIDS Operations (Cont.)

From Agent Control, verify registry integrity, verify file integrity and verify the presence of rootkits.

Environment > Detection > HIDS > Agents > Agent Control
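The manual agent path above (extract the key, edit the agent's ossec.conf, restart, read the log) is easy to get subtly wrong, so here is an added example, written for this page and not taken from the AlienVault deck or the OSSEC project, of the three checks a practitioner runs on the agent host. Paths follow the stock OSSEC layout under /var/ossec; the sensor address 192.168.1.5, the agent 192.168.1.10, the hex key and the ossec.log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the AlienVault deck): helper functions for the
# manual OSSEC agent deployment. Paths assume the stock /var/ossec layout;
# the key, server IP and log lines below are constructed.
set -eu

# 1. Key check. On the sensor, /var/ossec/bin/manage_agents -e <id> prints the
#    agent key as one base64 string whose decoded form is
#    "<id> <name> <ip> <hex-key>". It is imported on the agent with
#    /var/ossec/bin/manage_agents -i <that string>. A key minted for another
#    IP imports without complaint but the server then drops the agent's
#    traffic, so compare the bound IP with this host's IP before importing.
decode_agent_key() {
  b64="$1"; expected_ip="$2"
  decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || {
    echo "key is not valid base64" >&2; return 1; }
  set -- $decoded
  [ "$#" -eq 4 ] || { echo "malformed key: expected 4 fields, got $#" >&2; return 1; }
  agent_id="$1"; agent_name="$2"; agent_ip="$3"
  [ "$agent_ip" = "$expected_ip" ] || [ "$agent_ip" = "any" ] || {
    echo "key is bound to $agent_ip but this host is $expected_ip" >&2; return 1; }
  printf '%s %s %s\n' "$agent_id" "$agent_name" "$agent_ip"
}

# 2. Minimal agent ossec.conf: point the agent at the sensor and enable the
#    checks the deck lists (log collection, file integrity, rootcheck).
#    Write it to /var/ossec/etc/ossec.conf and restart with
#    /var/ossec/bin/ossec-control restart.
agent_conf() {
  server_ip="$1"
  cat <<EOF
<ossec_config>
  <client>
    <server-ip>$server_ip</server-ip>
  </client>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
EOF
}

# 3. Link verification from /var/ossec/logs/ossec.log (read on stdin).
#    ossec-agentd logs "Connected to the server (ip:1514)" once the server
#    answers, and "Waiting for server reply (not started)" when UDP 1514 is
#    blocked or the key does not match. The last such line is the current state.
agent_link_status() {
  last=$(grep -E 'Connected to the server|Waiting for server reply' | tail -n 1 || true)
  case "$last" in
    *"Connected to the server"*)  echo connected ;;
    *"Waiting for server reply"*) echo no-reply ;;
    *)                            echo unknown ;;
  esac
}

# --- demo with constructed data ---
HEX_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '001 webserver 192.168.1.10 %s' "$HEX_KEY" | base64 | tr -d '\n')
decode_agent_key "$SAMPLE_KEY" 192.168.1.10
agent_conf 192.168.1.5 | head -n 4
printf '%s\n' \
  "2016/03/01 10:14:40 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.5'." \
  "2016/03/01 10:15:02 ossec-agentd(4102): INFO: Connected to the server (192.168.1.5:1514)." \
  | agent_link_status
```

If agent_link_status keeps reporting no-reply after a restart, the two usual causes are a firewall between the agent and the sensor on UDP 1514 and a key imported for the wrong IP; the decode check above rules out the second before you start chasing the first.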
Syslog & Plugins
Syslog Forwarding
Syslog configuration will vary based on the source device/application, but the necessary parameters are usually:
• Destination IP (the OSSIM sensor)
• Source IP (the address the sensor will see the logs coming from)
• Port (default is UDP 514)
Enabling Plugins
Enable the plugin at the asset level.
General > Plugins > Edit Plugins
A green light under "Receiving Data" confirms successful log collection.
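As an added example for the syslog forwarding and plugin steps above (written for this page, not taken from the AlienVault deck), the block below builds the rsyslog forwarding rule for a Linux source and decodes the PRI field of a line captured on the sensor, which is the first thing to look at when a plugin's "Receiving Data" light stays off. The sensor address 192.168.1.5 and the sample sshd line are constructed. One caveat worth checking at the same time: the sensor ties the asset-level plugin to the source address it sees on the syslog packets, so logs relayed through an intermediate collector arrive with the relay's IP and will not line up with the asset.

```shell
#!/bin/sh
# Added example (not from the AlienVault deck): rsyslog forwarding rule
# builder and PRI decoder. The sensor IP and sample line are constructed.
set -eu

# rsyslog forwarding action: "@host:port" sends over UDP (OSSIM's default,
# UDP 514), "@@host:port" over TCP. Put the rule in /etc/rsyslog.d/ossim.conf
# on the source host and restart rsyslog.
rsyslog_forward_rule() {
  dest="$1"; port="${2:-514}"; proto="${3:-udp}"; selector="${4:-*.*}"
  case "$port" in ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  case "$proto" in
    udp) printf '%s @%s:%s\n'  "$selector" "$dest" "$port" ;;
    tcp) printf '%s @@%s:%s\n' "$selector" "$dest" "$port" ;;
    *)   echo "proto must be udp or tcp: $proto" >&2; return 1 ;;
  esac
}

# Decode the <PRI> of a line captured on the sensor, for example with
#   tcpdump -nAi any udp port 514 and src host <asset-ip>
# PRI = facility*8 + severity, so facility = PRI/8 and severity = PRI%8.
# Comparing the facility with what the plugin's regex expects explains most
# "logs arrive but nothing is parsed" cases.
syslog_pri() {
  line="$1"
  case "$line" in
    "<"*) ;;
    *) echo "line has no <PRI> prefix" >&2; return 1 ;;
  esac
  pri=${line#"<"}; pri=${pri%%">"*}
  case "$pri" in ''|*[!0-9]*) echo "PRI is not numeric: $pri" >&2; return 1 ;; esac
  [ "$pri" -le 191 ] || { echo "PRI out of range: $pri" >&2; return 1; }
  printf 'facility=%s severity=%s\n' "$((pri / 8))" "$((pri % 8))"
}

# --- demo with constructed data ---
rsyslog_forward_rule 192.168.1.5
rsyslog_forward_rule 192.168.1.5 514 tcp 'auth,authpriv.*'
syslog_pri '<86>Mar  1 10:15:02 webserver sshd[2231]: Accepted publickey for alice from 10.0.0.7 port 51822 ssh2'
```

The sample line decodes to facility 10 (authpriv) and severity 6 (informational), which is what an sshd login looks like on the wire; a source that forwards only `auth.*` would never send it, and the plugin would show no data even though the forwarding rule itself works.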
Vulnerability Assessment
Vulnerability Assessment
Uses a built-in OpenVAS scanner to detect vulnerabilities in assets.
• Vulnerabilities are correlated with events through cross-correlation rules
• Useful for compliance reports and auditing
Managed from the central SIEM console:
• Running and scheduling vulnerability scans
• Examining reports
• Updating vulnerability signatures
Advanced Options
Vulnerability assessment can be:
• Authenticated (SSH and SMB)
• Unauthenticated
Predefined profiles can be selected:
• Non destructive full and slow scan
• Non destructive full and fast scan
• Full and fast scan including destructive tests
Custom profiles can be created.
Vulnerability Assessment Config
1. (Optionally) tune global vulnerability assessment settings.
2. (Optionally) create a set of credentials.
3. (Optionally) create a scanning profile.
4. Create a vulnerability scan job.
5. Examine scanning results.
6. Optionally create a vulnerability or compliance report.
Tune Global Vulnerability Assessment Settings
The vulnerability assessment system opens a ticket for found vulnerabilities. Select the vulnerability ticket threshold and update the configuration. Start with a high threshold and fix important vulnerabilities first.

Configuration > Administration > Main


Create Set of Credentials
Credentials are used to log into a machine for an authenticated scan. Click Settings, specify the credential set name, specify the login username (the DOMAIN/USER username format is supported) and select the authentication type.

Environment > Vulnerabilities > Overview


Create Scanning Profile
Examine the 3 default profiles and enable the profiles that apply to the assets you are scanning. Edit profiles to enable/disable plugin families, or create a new profile.

Environment > Vulnerabilities > Overview


Create Vulnerability Scan Job
Create a new scan job (or import a Nessus scan report). Specify the scan job name, select the profile, select the server, select the schedule method, select the credential set for an authenticated scan, select the assets and save the job.

Environment > Vulnerabilities > Scan Jobs


Examine Vulnerability Results

Examine vulnerability statistics, view the vulnerability report for all assets and examine the reports for all scan jobs.

Environment > Vulnerabilities > Overview


OSSIM vs. USM
How is USM different?
Correlation Directives: Over 2,000 built-in correlation directives developed by the
AlienVault Labs Threat Research Team, and updated weekly
Reporting: 150+ Customizable Reports, including compliance-specific reports
Log Management: Robust Log Management, Log Search & Long-Term Log
Retention
Professional Support via phone & email as well as customer support portal
And more…view comparison chart here:
https://www.alienvault.com/products/compare-ossim-to-alienvault-usm

“I started out with OSSIM and I didn’t fully realize how much value I would get out of USM until I started using it.
The reporting is awesome, it’s been a big benefit for me. And, having a fully supported solution means I can get
answers to my questions much more quickly than before.”

– Matthew Frederickson, Director of Information Technology, Council Rock School District


USM + Free Installation Services

http://www.alienvault.com/marketing/smb-bundles
Now for some Q&A
Resources for OSSIM Users
OSSIM vs. USM Comparison Chart
https://www.alienvault.com/products/compare-ossim-to-alienvault-usm
AlienVault Forum
https://www.alienvault.com/forums/discussions/tagged/ossim
LinkedIn Group
https://www.linkedin.com/groupInvitation?gid=3793
Subscribe to the AlienVault Blog
https://www.alienvault.com/blogs
Hands-on 5-day Training Classes, in-person or "Live on-line"
https://www.alienvault.com/support/classroom-training

CONTACT US
888.613.6023
ALIENVAULT.COM
HELLO@ALIENVAULT.COM
